Why Using External Logins with ASP.Net Identity is a Bad Idea

Blast Zone No. 1204 - 2 Comments
Set Up On:
Category: Other - News
Current Office Address:
One Microsoft Way

If you are thinking of configuring your ASP.Net web application with ASP.Net Identity to let users sign up with external logins like Facebook, Twitter, Google, and Microsoft, don't do it. It is a horrible idea that will surely lock out your users someday. That is because all of these third party providers force developers to upgrade in order to keep using their APIs and depending on how you have your external logins setup you might never be able to fix your site to work with the new version of Facebook, Twitter, Google, or Microsoft or the task will be so monumental as not to be worth the benefit of the external login integration.


How do external logins work with ASP.Net Identity? According to Microsoft they work very easily. They have tutorials where all you need to do is create applications with the third party services, un-comment a couple lines of code in your ASP.Net application, and paste in your credentials. The first time I did that it worked great. Then I went a long time without accessing the site and when I did my Facebook and Twitter login capabilities were broken. I was never able to fix the Twitter login because no matter what I did it would give me a 403 error from Twitter. I was able to fix the Facebook login by upgrading other features that I needed for regular membership after which Facebook was mysteriously working again. Yesterday Facebook told me to fix my app or face suspension because nobody can login to Facebook from this website anymore even though I changed nothing.


The internet is full of examples of people that set-up external logins for their websites only to find them broken overnight at no fault of their own. The internet is also full of horror stories where people troubleshooted for hours only to still have problems. I have never had any problems like that with any membership provider that I have built and I do not believe that allowing people to join this site using their Facebook login credentials is worth the trouble of fixing it again whenever Facebook decides to change things on their end. I want a solution that I will never have to fix again and for me that solution is the default membership in ASP.Net either through Identity or the old SQL Membership.


If this leaves you locked out of this website because you signed up using Twitter or Facebook I would apologize if it were my fault but it is not. Take your gripes up with the social networks that broke your ability to access this site because I am not wasting another day on this problem. If you want to use this site take the time to create a membership and if you do not want to use this site bad enough to create a membership then I really do not want your business bad enough to waste the time needed to serve you.


If you are a developer then I hope you learn from this and stop using external logins because someday it will break. When it breaks you will have to stop what you are doing and change your site to fix problems caused by external login providers. In the meantime nobody that joined your site using an external login will be able to access it anymore. Is that worth enabling users to join using their social media accounts? In my opinion it is not worth it.

My latest attempt to enable this feature led to 500 errors at the URI endpoints. It looks like a conflict with the routing rules since it is a problem no matter what network (ex: https://copblaster.com/signin-facebook) so I won't try to enable this anymore. The good news is I can now add back the update panel on this comment feature since removing it was done to allow the login control to direct people to the external network, so the page won't have to refresh when you post a comment.

Another problem is that not all third party logins provide the developer access to the user's email address. For instance if you let people join with Twitter the only ways for people to contact them would be to let them know which Twitter user it is because you can't just setup a form to send them an email. So, the ability to be anonymous is severely compromised.

Login to Comment using a Cop Blaster Account.


 
 

Register if you don't have a Cop Blaster account.