I have an iOS app with an ASP.NET Core backend using IdentityUser tokens and it's working fine with username/password login to retrieve the token like so:
    // Password login: SignInResult tells us whether the sign-in succeeded, was locked out, etc.
    var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, isPersistent: true, lockoutOnFailure: true);
    if (result.Succeeded)
    {
        return Ok(result);
    }
But now I'd like to add the option to 'Sign in with Apple' which is easy to do on the app side and after Apple validates the user we get an IdentityToken (JWT) that is signed and contains the email address. It seems straightforward and I can pass that IdentityToken back to my API and verify it's valid by checking the signature using: https://stackoverflow.com/a/34423434/1999217
But by my understanding (and the expiry) the IdentityToken provided by Apple is only meant to be used once and converted into a new token (a Microsoft.AspNetCore.Identity token in my case).
How can I achieve this? Once I've verified the IdentityToken and I trust the requesting user owns the passed-in email address then I can retrieve the ApplicationUser, and Microsoft.AspNetCore.Identity.UserManager seems to have a method SignInAsync() but its return type isn't IdentityResult as expected so it's not helpful.
I've also looked at the ExternalLoginProvider methods but it relies on callbacks which I don't believe suits this situation as I have a token I can trust.
I'm thinking about taking the email address and doing an instant password reset but it feels dodgy. Something like:
    // Look the user up by the e-mail taken from the verified Apple token.
    var user = await _userManager.FindByEmailAsync(email);
    if (user == null) return Unauthorized();
    // Reset the password to a random value just to get an IdentityResult back.
    var token = await _userManager.GeneratePasswordResetTokenAsync(user);
    var result = await _userManager.ResetPasswordAsync(user, token, RandomPassword());
Because this has to do with Authentication I feel it's better to be safe than sorry. I guess the nut of my question would be: Is this dodgy? Is there a better way to get an IdentityResult having just an email?
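An added example (not part of the question above) of the flow the question describes: validate the Apple identity token against Apple's published signing keys, locate the ApplicationUser, and sign the user in through SignInManager with no password reset involved. It assumes the NuGet packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect, an ApplicationUser type with an Email property, and a placeholder Apple client id (the iOS bundle identifier); the AppleLoginModel class, the controller name and the "Apple" login-provider name are invented for the example.

```csharp
// Added example, not the question's own code. Verifies a Sign in with Apple identity
// token server-side and signs the matching Identity user in without resetting any password.
// Assumes System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical request body: the identity token the iOS app received from Apple.
public class AppleLoginModel
{
    public string IdentityToken { get; set; }
}

[ApiController]
[Route("api/[controller]")]
public class AppleAuthController : ControllerBase
{
    private const string AppleIssuer = "https://appleid.apple.com";
    // Placeholder: the iOS app's bundle identifier, which Apple puts in the token's "aud" claim.
    private const string AppleClientId = "com.example.placeholder-bundle-id";
    private const string LoginProvider = "Apple";

    // Fetches and caches Apple's signing keys from its OpenID Connect discovery document,
    // so key rotation on Apple's side is picked up without a redeploy.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> AppleConfig =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            AppleIssuer + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AppleAuthController(UserManager<ApplicationUser> userManager,
                               SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [HttpPost("apple")]
    public async Task<IActionResult> SignInWithApple([FromBody] AppleLoginModel model)
    {
        var config = await AppleConfig.GetConfigurationAsync(CancellationToken.None);

        // Signature, issuer, audience and lifetime are all checked: a token for another
        // app, from another issuer, or past its short expiry is rejected.
        var validationParameters = new TokenValidationParameters
        {
            ValidIssuer = AppleIssuer,
            ValidAudience = AppleClientId,
            IssuerSigningKeys = config.SigningKeys,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        // MapInboundClaims = false keeps the raw claim names ("sub", "email") instead of
        // remapping them to ClaimTypes.* constants.
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
        ClaimsPrincipal principal;
        try
        {
            principal = handler.ValidateToken(model.IdentityToken, validationParameters, out _);
        }
        catch (SecurityTokenException)
        {
            return Unauthorized();
        }

        // "sub" is Apple's stable per-user identifier. The e-mail may be a private relay
        // address and can change, so the external login is keyed on "sub", not on e-mail.
        var appleUserId = principal.FindFirst("sub")?.Value;
        var email = principal.FindFirst("email")?.Value;
        if (string.IsNullOrEmpty(appleUserId)) return Unauthorized();

        var user = await _userManager.FindByLoginAsync(LoginProvider, appleUserId);
        if (user == null)
        {
            // First Apple sign-in for this account: link to the existing user found by e-mail,
            // but only when Apple reports that address as verified.
            var emailVerified = string.Equals(principal.FindFirst("email_verified")?.Value, "true",
                                              StringComparison.OrdinalIgnoreCase);
            if (!emailVerified || string.IsNullOrEmpty(email)) return Unauthorized();

            user = await _userManager.FindByEmailAsync(email);
            if (user == null) return Unauthorized();

            var link = await _userManager.AddLoginAsync(
                user, new UserLoginInfo(LoginProvider, appleUserId, "Apple"));
            if (!link.Succeeded) return BadRequest(link.Errors);
        }

        // Honour the same lockout that PasswordSignInAsync would enforce.
        if (await _userManager.IsLockedOutAsync(user)) return Unauthorized();

        // Issues the same Identity sign-in PasswordSignInAsync does, with no password involved.
        await _signInManager.SignInAsync(user, isPersistent: true, authenticationMethod: LoginProvider);
        return Ok();
    }
}
```

The design choice here is to treat Apple as an external login stored via AddLoginAsync rather than to touch the account's password: the password reset approach in the question works, but it silently changes a credential the user knows about and turns a one-time Apple token into a permanent password change. The example does not check the nonce; if the app sets one in its Apple request, compare the token's "nonce" claim to it as well.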