Securing the Backing API of Your Xamarin App With Social Logins and ASP.NET Core 2, Part 1

So you’ve got a Xamarin app that calls a REST API you wrote with ASP.NET Core 2 and you want users to be able to log in to your app with Google, Facebook or Twitter accounts? And you also want that login to happen on the server, not just in your app? In this series I will explain my approach.

Choosing the OAuth flow

Anyway. When you want to use social login for your application, you need to adopt an OAuth flow. Since you’re authenticating a mobile app and you don’t want to store any client secrets on the user’s device, you’ll need to adopt an implicit flow. This actually quite easy because Xamarin provides almost everything you need to accomplish that. You can quite easily allow the user to login to your app using Facebook and others. The problem is that the user is logged on to your app, not to your backend service. Actually, this problem occurs no matter what OAuth flow you choose. Now you could send the authentication provider’s access token to your service on each request and let the service verify the token before processing the request. But do you really want that? That would mean that your service must call the authentication provider on each and every request. Apart from that being not very performant, I’m not sure if the authentication provider will play nicely with you if your service starts calling it a couple of thousand times a second (depending on your own traffic, that ist).

So what do? Implicit flow ok, but how? The answer is that your app will use the implicit flow to login on your own service, while your service, on the user’s behalf, logs on to the external authentication provider, handles its response, and, upon success, issues its own token to send back to your app. So what you’ve got is an implicit flow with an embedded code flow.

Sample App: Monkey Logon

I’ll be going through most of the steps necessary to create a sample app I called Monkey Logon (you log on to your app to get bananas). You can find the source code on If you’ve already created web applications with ASP.NET Core that use external authentication providers, you’ll find a lot of this very familiar. At the end of this article, we’ll have a web service that supports external authentication only (i.e. we’ll strip the ability to create a user name and password), and that allows users to log on in the browser.

So let’s get started. Open Visual Studio and create a new project and choose “New ASP.NET Core Web Application” from the project template dialog. Call this project “MonkeyLogon.Server”. Still on the “New ASP.NET Core Web Application” dialog, select “Change Authentication” and choose “Individual User Accounts”.



After that, click ok on each dialog and let Visual Studio scaffold a web application for you. Then, add a new API empty controller named “BananaController” into the “controllers” folder.

Next, we’ll delete all the files we don’t need in out application. We only want to allow users to log on using external authentication providers, we don’t want to store any passwords ourselves. So we will delete all files related to registration, user management and password authentication. So delete all files shown in the following screenshots (click on each thumbnail to enlarge).

Also, we’ll strip the AccountController of the methods we don’t nee. So in the file AccountController, delete all members shown next.


Also, we need to clean up the HTML views that used to provide access to the functionality we just removed. Remove the marked code in the files _LoginPartial.cshtml and Login.cshtml (click on each thumbnail to enlarge).

Now we’ve got a running web application that won’t allow us to log on to. Before we can add external authentication providers, we must add SSL support. This will be covered in the next article.

The sample code can be found at

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s