protected void Page_Load(object sender, EventArgs e) { var url = HttpContext.Current.Request.Url; FacebookOAuthResult oauthResult; var oauthClient = new FacebookOAuthClient { AppId = AppId, AppSecret = AppSecret, RedirectUri = new Uri(_silverlightFacebookCallback) }; if (oauthClient.TryParseResult(url, out oauthResult)) { if (oauthResult.IsSuccess) { var result = (IDictionary<string, object>)oauthClient.ExchangeCodeForAccessToken(oauthResult.Code); AccessToken = result["access_token"].ToString(); Label1.Text = AccessToken; } else { ErrorDescription = oauthResult.ErrorDescription; } Response.Cache.SetCacheability(HttpCacheability.NoCache); } else { Response.Redirect("~/"); } }
public ActionResult FacebookCallback() { var oauthClient = new FacebookOAuthClient(FacebookApplication.Current) { RedirectUri = GetFacebookRedirectUri() }; FacebookOAuthResult oAuthResult; if (oauthClient.TryParseResult(Request.Url, out oAuthResult)) { if (oAuthResult.IsSuccess) { if (!string.IsNullOrWhiteSpace(oAuthResult.Code)) { string returnUrl = null; try { if (!string.IsNullOrWhiteSpace(oAuthResult.State)) { dynamic state = JsonSerializer.Current.DeserializeObject(Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State))); if (!state.ContainsKey("csrf_token") || !ValidateFacebookCsrfToken(state.csrf_token)) { // someone tried to hack the site. return RedirectToAction("Index", "Home"); } if (state.ContainsKey("return_url") && !string.IsNullOrWhiteSpace(state.return_url)) { returnUrl = Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State)); } } } catch (Exception) { // catch incase user puts his own state, // Base64UrlDecode might throw exception if the value is not properly encoded. return RedirectToAction("Index", "Home"); } try { var result = (IDictionary<string, object>)oauthClient.ExchangeCodeForAccessToken(oAuthResult.Code); ProcessSuccesfulFacebookCallback(result); // prevent open redirection attacks. make sure the returnUrl is trusted before redirecting to it if (!string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) { return Redirect(returnUrl); } else { return RedirectToAction("Index", "Facebook"); } } catch (FacebookApiException) { // catch incase the user entered dummy code or the code expired. } } return Redirect("~/"); } return View("FacebookCallbackError", oAuthResult); } return Redirect("~/"); }
public FacebookAuthorizationModule(FacebookClient fb, FacebookOAuthClient fbOAuthClient, IAppUserMapper userMapper) : base("/facebook") { _fb = fb; _userMapper = userMapper; Get["/login"] = _ => { string returnUrl = Request.Query.returnUrl; dynamic parameters = new ExpandoObject(); parameters.scope = ExtendedPermissions; parameters.state = Base64UrlEncode(Encoding.UTF8.GetBytes( JsonSerializer.Current.SerializeObject(new { return_url = returnUrl }))); string loginUri = fbOAuthClient.GetLoginUrl(parameters).AbsoluteUri; return Response.AsRedirect(loginUri); }; Get["/login/callback"] = _ => { FacebookOAuthResult oAuthResult; var requestUrl = Request.Url.Scheme + "://" + Request.Url.HostName + Request.Url.BasePath + Request.Url.Path + Request.Url.Query; if (fbOAuthClient.TryParseResult(requestUrl, out oAuthResult)) { if (oAuthResult.IsSuccess) { if (!string.IsNullOrWhiteSpace(oAuthResult.Code)) { string returnUrl = null; try { if (!string.IsNullOrWhiteSpace(oAuthResult.State)) { dynamic state = JsonSerializer.Current.DeserializeObject(Encoding.UTF8.GetString(Base64UrlDecode(oAuthResult.State))); if (state.ContainsKey("return_url") && !string.IsNullOrWhiteSpace(state.return_url)) returnUrl = state.return_url; } } catch (Exception ex) { // catch exception incase user puts custom state // which contains invalid json or invalid base64 url encoding return Response.AsRedirect("~/"); } try { dynamic result = fbOAuthClient.ExchangeCodeForAccessToken(oAuthResult.Code); DateTime expiresOn; User user = ProcessSuccessfulFacebookCallback(result, out expiresOn); if (user == null) return Response.AsRedirect("~/"); // todo: prevent open redirection attacks. make sure the returnUrl is trusted before redirecting to it return this.LoginAndRedirect(user.Identifier, expiresOn, returnUrl); } catch (Exception ex) { // catch incase the user entered dummy code or the code expires // or no internet access or any other errors } } return Response.AsRedirect("~/"); } return View["FacebookLoginCallbackError", oAuthResult]; } return Response.AsRedirect("~/"); }; }