ASP.NET WebApi Identity Facebook login access denied

I'm building an ASP.NET (4.6) WebApi project and I'm using ASP.NET Identity to authenticate with Facebook, Google and Microsoft to my API. I have managed to authenticate with Google and Microsoft, but not with Facebook. I'm using Visual Studio 2015.

The problem is that I get access denied every time I authenticate. The scenario goes like this:

  1. I make an API call to localhost:2975/api/Account/ExternalLogins?returnUrl=%2F&generateState=true through my browser.
  2. I receive a link to my API for every external provider my API supports. In the Facebook case I got localhost:2975/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A2975%2F&state=99...01
  3. I go to that link with my browser, and get redirected to the Facebook login page.
  4. I authenticate to Facebook, and a dialog window appears and asks permission for the requested information about me.
  5. I accept and get redirected back to my API with the error "access_denied". localhost:2975/api/Account/ExternalLogin gets called.

I haven't figured out where the problem comes from, whether it's some permission setting in my Facebook app, the Facebook user I log in with, or if the problem lies in the ASP.NET Identity template.

Regarding Facebook I have created a test app of my app, as well as pushed it as a live app. I can find the app on my Facebook profile, and I've removed it several times. My Facebook profile has the administrator role of the app. I have created test users, as well as added a friend of mine as developer/tester of the app. The problem remains. I read somewhere that there should be a pending request for the app that I should accept, but I haven't found any.

Regarding the ASP.NET Identity template the error is received very early in the process:


public async Task<IHttpActionResult> GetExternalLogin(string provider, string error = null)
{
    if (error != null)
    {
        // This is where the API comes in step 5 above
        return Redirect(Url.Content("~/") + "#error=" + Uri.EscapeDataString(error));
    }

    if (!User.Identity.IsAuthenticated)
    {
        // This is where the API comes in step 2 above before it redirects me to Facebook login
        return new ChallengeResult(provider, this);
    }

    ExternalLoginData externalLogin = ExternalLoginData.FromIdentity(User.Identity as ClaimsIdentity);

    // Untouched logic
    // ....
}

When I use Google Chrome's Network tool I can see that I get redirected to this link: There is a cancel URL with predefined error: "access_denied", error code: 200, reason: "user_denied", so maybe the "access_denied" error I receive isn't very accurate?

Other relevant code I can come up with is in Startup.Auth.cs (I never get to the OnAuthenticated part though):

var facebookOptions = new FacebookAuthenticationOptions()
{
    AppId = "XXX",
    AppSecret = "XXX",
    Scope = { "email", "public_profile" }
};
facebookOptions.Provider = new FacebookAuthenticationProvider()
{
    OnAuthenticated = (context) =>
    {
        // Copy the Facebook access token and email into the identity's claims
        context.Identity.AddClaim(new Claim("urn:facebook:access_token", context.AccessToken, ClaimValueTypes.String, "Facebook"));
        context.Identity.AddClaim(new Claim("urn:facebook:email", context.Email, ClaimValueTypes.Email, "Facebook"));
        return Task.FromResult(0);
    }
};

It feels like I've tried everything. Any ideas on how to solve this?

Thanks in advance!

Updating NuGet packages solved my issue.

From this post in the line

context.Identity.AddClaim(new Claim("urn:facebook:email", context.Email, ClaimValueTypes.Email, "Facebook"));

the context.Email is null.
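
The null case this answer points at, handled defensively. This is an added example, not the poster's or the template's code: the `Claim` constructor throws `ArgumentNullException` when the value is null, so each claim is added only when a value is present. `AddClaimIfPresent` and `ConfigureFacebook` are hypothetical names, and the `"XXX"` values are placeholders as in the question.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Facebook;
using Owin;

public partial class Startup
{
    // Hypothetical helper: skip the claim instead of passing null to the
    // Claim constructor, which throws ArgumentNullException on a null value.
    private static void AddClaimIfPresent(
        ClaimsIdentity identity, string type, string value, string valueType)
    {
        if (!string.IsNullOrEmpty(value))
        {
            identity.AddClaim(new Claim(type, value, valueType, "Facebook"));
        }
    }

    // Hypothetical method name; in the template this code sits in
    // ConfigureAuth in Startup.Auth.cs.
    public void ConfigureFacebook(IAppBuilder app)
    {
        var facebookOptions = new FacebookAuthenticationOptions
        {
            AppId = "XXX",     // placeholder
            AppSecret = "XXX", // placeholder; keep the real value out of source control
            Scope = { "email", "public_profile" },
            Provider = new FacebookAuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    AddClaimIfPresent(context.Identity, "urn:facebook:access_token",
                        context.AccessToken, ClaimValueTypes.String);
                    // context.Email can be null even when the "email" scope
                    // was requested, so this claim may be absent downstream.
                    AddClaimIfPresent(context.Identity, "urn:facebook:email",
                        context.Email, ClaimValueTypes.Email);
                    return Task.FromResult(0);
                }
            }
        };

        app.UseFacebookAuthentication(facebookOptions);
    }
}
```

Code that later reads `urn:facebook:email` has to treat the claim as optional, since it is no longer guaranteed to exist on the identity.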

Try to update the NuGet packages, such as Microsoft.Owin.Security, Microsoft.Owin.Security.Facebook and so on.

For those who were unable to resolve the issue by just updating NuGet packages, this might help.

Our web app was working fine with external login: our app redirected the users to Facebook or Google for authentication and returned the relevant details from their account. But then this issue arose, in which the redirect URL contains an error with the value Access_Denied, which is not descriptive at all, so you need to find the errors manually.

After a lot of debugging and NuGet updates I was still unable to resolve the issue, and then it turned out the solution was IP whitelisting for the server, as our IT team and a few developers had changed the server settings or migrated the website to a new server, which obviously had a different IP. Hence, I added the IP address in the Facebook dev console to whitelist the address and it worked like a charm.

Whereas, Google authentication was fixed without whitelisting anything, just updating the nuget packages did the job.

  • Late update: There was nothing wrong with my code. After I changed some settings in my Facebook app it worked.
  • Could you please let us know what changes you made on the Facebook site that made it work?
  • I am also very curious about these settings...
  • this did it for me!
  • The default template included v3.0.1. I updated the package to v3.1.0 and it worked.