                                This example demonstrates the use of OAuth2 authentication in a web application. Users can sign in to the application via Google, Facebook or Microsoft authentication providers.

                                You can try this demo "as is" to get an overview of its capabilities, and then implement the demonstrated functionality in your own XAF applications according to the instructions below.

                                How to Run this Demo

                                Before running this demo, register developer accounts at the services you are going to use:

                                Open the Web.config file and specify your own client IDs and client secrets for each provider.

                                <appSettings>
                                  <add key="GoogleClientID" value="YourGoogleClientID" />
                                  <add key="GoogleClientSecret" value="YourGoogleClientSecret" />
                                  <add key="FacebookClientID" value="YourFacebookClientID" />
                                  <add key="FacebookClientSecret" value="YourFacebookClientSecret" />
                                  <add key="MicrosoftClientID" value="YourMicrosoftClientID" />
                                  <add key="MicrosoftClientSecret" value="YourMicrosoftClientSecret" />
                                </appSettings>

                                You can remove keys corresponding to providers that you do not want to use. 

                                Now you can run the application.

                                Overview of This Demo's Capabilities

                                In the logon window, there are buttons for each provider specified in Web.config:

                                Standard XAF authentication with built-in username/password is also supported. When you log in via OAuth authentication, the email is used as a user name. By default, a user object is autocreated for each logon. You can disable autocreation, or specify the auto-assigned role for new users in the InitializeComponent method (see WebApplication.cs(vb)):
                                this.securityStrategyComplex1.NewUserRoleName = "Default";
                                ((AuthenticationStandartWithOAuth)authenticationBase).CreateUserAutomatically = true;

                                Me.securityStrategyComplex1.NewUserRoleName = "Default"
                                CType(authenticationBase, AuthenticationStandartWithOAuth).CreateUserAutomatically = True
                                When CreateUserAutomatically is false, the logon is allowed if a user with the email returned by the external service exists in the application database. To grant access to a user with a specific e-mail, use the built-in Admin account, create a user object and set the UserName to this e-mail.

                                If you set the EnableStandardAuthentication property to true for an auto-created user, this user will be able to log in directly, with a user name and password. Note that the password is empty by default, so do not forget to specify it when enabling standard authentication.

                                Each user can have several associated email addresses. To add or remove email addresses, use the OAuth Authorization Emails list in the user's Detail View.
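
                                The logon rules described in this overview (automatic user creation, admission by pre-registered email, and the empty default password), modeled as an added example. This is not the demo's code: AppUser, OAuthLogonPolicy and their members are hypothetical stand-ins for the XAF user object, and case-insensitive email matching is an assumption.

```csharp
// Added illustration: AppUser and OAuthLogonPolicy are hypothetical stand-ins,
// not XAF/DevExpress types. Case-insensitive email matching is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;

public class AppUser {
    public string UserName;
    public string Role;
    public bool EnableStandardAuthentication;
    public string PasswordHash = "";   // empty = no password set (default for auto-created users)
    public List<string> OAuthEmails = new List<string>();   // "OAuth Authorization Emails" list
}

public class OAuthLogonPolicy {
    public bool CreateUserAutomatically = true;
    public string NewUserRoleName = "Default";
    public readonly List<AppUser> Users = new List<AppUser>();

    // Returns the user to log on as, or null when the logon must be rejected.
    public AppUser Resolve(string email) {
        if (string.IsNullOrWhiteSpace(email)) return null;   // provider returned no email
        string key = email.Trim();
        AppUser user = Users.FirstOrDefault(u =>
            string.Equals(u.UserName, key, StringComparison.OrdinalIgnoreCase) ||
            u.OAuthEmails.Any(e => string.Equals(e, key, StringComparison.OrdinalIgnoreCase)));
        if (user != null) return user;
        if (!CreateUserAutomatically) return null;   // only pre-registered emails are admitted
        user = new AppUser { UserName = key, Role = NewUserRoleName };
        Users.Add(user);
        return user;
    }

    // Accounts that could log on directly with a blank password.
    public IEnumerable<AppUser> BlankPasswordLogons() {
        return Users.Where(u => u.EnableStandardAuthentication && string.IsNullOrEmpty(u.PasswordHash));
    }
}

public static class Program {
    public static void Main() {
        var policy = new OAuthLogonPolicy { CreateUserAutomatically = false };
        policy.Users.Add(new AppUser { UserName = "alice@example.com", Role = "Default" });   // constructed data
        Console.WriteLine(policy.Resolve("ALICE@example.com") != null);   // pre-registered email
        Console.WriteLine(policy.Resolve("bob@example.com") != null);     // unknown email
        policy.Users[0].EnableStandardAuthentication = true;              // password was never set
        Console.WriteLine(policy.BlankPasswordLogons().Count());
    }
}
```

                                Running a check like BlankPasswordLogons over the user table after enabling standard authentication catches accounts left with the default empty password.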

                                How to Implement the Demonstrated Functionality in your XAF Application

                                1. In your solution, open Package Manager Console.
                                  1.1. Choose the YourSolutionName.Web project in the Default project combo box, and execute the following commands to add Owin packages:
                                  Install-Package Microsoft.Owin -Version 3.1.0
                                  Install-Package Microsoft.Owin.Security -Version 3.1.0
                                  Install-Package Microsoft.Owin.Security.Cookies -Version 3.1.0
                                  Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.1.0
                                  Install-Package Microsoft.Owin.Security.Google -Version 3.1.0
                                  Install-Package Microsoft.Owin.Security.Facebook -Version 3.1.0
                                  Install-Package Microsoft.Owin.Security.MicrosoftAccount -Version 3.1.0
                                  1.2. Switch to the YourSolutionName.Module.Web project and install these two packages:
                                  Install-Package Microsoft.Owin -Version 3.1.0
                                  Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.1.0

                                2. Open the Web.config file and specify your own client IDs and client secrets for each provider you are going to use. Refer to the AuthenticationOwin.Web\Web.config file in the demo solution to see the example. Then, set the authentication mode to "None" and comment out or remove the settings related to the default XAF authentication:
                                <authentication mode="None">
                                  <!--<forms name="Login" loginUrl="Login.aspx" path="/" timeout="10" />-->
                                </authentication>
                                <!--<authorization>
                                  <deny users="?" />
                                  <allow users="*" />
                                </authorization>-->

                                3. Copy the following files from the demo solution to the corresponding locations within your solution:
                                - AuthenticationOwin.Module\AuthenticationStandartWithOAuth.cs(vb)
                                - AuthenticationOwin.Module\IAuthenticationOAuthUser.cs(vb)
                                - AuthenticationOwin.Module.Web\Controllers\LogonAuthController.cs(vb)
                                - AuthenticationOwin.Module.Web\Security\CustomSecurityStrategyComplex.cs(vb)
                                - AuthenticationOwin.Module.Web\Images\Facebook.svg
                                - AuthenticationOwin.Module.Web\Images\Google.svg
                                - AuthenticationOwin.Module.Web\Images\Microsoft.png

                                - AuthenticationOwin.Web\Startup.cs(vb)
                                Include the copied files in your solution (Add | Existing Item...). Update the namespace names in the copied code files to match the namespaces you use in your solution. For image files, set the Build Action property to Embedded Resource.

                                4. Edit the YourSolutionName.Module\Module.cs file. In the overridden Setup method, handle the XafApplication.CreateCustomLogonWindowControllers event and add the LogonAuthController to the e.Controllers collection passed to this event. Refer to the AuthenticationOwin.Module.Web\Module.cs(vb) file to see an example.

                                5. Edit the YourSolutionName.Web\WebApplication.cs(vb) code and register this custom security strategy:
                                this.securityStrategyComplex1 = new AuthenticationOwin.Module.Web.Security.CustomSecurityStrategyComplex();
                                Me.securityStrategyComplex1 = New AuthenticationOwin.Module.Web.Security.CustomSecurityStrategyComplex()

                                6. Implement the IAuthenticationOAuthUser interface in your custom user class. You can see an example in the AuthenticationOwin.Module\BusinessObjects\OAuthUser.cs file. If you use the built-in user, you can copy the OAuthUser class to your project from the demo and set the SecurityStrategy.UserType property to OAuthUser in the Application Designer.

                                7. Change the code that creates your predefined users in YourSolutionName.Module\DatabaseUpdate\Updater.cs. Set EnableStandardAuthentication to true for users who can log in with standard authentication (username and password). See the example in the AuthenticationOwin.Module\DatabaseUpdate\Updater.cs file.

                                8. Register the LogonTemplateContent1.ascx template in the YourSolutionName.Web\Global.asax.cs file:
                                WebApplication.Instance.Settings.LogonTemplateContentPath = "LogonTemplateContent1.ascx";
                                WebApplication.Instance.Settings.LogonTemplateContentPath = "LogonTemplateContent1.ascx"

                                9. Copy the LoginWith* action customizations and the AuthenticationStandardLogonParameters_DetailView layout settings from the AuthenticationOwin.Module.Web\Model.xafml file to the same file in the YourSolutionName.Web project. If you have no model customizations in Model.xafml, you can just overwrite it with the file from the demo. Ensure that the IsPostBackRequired property of each LoginWith* action is set to true.

                                Tip: You can refer to the OWIN OAuth 2.0 Authorization Server documentation to learn how to add more authentication providers.

                                For an example of integrating OAuth2 authentication in a WinForms XAF application, refer to the XAF - OAuth2 Authentication for WinForms ticket.

                                • Scott Gross 07.14.2017
                                  Will this work with XAF Mobile as well?
                                • Konstantin B (DevExpress) 07.16.2017
                                  We haven't yet tested this approach with XAF Mobile. However, we will consider including the mobile app project in this demo. I've created a separate ticket on your behalf (T536304: OAuth2 authentication in XAF Mobile). It has been placed in our processing queue and will be answered shortly.
                                • Rik Pronk 08.01.2017
                                  In the sample project, I noticed some errors in the web.config file. Below 'For applications with a security system' the <Authentication> tag is used, but that's supposed to be the <authorization> tag instead.
                                • Konstantin B (DevExpress) 08.01.2017
                                  Hello Rik,

                                  Your comment is correct, we have updated this demo. Thanks!  
                                • Martin Svärd 08.31.2017
                                  Hi Konstantin,

                                  I am not able to try this example, even though I register it with Microsoft.
                                  Am I missing something?
                                  And will this work with Microsoft Azure as well, or is it only Microsoft's non-O365 accounts?
                                • @Martin: Thanks for your interest. I've created a separate ticket on your behalf (T550911: Difficulties when running the T535280 example (OAuth2 authentication)). It has been placed in our processing queue and will be answered shortly.
                                • Genesis Supsup 1 10.23.2017
                                  Is it possible to implement this in XAF using Windows Forms?
                                • @Genesis Supsup: We will answer you in the XAF - OAuth2 Authentication for WinForms ticket. Thanks.
                                • Vince G 01.21.2018
                                  For Google Authentication you will need to enable the Google+ API, otherwise the Google authentication won't work. That took me a while to debug.