I'm implementing Identity in ASP.NET Core 3 and having a bit of a problem understanding the flow of external login authentication, as are my users.
Things start clearly enough:
As expected I'm prompted to pick a Google identity:
Now at this point I'd expect to see a dialog such as the following, asking for permission to grant my app access to various pieces of the Google identity:
But that dialog never happens.
What does happen next is:
The above process step seems completely non-standard to any OAuth flow I've ever seen. I've already given it which Google identity I'm using; the email address is unambiguous. So this dialog seems extraneous and just confuses my users. Is there a reason for this step that I am not understanding?
...And back to the permission dialog above that I would have expected to get there, this never occurs. Why is the app able to accept a Google login without granting access via that dialog?




It seems Google will automatically grant the OpenID Connect scopes (openid profile email) after creating the application. You can verify the scopes in the console --> OAuth consent screen.

But if you also want to require additional sensitive scopes, you still need to grant permission dynamically during authentication.

That is because you enabled ASP.NET Core Identity. In ASP.NET Core Identity, for external login, after authentication, Identity will help create a local user associated with the external login user. After scaffolding Identity in ASP.NET Core projects, you can check the ExternalLogin.cshtml.cs file inside the Areas/Identity/Pages/Account folder. In the function OnGetCallbackAsync you will find that Identity checks the external login user information and confirms whether a local user is associated with the external user: if yes, it signs in the user; if no, it redirects the user to another page to ask the user to create an account in the local database.

If you don't need that feature, just remove ASP.NET Core Identity or customize the OnGetCallbackAsync function to skip the process.
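
The customization described in the answer above, as an added example that is not part of the original answer or the scaffolded Identity code: a replacement page model whose OnGetCallbackAsync creates and links the local user automatically instead of redirecting to the confirmation form. It assumes the default IdentityUser type, a provider that returns an email claim, and that ExternalLogin.cshtml no longer references the removed form properties.

```csharp
// Added example, not the scaffolded file. Assumes the default IdentityUser type.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

[AllowAnonymous]
public class ExternalLoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public ExternalLoginModel(SignInManager<IdentityUser> s, UserManager<IdentityUser> u)
    { _signInManager = s; _userManager = u; }

    // Starts the challenge against the external provider (for example "Google").
    public IActionResult OnPost(string provider, string returnUrl = null)
    {
        var callback = Url.Page("./ExternalLogin", pageHandler: "Callback", values: new { returnUrl });
        var props = _signInManager.ConfigureExternalAuthenticationProperties(provider, callback);
        return new ChallengeResult(provider, props);
    }

    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null)
    {
        returnUrl = returnUrl ?? Url.Content("~/");
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToPage("./Login");

        // This external identity is already linked to a local user: sign in.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded) return LocalRedirect(returnUrl);
        if (result.IsLockedOut) return RedirectToPage("./Lockout");

        // No local user yet: create one from the email claim instead of showing the form.
        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        if (string.IsNullOrEmpty(email)) return RedirectToPage("./Login");
        var user = new IdentityUser { UserName = email, Email = email };
        // CreateAsync fails when the user name is already taken. Do not attach the
        // external login to that existing account without proof of ownership.
        var created = await _userManager.CreateAsync(user);
        if (!created.Succeeded) return RedirectToPage("./Login");
        if (!(await _userManager.AddLoginAsync(user, info)).Succeeded) return RedirectToPage("./Login");
        await _signInManager.SignInAsync(user, isPersistent: false);
        return LocalRedirect(returnUrl);
    }
}
```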