
Company I work for wants to publish an internal website to the outside world, but also wants to identify the visitors in some easy way. Some functionality will be visible for all visitors but most must be visible for authenticated visitors. (And some functionality is restricted to admin-visitors.) While management is considering implementing our own authentication system, I've suggested to just use an existing technology that's already available and which keeps the management of usernames/passwords away from us. (Because we're just amateurs when we're talking about security. The authentication needs to be very good.)

So I started with OpenID from Google and examined the library that they provide. Looks easy to use and I can get tokens that tell me that a user is authenticated. But how do I identify this user so I can link our profile information to his ID/Token/Whatever?

I know I'm missing something so to keep it simple: I just need some example that shows how to authenticate the visitor with Google and then get some token back that I can use to link to this user forever. (So, no session token.) This token could then be used for the user to fill in his/her profile.

    I'm confused where you talk about "Google" here. It looks like when you say "OpenID from Google" you mean "the DotNetOpenAuth library maintained by Andrew Arnott and hosted on Google Code." But I'm not sure what you mean when you say "authenticate the visitor with Google." Do you mean you need your users to only have Google accounts, and not OpenIDs from other providers? If you just need "some token" it doesn't sound like you need their gmail address or anything. – keturn Jun 22 '09 at 00:10
  • Actually, for now I just want to keep it simple and support only Google OpenID. The project is still a proof-of-concept and I'm trying to convince management to use OpenID instead of having to implement our own Authentication system. Then again, OpenID is an open standard so it shouldn't be difficult to use it for other providers too... – Wim ten Brink Jun 22 '09 at 08:09

1 Answer

Since your tags suggest your language is C#, I recommend DotNetOpenAuth. It is free, and includes samples that will show you how to get your token (in OpenID terms it's called a Claimed Identifier) that you can use to distinguish between users.

To get the Claimed Identifier (the permanent identifier you're looking for), if you're using the OpenIdTextBox or OpenIdLogin control just handle its LoggedIn event and get the e.ClaimedIdentifier property. If you're doing it programmatically (no controls), the OpenIdRelyingParty.GetResponse() method returns an IAuthenticationResponse interface that has a ClaimedIdentifier property on it you can get.

Then you can implement an ASP.NET RoleProvider (pretty trivial, really) that will allow some OpenID Claimed Identifiers to belong to an admin role, allowing your standard ASP.NET authorization techniques to progressively lock out individuals based on how they've authenticated.

  • You do realize that you link to the same site that's mentioned in my question? And yes, I know it's trivial but somehow I've failed to discover how I can get a permanent identifier or whatever to link the OpenID account to my own user database. – Wim ten Brink Jun 19 '09 at 19:26
  • Whoops. :) Sorry, I didn't check that link... just assumed it was to a generic openid.net site. I've updated my answer to include more detail about getting the permanent identifier you need. – Andrew Arnott Jun 20 '09 at 18:42
  • Thanks! Exactly the thing I was missing. :-) – Wim ten Brink Jun 22 '09 at 09:05
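Putting the accepted answer together in code, as an added example that is not from the answer or from the DotNetOpenAuth samples: a return_to helper that reads the Claimed Identifier from `OpenIdRelyingParty.GetResponse()` only after checking the response status, and a RoleProvider keyed on that identifier. The class names, the forms-authentication cookie, the web.config registration and the sample Google identifier are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical return_to helper: yields the Claimed Identifier only when the assertion verified.
public static class OpenIdReturn
{
    public static string AuthenticatedClaimedId()
    {
        using var openid = new OpenIdRelyingParty();
        IAuthenticationResponse response = openid.GetResponse();
        if (response == null) return null;               // not an OpenID callback at all
        if (response.Status != AuthenticationStatus.Authenticated)
            return null;                                 // Canceled, Failed or SetupRequired: no sign-in
        // The permanent key. FriendlyIdentifierForDisplay is for the UI only, never for lookup.
        string claimedId = response.ClaimedIdentifier.ToString();
        FormsAuthentication.SetAuthCookie(claimedId, false); // User.Identity.Name becomes claimedId
        return claimedId;
    }
}

// Read-only RoleProvider keyed on Claimed Identifier. Once registered in web.config,
// <allow roles="admin"/> and [Authorize(Roles = "admin")] work with no custom checks.
public class ClaimedIdRoleProvider : RoleProvider
{
    // Constructed sample data; a real provider reads the site's own user table.
    // Ordinal comparison: a normalized Claimed Identifier must match exactly.
    private static readonly Dictionary<string, string[]> RolesByClaimedId =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "https://www.google.com/accounts/o8/id?id=PLACEHOLDER", new[] { "admin" } },
        };
    public override string ApplicationName { get; set; }
    public override string[] GetRolesForUser(string username) =>
        RolesByClaimedId.TryGetValue(username, out var roles) ? roles : new string[0];
    public override bool IsUserInRole(string username, string roleName) =>
        GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    public override string[] GetAllRoles() => RolesByClaimedId.Values.SelectMany(r => r).Distinct().ToArray();
    public override bool RoleExists(string roleName) => GetAllRoles().Contains(roleName);
    // Only the members ASP.NET authorization calls are implemented; the rest are unsupported.
    public override string[] GetUsersInRole(string roleName) => throw new NotSupportedException();
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) => throw new NotSupportedException();
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) => throw new NotSupportedException();
    public override void CreateRole(string roleName) => throw new NotSupportedException();
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) => throw new NotSupportedException();
}
```

The status check matters: a Canceled or Failed response still carries data from the query string, so only an Authenticated response should ever be mapped to a local profile.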