Associating an External Login or Sign In Service (SIS) to an existing account is not difficult. However, the scaffolded Identity UI needs modification to create a new account which has a unique, verified email address and other required properties. I have created Bootstrap Native Project sign in apps with Google, Microsoft, Facebook, Twitter, GitHub, LinkedIn, and Reddit. Login@BSNP to experience the process.

The procedures to create an OAuth app varies by provider. See MS Docs - Setup login providers required by your application. When you configure an app, the redirect URI is /signin-providername like /signin-google appended to the calling host name. All I have evaluated, allow the host name = localhost:port for testing. Some allow more than one redirect URI. The approved app will have an Id and Secret. Most use parameter names ClientId and ClientSecret. Some providers request verification and branding for approval.

The SIS buttons post to the Identity UI page Area/ Identity/ Pages/ Account/ ExternalLogin. cshtml which returns a ChallengeResult (An Microsoft. AspNetCore. Mvc. ActionResult that on execution invokes HttpContext. ChallengeAsync). The ChallengeResult has a redirectUrl property which handles the callback. The callback attempts to sign in with the SIS's name and key. If the SIS is not associated with an existing account, the ExternalLogin page is displayed requesting the user create a new account. The Identity UI template requires an email address to create the user. The email is used for both the username and email address. The template prompts the developer to send a verification email.

You can associate a SIS with an existing account without the SIS returning an email address. To create a new user with a SIS, the BSNP expects the SIS return an email address and considers it as verified. Most SIS return an email claim with the ExternalLoginInfo. Twitter employs an option, RetrieveUserDetails set to true, to request the user's email address. The Twitter user can authorize access without sharing their email address. Reddit does not share an email address.

If the SIS returns an email address, the BSNP displays the email address in readonly mode and requests the user to enter a username and displayed name. If an email address is not returned or already in use by another account, the user is redirected to register or login with the error message.

I have installed the Authentication NuGet packages, stubbed out an Authentication section in appsettings.json and created an option to load the AddAuthentication extensions in Startup > ConfigureServices. The provider options are configured to return an email address and redirect to the Login page if the user declines provider access. All you need are the sign in apps to implement external logins.