I have an ASP.NET MVC application into which I have just integrated the RPX third-party federated identity system. The integration is working OK, but I'm having some difficulty wrapping my head around what to do with it at the ASP.NET level.
Because the identity is handled externally, I have no need for passwords in my app: I never receive the user's password, just their identity. However, the ASP.NET Membership Provider stuff requires passwords be passed around in order to create a user, sign a user in, etc.
I've been considering using new Guid() at creation time, but this would require a call to the database to retrieve the user's password before I could sign the user in via the membership provider. I could use the same password for each user so that it's known in advance, but I'm concerned that this would make my users' data insecure.
I'd be interested to hear how other sites handle this issue, e.g., StackOverflow.
[Please also see my other question, regarding membership providers for such an app.]