Does anyone have any documentation on DotNetOpenAuth and the way it handles whitelists and blacklists?

My config

<untrustedWebRequest>
    <blacklistHosts>
        <add name="*" />
    </blacklistHosts>
    <whitelistHosts>
        <add name="www.mysite.ca" />
        <add name="mysite.ca" />
        <add name="devel.mysite.ca" />
        <add name="devel.mysite.com" />
        <add name="mysite.com" />
        <add name="www.mysite.com" />
    </whitelistHosts>
</untrustedWebRequest>

What I want is to have it cancel the request if it's any site not in the whitelist. I'm currently running version 2.5.49045 but plan to update soon.

using

<blacklistHostsRegex>
    <add name=".*" />
</blacklistHostsRegex>

blocked every site, even ones in the whitelist.

A: 

I believe all domains which are not in the whitelist will be denied. This is a general concept and I am not sure how DotNetOpenAuth behaves.

Ramesh
+3  A: 

The logic that processes the whitelist and blacklist is like so:

DotNetOpenId/DotNetOpenAuth already has some intuition about some safe and unsafe host names. So it will block some and allow others without you setting anything in these lists. The lists are to override this behavior.

  1. DNOA encounters an implicitly disallowed hostname. Deny -- unless it's on the whitelist in which case let it through immediately.
  2. The hostname otherwise looks safe, but if it is on the blacklist, deny.

A host that's on the blacklist will (almost) never get through (the exception being if it looks unsafe anyway AND it's on the whitelist).

If you want to blacklist everything except a specific set of hosts, I think your best bet is to use just the blacklist, and do a regex "not" match:

<untrustedWebRequest>
    <blacklistHostsRegex>
        <add name="^(?!www.mysite.ca|www.mysite.com|devel.mysite.com)$" />
    </blacklistHostsRegex>
</untrustedWebRequest>

This seems a bit convoluted. But it will work in present versions of DotNetOpenId/DotNetOpenAuth. And going forward, I'll get this fixed to be something much more obvious.

Andrew Arnott
Hmm, I tried with no luck:

<untrustedWebRequest>
    <blacklistHostsRegex>
        <add name="(?!www.nanaimo.ca|nanaimo.ca|secretnanaimo.com|www.secretnanaimo.com)" />
    </blacklistHostsRegex>
    <whitelistHosts>
        <add name="www.nanaimo.ca" />
        <add name="nanaimo.ca" />
        <add name="secretnanaimo.com" />
        <add name="www.secretnanaimo.com" />
    </whitelistHosts>
</untrustedWebRequest>

Basically we allow login from any OpenID, but because our users don't have OpenID accounts we let them create one for use internally. We can't be a full open provider.
Jeff
Sorry... I guess my regex skills with the NOT operator aren't that good. But I still think the idea would work, if someone could come up with the regex to do the correct matching.
Andrew Arnott
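The following is an added Python model of the precedence rules described in this answer (whitelist overrides the built-in deny; blacklist and blacklistHostsRegex deny otherwise-safe hosts) together with a check of why the two negative-lookahead patterns in the thread misbehave. It is not DotNetOpenId/DotNetOpenAuth code: the `implicitly_disallowed` heuristic (non-global IPs, `localhost`, dotless names) is an assumption standing in for the library's built-in notion of unsafe hosts, and matching the regex list with unanchored search semantics (`re.search`, like .NET `Regex.IsMatch`) is likewise assumed.

```python
import re
from ipaddress import ip_address


def implicitly_disallowed(host: str) -> bool:
    """Assumed stand-in for the library's built-in 'looks unsafe' test.

    Treats non-global IP addresses, 'localhost' and dotless names as unsafe.
    """
    try:
        return not ip_address(host).is_global
    except ValueError:
        return host == "localhost" or "." not in host


def is_allowed(host, whitelist=(), blacklist=(), blacklist_regex=()):
    """Model of the two-step decision the answer describes."""
    host = host.lower()
    whitelist = {h.lower() for h in whitelist}
    blacklist = {h.lower() for h in blacklist}

    # Step 1: an implicitly disallowed host is denied unless it is whitelisted,
    # in which case it is let through immediately (even if also blacklisted).
    if implicitly_disallowed(host):
        return host in whitelist

    # Step 2: the host looks safe, so the whitelist is not consulted; any
    # blacklist entry (exact name or regex) denies it.
    if host in blacklist:
        return False
    if any(re.search(pattern, host) for pattern in blacklist_regex):
        return False
    return True


ALLOWED = ["www.mysite.ca", "www.mysite.com", "devel.mysite.com"]

# The pattern from the answer: ^(?!...)$ can only ever match the empty
# string, so as a blacklist it blocks nothing.
ANSWER_PATTERN = r"^(?!www.mysite.ca|www.mysite.com|devel.mysite.com)$"

# The unanchored pattern from the comment: the lookahead is retried at every
# position, succeeds one character in ("ww.mysite.ca" is not in the list),
# so the pattern matches and blocks every host.
UNANCHORED_PATTERN = r"(?!www.mysite.ca|www.mysite.com|devel.mysite.com)"


def not_in_list_pattern(hosts):
    """Build a 'host is not exactly one of these' regex.

    Anchors both ends, escapes the dots, requires the alternative to run to
    end-of-string, and then consumes the host so a real match is produced.
    """
    alternatives = "|".join(re.escape(h) for h in hosts)
    return rf"^(?!(?:{alternatives})$).+$"


if __name__ == "__main__":
    fixed = [not_in_list_pattern(ALLOWED)]
    for h in ["www.mysite.ca", "www.mysite.ca.example.org", "example.org"]:
        print(f"{h:30} allowed={is_allowed(h, blacklist_regex=fixed)}")
```

Two points the model makes visible: `www.mysite.ca.example.org` is still denied by the corrected pattern because the lookahead requires the allowed name to run to the end of the host, and a host that looks safe is denied when it is on the blacklist even if it is also on the whitelist, which is the "(almost) never" case the answer mentions.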
+1  A: 

If you're trying to filter the Providers that are allowed to log users in, this may not be the best approach, as it would break delegated identifiers from other domains that delegate to OPs that you do mean to trust.

To filter on OP Endpoint, set the OpenIdRelyingParty.EndpointFilter property to a function that returns true for just those endpoints that you like, and false for those you don't.

Andrew Arnott