OAuth 2.0 in ASP.NET Web API Registration Flow


Here is the default flow of registering a user in Web API. All of these routes can be found in the AccountController:

  • The user requests a list of the login providers using the GetExternalLogins route, passing a return URL as a parameter. This returns an array of provider objects, each containing the provider's name and the route that should be requested in order to log in with it (each configured to use the given return URL).

    e.g. GET: /api/Account/ExternalLogins?returnUrl=/callback&generateState=true, where the requested return URL is /callback

  • The user calls one of these returned URLs in a browser, where they're redirected to the provider's login page. Once logged in, the provider passes a cookie back to ASP, which handles the creation of an external user account.

  • The user is then redirected to the return URL they passed in the first step. An external access token is passed back to the user, appended to the URL as a fragment (#) parameter rather than a query-string parameter. This token can only be used on select routes, such as RegisterExternal.

  • The user now sends a POST request to RegisterExternal, using the new external access token as a Bearer token. ASP then creates a new ApplicationUser and returns a proper access token which can be used on any route.
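The client side of the four steps above, as an added example that is not part of the original post or of the Web API template: it builds the step-1 request, parses the token out of the step-3 redirect fragment (checking the state value against the one the client kept), and assembles the step-4 RegisterExternal request. The fragment key names (access_token, token_type, expires_in, state), the host name and the callback URL are assumptions constructed for the example.

```python
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs

API_BASE = "https://api.example.invalid"  # placeholder host (assumption)


def external_logins_url(api_base, return_url, generate_state=True):
    """Step 1: the GetExternalLogins request that lists the configured providers."""
    query = urlencode({"returnUrl": return_url,
                       "generateState": "true" if generate_state else "false"})
    return f"{api_base}/api/Account/ExternalLogins?{query}"


def parse_callback(redirected_url, expected_state):
    """Step 3: pull the external token out of the URL fragment.

    The token must be in the fragment (never the query string), and the state
    must match the one the client stored before following the provider URL.
    """
    parts = urlsplit(redirected_url)
    if "access_token" in parse_qs(parts.query):
        raise ValueError("access_token must arrive in the fragment, not the query")
    frag = parse_qs(parts.fragment)
    token = frag.get("access_token", [None])[0]
    state = frag.get("state", [None])[0]
    if not token:
        raise ValueError("no access_token in fragment")
    # constant-time comparison so the state check is not timing-dependent
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible forged or replayed callback")
    return {"access_token": token,
            "token_type": frag.get("token_type", [""])[0],
            "expires_in": int(frag.get("expires_in", ["0"])[0])}


def register_external_request(api_base, external_token, email):
    """Step 4: POST to RegisterExternal with the external token as Bearer."""
    return {"method": "POST",
            "url": f"{api_base}/api/Account/RegisterExternal",
            "headers": {"Authorization": f"Bearer {external_token}",
                        "Content-Type": "application/json"},
            "body": {"Email": email}}


def demo():
    """Walk the flow with a constructed callback URL (not a real token)."""
    state = "s3cr3tstate"
    cb = ("https://app.example.invalid/callback"
          "#access_token=EXTTOKEN123&token_type=bearer&expires_in=1209600&state=" + state)
    token = parse_callback(cb, state)["access_token"]
    return register_external_request(API_BASE, token, "user@example.invalid")
```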