.NET 6 Google Authentication - Allow user to set password before signing In

Time:08-01

I have added Google authentication in a .NET 6 application. Everything is working fine. The user is redirected to Google for authentication and after successful authentication redirected back to my application callback URL.
So after successful authentication, the authentication middleware signs in the user and creates a cookie.

What I want is that before the user is signed in and the cookie is created, I want the user to enter a password, like redirecting the user to a set password page, but by the time the callback method is called after authentication, the user is already signed in and the cookie has been created. I want to create a cookie and log a user in only after the user enters the password.

It's like the user has authenticated through Google but I want them to set the password as well so I can save it in the database.

Program.cs

services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
            options.SlidingExpiration = true;
            options.AccessDeniedPath = "/Error/Forbidden/";
            options.LoginPath = "/account/register/";
        })
        .AddGoogle(googleOptions =>
        {
            googleOptions.ClientId = "*******";
            googleOptions.ClientSecret = "********";
            googleOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            
        });    

AccountController.cs

public async Task GoogleAuth()
{
    await HttpContext.ChallengeAsync(GoogleDefaults.AuthenticationScheme, new AuthenticationProperties
    {
        RedirectUri = Url.Action("AuthCallback", "Account")
    });
}    

public async Task<IActionResult> AuthCallback()
    {
        //This method is called when a user successfully authenticates with Google.    
        //At this point, the user is signed in and a cookie has been created.    
        //I want the user to enter their password before they are signed in.
    }

CodePudding user response:

You could add a temp cookie authentication scheme and set that for Google SignInScheme.

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
    options.SlidingExpiration = true;
    options.AccessDeniedPath = "/Error/Forbidden/";
    options.LoginPath = "/account/register/";
})
.AddGoogle(googleOptions =>
{
    googleOptions.ClientId = "*******";
    googleOptions.ClientSecret = "********";
    googleOptions.SignInScheme = "temp-cookie"; // change here
})
.AddCookie("temp-cookie", options => // add temp-cookie scheme
{
    options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
    options.SlidingExpiration = true;
    options.AccessDeniedPath = "/Error/Forbidden/";
    options.LoginPath = "/account/register/";
});   

Check for the temp-cookie scheme in the callback and set the default scheme after the user sets the password.

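public async Task<IActionResult> AuthCallback()
{
    // check for temp-cookie authentication
    var result = await HttpContext.AuthenticateAsync("temp-cookie");
    if (!result.Succeeded)
    {
        // no valid temporary cookie: the Google sign-in did not complete
        return Redirect("/account/register/");
    }

    return View("SetPassword");
}

public async Task<IActionResult> SetPassword()
{
    ...
    // after setting the password

    var result = await HttpContext.AuthenticateAsync("temp-cookie");
    if (!result.Succeeded)
    {
        // result.Principal is null here, so do not attempt to sign in
        return Redirect("/account/register/");
    }

    // sign in the user with default cookie scheme
    // (named explicitly because no DefaultSignInScheme is configured)
    await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, result.Principal);

    // delete temporary cookie
    await HttpContext.SignOutAsync("temp-cookie");

    return LocalRedirect("/"); // destination is an assumption
}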
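
A fuller version of the SetPassword POST action, added here as an example and not part of the original answer: it refuses to proceed without a valid temp-cookie, stores only a salted hash via ASP.NET Core's PasswordHasher<TUser>, and names the sign-in scheme explicitly. AppUser, IAppUserStore, the 12-character minimum and the redirect targets are assumptions for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical user type and store (assumptions, not from the original post).
public record AppUser(string GoogleId, string Email) { public string? PasswordHash { get; set; } }
public interface IAppUserStore { Task SaveAsync(AppUser user); }

public class AccountController : Controller
{
    private readonly IAppUserStore _users;
    private readonly IPasswordHasher<AppUser> _hasher = new PasswordHasher<AppUser>();
    public AccountController(IAppUserStore users) => _users = users;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> SetPassword(string password)
    {
        // The temporary cookie is the only proof that the Google sign-in completed.
        var temp = await HttpContext.AuthenticateAsync("temp-cookie");
        if (!temp.Succeeded || temp.Principal is null)
            return Redirect("/account/register/");

        // Claim types as mapped by the Google handler's default claim actions.
        var googleId = temp.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var email = temp.Principal.FindFirst(ClaimTypes.Email)?.Value;
        if (googleId is null || email is null)
            return Redirect("/account/register/");
        if (string.IsNullOrEmpty(password) || password.Length < 12) // assumed policy
            return View(); // redisplay the form

        // Store a salted PBKDF2 hash, never the password itself.
        var user = new AppUser(googleId, email);
        user.PasswordHash = _hasher.HashPassword(user, password);
        await _users.SaveAsync(user);

        // Issue the real session cookie from a fresh identity under the main scheme.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, googleId), new Claim(ClaimTypes.Email, email) },
            CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));

        // Drop the temporary cookie so it cannot be replayed against this action.
        await HttpContext.SignOutAsync("temp-cookie");
        return LocalRedirect("/"); // assumed landing page
    }
}
```

Because DefaultAuthenticateScheme stays on the main cookie scheme, [Authorize] endpoints do not accept the temp-cookie, so a user who abandons the password step holds no usable session.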