OpenID Integration - asp.net

Does anyone know of an ASP.NET guide to implementing OpenID and what information can be returned by the OpenID provider? I understand you can get the email address but if someone logs in with their Google OpenID can you get access to their addresses?

Yes, OpenID Providers can and often do offer 'claims' or 'attributes' about the people logging in if the OpenID relying party requests them and the user consents to these data being shared.
If you use DotNetOpenAuth for your ASP.NET OpenID library, it has built-in support for several ways of getting these attributes but keeps it simple on your side to get at them regardless of which way the Provider offers them. If you download the library it comes with a sample of how to do this.
As for work address and some other attributes specific to certain domains (domains of data--not Internet domains), very few Providers offer them. The best you can do is get "full address" and ask the user if that's the one they want to use.
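As an added example (not from the answer above or from the DotNetOpenAuth samples), here is a relying-party login page that asks for the e-mail through both Simple Registration and Attribute Exchange and reads whichever one the Provider answers. The control names and the local account lookup are assumptions.

```csharp
using System;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Added example, not from the original post. Assumed Web Forms controls: OpenIdBox (TextBox),
// ErrorLabel (Label) and a Button wired to LoginButton_Click; the local account lookup is left to you.
public partial class Login : System.Web.UI.Page
{
    private static readonly OpenIdRelyingParty RelyingParty = new OpenIdRelyingParty();
    // Step 1: user submits an OpenID; redirect to the Provider, asking for attributes.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        Identifier id;
        if (!Identifier.TryParse(OpenIdBox.Text, out id)) { ErrorLabel.Text = "Not a valid OpenID."; return; }
        try
        {
            IAuthenticationRequest request = RelyingParty.CreateRequest(id);
            // Simple Registration (SReg): what most Providers answer.
            request.AddExtension(new ClaimsRequest { Email = DemandLevel.Require, FullName = DemandLevel.Request });
            // Attribute Exchange (AX): what Google answers. Requesting both is harmless.
            var fetch = new FetchRequest();
            fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
            request.AddExtension(fetch);
            request.RedirectToProvider();
        }
        catch (ProtocolException ex) { ErrorLabel.Text = "Provider error: " + ex.Message; }
    }
    // Step 2: the Provider redirects back; GetResponse() verifies the signed assertion.
    protected void Page_Load(object sender, EventArgs e)
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null) return; // ordinary page view, not a Provider callback
        if (response.Status != AuthenticationStatus.Authenticated) { ErrorLabel.Text = "Login " + response.Status; return; }
        // ClaimedIdentifier is the verified OpenID URL: key your user table on it, not on the e-mail, which many Providers do not verify.
        string openIdUrl = response.ClaimedIdentifier;
        string email = EmailFrom(response); // null if the user declined to share it
        // ... look up or create the local account for openIdUrl here, storing email if present ...
        FormsAuthentication.RedirectFromLoginPage(openIdUrl, false);
    }
    // Read the e-mail from whichever extension the Provider chose to answer.
    private static string EmailFrom(IAuthenticationResponse response)
    {
        var sreg = response.GetExtension<ClaimsResponse>();
        if (sreg != null && !string.IsNullOrEmpty(sreg.Email)) return sreg.Email;
        var ax = response.GetExtension<FetchResponse>();
        return ax == null ? null : ax.GetAttributeValue(WellKnownAttributes.Contact.Email);
    }
}
```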

This should help: http://www.eggheadcafe.com/tutorials/aspnet/4b3c7c9b-fe80-4e6e-a34e-0e9efed5c575/integrate-openid-authenti.aspx
Or a "simpler" one: http://madskristensen.net/post/OpenID-implementation-in-Csharp-and-ASPNET.aspx

This document describes how to implement Google login in your web application and third-party web sites, and makes you aware of how OpenID authentication works.
Here is the step-by-step process to implement OpenID in your ASP.NET application using the DotNetOpenAuth library.
This tutorial demonstrates how to add OpenID support to an existing site that already has traditional membership, without breaking anything in ASP.NET MVC.

I just blogged about this here. This shows how you can get extra information from these providers:
http://blogs.msdn.com/b/webdev/archive/2012/08/22/extra-information-from-oauth-openid-provider.aspx

Related

OWIN OAuth2 Authentication

I've been looking around for information on this for a little while and keep seeing what appears to be how to set up an OAuth2 server in ASP.NET.
What I want is like the "app.UseMicrosoftAccountAuthentication" where I can use an external login service but that service is standard OAuth2 and not one of the built in providers. I'm not finding a lot of documentation on that subject and would like it if someone could point me in the right direction!
There isn't really such a thing as a standard oauth2 provider when you are looking for authentication. See http://www.cloudidentity.com/blog/2013/01/02/oauth-2-0-and-sign-in-4/ for a discussion about it.
Which providers were you looking to support?

when to use authentication?

When to use
Windows authentication, Forms authentication, Passport authentication, or none?
I can't find any relevant material on the internet about it, although they all say how to use these authentication methods.
But no one says which one is superior and when to use one.
Please elaborate a little on it.
Also, I want to know the benefit of one over another, and what is the authentication I did until now by creating a table with user id and password and matching the user id and password against the data table. If that can be done easily, what is the need for these authentication methods?
It depends on the project and what you want to achieve. If you were developing an Intranet for a company obviously only to be accessed from internal computers then windows authentication would be the choice.
If you want people to register and wish to access as much information as possible then use forms authentication to get the data you require and store it alongside membership.
If you want people to come and go from your site with ease with as little steps as possible for registration, then use Passport.
Hope this helps :)
Windows authentication is generally for companies where people do something locally and the server checks if the computer that is trying to do something is valid. Example: a company that accepts some requests and people working there do something with them.
Forms authentication is for the whole web, where you want people to access the content regardless of the PC/other device they are using. Example: a website like this.
Windows Authentication is generally used for Active Directory-enabled networks, such as Intranet sites etc. where the user's Windows credentials double as a login to the web app.
Forms Authentication allows you to use the .NET Membership/Role/Login features and control a more in-depth user database.
I've never come across a good reason to use Passport Authentication, but it's a proprietary MS single sign-on style authentication method.

OpenID + OAuth for Webapp and Desktop/Mobile application Authentication and Authorization

I'd like to use OpenID to authenticate users on my webapp -- similar to how StackExchange does it. I'd also like to enable users of my website to use my Desktop and Mobile Apps using the same account. I've read this requires OAuth (OpenID is purely website only).
What I don't know is
Is this the correct approach?
What would the workflow for this be?
What data do I need in my database per user/OpenID? Do I store an "account" and then when they've authenticated with OpenID, I allow them to generate an OAuth Token for the mobile app?
In an ideal world, I would be able to have buttons similar to those on https://stackoverflow.com/users/login for both my WebApp and also in my Desktop and Mobile Apps which would simply allow users to login with their Google or Facebook account. Is that possible? Simplicity for users is paramount, because my userbase will not take well to anything remotely complex.
Can I use something like DotNetOpenAuth to provide all of this functionality?
Would a better solution be to break this up and allow users to authenticate to my site with OpenID and then I provide my own OAuth scheme for my desktop and mobile clients?
Probably the simplest mechanism is to embed a web view, and simply watch for navigation to a specific callback page and grab the authentication data that way. You should still be able to use OpenID for this.
What you should be looking into is Windows Identity Framework (WIF); it will work similarly for Web or Desktop applications using Claims-Based Identity. You would store an authorization token for each user (along with any other information you need) and you would get it in the Authorization Header of an authenticated HTTP Request. OAuth is the protocol for passing authorization requests and responses. WIF is a .NET toolkit to simplify this interaction.
For more info, check out the WIF home page and the following blog (not mine):
http://msdn.microsoft.com/en-us/security/aa570351
http://blogs.msdn.com/b/vbertocci/
This is the workflow that I came up with, and so far I think it's working well.
The user is required to authenticate to the website via a third-party OpenID/Facebook/etc. (a mobile-friendly website is available). Then, in their "profile" they can generate an API "key" which they can copy/paste into their client software. It isn't 100% transparent to the user, but it's pretty good.
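An added example (not the poster's code) of the API-key part of that workflow: issuing a key once the user has authenticated via OpenID, and verifying it on the desktop/mobile client's requests. The storage delegate and the Authorization header format are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original post, for the "generate an API key in your profile" workflow.
// Keys look like "<keyId>.<secret>"; the row for the OpenID-authenticated account stores keyId and
// SHA-256(secret) only, so a leaked table yields no usable client credentials. The store is a delegate here.
public static class ApiKeys
{
    // Returns the plaintext to show the user exactly once; persist keyId and secretHash next to the account.
    public static string Issue(out string keyId, out string secretHash)
    {
        keyId = ToBase64Url(RandomBytes(8));
        string secret = ToBase64Url(RandomBytes(32));   // 256 bits of entropy
        secretHash = Hash(secret);
        return keyId + "." + secret;
    }
    // Verify a key a desktop/mobile client presents (e.g. from "Authorization: ApiKey <key>");
    // hashForKeyId returns the stored hash for a keyId, or null if the id is unknown.
    public static bool Verify(string presented, Func<string, string> hashForKeyId)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        string[] parts = presented.Split('.');
        if (parts.Length != 2) return false;
        string stored = hashForKeyId(parts[0]);
        if (stored == null) return false;
        // Compare hashes in constant time so response timing does not leak partial matches.
        return FixedTimeEquals(Encoding.ASCII.GetBytes(Hash(parts[1])), Encoding.ASCII.GetBytes(stored));
    }
    private static byte[] RandomBytes(int n)
    {
        var buf = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return buf;
    }
    private static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    private static string Hash(string secret)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(secret)));
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Looking the row up by keyId rather than by the secret keeps the secret out of query logs and lets you revoke a single key from the profile page without touching the others.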

Sample code for Own OpenId Server in ASP.NET?

There are sample codes on the net for an OpenId Client but none for an OpenId Server. Do you know of some?
I know about dotnetopenAuth but there seems to be no tutorial on how to use it as an OpenId Provider. I don't even know if it can do that. Maybe it can just be used to create OpenID consumer apps.
You mean like dotnetopenAuth?
There are lots of other implementations for other languages which can be found here (OpenID wiki).

How do I use OpenID in my new ASP.NET website?

I must be stupid, because all the articles I've seen on OpenID in ASP.NET have simply confused me on the issue. I'm pretty sure I understand the concepts involved here, I'm just a little fuzzy on how things look on the back end side of things.
So a new user comes to my website and wants to create an account. Here comes the flood of questions:
Is the first step here to have him pick which openID provider he will use to sign in?
Do I prompt him for a user name on my system?
Do I need to tie him to the same openID provider each time he returns, or can he select a new provider each time?
What does the database look like here? Do I have his username in a table and that is linked to an openID provider?
What if the user doesn't have an OpenID account? Should I allow him to create a traditional account on my end, then expose myself as an OpenID provider?
What am I missing here? I'm usually pretty bright, but this area has been like kryptonite to Superman for my developer smarts. Thanks in advance!
Adam
This page is a step-by-step tutorial on implementing OpenId on a web site. I believe it will answer all your questions about the mechanics of adding it.
A Recipe for OpenID-Enabling Your Site
If the user doesn't have an OpenId I would just allow them to register 'normally', storing their credentials for local use. There is no need to add the extra complexity of becoming an OpenID provider unless you have a business case for that.
Dude, you're not alone. OpenID confuses everyone except the people who designed it, and even then, I'm not so sure it doesn't confuse them either since there are multiple OpenID providers and slight incompatibilities between them, depending on whose libraries you use.
Imagine the user is a sql "table" himself (that table contains his "credentials"), and you have a table of profile data specific to your website that you own. The OpenID url is a "foreign key" that you use to "join" these two tables. You must prove to yourself that he really owns that OpenID url before accepting it (or associating it with your private profile data). You're essentially "offshoring" the authentication portion of your site.
So ultimately, you use an openid client library that does the work for you on your website. They register as normal filling in "full name, "age," etc (whatever you want) but they provide an openid url instead of username/password. The library looks after verifying they really own it. You have to trust this library to do that. You then store all of your profile data with that openid. Done.
While you could offer your own openid provider, it's not worth it at this point. There are plenty out there already. What you could do though, is offer a traditional username/password INSTEAD of openid. The idea of openid is that you register ONCE with a provider, and then just prove you own that URL to any site that wants to use it to identify you (instead of username/password).
Make sense?
-Oisin