What's the Difference Between OAuthWebSecurity's "RequestAuthentication()" and "VerifyAuthentication()" methods in ASP.NET-Webpages with C#?

Question

I'm trying to really "hash out" what's going on when I use OAuth (actually using it for Google only), but I just can't quite seem to understand the difference between:

OAuthWebSecurity.RequestAuthentication("Google", Href("~/Account/RegisterService.cshtml"));

And:

OAuthWebSecurity.VerifyAuthentication(Href("~/Account/RegisterService.cshtml"));

At "http://msdn.microsoft.com" They describe the difference as:

RequestAuthentication():

Requests the specified provider to start the authentication by directing users to an external website, and directs the provider to redirect the user to the specified URL when authentication is successful.

(Found Here: http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity.requestauthentication(v=vs.111).aspx)

And VerifyAuthentication():

Returns a value that indicates whether the user account has been confirmed by the provider.

(Found Here: http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity.verifyauthentication(v=vs.111).aspx)

So, I guess the question comes down to what the difference between their meanings of "authenticated" and "confirmed" are.

Answer 1

RequestAuthentication is going to redirect the user to the website and ask for the login. Once the credentials are entered and permission granted for your application it is going back to your website (returnUrl).

Once it comes back you should use VerifyAuthentication to validate the tokens returned by the provider.

var result = OAuthWebSecurity.VerifyAuthentication();

if (result.IsSuccessful)
{
    var provider = result.Provider;
    var uniqueUserID = result.ProviderUserId;
}

So RequestAuthentication is called when the user should be redirected to the provider to login/grant access. (User Login & Consent)

And VerifyAuthentication is the validation part just bellow.