Add etsy oauth provider

[DevTKSS]

This pull request adds initial support for Etsy OAuth authentication to the codebase. It introduces the core implementation for an ASP.NET Core authentication provider, including configuration, constants, and documentation. The changes provide all the necessary building blocks and guidance for integrating Etsy login into an ASP.NET Core application.

Etsy OAuth Provider Implementation

• Added the main project file AspNet.Security.OAuth.Etsy.csproj to define the package and its dependencies for the Etsy authentication provider.
• Introduced EtsyAuthenticationAccessType enum to distinguish between personal and commercial access types for Etsy apps.
• Added EtsyAuthenticationConstants class with claim and scope constants for mapping Etsy user data and permissions.
• Defined EtsyAuthenticationDefaults with all the required default values for endpoints, scheme names, and callback paths used by the Etsy authentication middleware.
• Implemented extension methods in EtsyAuthenticationExtensions to make it easy to add Etsy authentication to an ASP.NET Core application via the authentication builder.

Documentation

• Added a comprehensive setup and usage guide in docs/etsy.md, detailing configuration, required/optional settings, claims mapping, and sample code for integrating Etsy OAuth authentication.

Note

The AccessType enum does so far only have one member Personal because I only have this level of App registration and can not see or tell if the commercial Access Apps do somehow support confidential clients against the guidelines of the Etsy Authentication API. I asked their support some while ago which did tell that the shared secret would be used at refresh, but there is no note at all for this in their docs, so this provider is adhering to the existing docs and oAuth standards RFC 6749 and does treat it as Public Client.
Recognizing the #610 Issue in the past, I directly implemented the same fix up from the start, because even if the user sets the value, we don't have to require it, so the provider should also not fail because of not setting this.

Closes: #1082

[Copilot]

Pull Request Overview

This PR adds a new Etsy OAuth 2.0 authentication provider to the AspNet.Security.OAuth.Providers library. The implementation supports Etsy's Authorization Code flow with PKCE, personal access type (public client), and optional detailed user information fetching.

• Implements complete OAuth 2.0 flow with PKCE requirement
• Supports optional detailed user profile enrichment via configurable flag
• Includes comprehensive validation for required scopes and configuration

Reviewed Changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationOptions.cs	Configuration options with validation logic for Etsy OAuth requirements
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationHandler.cs	OAuth handler implementing token exchange and user info retrieval
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationExtensions.cs	Extension methods for registering Etsy authentication
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationDefaults.cs	Default endpoint URLs and configuration values
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationConstants.cs	Claim types and scope constants
src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationAccessType.cs	Enum defining access types (Personal)
test/AspNet.Security.OAuth.Providers.Tests/Etsy/EtsyTests.cs	Integration tests for authentication flow and claims
test/AspNet.Security.OAuth.Providers.Tests/Etsy/EtsyAuthenticationOptionsTests.cs	Unit tests for options validation
test/AspNet.Security.OAuth.Providers.Tests/Etsy/bundle.json	Test fixture data for HTTP interception
docs/etsy.md	Comprehensive usage documentation with examples
AspNet.Security.OAuth.Providers.sln	Solution file updated with new project references

Comments suppressed due to low confidence (2)

src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationHandler.cs:51

• This assignment to userId is useless, since its value is never read.

        var userId = meRoot.GetProperty("user_id").GetInt64();

src/AspNet.Security.OAuth.Etsy/EtsyAuthenticationHandler.cs:52

• This assignment to shopId is useless, since its value is never read.

        var shopId = meRoot.GetProperty("shop_id").GetInt64();

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 16 out of 17 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[martincostello]

Thanks for responding to the various comments - I'll take a look at this again when I get the time. Shipping the release for .NET 10 was the main priority this week.

[DevTKSS]

@martincostello thanks for your response and time!
Until you find time, do you think from what you seen and the tests implemented by now, I could use the produced .dll locally in a ASP.NET Core API project to do an actual test call? 🤔

I am not sure in this, because I have had lots of trouble with implementing oAuth in there, because of Antiforgery and Cors 😓

the Official MS Docs for oAuth2 are horribly lacking on guidiance when there is no exiting provider like Google or something OIDC that supports discovery endpoint, which the Etsy API doesn't have 👀

We do have the Auth Code Exchange implemented here, which is against the Cross Origin Forgery Attacking 🤔
I would currently miss the information, if we then still need specific setup content for Antiforgery additionally to what's told in our:

• Basic Provider Readme
• Repo root Readme

And in the Authentication/Authorization docs for minimal api here:

• https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/security?view=aspnetcore-9.0

Its not told in our Readme files, if we do need Cookie to be added, or if the oAuth Base Extension our Providers here are building on do this already for us by default.

In case we need the dev user (like me then) to add this for e.g. have something like the Refreshing of the Token implemented (which I seen in none of the existing Providers here (?), so did not add it in the Etsy Provider too) eventually it would be usefull to add a Link to the Cookie Auth ms docs eventually to the OIDC docs which contains a auth flow diagram with code and code_verifyer or at least to Social Providers Auth ?

BUT while on the social login providers docs do link to the External Providers Page, which also links to this repo (thats how I found it 😉) this would be missing information about Refreshing Tokens too 🤷

If you would like me to open another issue / PR for this to improve these spots, let me know 👍

[martincostello]

You should be able to use our MVC sample App to test the changes locally.

[DevTKSS]

@martincostello Hey, I am on trying the provider with the samples/Mvc.Client but a bit confused how and where to set the Callback Url, as the Etsy API requires me to pre-provide one or more Callback Url's, no dynamic Url, no dynamic Port etc.
The Options we configure in the IOptions loaded appsettings or User Secrets for the ClientId, we can provide the CallbackPath, but seems like the Mvc.Client is overwriting it? 👀

    [HttpPost("~/signin")]
    public async Task<IActionResult> SignIn([FromForm] string provider)
    {
        // Note: the "provider" parameter corresponds to the external
        // authentication provider chosen by the user agent.
        if (string.IsNullOrWhiteSpace(provider))
        {
            return BadRequest();
        }

        if (!await HttpContext.IsProviderSupportedAsync(provider))
        {
            return BadRequest();
        }

        // Instruct the middleware corresponding to the requested external identity
        // provider to redirect the user agent to its own authorization endpoint.
        // Note: the authenticationScheme parameter must match the value configured in Startup.cs
        return Challenge(new AuthenticationProperties { RedirectUri = "/" }, provider);
    }

Could you maybe take a quick look and let me know if I just misunderstood this and the CallbackPath set in Options can be used as expected?
I am not getting the exact difference between them I guess...

• CallbackPath -> EtsyAuthenticationOptions
• RedirectUri -> Mvc.Client AuthenticationProperties

the Value I would like to set is e.g. https://localhost:8080/etsy/callback

[martincostello]

CallbackPath is where the OAuth provider will redirect the user after authenticating so that an authenticated session can be created for your application by the authentication middleware. For your example, you would set this to "etsy/callback".

RedirectUri is the URL the user is directed to in your website once they have successfully authenticated and been signed in.

[DevTKSS]

@martincostello 🎉 🥳 Worked!!! just that the CallbackPath needed to be /callback/etsy with the / before

[martincostello]

I haven't fully reviewed this PR yet, or thought about responding to the specific questions yet, but I've done a quick pass. I'll come back to this another time next week.

[martincostello]

Please resolve merge conflicts - the .sln file has been removed and replaced with an .slnx file.

[DevTKSS]

@martincostello Resolved Merge Conflicts + cleaned commits up a bit
I would have squashed some more/reworded, but the sln->slnx migration crashes git rebase -i so hope it's okay like this?

[martincostello]

Thanks for being so comprehensive, but I think there's a little too much detail here from a maintenance perspective.

A lot of the content here should be evident from reading ASP.NET Core OAuth documentation and Etsy's own documentation (e.g. the various setup steps needed in the Etsy developer portal).

Typically we just document the bare minimum required to set things up with a code snippet, highlighting any optional code (example), point out anything that's unusual compared to other providers, and document the purpose of any non-optional settings that aren't part of the underlying OAuthHandler from ASP.NET Core (for example, we don't typically document UsePkce, SaveTokens or CallbackPath as they aren't our properties).

For example, mapping additional claims isn't specify to Etsy, it can be done with any of the providers.

[DevTKSS]

@martincostello the etsy api has not very much information as they are only telling about JavaScript way to do this and even this is known to be outdated + incomplete. They did at least add the /users/me endpoint in the past, so the users will any longer have to inspect the raw html to get their shop ID 😅
What I am not sure about, can you tell me, if you know any reference, what the default paths in Cookie Auth are? I did not find them honestly. The MVC.Client Sample does specify them, but the ASP.NET Core Docs are not clear about this and never mapping them 🤔

Refering to the Minimal API quick Reference"](https://learn.microsoft.com/de-de/aspnet/core/fundamentals/minimal-apis?view=aspnetcore-10.0#authorization) or [Use cookie authentication without ASP.NET Core Identity`, I did not find this information, so while I was trying to set the provider up in my own API, which uses Minimal API, I have no idea, if I now need to explicitly register it or if not need to 😅

Same for implementing Refresh Token 🤔

1. Do we need in ASP.NET Core to have some kind of TokenRefreshHandler over the here shown claims actions in the Consumer WebApi from your knowledge or does the Framework handle this automatically?
2. If it does not, but I potentially just didn't find what the Name of the Event or Method is, we would need to call and the social Auth guide in ASP.NET Core (which would be those providers here too?) only tells about:
3. "Apply Authorization" (using MVC, no minimal API) by only adding the attribute, no sample content at all so assuming we might be fine with calling this ChallengeAsync like the Mvc client does?
4. Then Save Tokens by defining a route OnGetAsync() which I dont see in our sample (any additionals to be known for our providers repo I missed?) 🤔
5. And then it's just telling about Sign Out which endpoint we also have in our sample, BUT if I click on the Logout Button in it the comment would tell me, the cookie with the access_token or refresh_token we eventually automatically stored, does get deleted (?) so I should be asked to approve sign in of this app again if I click sign in, and not have to delete the cookies for Etsy before it prompts me again 🤔
6. BUT their SocialSample does define such route 👀

[DevTKSS]

@martincostello updated guide, would you check if this fits now?