Issues trying to get the AddSteam command to work with .NET 7 Angular SPA template #141

Open
Naliath opened this issue Nov 28, 2022 · 2 comments


Naliath commented Nov 28, 2022

Describe the bug
Unable to add steam auth to ASP.NET 7 + Angular app

Steps To reproduce
dotnet new angular, add package. Next manual step add a new lib with the steam code

Expected behaviour
I would expect the AddSteam extension method to be available but it is not. When I manually add the project to get the extension method available I would assume the callback is registered and available to be called and create a valid user identity

EDIT: I see that there is a *.Steam package available from the myget feed, that explains that part of the problem

Actual behaviour
Callback does not get called, seems like the route is not available to be called. Identity server that is provided out of the box with the template does list the external provider but I can not seem to get the correct user identity to be created. Sign-in goes just fine to Steam but as soon as it should go back to the app callback no joy... All I feel I need to do is register the callback route so ASP can deal with it but I can't figure out how.

Is this just something that is not possible in this fashion? At first glance it looks real easy but I have been cursing this thing for hours now. There are 0 useful errors in the front-end nor the back-end, I have no clue where to start to get it registered correctly.


ArwynFr commented Apr 2, 2023

Sounds like you are confusing OpenID Authentication 2.0 with OpenID Connect 1.0.

Steam is an OpenID Authentication 2.0 provider. This protocol is a legacy protocol, designed to allow monolithic web applications, or possibly stateful APIs to verify the end user's identity, and store that information in a session mechanism. It was not designed with client-server architecture in mind.

You can't use Steam Authentication with BOTH your Angular client and your ASP.NET 7 APIs. The protocol is specifically designed against that. Every authentication response by the OpenID Endpoint is digitally signed, and this signature can only be verified once. In order to have both your client and services to access the user's identity, you need to do the Steam authentication on the server (because it requires a secret), then expose a route for the client to download the user's details. In any case, you need to store the user's information in a server-side session.

This is a limitation of the protocol's design and is the reason why OpenID introduced OpenID Connect (OIDC), which allows stateless client-server authentication. Unfortunately, Steam looks very reluctant to move to that technology.
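
The server-side pattern described in the comment above, as an added example that is not part of the thread and is not the project's own sample code: Steam sign-in is completed on the ASP.NET backend, the identity is kept in a cookie session, and the Angular client reads the user's details from an API route. It assumes the `AspNet.Security.OpenId.Steam` package is referenced; the `/api/auth/*` route names are hypothetical.

```csharp
// Added example (Program.cs); not code from this issue or from the provider package.
using System.Security.Claims;
using AspNet.Security.OpenId.Steam;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // The browser only ever holds this cookie; HttpOnly keeps it out of script.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        // XHR callers get a 401 instead of a redirect to a login page.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
    })
    // The Steam handler validates the OpenID 2.0 response on the server and
    // signs the resulting identity into the cookie scheme above.
    .AddSteam();
builder.Services.AddAuthorization();

var app = builder.Build();
// The handler's CallbackPath is served by this middleware; no route is mapped for it.
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical route: a full-page navigation from the SPA starts the Steam redirect.
app.MapGet("/api/auth/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { SteamAuthenticationDefaults.AuthenticationScheme }));

// Hypothetical route: the SPA downloads the signed-in user's details from the server.
app.MapGet("/api/auth/me", (ClaimsPrincipal user) => Results.Ok(new
{
    id = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
    name = user.Identity?.Name
})).RequireAuthorization();

app.Run();
```

The login route has to be reached by a top-level browser navigation rather than an XHR call, because the challenge answers with a redirect to Steam.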


Naliath commented Apr 2, 2023

I am aware of the difference. I was kind of expecting IdentityServer to take the response and issue its own token, possibly enriched with information from the Steam endpoint.

I also can't understand why Valve persists with this ancient standard.

Currently I switched over to an entirely different stack since I would have to spend considerable effort to get this to work as expected. And besides that I do not like rolling my own stuff in regards to authentication flows.
