Using External Logins with ASP.NET Identity

A feature request for SimpleSecurity has been the ability to support external logins.  This has been completed and by default it supports login with a Google account.  Google login is enabled because it does not require setup of any accounts on the provider side.  In order to enable other social logins, like Facebook, follow this tutorial for ASP.NET Identity, which will work the same way in SimpleSecurity.

As part of this process I have also upgraded SimpleSecurity to ASP.NET Identity 2.0.  This version of ASP.NET Identity has added missing features that SimpleSecurity already provided, such as email confirmation and password reset.  It has also added some other beneficial features that you can read about here.  Watch for future posts in this blog that will compare how the ASP.NET Identity team implemented email confirmation compared to SimpleSecurity, and I explore some of the other new features.

For those that have not been following the evolution of SimpleSecurity it originally was developed as a reference implementation on how to decouple SimpleMembership from an MVC application and to add missing features.  To make the transition as easy as possible the API for SimpleSecurity mimicked the WebSecurity class used in SimpleMembership, and just like the original it was made a static class.  When ASP.NET Identity became available another implementation was developed with this security framework under the hood, and again the same WebSecurity facade was used.  As some readers pointed out making the API with a static class made it next to impossible to use IoC and DI.  Therefore the WebSecurity class is no longer static and it inherits from IDisposable for proper cleanup of the UserManager when it is out of scope.  Check out these changes and let me know what you think.

Back to external logins. I had one reader ask for a tutorial on how to tie external logins and local logins together. The example given was that a user initially sets up a local account but then decides they would rather use their Facebook account to login.  How do we allow the user to now login with the Facebook account and they would still have access to the same profile and user information they had available in the local account. I started to look into this and wondered if other sites allowed for this.

I found an example in CodePlex, where SimpleSecurity can be found.  I have had a local CodePlex account for years and they recently added the ability to logon with your Microsoft Live account.  I tried creating a login with Microsoft Live.  After logging in with Microsft Live I was prompted to either login with my local CodePlex account, to tie the two together, or register as a new user. I found the user experience to be very good.  But I did not complete the process because I am still concerned about the use of social logins.

What do you think?  Is this good way to implement this feature that is secure?  Is this a useful feature?  Some people even question the benefits of social logins and believe they are not secure. Think about it. If someone hacks into your social account now they have access to every system that you login with that account.  Don't think it can happen to you? Read about this person's nightmare here. What are your thought?  I am interested in hearing from you.


Popular posts from this blog

Customizing Claims for Authorization in ASP.NET Core 2.0

Using Claims in ASP.NET Identity

Adding Email Confirmation to ASP.NET Identity in MVC 5