Integration of Facebook and asp.net membership

╄→尐↘猪︶ㄣ 提交于 2019-12-03 00:50:04

Facebook uses OAuth 2.0. The only way you can authenticate a user is by sending the user to a Facebook login page, and redirecting back using their OAuth implementation. This essentually provides you with a user specific time limited access_token.

It isn't really a good fit for MembershipProviders, although it is possible to request offline_access permission which allows you perform authorized requests on behalf of the user at any time. The user has to agree to this. Facebook T&Cs are that you can't deny the user access to your site for not agreeing to extended permissions, so this again breaks the model.

I'm not saying it's not possible, it just doesn't seem worth the effort. You would be better off just using the forms authentication parts without membership. Setting up auth cookie & validating auth cookie based on facebook access_token.

For authentication with Facebook look at open source .NET OAuth libraries. I also wrote an article of Facebook integration which shows some integration techniques (and opinions) here.

Update based on you amended question:

Use Forms authentication cookie to store the unique identifier of your choosing (Facebook username for instance). You can also store the current access_token in the cookie.

if (OAuth.ValidateUser(username, user_access_token))
{  
  // store the user access token to make it available on each request
  string userData = user_access_token;

  FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                     // ticket version
    username,                              // authenticated username
    DateTime.Now,                          // issueDate
    DateTime.Now.AddMinutes(30),           // expiryDate
    isPersistent,                          // true to persist across browser sessions
    userData,                              // can be used to store additional user data
    FormsAuthentication.FormsCookiePath);  // the path for the cookie

  // Encrypt the ticket using the machine key
  string encryptedTicket = FormsAuthentication.Encrypt(ticket);

  // Add the cookie to the request to save it
  Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket));

  // Your redirect logic
  Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent));
}

Then override authenticate request to read the cookie and retrieve the user details.

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpCookie authCookie = Request.Cookie[FormsAuthentication.FormsCookieName];
    if(authCookie != null)
    {
        //Extract the forms authentication cookie
        FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

        // If caching roles in userData field then extract
        string user_access_token = authTicket.UserData;

        // Create the IIdentity instance, maybe use a custom one
        // possibly retrieve extra data from database or whatever here
        IIdentity id = new FacebookIdentity( authTicket, user_access_token );

        // Create the IPrinciple instance
        IPrincipal principal = new GenericPrincipal(id, new string[]{});

        // Set the context user 
        Context.User = principal;
    }
}

Then in your code on each request:

var username = Context.User.Identity.Username;
// implement as an extension method on IIdentity which types to
// FacebookIdentity to get user_access_token
var user_access_token = Context.User.Identity.Access_Token;

1 option: You should generate a password and send it by email to the user, for example:

Welcome to my superwebsite.com, login: foo@foo.com password:dhyfd46

Then if you see that the password is the original (generated) ask the user to change it for another one.

2nd option: you will never use a password, for you an account is a tuple (facebookID,email) (you will get it from the facebook Api) and if it will match this (the user will click om 'login with facebook', you will be able to create the user session

After the Edit:

Why not using the tuple (userId,facebookId) and if you have the fb Id you know the userId?

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!