How to pass password given by user for openid without going to openid site in .Net?

Question

Hi ,

I am using the below code.

OpenIdRelyingParty createRelyingParty()
{
    OpenIdRelyingParty openid = new OpenIdRelyingParty();
    int minsha, maxsha, minversion;
    if (int.TryParse(Request.QueryString["minsha"], out minsha))
    {
        openid.Settings.MinimumHashBitLength = minsha;
    }
    if (int.TryParse(Request.QueryString["maxsha"], out maxsha))
    {
        openid.Settings.MaximumHashBitLength = maxsha;
    }
    if (int.TryParse(Request.QueryString["minversion"], out minversion))
    {
        switch (minversion)
        {
            case 1: openid.Settings.MinimumRequiredOpenIdVersion = ProtocolVersion.V10; break;
            case 2: openid.Settings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20; break;
            default: throw new ArgumentOutOfRangeException("minversion");
        }
    }
    return openid;
}

OpenIdRelyingParty openid = createRelyingParty();  
IAuthenticationRequest request = openid.CreateRequest(openIdBox.Text); 

request.RedirectToProvider();

the above line goes to the openid site to get the authentication.But i would like to authenticate without going to the openid site. Can you please help me out.Thanks

Answer 1

If I understand correctly, what you are trying to do is have the OpenID username and password captured on your site and then pass them to OpenID in the background for authentication. Do you not see that this is a very bad idea? If OpenID made this possible I, for one, would stop using them. I don't want them to provide the capability for client applications to grab my username and password thank you very much...!!!!

Answer 2

OpenID is build in such way, to prevent the dependant parties to get the password.

In addition, Username + Password is not the only possible way for users to log into an OpenID

For example, My OpenID doesn't have a password, it has a certificate + verification and my fallback has Username + Password + Yubikey OTP login.

So, Effectively... It is not possible to work the way you imagined with this question, as a password might not even be part of the OpenID, or not enough to enable login.

Answer 3

When you use OpenID you are giving them responsibility for identification and authentication, and they do it for you. If you want to see the information used to authenticate and deal with it within your code, OpenID is not for you.

Answer 4

The only way you can avoid redirecting to the Provider is to use a popup window. The latest version of DotNetOpenAuth (v3.2) adds popup window behavior so that you can do this. Use the OpenIdTextBox control and set its Popup property to Always.

BTW, It looks like you copied your code from the DotNetOpenId sample's loginProgrammatic.aspx.cs file. Just so you know, you can take all that QueryString checking and special logic out. That's just to support some interop testing.