HOW TO implement Authentication & Authorization using OAuth 2.0 Providers with ASP.NET WebForms

I found the code sample in Blaize Stewart's video tutorial OAuth 2.0 Up and Running (requires subscription) easy to follow for implementing authentication & authorization using OAuth 2.0 Providers (Google, Facebook, Live Connect/Windows Live) in an ASP.NET WebForms web application. The tutorial doesn't get into all the details, so I'm jotting down here what I picked up from the official documentation of the OAuth 2.0 Providers (links are provided in the References section at the end). The original sample showed how to utilize OAuth 2.0 with Google & Facebook. Extending the same sample to work with Live Connect was easy.

OAuth 2.0 is a standards-based authentication and authorization framework on top of the HTTP protocol. More than a dozen services support OAuth 2.0; the popular ones are Google, Facebook Graph API, Live Connect, FourSquare, DropBox, SalesForce and GitHub.

This image from the Google's OAuth 2.0 documentation explains the workflow well:


Replace the Google label in the image with Facebook or Live Connect when you want to picture how it works with those services. OAuth primarily uses two types of grants, "token" and "code"; the code sample discussed here implements the "code" grant type.
The sample shows how you can let Google, Facebook or Live Connect manage the authentication on your behalf, saving you the hassle of setting up a user database and saving the site's users from having to create yet another user name & password. Upon successful authentication, the code fetches the name of the user stored by that OAuth 2.0 Provider through the Provider's API.

To try that sample on your own, create an empty ASP.NET WebForms application in Visual Studio and copy the code in the sample to a WebForms page. Add a reference to Newtonsoft.Json.dll. You will need to replace values of some of the parameters like client_id and client_secret with values specific to your application (refer to Step 1 below). The URL of the single web page you are building will have to be assigned to the redirect_uri variable in the code.

These are the 3 basic steps required to outsource your web application's authentication process to a third-party OAuth 2.0 Provider:
1. Register your application with the OAuth 2.0 Provider - The links below will take you to the respective Provider's developer dashboards, where you can get the values for the parameters required in the code.
2. Obtain an access token from the Google/Facebook/Live Connect Authorization Server - An access token is a random string that gives an app temporary and secure access to the Provider's APIs. Before your application can access private data using the OAuth 2.0 Provider's API, it must obtain an access token that grants access to that API.
3. Send the access token to an API - After an application obtains an access token, it sends the token to an OAuth 2.0 Provider's API in an HTTP Authorization header.
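Here is how the three steps look in a single WebForms code-behind, as an added example that is not the tutorial's code: the page redirects the browser to Google's authorization endpoint with a random state value, exchanges the returned code for an access token, and then calls the user-info API with the token in the Authorization header. The endpoint URLs are Google's (check them against the Provider's documentation, and swap them for Facebook or Live Connect); ClientId, ClientSecret, RedirectUri and the lblName label are placeholders you supply.

```csharp
// Added example: one WebForms page (Default.aspx.cs) running the "code" grant against Google.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web;
using System.Web.UI;
using Newtonsoft.Json.Linq;
public partial class Default : Page
{
    const string ClientId = "YOUR_CLIENT_ID";                        // placeholder from Step 1
    const string ClientSecret = "YOUR_CLIENT_SECRET";                // placeholder; never send to the browser
    const string RedirectUri = "https://localhost:44300/Default.aspx"; // must match the registered URL exactly
    const string AuthorizeUrl = "https://accounts.google.com/o/oauth2/v2/auth";
    const string TokenUrl = "https://oauth2.googleapis.com/token";
    const string UserInfoUrl = "https://www.googleapis.com/oauth2/v3/userinfo";
    protected void Page_Load(object sender, EventArgs e) => RegisterAsyncTask(new PageAsyncTask(RunFlowAsync));
    async Task RunFlowAsync()
    {
        string code = Request.QueryString["code"];
        if (code == null)
        {
            // Step 2a: send the user to the Authorization Server; 'state' is a per-session random value.
            string state = Guid.NewGuid().ToString("N");
            Session["oauth_state"] = state;
            Response.Redirect(AuthorizeUrl + "?response_type=code&scope=openid%20profile"
                + "&client_id=" + HttpUtility.UrlEncode(ClientId) + "&redirect_uri=" + HttpUtility.UrlEncode(RedirectUri)
                + "&state=" + state, false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Reject callbacks whose state does not match the one this session issued (CSRF protection).
        if ((string)Session["oauth_state"] != Request.QueryString["state"]) throw new HttpException(400, "state mismatch");
        Session.Remove("oauth_state");
        using (var http = new HttpClient())
        {
            // Step 2b: exchange the one-time code for an access token in a server-to-server POST.
            var form = new FormUrlEncodedContent(new Dictionary<string, string> {
                {"code", code}, {"client_id", ClientId}, {"client_secret", ClientSecret},
                {"redirect_uri", RedirectUri}, {"grant_type", "authorization_code"} });
            var tokenResponse = (await http.PostAsync(TokenUrl, form)).EnsureSuccessStatusCode();
            string accessToken = (string)JObject.Parse(await tokenResponse.Content.ReadAsStringAsync())["access_token"];
            // Step 3: present the token to the Provider's API in the Authorization header.
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            lblName.Text = HttpUtility.HtmlEncode((string)JObject.Parse(await http.GetStringAsync(UserInfoUrl))["name"]);
        }
    }
}
```

The @Page directive of the .aspx needs Async="true" for RegisterAsyncTask to run.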

References:
Using OAuth 2.0 for Web Server Applications
OAuth 2.0 with Live Connect
