Rasmus Christensen

Reputation: 8531

Xamarin.Auth with facebook results in state - Explicit flow

I'm implementing Facebook login using the Xamarin.Auth component. I request a login from my backend (ASP.NET Web API), which returns a challenge result, and my app gets a redirect to the Facebook login. At the same time as the redirect I also get a popup in the app saying "Invalid state from server. Possible forgery!" I found it here in the source: https://github.com/xamarin/Xamarin.Auth/blob/master/src/Xamarin.Auth/OAuth2Authenticator.cs

If I investigate the request I can see a state is generated in the OAuth2Authenticator class.

My question: is this the best way to handle authentication in the current setup, or should I avoid letting my own backend redirect the app login? Instead, let the app log in directly with Facebook and then send the token from Facebook to my backend, where I'll verify it with a call to https://graph.facebook.com/me and then generate my own auth_token if the call is valid?

I just read Instagram login docs https://www.instagram.com/developer/authentication/

And it's exactly what I meant: Implicit or Explicit flow. For me, Explicit is not working with Xamarin.Auth against Facebook, due to the state.

Best regards

Upvotes: 1

Views: 646

Answers (1)

Zac

Reputation: 2373

Little late to the game here on this one, but I've run into the same issue recently with an ASP.NET Web API that I'm trying to connect to.

What I ended up doing was extending the OAuth2Authenticator class and overriding OnPageEncountered(). See below for a Xamarin.Android implementation:

using System;
using System.Collections.Generic;
using Xamarin.Auth;

public class DroidOAuth2Authenticator : OAuth2Authenticator
{
    ...

    // Called for every page the embedded browser loads; the base class
    // compares the "state" it finds here against the one it generated.
    protected override void OnPageEncountered(Uri url, IDictionary<string, string> query, IDictionary<string, string> fragment)
    {
        // Remove state from dictionaries.
        // We are ignoring request state forgery status
        // as we're hitting an ASP.NET service which forwards
        // to a third-party OAuth service itself
        if (query.ContainsKey("state"))
        {
            query.Remove("state");
        }

        if (fragment.ContainsKey("state"))
        {
            fragment.Remove("state");
        }

        base.OnPageEncountered(url, query, fragment);
    }
}

Granted, this removes the security warning for the user, but I'm not sure of any other way around it.

Upvotes: 5
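The following is an added model of the state round-trip behind the "Invalid state from server" error in the question and the override in the answer; it is constructed example code, not Xamarin.Auth's implementation, and the client id, redirect URI and authorization code are placeholders. It shows why the check fails when the backend starts the flow: the party that generates the state must be the party that verifies it, and a callback carrying a state the client never issued is indistinguishable from a forged one.

```python
"""Model of the OAuth2 'state' check performed by an authenticator.
Constructed example; not code from Xamarin.Auth or the answerer."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ClientAuthenticator:
    """Stands in for OAuth2Authenticator: issues a state, later checks it."""

    def __init__(self):
        self.expected_state = secrets.token_urlsafe(16)

    def authorize_url(self, base="https://www.facebook.com/dialog/oauth"):
        # Placeholder client id / redirect URI (constructed values).
        return base + "?" + urlencode({"client_id": "APP_ID_PLACEHOLDER",
                                        "redirect_uri": "myapp://callback",
                                        "state": self.expected_state})

    def on_page_encountered(self, url):
        """True only when the callback echoes the state this client issued."""
        parsed = urlparse(url)
        query = parse_qs(parsed.query)
        fragment = parse_qs(parsed.fragment)   # implicit flow puts it here
        state = (query.get("state") or fragment.get("state") or [None])[0]
        if state is None:
            return False                       # no state: treat as forgery
        return hmac.compare_digest(state, self.expected_state)


def backend_started_flow(client):
    """The asker's setup: the backend issues the challenge with its own
    state, so the callback carries the backend's state, not the client's."""
    backend_state = secrets.token_urlsafe(16)
    callback = "myapp://callback?code=CODE_PLACEHOLDER&state=" + backend_state
    return client.on_page_encountered(callback)   # False: state mismatch


def client_started_flow(client):
    """Same party generates and verifies the state: the check passes."""
    sent = parse_qs(urlparse(client.authorize_url()).query)["state"][0]
    callback = "myapp://callback?code=CODE_PLACEHOLDER&state=" + sent
    return client.on_page_encountered(callback)   # True
```

Dropping the state from the dictionaries, as the answer does, makes both flows pass and leaves the callback unbound to any request the app made; the alternative in the question (app talks to Facebook directly, backend verifies the token) keeps issuer and verifier in the same place.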
