Question

The company I work for wants to publish an internal website to the outside world, but also wants to identify the visitors in some easy way. Some functionality will be visible to all visitors but most must be visible only to authenticated visitors. (And some functionality is restricted to admin visitors.) While management is considering implementing our own authentication system, I've suggested just using an existing technology that's already available and which keeps the management of usernames/passwords away from us. (Because we're just amateurs when we're talking about security. The authentication needs to be very good.)

So I started with OpenID from Google and examined the library that they provide. Looks easy to use and I can get tokens that tell me that a user is authenticated. But how do I identify this user so I can link our profile information to his ID/Token/Whatever?

I know I'm missing something so to keep it simple: I just need some example that shows how to authenticate the visitor with Google and then get some token back that I can use to link to this user forever. (So, no session token.) This token could then be used for the user to fill in his/her profile.


Solution

Since your tags suggest your language is C#, I recommend DotNetOpenAuth. It is free, and includes samples that will show you how to get your token (in OpenID terms it's called a Claimed Identifier) that you can use to distinguish between users.

To get the Claimed Identifier (the permanent identifier you're looking for), if you're using the OpenIdTextBox or OpenIdLogin control just handle its LoggedIn event and get the e.ClaimedIdentifier property. If you're doing it programmatically (no controls), the OpenIdRelyingParty.GetResponse() method returns an IAuthenticationResponse interface that has a ClaimedIdentifier property on it you can get.

Then you can implement an ASP.NET RoleProvider (pretty trivial, really) that will allow some OpenID Claimed Identifiers to belong to an admin role, allowing your standard ASP.NET authorization techniques to progressively lock out individuals based on how they've authenticated.
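The programmatic route described in the answer, as an added example that is not part of the original answer or of DotNetOpenAuth's own samples. It signs the visitor in only when the response status is `Authenticated` and uses the Claimed Identifier as the permanent account key. Assumptions: the page name `Login`, the `OpenIdProvider` appSettings key, and the `~/Profile.aspx` target are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Web.Security;
using System.Web.UI;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

// Code-behind for a hypothetical Login.aspx page.
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        using (var relyingParty = new OpenIdRelyingParty())
        {
            // Null on an ordinary request; non-null once the provider redirects back.
            IAuthenticationResponse response = relyingParty.GetResponse();
            if (response == null)
            {
                // Assumption: the provider's OpenID identifier is kept in web.config
                // under the hypothetical appSettings key "OpenIdProvider".
                string provider = ConfigurationManager.AppSettings["OpenIdProvider"];
                try
                {
                    relyingParty.CreateRequest(Identifier.Parse(provider)).RedirectToProvider();
                }
                catch (ProtocolException)
                {
                    Response.StatusCode = 502; // discovery or request creation failed
                }
                return;
            }

            // Canceled, Failed and every other status must not produce a login.
            if (response.Status != AuthenticationStatus.Authenticated)
            {
                Response.StatusCode = 403;
                return;
            }

            // The Claimed Identifier is the stable key for the local profile row.
            // Do not key accounts on FriendlyIdentifierForDisplay, which is display-only.
            string claimedId = response.ClaimedIdentifier.ToString();
            FormsAuthentication.SetAuthCookie(claimedId, false); // session cookie
            Response.Redirect("~/Profile.aspx"); // hypothetical profile page
        }
    }
}
```

After this runs, `User.Identity.Name` holds the Claimed Identifier, which is the value a custom RoleProvider receives as the username when deciding admin membership. Some providers issue a different Claimed Identifier per realm, so keep the site's realm (scheme and host) stable once accounts exist.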

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow