I'm using DotNetOpenAuth to log in as part of my login process. It works great for handling authentication but the process of retrieving user information from various OpenID providers is not working very well.

Using MyOpenId I do get full information that I request using a ClaimsRequest with DotNetOpenAuth. It apparently uses the SREG protocol to request and retrieve this content. This works great with MyOpenId, but doesn't do anything for Google or Yahoo and other providers that do not support this protocol (yet?).

Is there a way to retrieve cross provider user information using DotNetOpenAuth (or some other mechanism other than RPX (not looking for another man in the middle :-}) )?

+2  A: 

I recommend that you look at the actual exchanges that happen. I.e. when your service redirects the user to the provider, find out what parameters are sent, and then, when the user comes back, also find out what parameters are transmitted.

In OpenID 2, there are two ways to request user information: Attribute Exchange (AX), and Simple Registration (SREG). Not sure what SIG is. Whether or not providers implement these protocols, and what information they provide, is their choice (at first, and then hopefully also the user's choice).

I found that Google supports AX, and always provides the email address, and sometimes the user's first and last name. In my experience, Yahoo doesn't provide anything but the claimed ID. As a consequence, I don't accept Yahoo as a provider, see http://pypi.python.org/pypi?%3Aaction=openid

Martin v. Löwis
Thanks. Helpful to know that Google uses AX. Now just figuring out how to get the values out (if they are even coming back). Looked at the request data. When using ClaimsRequest the SREG request is made which presumably doesn't do anything. Lots of encoded stuff comes back but no plain data. The SREG values are plain text when they come back from MyOpenId and that would even be easy to manually parse. Google doesn't return anything though that looks parsable.
Rick Strahl
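Added example, not part of the original thread and not DotNetOpenAuth code: one way to inspect the raw return parameters discussed above, listing SREG fields and AX attributes and keeping only those named in `openid.signed`. The class and method names and the sample query string are constructed for illustration; the code does not verify the signature itself, which remains the library's job.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class OpenIdResponseDump   // hypothetical helper, not a DotNetOpenAuth type
{
    const string AxNs = "http://openid.net/srv/ax/1.0";
    static string Decode(string s) => Uri.UnescapeDataString(s.Replace('+', ' '));

    // Returns SREG fields ("sreg:<name>") and single-valued AX attributes
    // (keyed by type URI), keeping only parameters named in openid.signed.
    public static Dictionary<string, string> SignedAttributes(string query)
    {
        var p = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var kv in query.TrimStart('?').Split('&').Select(x => x.Split(new[] { '=' }, 2)))
            if (kv.Length == 2) p[Decode(kv[0])] = Decode(kv[1]);
        var signed = new HashSet<string>(
            (p.TryGetValue("openid.signed", out var s) ? s : "").Split(','));
        bool IsSigned(string key) => signed.Contains(key.Substring("openid.".Length));

        var result = new Dictionary<string, string>();
        foreach (var kv in p)
            if (kv.Key.StartsWith("openid.sreg.", StringComparison.Ordinal) && IsSigned(kv.Key))
                result["sreg:" + kv.Key.Substring("openid.sreg.".Length)] = kv.Value;

        // The AX alias ("ax", "ext1", ...) is whatever openid.ns.<alias> declares.
        var nsKey = p.Keys.FirstOrDefault(k =>
            k.StartsWith("openid.ns.", StringComparison.Ordinal) && p[k] == AxNs);
        if (nsKey == null || !IsSigned(nsKey)) return result;
        var typePrefix = "openid." + nsKey.Substring("openid.ns.".Length) + ".type.";
        foreach (var t in p.Where(kv => kv.Key.StartsWith(typePrefix, StringComparison.Ordinal)))
        {
            var valueKey = t.Key.Replace(".type.", ".value.");
            if (IsSigned(t.Key) && IsSigned(valueKey) && p.TryGetValue(valueKey, out var v))
                result[t.Value] = v;
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample; ext1.value.lang is deliberately absent from openid.signed.
        var q = "openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
              + "&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
              + "&openid.ext1.value.email=alice%40example.com"
              + "&openid.ext1.type.lang=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage"
              + "&openid.ext1.value.lang=en"
              + "&openid.signed=ns.ext1,ext1.type.email,ext1.value.email,ext1.type.lang";
        foreach (var kv in SignedAttributes(q)) Console.WriteLine(kv.Key + " = " + kv.Value);
    }
}
```

With the constructed input only the email attribute is listed; the language value is dropped because its `value` parameter is not covered by the signature.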
A: 

Check out my answer to a very similar question here:

http://stackoverflow.com/questions/1082502/cannot-get-attributes-from-dotnetopenid-response

Addition: Here's a blog post I wrote on the subject as well. Note that I wrote it before I wrote the AXFetchAsSregTransform behavior, so some of it is easier than presented on the blog post. But of particular note, it mentions that Google ignores all attribute requests that are "optional". So you have to make email "required" in order to ever get it.

http://blog.nerdbank.net/2009/03/how-to-pretty-much-guarantee-that-you.html

Andrew Arnott
Andrew, that's a painful config section :-}. Tried it as is, couldn't get that to work - it blows up with a configuration error on xri proxy setting in the config (null object reference).
Rick Strahl
Dude, don't put in the *entire* config section that the guy put into his question. Scroll down to my answer and put in just that very simple small part. (with the necessary outer tags). The guy who asked the question misinterpreted the configuration reference page I guess and thought it was all mandatory. Certainly not. It's just a comprehensive reference.
Andrew Arnott
Andrew I used the config section from the Wiki page here (not the posted code in the question): http://dotnetopenauth.net:8000/wiki/CodeSnippets/Configuration I have no idea what is required off that and what's optional and what the dependencies are. :-} I did find what I needed here: http://dotnetopenauth.net:8000/wiki/CodeSnippets/OpenIDRP/AXFetchAsSregTransform and this seems to work somewhat better. I can get the email address from Google for example, but nothing else. Has anybody accomplished retrieving email and fullname (or nickname) from Google?
Rick Strahl
Glad you got it working. Google will not give a full name or nickname for their users. They ONLY give email address, and (I think, but perhaps only on a white list) the timezone. It's not a matter of figuring out how to rig your RP so that it works. Google just won't do it yet.
Andrew Arnott
A: 

For clarification I'm posting this link as the answer:

http://www.dotnetopenauth.net/developers/code-snippets/the-axfetchassregtransform-behavior/

This link provides configuration file settings for AXFetchAsSregTransform behavior in a small configuration example (as mentioned by Andrew) which allows using ClaimsRequest() to get both SREG and AX information.

This allows retrieval of some (but not all) request information. For Google it works with email address retrieval at least.

To make a request:

var req = openid.CreateRequest(Request.Form["openid_identifier"]);

var fields = new ClaimsRequest();                       
fields.Email = DemandLevel.Require;
fields.FullName = DemandLevel.Require;

req.AddExtension(fields);

return req.RedirectingResponse.AsActionResult();

To receive the response:

var claim = response.GetExtension<ClaimsResponse>();
string email = null, fullname = null, password = null;
if (claim != null)
{
    email = claim.Email;
    fullname = claim.FullName;
}

Note that Google only seems to pick up the email address and it needs DemandLevel.Require, otherwise nothing gets returned.

Rick Strahl