Use social sign-in provider authentication without ASP.NET Core Identity

By Kirk Larkin and Rick Anderson

Facebook and Google authentication in ASP.NET Core describes how to enable users to sign in using OAuth 2.0 with credentials from external authentication providers. The approach described in that article includes ASP.NET Core Identity as an authentication provider.

This sample demonstrates how to use an external authentication provider without ASP.NET Core Identity. This approach is useful for apps that don't require all of the features of ASP.NET Core Identity, but still require integration with a trusted external authentication provider.

This sample uses Google authentication for authenticating users. Using Google authentication shifts many of the complexities of managing the sign-in process to Google. To integrate with a different external authentication provider, see the following articles:

Configuration

In Program.cs, configure the app's authentication schemes with the AddAuthentication, AddCookie, and AddGoogle methods:

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddGoogle(options =>
    {
        options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
        options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
    });

builder.Services.AddRazorPages();

The call to AddAuthentication sets the app's DefaultScheme. The DefaultScheme is the default scheme used by the following HttpContext authentication extension methods:

Setting the app's DefaultScheme to CookieAuthenticationDefaults.AuthenticationScheme ("Cookies") configures the app to use Cookies as the default scheme for these extension methods. Setting the app's DefaultChallengeScheme to GoogleDefaults.AuthenticationScheme ("Google") configures the app to use Google as the default scheme for calls to ChallengeAsync. DefaultChallengeScheme overrides DefaultScheme. See AuthenticationOptions for more properties that override DefaultScheme when set.

In Program.cs, call UseAuthentication and UseAuthorization. This middleware combination sets the HttpContext.User property and runs the Authorization Middleware for requests:

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();

To learn more about authentication schemes, see Authentication Concepts. To learn more about cookie authentication, see Use cookie authentication without ASP.NET Core Identity.

Apply authorization

Test the app's authentication configuration by applying the [Authorize] attribute to a controller, action, or page. The following code limits access to the Privacy page to users that have been authenticated:

[Authorize]
public class PrivacyModel : PageModel
{

}

Save the access token

SaveTokens defines whether access and refresh tokens should be stored in the AuthenticationProperties after a successful authorization. SaveTokens is set to false by default to reduce the size of the final authentication cookie.

To save access and refresh tokens after a successful authorization, set SaveTokens to true in Program.cs:

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddGoogle(options =>
    {
        options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
        options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
        options.SaveTokens = true;
    });

To retrieve a saved token, use GetTokenAsync. The following example retrieves the token named access_token:

public async Task OnGetAsync()
{
    var accessToken = await HttpContext.GetTokenAsync(
        GoogleDefaults.AuthenticationScheme, "access_token");

    // ...
}

Sign out

To sign out the current user and delete their cookie, call SignOutAsync. The following code adds a Logout page handler to the Index page:

public class IndexModel : PageModel
{
    public async Task<IActionResult> OnPostLogoutAsync()
    {
        // using Microsoft.AspNetCore.Authentication;
        await HttpContext.SignOutAsync();
        return RedirectToPage();
    }
}

Notice that the call to SignOutAsync doesn't specify an authentication scheme. The app uses the DefaultScheme, CookieAuthenticationDefaults.AuthenticationScheme, as a fallback.

Additional resources

Facebook and Google authentication in ASP.NET Core describes how to enable users to sign in using OAuth 2.0 with credentials from external authentication providers. The approach described in that article includes ASP.NET Core Identity as an authentication provider.

This sample demonstrates how to use an external authentication provider without ASP.NET Core Identity. This approach is useful for apps that don't require all of the features of ASP.NET Core Identity, but still require integration with a trusted external authentication provider.

This sample uses Google authentication for authenticating users. Using Google authentication shifts many of the complexities of managing the sign-in process to Google. To integrate with a different external authentication provider, see the following articles:

Configuration

In the ConfigureServices method, configure the app's authentication schemes with the AddAuthentication, AddCookie, and AddGoogle methods:

public void ConfigureServices(IServiceCollection services)
{
    // requires
    // using Microsoft.AspNetCore.Authentication.Cookies;
    // using Microsoft.AspNetCore.Authentication.Google;
    // NuGet package Microsoft.AspNetCore.Authentication.Google
    services
        .AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddGoogle(options =>
        {
            options.ClientId = Configuration["Authentication:Google:ClientId"];
            options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
        });

    services.AddRazorPages();
}

The call to AddAuthentication sets the app's DefaultScheme. The DefaultScheme is the default scheme used by the following HttpContext authentication extension methods:

Setting the app's DefaultScheme to CookieAuthenticationDefaults.AuthenticationScheme ("Cookies") configures the app to use Cookies as the default scheme for these extension methods. Setting the app's DefaultChallengeScheme to GoogleDefaults.AuthenticationScheme ("Google") configures the app to use Google as the default scheme for calls to ChallengeAsync. DefaultChallengeScheme overrides DefaultScheme. See AuthenticationOptions for more properties that override DefaultScheme when set.

In Startup.Configure, call UseAuthentication and UseAuthorization between calling UseRouting and UseEndpoints. This middleware combination sets the HttpContext.User property and runs the Authorization Middleware for requests:

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapRazorPages();
});

To learn more about authentication schemes, see Authentication Concepts. To learn more about cookie authentication, see Use cookie authentication without ASP.NET Core Identity.

Apply authorization

Test the app's authentication configuration by applying the [Authorize] attribute to a controller, action, or page. The following code limits access to the Privacy page to users that have been authenticated:

[Authorize]
public class PrivacyModel : PageModel
{

}

Sign out

To sign out the current user and delete their cookie, call SignOutAsync. The following code adds a Logout page handler to the Index page:

public class IndexModel : PageModel
{
    public async Task<IActionResult> OnPostLogoutAsync()
    {
        await HttpContext.SignOutAsync();
        return RedirectToPage();
    }
}

Notice that the call to SignOutAsync doesn't specify an authentication scheme. The app's DefaultScheme of CookieAuthenticationDefaults.AuthenticationScheme is used as a fallback.

Additional resources