If I want to integrate DotNetOpenAuth (primary for people to use their Google/Yahoo accounts to login, not act as provider) into my existing site, is this one line control good enough?

<rp:OpenIdTextBox ID="OpenIdTextBox1" runat="server" />

Say, if a user wants to log in with Google, I can simply set the textbox to "https://www.google.com/accounts/o8/id" and then they can log in. I tried it with my Google account; it seems to work, and I can get the token from HttpContext.Current.User.Identity.Name.

Is this "one line" solution secure enough for production? Or is it a "must" that I use the "OpenIdSelector" or "OpenIDLogin" control?

I also opened the .NET template and some samples; they are very complicated. There are PAPE policies, xrds.aspx (for discovery), ConsumerKey + ConsumerSecret, etc. As a newbie, I am very confused. Any tips on this will be really appreciated. Thanks

+1  A: 

Security-wise what you've done is sufficient. But there is more that you'll want/need to do. The first one being to set this attribute on your top-line page tag:

<%@ Page ValidateRequest="false" %>

Otherwise your users will see random login failures because some OpenID messages "look" dangerous to ASP.NET.

The next thing you'll want to do is set up your xrds.aspx page and the link to it from your home page. This isn't strictly necessary to get basic OpenID working, but it enhances security for your site if you have open redirector URLs, and some Providers like Google and Yahoo can display ugly warning messages to your users if you don't properly implement this "RP discovery" aspect of your site.

After that, you're free to leave it alone if you're getting everything you need.

But if you're only interested in Google users, consider using the OpenIdButton ASP.NET control instead of OpenIdTextBox as it may provide a better visual for your users.

Andrew Arnott
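To make the "RP discovery" step concrete, here is an added example of what the xrds.aspx document and the link to it from the home page look like, following the OpenID 2.0 relying-party discovery format. This is an illustration written for this page, not code from the question, the answer, or the DotNetOpenAuth samples; the site URL (https://www.example.com) and the login page path (/login.aspx) are assumed placeholders that you would replace with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- xrds.aspx: served with Content-Type application/xrds+xml.
     Lists every return_to URL your site uses, so a Provider can verify
     that the return_to it is asked to redirect to really belongs to you
     (this is what prevents your site from being abused as an open redirector
     and what stops Google/Yahoo from showing the "unverified site" warning). -->
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <!-- assumed placeholder: the page hosting OpenIdTextBox / OpenIdSelector -->
      <URI>https://www.example.com/login.aspx</URI>
    </Service>
  </XRD>
</xrds:XRDS>
```

The second half of RP discovery is the pointer from your realm (usually the home page) to that document. Put this in the head of the home page, again with the assumed placeholder host:

    <meta http-equiv="X-XRDS-Location" content="https://www.example.com/xrds.aspx" />

Two things to check once it is in place: the realm your control sends must resolve to a page that carries this meta tag (or emits the same value as an X-XRDS-Location HTTP header), and every return_to URL the control can generate must appear as a URI in the XRDS, otherwise the Provider treats the site as unverified.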
Thanks a lot Andrew for your tips, they are very useful. Your DotNetOpenAuth is just amazing, keep up the good work. The more I think about it, I am thinking of using "OpenIdSelector". I guess the ValidateRequest and xrds.aspx tips also apply to OpenIdSelector, right?
userb00
Thanks. And that's right.
Andrew Arnott