tags:

views:

173

answers:

1
Q: 

DotNetOpenAuth OpenIdTextBox For Google/Yahoo

If I want to integrate DotNetOpenAuth (primary for people to use their Google/Yahoo accounts to login, not act as provider) into my existing site, is this one line control good enough? 

<rp:OpenIdTextBox ID="OpenIdTextBox1" runat="server" />

Say, if a user wants to login as Google, I can simply set the textbox to "https://www.google.com/accounts/o8/id" and then they can login. I tried it with my Google account, it seems working and I can get the token from HttpContext.Current.User.Identity.Name.

Is this "one line" solution secure enough for production? or is it a "must" that I have to use "OpenIdSelector" or "OpenIDLogin" control?

I also opened the .net template and some samples, they are very complicated. There are PAPE policies, xrds.aspx (for discovery), ConsumerKey + ConsumerSecret...etc. As a newbie, I am very confused. Any tips on this will be really appreciated. Thanks

+1  A: 

Security-wise what you've done is sufficient. But there is more that you'll want/need to do. The first one being to set this attribute on your top-line page tag:

<%@ Page ValidateRequest="false" %>

Otherwise your users will see random login failures because some OpenID messages "look" dangerous to ASP.NET.

The next thing you'll want to do is set up your xrds.aspx page and the link to it from your home page. This isn't strictly necessary to get basic OpenID working, but it enhances security for your site if you have open redirector URLs, and some Providers like Google and Yahoo can display ugly warning messages to your users if you don't properly implement this "RP discovery" aspect of your site.

After that, you're free to leave it alone if you're getting everything you need.

But if you're only interested in Google users, consider using the OpenIdButton ASP.NET control instead of OpenIdTextBox as it may provide a better visual for your users.

Andrew Arnott  2010-05-12 04:27:51
Thanks a lot Andrew for your tips, they are very useful. Your DotNetOpenAuth is just amazing, keep up the good work. The more I think about it, I am thinking of using "OpenIdSelector". I guess the validaterequest and xrds.aspx tips also applies to OpenIdSelector, right?
userb00  2010-05-12 19:13:16
Thanks. And that's right.
Andrew Arnott  2010-05-13 05:35:29

related questions

Having problems with Attributes and DotNetOpenID
Implementing multi-database, multi-provider authentication system...
WSS and OpenID
rpxnow vs dotnetopenid, What do you think ?
How do i moq this DotNetOpenAuth Response object?
RememberMe with DotNetOpenId in ASP.NET MVC
DotNetOpenId ClaimedIdentifier - Is it safe to hard-code this?
DotNetOpenId -- "This message has already been processed" Error
Retrieve GMail data through DotNetOpenId
Can i request a MyOpenId persona's Avatar with dotNetOpenId?
How can i set Policy Url programmatically?
DotNetOpenID Programmatic Login
Problem installing OpenID on ASP.NET MVC Site
How can I change the ReturnUrl for OpenID?
Request email address from OpenID provider
Limited Use OpenID
Get FriendlyIdentifierForDisplay from ClaimedIdentifier in dotNetOpenId
Logging in to an OpenID site from a .net app
What is a good openid selector control?
Specifying a proxy to use with DotNetOpenID
What's the secret to getting ClaimsResponse working with DotNetOpenId?
Can I use OpenId with the ASP MembershipProvider?
How is OpenID implemented?
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
OpenID authentication in ASP.NET?