
I use the standard OAuth functions that ship with MVC 4 to let users sign in with Google and Facebook. Everything was working fine until I used URL rewrite to remove the virtual directory name from my GoDaddy-hosted site (see http://support.godaddy.com/library/removing-virtual-application-name-from-urls/).

Facebook still works fine but Google now fails every time. Google redirects back to the correct URL, but when the OAuth library tries to grab the information from the URL it acts as if it's not there.

I can't figure out why, but I know it has something to do with the URL rewriting, as when I manually add the virtual directory name to the return URL it works (but Facebook breaks).

This is the code in web.config to remove the virtual directory:

<rule name="Remove Virtual Directory">
    <match url=".*" />
    <action type="Rewrite" url="{R:0}" />
</rule>

This is the OAuth code:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult ExternalLogin(string provider, string returnUrl)
{
    var action = Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl });
    return new ExternalLoginResult(provider, action);
}

//
// GET: /Account/ExternalLoginCallback

[AllowAnonymous]
public ActionResult ExternalLoginCallback(string returnUrl)
{
    var action = Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl });
    AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(action);
    //AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication();
    if (!result.IsSuccessful)
    {
        return RedirectToAction("ExternalLoginFailure");
    }

It all seems to fall apart here, even though the provider name is clearly visible in the URL:

public static string GetProviderName(HttpContextBase context)
{
    return context.Request.QueryString[ProviderQueryStringName];
}

EDIT:

I have been able to get it working for now by changing the external login handler to this:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        var action = Url.Action("ExternalLoginCallback", new {ReturnUrl = returnUrl});
        var mustHackGodaddy = provider == "google";
        if (mustHackGodaddy)
        {
            action = "/[virtual directory name]" + action;
        }
        return new ExternalLoginResult(provider, action);
    }

I wouldn't really call it a solution though. Can anyone shed some light on what is going on? I am wondering if the OAuth library thinks it is an XSS attack because of the rewritten URL. But it is strange that it only breaks for Google and that the requests are also issued from the same URL.

1
  • Note that I have also configured a route to handle URLs that have the virtual directory attached.
    – Nigel
    Commented Jun 11, 2013 at 22:14
