protected void Page_Load(object sender, EventArgs e)
{
var url = HttpContext.Current.Request.Url;
FacebookOAuthResult oauthResult;
var oauthClient = new FacebookOAuthClient { AppId = AppId, AppSecret = AppSecret, RedirectUri = new Uri(_silverlightFacebookCallback) };
if (oauthClient.TryParseResult(url, out oauthResult))
{
if (oauthResult.IsSuccess)
{
var result = (IDictionary<string, object>)oauthClient.ExchangeCodeForAccessToken(oauthResult.Code);
AccessToken = result["access_token"].ToString();
Label1.Text = AccessToken;
}
else
{
ErrorDescription = oauthResult.ErrorDescription;
}
Response.Cache.SetCacheability(HttpCacheability.NoCache);
}
else
{
Response.Redirect("~/");
}
}
public ActionResult FacebookCallback()
{
var oauthClient = new FacebookOAuthClient(FacebookApplication.Current) { RedirectUri = GetFacebookRedirectUri() };
FacebookOAuthResult oAuthResult;
if (oauthClient.TryParseResult(Request.Url, out oAuthResult))
{
if (oAuthResult.IsSuccess)
{
if (!string.IsNullOrWhiteSpace(oAuthResult.Code))
{
string returnUrl = null;
try
{
if (!string.IsNullOrWhiteSpace(oAuthResult.State))
{
dynamic state = JsonSerializer.Current.DeserializeObject(Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State)));
if (!state.ContainsKey("csrf_token") || !ValidateFacebookCsrfToken(state.csrf_token))
{
// someone tried to hack the site.
return RedirectToAction("Index", "Home");
}
if (state.ContainsKey("return_url") && !string.IsNullOrWhiteSpace(state.return_url))
{
returnUrl = Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State));
}
}
}
catch (Exception)
{
// catch incase user puts his own state,
// Base64UrlDecode might throw exception if the value is not properly encoded.
return RedirectToAction("Index", "Home");
}
try
{
var result = (IDictionary<string, object>)oauthClient.ExchangeCodeForAccessToken(oAuthResult.Code);
ProcessSuccesfulFacebookCallback(result);
// prevent open redirection attacks. make sure the returnUrl is trusted before redirecting to it
if (!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Facebook");
}
}
catch (FacebookApiException)
{
// catch incase the user entered dummy code or the code expired.
}
}
return Redirect("~/");
}
return View("FacebookCallbackError", oAuthResult);
}
return Redirect("~/");
}
public FacebookAuthorizationModule(FacebookClient fb, FacebookOAuthClient fbOAuthClient, IAppUserMapper userMapper)
: base("/facebook")
{
_fb = fb;
_userMapper = userMapper;
Get["/login"] = _ =>
{
string returnUrl = Request.Query.returnUrl;
dynamic parameters = new ExpandoObject();
parameters.scope = ExtendedPermissions;
parameters.state = Base64UrlEncode(Encoding.UTF8.GetBytes(
JsonSerializer.Current.SerializeObject(new { return_url = returnUrl })));
string loginUri = fbOAuthClient.GetLoginUrl(parameters).AbsoluteUri;
return Response.AsRedirect(loginUri);
};
Get["/login/callback"] = _ =>
{
FacebookOAuthResult oAuthResult;
var requestUrl = Request.Url.Scheme + "://" + Request.Url.HostName + Request.Url.BasePath + Request.Url.Path + Request.Url.Query;
if (fbOAuthClient.TryParseResult(requestUrl, out oAuthResult))
{
if (oAuthResult.IsSuccess)
{
if (!string.IsNullOrWhiteSpace(oAuthResult.Code))
{
string returnUrl = null;
try
{
if (!string.IsNullOrWhiteSpace(oAuthResult.State))
{
dynamic state = JsonSerializer.Current.DeserializeObject(Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State)));
if (state.ContainsKey("return_url") && !string.IsNullOrWhiteSpace(state.return_url))
returnUrl = state.return_url;
}
}
catch (Exception ex)
{
// catch exception incase user puts custom state
// which contains invalid json or invalid base64 url encoding
return Response.AsRedirect("~/");
}
try
{
dynamic result = fbOAuthClient.ExchangeCodeForAccessToken(oAuthResult.Code);
DateTime expiresOn;
User user = ProcessSuccessfulFacebookCallback(result, out expiresOn);
if (user == null)
return Response.AsRedirect("~/");
// todo: prevent open redirection attacks. make sure the returnUrl is trusted before redirecting to it
return this.LoginAndRedirect(user.Identifier, expiresOn, returnUrl);
}
catch (Exception ex)
{
// catch incase the user entered dummy code or the code expires
// or no internet access or any other errors
}
}
return Response.AsRedirect("~/");
}
return View["FacebookLoginCallbackError", oAuthResult];
}
return Response.AsRedirect("~/");
};
}