We are in the process of upgrading our SPA (Angular) app with a Web API back end to authenticate with OpenID Connect through Google. Ideally we would like to use the hybrid flow.
We have gotten to the point where, after clicking the Google Sign In button, the browser redirects to Google, takes you through the consent screen and sends the response back to our app with the code and ID token. Most of the scenarios published out there show how you configure an MVC app with notifications that fire when the authorization code is returned:
```csharp
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "",
    MetadataAddress = "https://accounts.google.com/.well-known/openid-configuration",
    RedirectUri = "https://localhost:44300/authentication",
    Scope = "openid profile",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async n =>
        {
            // handler body elided in the original post
        }
    }
});
```
That never fires in our case, and I think the reason is that the response is sent back to our SPA, not to the server-side endpoint of our app. What would be the next steps here?
- Do we receive the code on the client and send an AJAX request to our Web API layer, which then exchanges it for an access token? Once we have an access token, how do we communicate that the user is signed in, so the tokens are recognized as valid when we make the API calls from JS?
- Do we tell Google to send the response to our Web API layer, let that exchange the code for an access token, and send a redirect response with a hash fragment containing the access token at the end? Would the notification handler fire in that instance?
In either case, can we leverage anything in the OpenID middleware for exchanging the code? The POST request doesn't seem terribly complicated, but it would still be nice to leverage an existing library for that if possible.
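The first option above (SPA receives the code, hands it to the Web API, the Web API exchanges it with Google), worked through as an added example that is not part of the original post and not the OWIN middleware's own code. It uses the `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.Protocols.OpenIdConnect` packages (5.x or later assumed) rather than the OWIN notification pipeline, reads the token endpoint and signing keys from the metadata address given in the question, and then issues the app's own bearer token so later JS calls can be recognized. `GoogleCallbackController`, `CodeExchangeRequest`, the environment variable names and the app signing key are hypothetical.

```csharp
// Added example (not from the original post): Web API 2 endpoint that takes the
// authorization code the SPA received from Google, exchanges it on the server
// (so the client secret never reaches the browser), validates the id_token, and
// issues the app's own bearer token. Assumed packages: System.IdentityModel.Tokens.Jwt
// and Microsoft.IdentityModel.Protocols.OpenIdConnect 5.x+. Names are hypothetical.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json.Linq;

public class CodeExchangeRequest
{
    public string Code { get; set; }
    // Nonce the SPA generated and kept (e.g. sessionStorage) before redirecting to Google.
    public string Nonce { get; set; }
}

public class GoogleCallbackController : ApiController
{
    // Metadata address and redirect URI as in the question; the redirect URI must match
    // the one used on the authorization request or Google rejects the exchange.
    private const string MetadataAddress = "https://accounts.google.com/.well-known/openid-configuration";
    private const string RedirectUri = "https://localhost:44300/authentication";
    private static readonly string ClientId = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_ID");
    private static readonly string ClientSecret = Environment.GetEnvironmentVariable("GOOGLE_CLIENT_SECRET");

    // Caches Google's discovery document and signing keys, refreshing on key rollover.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(MetadataAddress, new OpenIdConnectConfigurationRetriever());

    private static readonly HttpClient Http = new HttpClient();

    // Hypothetical app-side HMAC key for the token handed back to the SPA.
    private static readonly SymmetricSecurityKey AppKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Environment.GetEnvironmentVariable("APP_TOKEN_KEY")));

    [HttpPost, Route("api/auth/google")]
    public async Task<IHttpActionResult> Exchange(CodeExchangeRequest request)
    {
        if (request == null || string.IsNullOrEmpty(request.Code) || string.IsNullOrEmpty(request.Nonce))
            return BadRequest("code and nonce are required");

        var config = await Metadata.GetConfigurationAsync(CancellationToken.None);

        // Back-channel code exchange at the token endpoint published in the discovery document.
        var tokenResponse = await Http.PostAsync(config.TokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", request.Code },
            { "client_id", ClientId },
            { "client_secret", ClientSecret },
            { "redirect_uri", RedirectUri },
        }));
        if (!tokenResponse.IsSuccessStatusCode)
            return Unauthorized();

        var body = JObject.Parse(await tokenResponse.Content.ReadAsStringAsync());
        var idToken = (string)body["id_token"];

        // Validate signature, issuer, audience and lifetime against Google's published keys.
        // Clearing the inbound map keeps the raw "sub"/"nonce" claim names.
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();
        ClaimsPrincipal principal;
        try
        {
            SecurityToken validated;
            principal = handler.ValidateToken(idToken, new TokenValidationParameters
            {
                ValidIssuer = config.Issuer,
                ValidAudience = ClientId,
                IssuerSigningKeys = config.SigningKeys,
                ClockSkew = TimeSpan.FromMinutes(2),
            }, out validated);
        }
        catch (SecurityTokenException)
        {
            return Unauthorized();
        }

        // The nonce ties this id_token to the authorization request the SPA itself started.
        if (principal.FindFirst("nonce")?.Value != request.Nonce)
            return Unauthorized();

        // Issue the app's own short-lived bearer token; the SPA sends it in the Authorization
        // header on later API calls, where the API validates it against AppKey.
        var appToken = handler.CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = "https://localhost:44300",
            Audience = "https://localhost:44300",
            Subject = new ClaimsIdentity(new[] { new Claim("sub", principal.FindFirst("sub").Value) }),
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials = new SigningCredentials(AppKey, SecurityAlgorithms.HmacSha256),
        });

        return Ok(new { access_token = appToken, token_type = "Bearer" });
    }
}
```

The route attribute assumes `config.MapHttpAttributeRoutes()` is enabled in the Web API startup. The nonce check is what stops a code or ID token obtained in one browser session from being replayed into another, which is why the SPA must send the nonce it originally generated along with the code rather than the server trusting the ID token on its own.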