According to the documentation:
Your application can trigger the same redirect itself by navigating the user to the /.auth/login/ endpoint of your site, where is one of aad, facebook, google, microsoftaccount, and twitter. This option is perfect for sites featuring a login button and for many mobile applications.
Alternatively, a client can obtain a token using a provider SDK and exchange it for a session token. Simply submit an HTTP POST to the same endpoint with the provider token in a JSON body under the key “access_token” (or “authenticationToken” for Microsoft Account). This is the preferred solution for mobile applications if a provider SDK is available on the platform, and it also works for many web and API applications.
I have found this ONLY works with a Facebook token. I am able to authenticate with Google, Facebook, Twitter, and Microsoft Account by hitting the normal /.auth/login/{provider} endpoint. However, if you attempt to POST the resulting token, as discovered from the .auth/me endpoint or from the HTTP headers (e.g. X-MS-TOKEN-GOOGLE-ACCESS-TOKEN, etc.), the POST endpoint only works for Facebook.
I discovered the following:
- Google - you'll get an HTTP/1.1 400 'authorization_code' field is required. if you follow the documentation. However, changing the "access_token" name to "authorization_code" causes a 500 Internal Server Error.
- Twitter - undisclosed in the documentation, it requires an "access_token_secret" value in the payload in addition to the "access_token" value. However, including this only results in an Unauthorized 401, which seems to be a bug: since the Facebook payload works, the controller shouldn't require auth already.
- Microsoft account - Same Unauthorized 401 Error as Twitter.
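
The token exchange described in the quoted documentation, as an added example that is not part of the original post or of Microsoft's code. It builds the POST without sending it, refuses non-HTTPS sites because the body carries a bearer credential, and masks token values for logging. The helper names and the site name are assumptions, and the Twitter "access_token_secret" field comes from the post's own observation, not the documentation.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Body key for the provider token, per the documentation quoted above.
TOKEN_KEY = {
    "aad": "access_token",
    "facebook": "access_token",
    "google": "access_token",
    "twitter": "access_token",
    "microsoftaccount": "authenticationToken",
}


def build_exchange_request(site, provider, token, token_secret=None):
    """Build (without sending) the POST that trades a provider token for a session token."""
    if provider not in TOKEN_KEY:
        raise ValueError(f"unsupported provider: {provider!r}")
    parts = urlsplit(site)
    if parts.scheme != "https" or not parts.netloc:
        # The body carries a bearer credential; never send it over plain HTTP.
        raise ValueError("site must be an https:// origin")
    body = {TOKEN_KEY[provider]: token}
    if provider == "twitter":
        # Assumption: field reported in the post above, not in the quoted documentation.
        if not token_secret:
            raise ValueError("twitter also needs access_token_secret")
        body["access_token_secret"] = token_secret
    return urllib.request.Request(
        f"https://{parts.netloc}/.auth/login/{provider}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def redacted(req):
    """Return the request body with every value masked, safe to write to a log."""
    return {key: "<redacted>" for key in json.loads(req.data)}


if __name__ == "__main__":
    # Constructed values: placeholder site name and dummy token.
    req = build_exchange_request("https://contoso-example.azurewebsites.net", "facebook", "DUMMY")
    print(req.get_method(), req.full_url, redacted(req))
    # Sending is left to the caller: urllib.request.urlopen(req, timeout=10)
```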