views:

35

answers:

2

Is it possible to limit the users who can sign in with open id on my site. I have clients that I want to give access to a client area on my website. I don't want anyone with a open id to be able to login just my clients. Is this possible?

A: 

OpenID is made for authentification, not for authorization. I am sure, you could make it work (*), however you must keep in mind that OpenID has not been made for this sort of task.

If you want to do it, you must probably restrict the set of allowed OpenID providers to prevent a malicious provider to hand faked/bogus identity URLs to your application (consumer).

(*) how, depends on where you want to enforce the restriction (web server, web framework, etc.)

ChrisM
A: 

One way to do this would be to create a "sign up" form to validate the user. Part of the sign up process would be to associate your OpenID. You can then leave the newly created account in a "pending" mode to be approved by an admin. (note: if you have a different way of adding the clients, you would use that method.)

Basically you would create a profile for a user the same way you would in any other application, except you would replace the UserName / Password portion with OpenID.

rockinthesixstring
Thanks this has put me on the right path
dotNetDave