tags:

views:

29

answers:

1
Q: 

Storing a users OpenID and how to handle different provider urls

Hi, I'm exploring OpenID for a new "hobby" project. Mostly just to learn how it works and have downloaded the DotNetOpenAuth samples and looked at the Nerddinner implementation.

And I have a couple of questions.

  1. What do you store locally to identify returning users (role management, their posts, whatever)? What I see is people using the ClaimedIdentifier which leads me to the next question.

  2. How do you handle users choosing another url for the OpenID?

If I use Google as my provider I can use "http://www.google.com/accounts/o8/id" as the url or I might use "http://www.google.com/profiles/username". In the DotNetOpenAuth relying party sample I get a different ClaimedIdentifier value when using the two.

www.google.com/accounts/o8/id?id=blahblahbla and www.google.com/profiles/

Looking at the stackoverflow.com login it seems to handle this and gets me to my account when using either one of the google urls or using facebook.

But the different OpenID providers have no knowledge of each other am I right?

Anyway I hope some of you clever people can help me understand :)

--

Christian

A: 

You want to use the FormsAuthentication methods to make asp.net keep the user logged in. You are simply using OpenId to validate a user name and password from a provider that you do not manage.

Yes, the claimed identifier is the token that identifies a user from an open id provider. If you want to assign more than one claimed identifier to your users, you just need to store all of their claimed identifiers in your database. Check which user is attached to that claimed identifier during the authentication process.

NickLarsen  2010-10-27 21:05:43
Thanks Nick, but how did stackoverflow know that I was the same user when logging in with the two different urls? I even tried in different browsers to make sure no cookies were left behind to associate one login attempt with another. Am I missing something about OpenID?
ChristianSparre  2010-10-27 21:19:30
StackOverflow uses something called stackAuth, a custom solution they built to go across all of their sites. I can only imagine the magic is built into that. At some point you had to be logged in while attaching the others though I think.
NickLarsen  2010-10-27 21:44:49
Magic it is then :) thanks again...
ChristianSparre  2010-10-29 15:39:25

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?