
I just recently started using IdentityServer4 (IS4), playing around with the samples and so on.

I have a setup where I run IS4 (using the included sample UI MVC) configured with Google as an external provider. I also have an API set up, as well as a client (MVC web app). When authenticating, and the user clicks “Google” in the “External Login” section, he/she is redirected to Google as expected. However, after supplying the username and password, I expected to see the Google consent screen, but instead I am redirected back to the consent screen in IS4. Why is that? Should the end user not give consent that his/her Google profile information is being accessed, on a page which is clearly from Google (i.e. HTTPS and Google’s certificate)?

I acknowledge that since I am also requiring consent from the user to access my API I might end up with 2 consent screens (one for profile info from Google, and one for API access from my own IS4 configuration), but if I did not have an API in my setup and simply wanted to use IS4 in a federated setup to provide ID tokens, I would not have a need for the consent of my own API and thus would expect only to see the consent screen from my external providers (e.g. Google, Facebook, Twitter, etc.).

I have my external provider configured like this:

using IdentityServer4;                                  // IdentityServerConstants
using Microsoft.Extensions.DependencyInjection;         // AddAuthentication / AddGoogle

// Inside Startup.ConfigureServices(IServiceCollection services)
services.AddAuthentication()
    .AddGoogle("Google", options =>
    {
        options.ClientId = "<my client id>";
        options.ClientSecret = "<my client secret>";
        // Store the Google identity in IS4's temporary external cookie
        // until the external-callback handler maps it to a local user.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    });

Could someone please enlighten me 🙂

Thanks

2 Answers


  1. You don’t have control once you redirect to the external IdP, since it is delegated authentication. I don’t know how Google has implemented its OAuth flows, but the following might be reasons why the consent screen is not shown:

    • You are not requesting any scopes that require user consent
    • The user already gave your client consent to access his/her info (you should be able to check this in the Google account pages)
    • Your client is configured to bypass consent screens (this is possible in IDS4 by setting the RequireConsent flag to false, but I doubt you can do this in Google as a 3rd-party OAuth client)
  2. From Google’s help:

    To set up your project’s consent screen and request verification:

    1. Go to the Google API Console OAuth consent screen page.
    2. Add required information like a product name and support email address.
    3. Click Add Scope.
    4. On the dialog that appears, select the scopes your project uses. Sensitive scopes display a lock icon next to the API name.
      • To select scopes for registration, you need to enable the API, like Drive or Gmail, from APIs & Services > API Library.
      • You must select all scopes used by the project.
    5. When you’re finished adding details to the OAuth consent screen, click Submit for verification.
    6. A Verification required window displays.
    7. Add scopes justification, a contact email address, and any other information that can help the team with verification, then click Submit.

    Note: The consent screen settings within the console are set at the project level, so the information that you specify on the Consent screen page applies across the entire project.

    So, what you need is to disable consent for your client in IdSrv and enable it in Google.

    Additionally, as described in this answer,

    By design, the consent screen is not shown in the scenario with account selection and profile/email scopes only requested…, since the account selection UI already shows the email and profile (name/picture) information that will be shared with the app.

    As added by @Mike Wilcox:

    When including a sensitive/restricted scope, if the app is not verified for the scopes added, you will see a “not verified” screen during the consent OAuth flow. You can pass through by clicking Advanced -> Go to [app_name] (unsafe).

    There is a playground: https://developers.google.com/oauthplayground/ where you can test this out.
    Click on the settings icon in the top right and then check the “Use your own OAuth Credentials” box to then enter your app creds. You can add scopes and test out there.

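The combination both answers arrive at (IS4 consent off for a first-party client, Google consent driven by the scopes you request), as an added example that is not code from the question, the answers or the IdentityServer4 project. It assumes IdentityServer4 4.x on ASP.NET Core 3.1 or later with the Microsoft.AspNetCore.Authentication.Google package; the client id “mvc”, its secret, the redirect URIs and the Drive read-only scope are placeholders chosen for illustration, and the `prompt=consent` parameter is added to cover the “user already gave consent” case from answer 1.

```csharp
// Added example: IdentityServer4 federating to Google with only Google's consent screen shown.
// Assumptions: IdentityServer4 4.x, ASP.NET Core 3.1+, Microsoft.AspNetCore.Authentication.Google.
// Client id/secret, redirect URIs and the Drive scope below are hypothetical placeholders.
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.DependencyInjection;

public static class FederationConfig
{
    // Identity resources the MVC client may ask IS4 for (no API scopes in this pure federation setup).
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };

    // The IS4 client. RequireConsent = false removes IS4's own consent page.
    // Only do this for first-party clients you control; third-party clients should keep consent on.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mvc",                                         // hypothetical
            ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireConsent = false,                                   // the flag answer 2 refers to
            RedirectUris = { "https://localhost:5002/signin-oidc" },  // hypothetical
            PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        }
    };

    // Called from Startup.ConfigureServices(IServiceCollection services).
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()     // dev only; use a real key in production
            .AddInMemoryIdentityResources(IdentityResources)
            .AddInMemoryClients(Clients);

        services.AddAuthentication()
            .AddGoogle("Google", options =>
            {
                options.ClientId = "<my client id>";
                options.ClientSecret = "<my client secret>";
                // Park the Google identity in IS4's external cookie, as in the question.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                // With only openid/profile/email Google shows the account chooser and no separate
                // consent page (answer 2). A sensitive scope (Drive read-only here, hypothetical)
                // makes Google show consent, and the "unverified app" interstitial until the
                // project is verified. The scope must also be listed on the project's OAuth
                // consent screen in the Google API Console.
                options.Scope.Add("https://www.googleapis.com/auth/drive.readonly");

                // Covers the "user already gave consent" case from answer 1: Google's authorization
                // endpoint accepts prompt=consent to re-show the consent screen every time.
                options.Events.OnRedirectToAuthorizationEndpoint = ctx =>
                {
                    ctx.Response.Redirect(QueryHelpers.AddQueryString(ctx.RedirectUri, "prompt", "consent"));
                    return Task.CompletedTask;
                };
            });
    }
}
```

After this change the user sees exactly one consent page, Google’s, and IS4 issues the ID token without asking again. If you later add an API to the setup, set `RequireConsent` back to `true` (or leave it off only for first-party clients) so that access to your own resources is still consented to in IS4.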