How to create a controller action that allows a hashtag instead of question mark in the query string

I am trying to get Google OAuth to work in a Blazor Server App. Note that what I need is NOT login functionality. Instead, I want to call the Calendar API for a user, and the end user needs to authorize this which, as I understand it, is a different user flow.

In this user flow, the user is directed to a url like this:

https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/calendar&include_granted_scopes=true&response_type=token&state=12345&redirect_uri=https%3A//localhost:7115/api/gauth&client_id=test.apps.googleusercontent.com

This initiates the Google Authorization Prompt and the user authorizes it, and then Google sends a callback to the redirect_uri which is included in the above url.

The problem is that the callback querystring is formatted like this according to the documentation: https://oauth2.example.com/callback#access_token=xyz&token_type=Bearer&expires_in=3600

Note the use of the hashtag, instead of the question mark. The callback is a Controller method, not a browser, so it ignores everything after the hashtag. Thus, the controller action does not get any of the parameters.

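using System.Numerics;              // BigInteger
using Microsoft.AspNetCore.Mvc;     // ApiController, ControllerBase, HttpGet

[Microsoft.AspNetCore.Mvc.Route("api")]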
[ApiController]
public class GoogleScopeAuth : ControllerBase
{
    
    [HttpGet("gauth")]
    public async Task<ActionResult> Get(string? access_token = null, string? token_type = null, BigInteger? expires_in = null, string? state = null, string? error = null )
    {
        Console.WriteLine(access_token);
        Console.WriteLine(token_type);
        Console.WriteLine(expires_in);
        Console.WriteLine(state);
        return Ok();
    }
}

How do I configure this so that the hashtag is converted to a question mark so it gets properly processed?

I am a newbie at Google OAuth, so if I am missing something, let me know.

What I am trying to do is capture the access token so I can use it to keep the app's calendar in sync with the user's Google Calendar (insert Events into the Google Calendar).

The Google Docs

Query Strings vs. Fragments

How do I configure this so that the hashtag is converted to a question mark so it gets properly processed?

You can't. ?'s are query strings. #'s are fragments.

The clear difference is that # fragments are NOT part of the HTTP request itself. Think of it more like a bookmark that only the browser is aware of. Fragments can’t be read from the HTTP request. So, you can’t read the token after the #, nor can you tell the browser, the identity provider or the HTTP to do it differently.

Learn More

OIDC and authorization flows

Based on the format of the query string, I’m guessing you’re trying to use “implicit grant” authentication flow. This is not recommended.

Is OAuth Implicit flow dead?
https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead

Microsoft doesn’t recommend using Implicit grant.
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0#use-the-authorization-code-flow-with-pkce

Blazor

From what I found, Implicit flow in Blazor is broken. I found the following GitHub issue which is closed due to inactivity. Based on the information above, I would GUESS it’s broke and a won’t fix unless there is a necessary amount of demand.

Use the authorization code flow to authenticate and access the Google APIs. More information can be found here.

https://blazorschool.com/tutorial/blazor-server/dotnet7/authentication-with-google-oauth-700535
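
A sketch of the authorization code flow recommended above, added as an example and not code from the original post or from the linked tutorial: the code comes back as `?code=...`, which the controller can read, and is exchanged server-side for the access token. The controller name, cookie name and configuration keys are hypothetical; it assumes an ASP.NET Core project with implicit usings and `AddHttpClient()` registered.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;

[Route("api")]
[ApiController]
public class GoogleCodeFlowController : ControllerBase   // hypothetical name
{
    private const string AuthUrl = "https://accounts.google.com/o/oauth2/v2/auth";
    private const string TokenUrl = "https://oauth2.googleapis.com/token";
    private const string RedirectUri = "https://localhost:7115/api/gauth";
    private const string StateCookie = "g_oauth_state";   // hypothetical cookie name
    private readonly IHttpClientFactory _http;             // assumes builder.Services.AddHttpClient()
    private readonly IConfiguration _cfg;                  // assumed keys: Google:ClientId, Google:ClientSecret
    public GoogleCodeFlowController(IHttpClientFactory http, IConfiguration cfg) { _http = http; _cfg = cfg; }

    [HttpGet("gauth/start")]
    public IActionResult Start()
    {
        // Random state, bound to this browser by a short-lived cookie.
        var state = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        Response.Cookies.Append(StateCookie, state, new CookieOptions
            { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Lax, MaxAge = TimeSpan.FromMinutes(10) });
        return Redirect(QueryHelpers.AddQueryString(AuthUrl, new Dictionary<string, string?> {
            ["client_id"] = _cfg["Google:ClientId"], ["redirect_uri"] = RedirectUri,
            ["response_type"] = "code",   // returned as ?code=..., so the server sees it
            ["scope"] = "https://www.googleapis.com/auth/calendar", ["state"] = state }));
    }

    [HttpGet("gauth")]
    public async Task<IActionResult> Callback(string? code = null, string? state = null, string? error = null)
    {
        var expected = Request.Cookies[StateCookie];
        Response.Cookies.Delete(StateCookie);               // state is single-use
        if (error is not null || code is null || state is null || expected is null ||
            !CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(state), Encoding.UTF8.GetBytes(expected)))
            return BadRequest("Authorization failed or state mismatch.");
        // Server-to-server exchange: the client secret and tokens never pass through the browser.
        var form = new FormUrlEncodedContent(new Dictionary<string, string?> {
            ["code"] = code, ["client_id"] = _cfg["Google:ClientId"], ["client_secret"] = _cfg["Google:ClientSecret"],
            ["redirect_uri"] = RedirectUri, ["grant_type"] = "authorization_code" });
        using var resp = await _http.CreateClient().PostAsync(TokenUrl, form);
        if (!resp.IsSuccessStatusCode) return StatusCode(StatusCodes.Status502BadGateway);
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var accessToken = doc.RootElement.GetProperty("access_token").GetString();
        // Store accessToken server-side for this user (storage not shown); do not log or echo it.
        return Redirect("/");
    }
}
```

The `state` check ties the callback to the browser that started the flow, so a code injected by a third party is rejected before any token exchange happens.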
