
I am working with OAuth in my ASP.NET API for a web app + mobile app. Let's use Google as an example here: the user authenticates using the Google provider, then Google calls my API and I issue a redirection to my web app / go back to the mobile app.

When I authenticate with email using my own API, I typically send the refresh token and access token in the API response, but since there is a redirection this is not allowed.

My question is: how do I handle sending tokens in OAuth while redirecting?

This is the method used for redirection:

[HttpGet("signin-google")]
[AllowAnonymous]
public async Task<IActionResult> GoogleResponse([FromQuery] string returnUrl, CancellationToken cancellationToken)
{
    var authenticateResult = await HttpContext.AuthenticateAsync(GoogleDefaults.AuthenticationScheme);

    if (!authenticateResult.Succeeded)
        return BadRequest("Google authentication failed.");

    var claims = authenticateResult.Principal.Identities.FirstOrDefault()?.Claims;
    var email = claims?.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value;
    // var ipAddress = HttpContext.Connection.RemoteIpAddress.MapToIPv6().ToString();

    if (string.IsNullOrEmpty(email))
        return BadRequest("Email not found");

    var result = await _authenticationService.SignInWithProviderAsync("google", email, cancellationToken);

    return result.Match<IActionResult, SignInResponse>(success =>
    {
        return Redirect("http://localhost:3000");
    }, BadRequest);
}
  • This code "smells" like it's ASP.NET Core - so please use the appropriate tags! .net-8.0 (or whatever version you're using) and asp.net-core-webapi to make it clear to anyone reading your question what the platform in use is ... Commented Mar 27 at 5:12
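
One common way to handle this handoff, shown as an added example that is not part of the original question: the callback puts only a short-lived, single-use code in the redirect URL, and the client then POSTs that code to the API and receives the tokens in a normal response body. `TokenPair`, `HandoffCodeStore` and the `/auth/callback` route are hypothetical names, and the in-memory store assumes a single API instance.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical token pair; stands in for whatever SignInWithProviderAsync returns on success.
public sealed record TokenPair(string AccessToken, string RefreshToken);

// Hypothetical in-memory store for single-use handoff codes (assumes one API instance).
public sealed class HandoffCodeStore
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    private readonly ConcurrentDictionary<string, (TokenPair Tokens, DateTimeOffset Expires)> _codes = new();

    // Called in the OAuth callback after sign-in succeeds; only the opaque code goes into the URL.
    public string Issue(TokenPair tokens)
    {
        var now = DateTimeOffset.UtcNow;
        foreach (var kv in _codes)                       // sweep codes that expired without being redeemed
            if (kv.Value.Expires <= now) _codes.TryRemove(kv.Key, out _);
        var code = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _codes[code] = (tokens, now.Add(Lifetime));
        return code;
    }

    // Called from a POST endpoint; TryRemove makes the code single-use even under concurrent requests.
    public TokenPair? Redeem(string code)
    {
        if (!_codes.TryRemove(code, out var entry)) return null;
        return entry.Expires > DateTimeOffset.UtcNow ? entry.Tokens : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new HandoffCodeStore();
        var code = store.Issue(new TokenPair("constructed-access", "constructed-refresh"));
        // In the callback this replaces Redirect("http://localhost:3000"):
        var redirect = $"http://localhost:3000/auth/callback?code={code}";
        // The front end then POSTs the code; a second attempt with the same code must fail.
        var first = store.Redeem(code);
        var replay = store.Redeem(code);
        Console.WriteLine($"{redirect.Length} chars, first: {first is not null}, replay: {replay is not null}");
    }
}
```

The tokens themselves never appear in the URL, so they stay out of browser history, server access logs and `Referer` headers; only the code does, and it is useless after one redemption or 60 seconds.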
