tags:

views:

54

answers:

1
+1  Q: 

How can I validate OpenId token in C#?

I am trying to validate using this parameters:

"openid.mode=check_authentication"
+ "&openid.assoc_handle=" + txtAssocHandle.Text
+ "&openid.response_nonce=" + HttpUtility.UrlEncode(txtNonce.Text)
+ "&openid.op_endpoint=" + txtEndpoint.Text
+ "&openid.sig=" + txtSignature.Text
+ "&openid.signed=mode,identity,return_to";

and it returns

is_valid:false ns:http://specs.openid.net/auth/2.0

what am I doing wrong here? the txt fields are being filled with login response values

A: 

Your openid.signed argument needs to be exactly what the OP sent to your RP rather than this incomplete hard-coded list of 3 parameters, for one thing. All your arguments should be URL encoded as well, not just your nonce.

There is a lot more to validating an OpenID token than just sending it back to the OP using "dumb mode". What are you trying to do?

Have you considered using an OpenID library? Seriously, getting OpenID right (meaning secure, and interoperable) is a big job. Way bigger than assembling just the right query string. :)

Andrew Arnott  2010-07-21 20:44:26
I want user to login, then I take the token, pass it to a web service, then the web service must validate this token.I've tried this library, but I didn't find any help to validate the token.
tiagodll  2010-07-22 13:34:50
Are you passing it to a web service *just* to validate the token, or because you're using the token to authorize a request that is made on the user's behalf?
Andrew Arnott  2010-07-22 19:46:21
I am using the token as parameter for every method to verify if user is authorized to access that method.
tiagodll  2010-07-22 19:55:09
actually, webservice must only verify if the user is logged in the openid server, because the authorization will be done in other way.
tiagodll  2010-07-22 20:31:57
OpenID was *not* designed for this, and you'll run into trouble when you send the same OpenID assertion for more than one web service call since direct verification should only work *once* per assertion. What you're doing is really a scenario better covered by OAuth IMO.
Andrew Arnott  2010-07-24 00:22:46

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?