Hi,

I have managed to get all the authentication parts working; however, I am confused about setting up registration.

By registration I mean that if the OpenID is not attached to an existing account, then a new account must be created.

Should I simply have it return to a registration page (with form fields for registration) and redirect to a different page if the user is registered?

Is there a way to set up a clean and simple registration flow without signing the user in first (FormsAuthentication.RedirectFromLoginPage) and then checking if they are new on every page?

Sorry if this is worded badly; like most other things I ask, it is difficult to explain!

Thanks

+1  A: 

Ideally, no registration is required at all beyond simply an OpenID. Does your site need to know more than a user identifier to provide any functionality at all?

If your site can offer any services to users (even just informational) without asking for more than their identifier, which OpenID supplies, then don't have a registration page at all. This is by far the best for the users and will lower the barrier of entry to new users to your site. Then, when the user accesses a page that offers something that requires the user to give up more information about themselves, stick them with a registration page at that time.

If you must stick up a registration page for all new users, I suggest you do a check every time someone logs in with their OpenID. If you recognize the OpenID Claimed Identifier upon successful login, you just let them through... otherwise you create a database entry for them and redirect them to the registration form.

You can optimize the experience by using OpenID extensions such as Simple Registration or Attribute Exchange so that the user might get a pre-filled out registration form courtesy of the OpenID Provider, further streamlining the registration process.

Andrew Arnott
Actually, when I think about it, no personal information is required. I could always do it Facebook style (well, in the UK at least) and let them enter a username voluntarily later on. Thanks. Oh, and by the way, your blog has helped me out many a time with OpenID-related things. Thanks for the great work!

One last thing: is there a way to 'canonicalise' the OpenID the user entered before they are redirected to the provider? For example, a user may enter "abcd.myopenid.com" whereas the stored form of their OpenID, and the one returned by the provider, is "http://abcd.myopenid.com/".

I'm really glad you asked that normalization question since a lot of people tend to get it wrong, leading to security holes. While you can 'normalize' what the user entered, it is NOT authoritative in ANY sense and should NOT be stored. The *only* identifier you should store and use to look up a user account is the Claimed Identifier that comes back from the Provider in the positive assertion. The OpenID spec goes more in depth on this, but you could just go with DotNetOpenAuth and let it do all this work for you and just take the ClaimedIdentifier from the IAuthenticationResponse object.
Andrew Arnott

Thanks for the reply. I am using DotNetOpenAuth, which so far has reduced a lot of work and code. The only thing that gets stored in the database is the ClaimedIdentifier. I am currently checking whether the user is registered just after they enter their OpenID and click 'sign in'. I set which page on my site to return to after they authenticate with the provider depending on whether they are registered or not. The problem I am faced with is that the user enters a non-normalised version, whereas the database contains the normalised ClaimedIdentifier. Can the library normalise an OpenID?

Update: I have managed to get a normalised version of the OpenID before it goes to the provider; however, I am not sure if it is a productive or efficient way of doing it.

    ' requires Imports DotNetOpenAuth.OpenId.RelyingParty
    Dim oid As New OpenIdRelyingParty
    Dim req As IAuthenticationRequest = oid.CreateRequest(TextBox1.Text)
    Label1.Text = req.ClaimedIdentifier ' normalised form of what the user typed

You're on the right track. IAuthenticationRequest.ClaimedIdentifier is also safe to use and can be used for what you're shooting for. HOWEVER, you must take into account the directed identity case (where the user just types "yahoo.com" and you have no idea who the user is until after they come back from the OP). IAuthenticationRequest.IsDirectedIdentity will be true in this case.
Andrew Arnott
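The flow the answer and the comments describe, as an added example that is not part of the question, the answer or DotNetOpenAuth's own samples: a WebForms login page code-behind that keys accounts only on the Claimed Identifier from the verified positive assertion, does the "registered or not" check once at login time, sends unknown users to a registration page pre-filled from Simple Registration, and treats the user-typed identifier (including the directed-identity case) as display-only. The control names (OpenIdTextBox, StatusLabel, SignInButton), the page name Register.aspx, and the IAccountStore / InMemoryAccountStore types are assumptions; only the DotNetOpenAuth and FormsAuthentication calls are real API.

```csharp
// Added example (not the page's or DotNetOpenAuth's own code): Login.aspx.cs for an
// ASP.NET WebForms relying party. Control and page names, IAccountStore and
// InMemoryAccountStore are assumptions; only the DotNetOpenAuth calls are real API.
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical account store; in a real site this is the database layer.
public interface IAccountStore
{
    bool IsRegistered(string claimedIdentifier);
    void CreatePending(string claimedIdentifier, string nicknameHint, string emailHint);
}

// Stand-in so the page compiles without a database (assumption, not production code).
public class InMemoryAccountStore : IAccountStore
{
    private static readonly Dictionary<string, bool> Rows = new Dictionary<string, bool>();
    public bool IsRegistered(string id) { return Rows.ContainsKey(id) && Rows[id]; }
    public void CreatePending(string id, string nick, string email) { Rows[id] = false; }
}

public partial class Login : Page
{
    private readonly IAccountStore accounts = new InMemoryAccountStore();

    // Stage 1: the user typed an identifier and clicked "Sign in".
    protected void SignInButton_Click(object sender, EventArgs e)
    {
        var openid = new OpenIdRelyingParty();
        try
        {
            IAuthenticationRequest request = openid.CreateRequest(OpenIdTextBox.Text);
            // Ask the Provider to pre-fill the registration form (it may decline).
            request.AddExtension(new ClaimsRequest { Nickname = DemandLevel.Request, Email = DemandLevel.Request });
            // request.ClaimedIdentifier is only the library's normalization of the typed text,
            // and in the directed-identity case ("yahoo.com") it identifies nobody yet, so it
            // is shown to the user but never looked up or stored.
            StatusLabel.Text = request.IsDirectedIdentity
                ? "Redirecting to your provider..."
                : "Redirecting to the provider for " + request.ClaimedIdentifier;
            request.RedirectToProvider();
        }
        catch (ProtocolException ex)
        {
            StatusLabel.Text = "That does not look like a usable OpenID: " + ex.Message;
        }
    }

    // Stage 2: the Provider sent the user back with an assertion (or nothing, on a plain view).
    protected void Page_Load(object sender, EventArgs e)
    {
        IAuthenticationResponse response = new OpenIdRelyingParty().GetResponse();
        if (response == null) return;
        switch (response.Status)
        {
            case AuthenticationStatus.Authenticated:
                HandleAuthenticated(response);
                break;
            case AuthenticationStatus.Canceled:
                StatusLabel.Text = "Sign-in was cancelled at the provider.";
                break;
            case AuthenticationStatus.Failed:
                StatusLabel.Text = "Sign-in failed: " + response.Exception.Message;
                break;
        }
    }

    private void HandleAuthenticated(IAuthenticationResponse response)
    {
        // The Claimed Identifier from the verified positive assertion is the only value
        // that is looked up or stored; the library returns it already in canonical form.
        string claimedId = response.ClaimedIdentifier;
        if (accounts.IsRegistered(claimedId))
        {
            // Known user: one check at login time, then a normal forms-auth sign-in.
            FormsAuthentication.RedirectFromLoginPage(claimedId, false);
            return;
        }
        // New user: create the row now and send them to registration once, instead of
        // re-checking on every page. SREG values are hints from the OP, not verified facts.
        var sreg = response.GetExtension<ClaimsResponse>();
        accounts.CreatePending(claimedId, sreg == null ? null : sreg.Nickname, sreg == null ? null : sreg.Email);
        FormsAuthentication.SetAuthCookie(claimedId, false);
        Response.Redirect("~/Register.aspx");
    }
}
```

Register.aspx can then read the Claimed Identifier from User.Identity.Name, mark the row as complete, and the next sign-in takes the "known user" branch. If you would rather not issue the forms-auth cookie before registration is finished, carry the Claimed Identifier in Session instead of calling SetAuthCookie; either way, nothing the user typed into the text box is ever used as the account key.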