A struggle that many web developers face is how to secure your apps. While it is pretty straightforward to develop some sort of username/password authentication, it becomes much more complex when considering self-service account maintenance. Things like registering, changing or resetting passwords, maintaining names, email addresses, etc. can all ramp up the complexity.

Secure Your Apps

I realize the Microsoft MVC template delivered with Visual Studio implements quite a bit of this functionality when creating a new MVC application. But, depending upon the industry or the level of security required, there is another way to authenticate users while pushing the responsibility of user maintenance onto other developers, external authentication providers.

What I’ve Learned

By using the OAuthWebSecurity class in the Microsoft.Web.WebPages.OAuth namespace, applications can leverage OAuth providers such as Facebook, Live, and Twitter or OpenID providers like Google and Yahoo to authenticate users. Adding providers is relatively simple, requiring some configuration on the provider and registering the provider in the application.

Getting Started

First, start with an empty MVC application. Once created, manage NuGet packages and add the Microsoft WebPages OAuth library (Now, here is the first gotcha. There is a disconnect in Visual Studio 2013 between the MVC and OAuth libraries. Running the application will result in a version mismatch exception. While in NuGet, go to Updates and update all packages. This should fix the mismatch).

Create an AuthConfig class. This class is responsible for configuring/registering each of the external authentication providers.

using Microsoft.Web.WebPages.OAuth;

namespace OAuthDemo
    public static class AuthConfig
        public static void RegisterAuth()
                clientId: "",
                clientSecret: "");

                consumerKey: "",
                consumerSecret: "");

                appId: "",
                appSecret: "");


and register the authorizations in the Application_Start event of the Global.asax.


Each external provider requires registering the application. For each provider except Google, this will also set the id, secret combination necessary to configure in the application. Microsoft provides some guidance on how to configure each provider here.

Configuring each provider does have some gotchas. For instance, Microsoft Live does not allow http://localhost as a redirect URL. This article provides a workaround to that limitation. However, Google does not recognize the workaround as a valid domain, so testing is somewhat of an adventure.

Once registered, the external providers can be iterated to allow users to log in using their preferred (or required) provider.

In the Controller:

        public ActionResult Index() {
            return View(OAuthWebSecurity.RegisteredClientData);

In the View:

                @model ICollection
                @foreach (AuthenticationClientData p in Model)

It is a simple matter then of requesting authentication with the selected provider, verifying the results and finally authorizing the user. It is important to note that each provider returns a slightly different data set, though each provides a unique identifier for the user. Also, the user’s email address is returned in the dataset except when using Microsoft Live. Returning the email address from Live requires elevated privileges that most users are unwilling to grant.

                OAuthWebSecurity.RequestAuthentication(Provider, ReturnUrl);
            AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(Url.Action("ExternalLoginCallback", new {ReturnUrl = returnUrl}));
            if (!result.IsSuccessful) {
                return RedirectToAction("ExternalLoginFailure");

            // User is new, ask for their desired membership name
            ViewBag.ProviderDisplayName = OAuthWebSecurity.GetOAuthClientData(result.Provider).DisplayName;
            ViewBag.ReturnUrl = returnUrl;
            return View("ExternalLoginConfirmation", new RegisterExternalLoginModel {UserName = result.UserName, ExternalLoginData = loginData});


Microsoft Azure also provides an access control namespace service which provides very similar functionality from the cloud. But, that is a topic for another day …

Next Steps

Review our case studies and engagements where we helped companies just like yours solve a variety of business needs.

About Oakwood

Since 1981, Oakwood has been helping companies of all sizes, across all industries, solve their business problems.  We bring world-class consultants to architect, design and deploy technology solutions to move your company forward.   Our proven approach guarantees better business outcomes.  With flexible engagement options, your project is delivered on-time and on budget.  11,000 satisfied clients can’t be wrong.