Hi all,
I'm trying to make use of OpenID to allow me to log in to my website via Google. Eventually it'll be used by visitors, but for now it's simply hard-coded as Google to verify my own login only.
My code looks like this:
```csharp
var openId = new OpenIdRelyingParty();

// If we have no response, start
if (openId.Response == null)
{
    // Create a request and send the user off
    openId.CreateRequest("https://www.google.com/accounts/o8/id").RedirectToProvider();
}
else
{
    // We got a response - check it's valid
    if (openId.Response.Status == AuthenticationStatus.Authenticated
        && openId.Response.ClaimedIdentifier == "blah_blah")
    {
        // Success: signed in as the expected user
    }
}
```
Now, I have some questions:
Is it safe to run this once, capture ClaimedIdentifier and put it in there? Will it always be the same?
Is it safe to hard-code it there? (Is it secret? If a user did see it, would that compromise anything? Can a user forge this? Can only Google cause ClaimedIdentifiers starting with their URL?)
I've tried the docs, but they're a little sparse and I'm having trouble finding answers to these questions.
**Edit:** I may have answered my own question. I used a meta-tag on my website (openid.delegate) so that I could use my blog URL instead of a nasty Google URL for logging in. When I log in via Google, it returns ClaimedIdentifier as my blog URL. This makes me think anybody could go to my login page, log in as their own Google account and it would return them to my blog with my own ClaimedIdentifier.
- How am I supposed to validate a user when ClaimedIdentifier seems so easily forged?
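As an added example (not from the question and not DotNetOpenId/DotNetOpenAuth code), here is in Python the check a relying party performs on a positive assertion when the claimed identifier delegates to a provider: discovery on the claimed identifier yields the OP endpoint and the delegated local identifier, and the assertion is accepted only if its `openid.op_endpoint` and `openid.identity` match those, so another person's Google account cannot be asserted under the blog URL. The blog HTML and identifiers are constructed placeholders; signature checking against the association and nonce replay checks are assumed to happen elsewhere.

```python
from html.parser import HTMLParser

# Constructed sample: HTML served at the blog URL that is used as the claimed identifier.
# It delegates to a Google OP-local identifier (placeholder ids, not real accounts).
OWNER_CLAIMED_ID = "https://blog.example.org/"
OWNER_HTML = (
    '<html><head>'
    '<link rel="openid2.provider" href="https://www.google.com/accounts/o8/ud">'
    '<link rel="openid2.local_id" href="https://www.google.com/accounts/o8/id?id=OWNER_PLACEHOLDER">'
    '</head><body></body></html>'
)


class _LinkRels(HTMLParser):
    """Collect rel -> href from <link> tags (HTML-based OpenID discovery)."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.rels[rel] = a["href"]


def discover(html):
    """Return (op_endpoint, op_local_id); accepts OpenID 2.0 and 1.1 link rels."""
    p = _LinkRels()
    p.feed(html)
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    local_id = p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")
    return endpoint, local_id


def verify_assertion(params, expected_claimed_id, claimed_id_html):
    """Accept a positive assertion only if it is consistent with discovery on the claimed id.
    params: the openid.* query parameters of the response; claimed_id_html: what an
    HTTP fetch of the claimed id returned (passed in here so the example runs offline)."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.claimed_id") != expected_claimed_id:
        return False
    op_endpoint, local_id = discover(claimed_id_html)
    if op_endpoint is None or params.get("openid.op_endpoint") != op_endpoint:
        return False  # assertion did not come from the provider the claimed id names
    if params.get("openid.identity") != (local_id or expected_claimed_id):
        return False  # provider asserted a different account than the delegated one
    # Every field relied on above must be covered by the (separately verified) signature.
    signed = set(params.get("openid.signed", "").split(","))
    return {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"} <= signed
```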