Forum Xamarin.Forms

Integrate OAuth2 in Xamarin with WEB API


I posted this in "Libraries, Components, and Plugins" and I think that was wrong.
I apologize in advance for any dumb questions or if I'm posting in the wrong location, im new to this forum.

I have a question regarding the integration between OAuth2Authenticator and Web API.
So currently I have a standard ASP.Net Web API running and I use POST/GET/PUT/DELETE methods from my Xamarin mobileapp to register users, change users etc.

I've managed to, with 0Auth2Authenticator, get a working Google and Facebook authentication. I get a access_token in return and that token is used to get profile information, works like a charm.

My only problem is HOW do i save that information in my Web API so that I can know who has registrered through social media login? I understand that some people don't want to save that information anywhere, but I would like to so I can save their settings and their activity.

I Understand that I should be using the /api/Account/RegisterExternal url of the WebAPI, but there are only tutorials, documentation and guides for that using a web application. and in thoose cases they use the customized URL combination of your web api webpage (eg: h t t p : / / WEBSITE.COM/api/Account/ExternalLogin?provider=Google&response_type=token&client_id=self&redirect_uri=REDIRECT_URL&state=SOME_STRANGE_ID_FROM_WEB_API)

Please could someone guide me to any information?



  • batmacibatmaci DEMember ✭✭✭✭✭

    how did you accomplish this? normally your app should be doing authentication, not your web api. this is also against Apple and Googles terms and condition. you may get your app removed from the store. I visualize for you the correct and best way to work with login providers and web api.

    Using Google, Facebok, Amazon, Twitter etc. You use native logins for ios and android. Basically using. Xamarin.Android.Facebook and Xamarin.IOS,Facebook on native level with dependency injection. You receive an access token. This token can be used to store in Firebase Authentication and Firebase will give you another access token(JWT TOKEN). Schema is like below.
    What is the advantage of using Firebase Authentication? You dont have to store user information or expiry date, expiry calculation. Because google tokens expire every 24 hours and Facebook 1 year or never.
    Next time user comes to your app, you make a firebase check and firebase will handle everything for you. Your user will never have to login again unless he logs out.
    This schema works also with username and password, firebase gives you free username, password database store and api.

    And you create an Web api to sync user data. You want to log using JWT token. I couldnt find a way to integrate it using Web api but using Web api core, it is very straightfoward, 1 line of code. Please see the SO answer and article below

    In xamarin Share library you pass the jwt token as authentication and api core takes it verifies it using firebase and in your controller function, you will have userid provided by firebase. name and email also i believe. Storing these 2 information against google policy if your app targets under 13 years old users.

  • EsselitowEsselitow Member ✭✭

    Hey, Thanks for the response!
    I am currently using Xamarin.Auth to authenticate with Facebook/Google, so I am NOT currently storing anything. I just assumed that this would be the way to go.

    But if storing the email/name is against policy, how come so many applications use google login and store personolized settings and save the username etc? Do they only target 13+ users then?

    Also, is there a big difference between web api and web api core? (sorry if this is a really dumb question)


  • sparkist97sparkist97 Member ✭✭

    For web auth, you normally send username/email and password in a POST request then if successful you'd get a JWT (if the server supports it) or something else if your service uses another scheme. From now on, you'd need to send the JWT in request header so you have to store it. Now it's your responsibility to store it securely and Xamarin.Essentials has SecureStorage for such purposes.

    To "track" users, if it's legal, you can store things like user id WITHOUT ANY AUTH INFO

  • EsselitowEsselitow Member ✭✭


    Hey, Thanks for the response!
    I think I have to read up on JWT and also consider the Firebase that @batmaci was refering to!
    At first glance it seems like Firebase is not free, and Im doing this project as a hobby, so I will have to do some deep diving in that.

    I think my original post maybe didn't explain everything too well, I wanted to briefly explain everything but not post to much at the same time :smile:

    I am not "tracking" the users in that matter, for example, in my App the user can create an actual Event that people can join. this Event can be either open or closed. if it's closed the person who created the event can approve/decline users who wish to join the event. For this reason I need to be able to tie the event to the user, to do that I need to store SOMETHING about the user that connects them to the account. My initial Idea was, because I already store email+password of manually created users, to do the same for Social Media login. But I really don't care and I'd prefer to store as LITTLE data as possible, so only a token or a unique ID would be prefered.


  • batmacibatmaci DEMember ✭✭✭✭✭
    edited October 2019

    Storing password isnt legal. you can store email though. thats why you should work with JWT. I understood what you are doing because initially i started like you but concept of mobile authentication is totally different than website or similar. I would suggest you to go through this documentation. it is one of the best tutorial. Although it is written for Azure as JWT token storage or provider. it can be applied for firebase as well. I started with azure but switched to firebase because it is totally free. Azure has limitations although it is easier to work with.

    another good article

    Web api and api core has no big difference. but Api core has JWT token authentication nuget package makes things easier. At the time i built my api. i couldnt find a good solution for web api.

    like @Esselitow said, you need to send jwt token in the header. You shouldnt pass user name password to your api for security purpose as well. jwt token decryption will return you userid on the server side. thats how you authenticate user. Not with linq query password=password :)

  • sparkist97sparkist97 Member ✭✭

    this obviously needs a backend service and only an app isn't simply enough

    you have to have a backend service that has a database in which you'd store events and such and also users' info. If you'd like to go with simple username/email & password auth then you'd need to store passwords hashed then if a login is successful the service returns a JWT that your app will use to authenticate and authorize users

    you can use OAuth2 directly within the app then send some required info to the database to be stored like username, email, names and what not

    Do you have a backend?

  • EsselitowEsselitow Member ✭✭

    @batmaci Thanks for the in-depth response, I will make sure to go through the documentation you provided. Would Firebase than replace my current ASP .Net Web Api or would I run my web api in Firebase?

    @sparkist97 Yes I have a ASP .Net Web Api running backend, making POST/DELETE/PUT/UPDATE calls towards from the mobile-app. The web api has a database running on it for storage.


Sign In or Register to comment.