I'm trying to log in with dotNetOpenId to GMail accounts. It works, but I'm not able to retrieve any claims. I know I could retrieve email addresses or user names as well, but no claims are being returned; only the ClaimedIdentifier is available. Does anyone know how to retrieve this data from Gmail accounts? If you could please provide me an example of ClaimsRequest configuration I would be grateful.

Thanks

+2  A: 
// Either you're creating this already or you can get to it in 
// the LoggingIn event of the control you're using.

IAuthenticationRequest request;

// Add the AX request that says Email address is required.
var fetch = new FetchRequest();
fetch.Attributes.Add(
    new AttributeRequest(WellKnownAttributes.Contact.Email, true));
request.AddExtension(fetch);

Google then authenticates the user and returns the email address, which you can get with:

var fetch = openid.Response.GetExtension<FetchResponse>();  
if (fetch != null) 
{  
    IList<string> emailAddresses = fetch.GetAttribute(
        WellKnownAttributes.Contact.Email).Values;  
    string email = emailAddresses.Count > 0 ? emailAddresses[0] : null;  
}

You can see my blog post on the subject for a bit more information. The important thing to note here is that Google will only tell you the user's email address if you mark it as required (as I have done in the above snippet). But this also means that if the user does not want to share his email address, he cannot log in at all. Sorry, that's the way Google set it up. Other Providers that people use have different behaviors, unfortunately.

Andrew Arnott
Thanks for the reply. I've used your solution in my code, but it doesn't work anymore, I think because I've included more attributes than just the email one... so I am going to use this solution and I'll tell you. As you said, it's needed to implement an exchange by provider!
Hoghweed
Google is unique in that it will only give you the attribute value ONCE per user. So if you test it with your own Google account and click "Allow this site to remember me", it won't give the email address the next time. Your RP MUST store the value and recall it the next time the user logs in.
Andrew Arnott
Can I force Google somehow to forget that it gave me this information?
Matthias Hryniszak
Yes. Visit https://www.google.com/accounts/IssuedAuthSubTokens and "Revoke Access" for your RP. That will get Google to send the data again the next time.
Andrew Arnott
Andrew, is this a common practice (for providers like Google) to do this? It sounds ... sorta ... lame???
Pure.Krome
Not in my experience. As far as I know, Google is the only one to behave this way.
Andrew Arnott
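
The store-and-recall step described in the comments above, as an added example that is not from the original thread or from the library. `ReleasedEmailStore` and `Resolve` are hypothetical names, the in-memory dictionary stands in for the RP's user table, and the identifiers and email address are constructed sample values.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical helper (not part of the OpenID library): remembers the email a
// Provider released on an earlier login. Records are keyed on the claimed
// identifier, which is what the assertion authenticates; the email is only an
// attribute attached to it.
public sealed class ReleasedEmailStore
{
    // In-memory stand-in for the RP's user table (assumption for this sketch).
    private readonly ConcurrentDictionary<string, string> emails =
        new ConcurrentDictionary<string, string>(StringComparer.Ordinal);

    // claimedIdentifier: the ClaimedIdentifier of the positive assertion.
    // emailFromResponse: first value taken from the FetchResponse, or null when
    // the Provider sent no AX data (Google on a repeat login).
    // Returns the email to use for this session, or null if none is known yet.
    public string Resolve(string claimedIdentifier, string emailFromResponse)
    {
        if (string.IsNullOrEmpty(claimedIdentifier))
            throw new ArgumentException("claimed identifier required", "claimedIdentifier");

        if (!string.IsNullOrEmpty(emailFromResponse))
        {
            // Fresh value from the Provider: store it, replacing any older one.
            emails[claimedIdentifier] = emailFromResponse;
            return emailFromResponse;
        }

        // No AX data this time: fall back to what was stored on first login.
        string stored;
        return emails.TryGetValue(claimedIdentifier, out stored) ? stored : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new ReleasedEmailStore();
        const string id = "https://op.example/id?id=constructed-1"; // constructed

        Console.WriteLine(store.Resolve(id, "user@example.com")); // first login
        Console.WriteLine(store.Resolve(id, null));               // repeat login
        Console.WriteLine(store.Resolve("https://op.example/id?id=constructed-2", null) ?? "(none)");
    }
}
```

A null result means the RP has never received an email for that identifier, which is the case the revoke-access step in the comments addresses during testing.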