Confused about OpenID and ASP.NET - asp.net

I don't want to add another username and ID to the world, so I really want to integrate openId into my web site. However, I am confused about it. I looked at various blogs about it, and they all point to DotNetOpenAuth. I plugged that in, but didn't get quite what I expected.
What I see is something like this (from Scott Hanselman's blog)
What I expected to see was the same sort of log on experience I have here at stackoverflow.com
I am obviously confused on what OpenID is. Can someone help clarify for me? Even better, can someone point out what I need to do to get that stackoverflow.com experience.
Thanks.

Think of Open ID as the concept of taking a providers word that I am 'Joe'. There are many different providers you can use. Facebook, Twitter, Stackexchange, Google, Yahoo, and more. The UI you have is just using the OpenID provider. If you want a better UI, check out this jquery plugin, or this one.
The UI SO uses (and the two linked above) is really just eye candy. Conceptually they build a URL that your user will be sent to. Some require the username in the URL, others do not. If you are going to roll your own solution, you will need to know what every provider needs. If you use a prebuilt one, just go with it. :)
I did a blog bost a while ago that walks you through implementing DotNetOpenAuth in an MVC site. What is important to note is the method ActionResult LogOn(string openid_identifier) takes the URL the provider needs, and redirects the user there. You will get this URL from one of those controls. If I remember correctly, it handles everything for you. All you do it tell it where to POST the form to.
Once you get a response back (the other LogOn method), you can process it. response.ClaimedIdentifier is basically the users ID. It will be different for each user. If I log in using Google, AND Facebook, it will be different for both even though I am the same person. If you want your users to be able to log in with more than one, you will need to allow them to assosiate the logins, and code accordingly.

Ok so OpenID works by communicating with trusted openID providers (e.g. google) to tell the site who you are. A write up about how google's implementation can be found here http://www.readwriteweb.com/archives/google_clarifies_openid_implementation.php
Here is what I see when I click on Scott Hanselmans comment login system. http://imagebin.org/186528 Note how the OpenID textbox adds the url? I am pretty sure that all stackoverflow is doing is teh same thing - but having a link to click rather than something less usable.

Related

How to use Cookies to prevent login credential sharing in Wordpress

First of all, I'd like to preface this post by stating that I know this is a terrible user experience...
I have a client who would like to prevent site visitors from sharing login credentials.
Because this is a corporate marketing site, social login is not an option.
The client claims that there is a site where upon registration, a cookie is dropped onto the user's device and the user is also given a unique password that will only work on that specific device.
Does anyone know how to make this work using Wordpress? (I'd like to avoid using third party plugins)
This sounds like the use of Single Sign On (SSO) or 2 factor Authenticaton (2FA) will be needed. The SSO Wikipidea page references a cookie based solution for TCP/IP networks https://en.wikipedia.org/wiki/Single_sign-on so perhaps that's how this came up from your client.
Once you identify what your options are with that, based on what your client is using for authentication, then set up may be a bit easier. I think a plugin would save you a lot of time, since this is a pretty elaborate task. This one may do the trick https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
Regardless it's pretty challenging to prevent the sharing of credentials. SSO may be a deterrent if that gives access to something else that user doesn't want to share. 2FA doesn't prevent a user from sharing the pin thats generated too. Perhaps the only real way is to require an IP match on a device with bio-metric authenticaton.

Is there some logout hook in Plone 4?

I have a Plone-4.3-based site which provides access to another site as well: Whenever someone logs in to my site, (s)he can click on special hyperlinks and proceed to that other site without the need to enter a password there (some kind of simple SSO, based on a ReST interface).
Now I have the need to logout the user from that other site whenever (s)he logs out from my own site, e.g. by sending a special request which is of course not the topic of this question (perhaps it still needs to be implemented, because session expiration used to be good enough.)
How would I accomplish this, to be precise: Where would I hook in that secondary logout code? Is there some kind of logout hook, or should I modify some logout.[c]py view? I couldn't find no event nor category mentioned in the Event types section here.
There is the Products.PlonePAS.events.UserLoggedOutEvent for such purposes.
As an example, it is explained at the Events Section of the Plone Addon Developer Guide

Can I bypass a sites login page with a form POST?

I am trying to integrate a product offered by a 3rd party into my web site. This 3rd party does not have the resources to make code changes for a single sign-on type of setup so I am looking for a way to provide a similar user experience through some possible shortcuts. One that I am considering is to use an HTML POST to post the login credentials directly to the form on the login page which would hopefully bypass the page all together and direct the user directly to the home page fully authenticated. Does anyone know if this is possible, and if so how would I go about it?
i don't think it's possible. i believe that most well made authentication will have some sort of nonce in its form, which is essentially to ensure that unless you use their form to submit, the submission will be rejected.
and even if currently they don't have nonce, in the future they might have

Is there a way to secure an RSS feed behind ASP.Net Forms Authentication and still allow readers?

Is there a way to create an RSS feed that only customers who have logins to our customer portal would be able to see the content of the feeds? I know I can secure the RSS feed using standard ASP.Net authentication which would be fine for viewing while on our site... but how would a reader be able to subscribe to the feed then?
I'm pretty sure the answer to this is No... but maybe there's another solution I'm not seeing?
Thanks!
You can secure it with a other auth cookie, with a long time out like in this article
http://www.andreas-kraus.net/blog/increase-aspnet-authentication-membership-cookie-timeout/
but i prefer another approach. If you have a user, than its always good to give the user an uuid column in the database. Then you could give the user a link to your feed with his uuid and can check if he is allowed too consume it without other authentification.
hope that helps
You can not use forms authentication as an RSS client would not know how to handle that. What you could do though is secure it with basic authentication and let the users that are suppose to be able to access the RSS feed include the username and password in the URL. E.g. like:
http://username:password#www.domain.com/feeds/rss
This should be supported by any RSS client as this is a perfectly valid URI. Preferable use https though as the username and password are sent in the clear.
Note: Recent versions of Internet Explorer do not support this anymore as it was subject to spoofing. For example, spam mail could be sent containing links to:
http://www.trustedbanksite.com#somewhere.ru/
This could easily fool users into thinking that they are actually visiting the website of their bank. I don't know how the support is in other browsers.

How to loggedin in LinkedIn automatically from Asp.net Application?

I have created a username and password to enter and search people in linkedin. Now, I am devloping a web application using asp.net. I need to open a popup page which is displaying the searched results in linked in as logged in.
When the popup page is displaying, I need to logged in automatically using the username and password.
So, here is my question,
How to logged in automatically when the button clicked in Asp.net application using linked in username and password?.
Thanks
The problem is twofold:
deciding which credentials to use
actually logging in
Logging in is fairly straightforward: post to LinkedIn's login URL in the manner that LinkedIn expects. Unfortunately, LinkedIn still does not have a public API, so this is going to require hackery. Go to a LinkedIn web page that allows login and analyze the page source. There will be a field names for username and password in the login form, and the login form will post to a specific URL. Duplicate the username and password with a web request to the URL of the form. You will receive a cookie as part of the response. Make sure you include that cookie in future requests to LinkedIn and you are then "logged in" for every request.
Of far more importance than the actual logging in, which is a simple programming challenge, is deciding which credentials to use. I'm guessing that you're building an application for others to use, rather than yourself. If so, you'll need to ask them to give you their LinkedIn credentials. Beware: this is something that most people simply will not do. It's a trust issue; if they give you their credentials, you now have access to their profile and can do nefarious things with it. You'll need a good disclaimer explaining how you would never do that, ever, and you'll need the people who read it to believe you. Not as easy as it sounds.
If, however, this is just for you, you're on easy street. Just use your own credentials.

Resources