OpenID implementation in C# and ASP.NET

Nice work Mads; thanks for sharing!

Great work. Thanks for sharing. Also: I haven't looked at the code, but I know that mojoportal (http://www.mojoportal.com/), a .net opensource CMS, has OpenID features. You may want to check it out.

Currently receiving an error with your feed: Feed Address: http://feeds.feedburner.com/netslave HTTP Error Code: 500 Detail: There was a problem retrieving the feed: com.burningdoor.rsspp.resource.impl.HttpConnectionException: Error getting URL: 502 - Source feed is too large ... maximum size is 512K

Hey Mads, Nice video. Anything that spreads the word about OpenID and makes it easier for developers to integrate into their applications is a good idea in my book. Does this mean that you might be investigating this again for integration with BlogEngine? I remember looking into it a while back and seeing that one of the things preventing it's inclusion is the use of Diffie-Hellman encryption by OpenID. That particular encryption pattern is not included in the .Net framework's encryption library and unfortunately is non-trivial to implement without relying on a separate assembly (such as Mono for its BigInteger class). Troy

Very cool. As always, excellent work my friend. I have no idea how you do it all.

Great info/work!! THX Mads!!

Way cool... Do you plan on adding this gem to BlogEngine (please?!) as an optional login? Perhaps you could consider getting LiveID working for those of us who would like to embrace the Microsoft platform?

A while ago I ran across an article that described the marriage of OpenID and Information Cards as a more secure way to authenticate. After reading this article I immediately went to www.signon.com and created an account. When looking for an OpenID provider I would encourage you to do a little research and find a OpenID provider that supports both OpenID and Information Cards!

Thanks Mads - Great videos!

Great work. Thanks Mads...

There is a bug on the video. If you go to the properties of the video you will see that the Title is "User Control Injection" and the comments are "Shows how to inject user controls into blog posts and pages in BlogEngine.NET 1.2" :D

I was looking at it before and found this implementation. http://code.google.com/p/dotnetopenid/ It is suppose to be a full blown implementation. Both server and client implementations.

Mads, This is a great example of "less is more". Top notch work. Peter

Great Post. Thank you.

Awesome post, thanks!

I'm currently beta testing the first Danish, public OpenID identity provider, LoginBuzz - http://www.loginbuzz.com/ and because of this, I naturally have a large interest in the adaption of OpenID. Be aware, that your solution is insecure. If you are familiar with the OpenID protocol, you could enter an identity URL into your field, which would store it into the session data. After this you would get redirected to the provider for authentication, but here your knowledge of the protocol comes in handy. A simple HTTP get request towards your server with some specific query string variables, would "prove" your own the OpenID. Your code lacks the implementation of a "handshake"; that is a shared secret, which is sent straight from the consumer to the identity provider. You have reached your goal of supporting OpenID authentication. But you have also exposed your system wide open, if you use it anywhere. This could be as bad as not sanitizing database inputs though it would require you to use OpenID for something important. For introducing people to OpenID, the article is fine - just like the code. My point, however, is that no one should use this code for real authentication. Just a friendly warning; I completely agree with you on the lack of proper libraries.

That was a great video!

Thanks for posting, and I sure it was great. But when I ran it with my new Yahoo open ID, they gave me a message stating that my code (downloaded from here) was outdated. FYI.

Mads, Thanks, it's cool someone has finally put this together, started my own last year but got distracted by other work. I've blooged about it http://weblogs.asp.net/plip/archive/2008/02/02/openid-in-asp-net.aspx Thanks, Phil.

Good job. Easy to understand, easy to use. Thanks for sharing it. Regards

Trackback from Chris Love's Official Blog - Professional ASP.NET Links of the Week

No offense, Mads... but nonetheless NO ONE SHOULD USE THIS CODE ON A PRODUCTION SITE! It can be hacked with a single change of a word in the URL! This library is so simple it skips any signature verification, which means anyone can spoof ANYONE's identity on a site that uses this code. Very dangerous. Mads, with all due respect, and thanks for promoting OpenId, you should warn your readers before posting code that will likely be reused on others' web sites w/o knowledge of how OpenId really works and end up with security holes all over the web. There's a reason that most OpenId libraries are "big" and yours is small: implementing the spec in a secure way requires a great deal more code than you've got here. If you or other readers care to look at a more complete and secure implementation for C#, I suggest you check out http://dotnetopenid.googlecode.com.

Hi Andrew, it would be much easier to understand your concerns if you could provide a sample for your "It can be hacked with a single change of a word in the URL" claim. Regards

Hi Neil, I'm sure it would be easier, but I intentionally left out the method of the hack because posting exactly how to hack a web site isn't what I wanted to do. I did however send a private message to Mads explaining the method so that he can either correct it or post a warning he found to be appropriate.

Hi Andrew, of course, totally agree. Wouldn't be an additional check_authentication helpful against hacking here? I mean the advantage of Mad's solution is, that it can easily be used by .net applications (not asp.net), because most of the C# implementations are designed to be used in asp.net applications only, and it is hard to substitute the lots of "HttpContext.xxx" by other session tracking mechanisms. Thanks for your comments.

I'm pretty sure, that enhancing the Authenticate function with a POST to the OpenID provider (check_authentication) would close the vulnerability against hacks, without having to implement the full phalanx of OpenID v.2 (establish association etc.) Regards

Neil, Yes, a check_authentication would protect against the hack. For what it's worth, the DotNetOpenId library does not require ASP.NET, although combining it with ASP.NET allows use of simpler method overloads.

Hi Andrew, thanks for confirmation. It's rather simple to implement that check. Concerning ASP.NET and DotNetOpenId: I meant, DotNetOpenId is full of "HttpContext.whatever" calls. One is not able to use this lib as it is, because this API isn't available outside ASP.NET. Or am I missing something? Regards

Hi everyone. For those that are interested I have implemented check_authentication and provided instructions for how to add it to Mads' code. Posted here: http://www.squaredroot.com/post/2008/04/OpenID-Check_Authentication.aspx

Hi Troy, this is nearly what I did too, already. With one exception: The spec talks about, one has to return "exactly" the response received, except the openid.mode, which has of course to be set to "openid.authenticate". Don't you fear to miss something with this selections? //### get data required for check_authentication string mode = "check_authentication"; string handle = query["openid.assoc_handle"]; string signature = query["openid.sig"]; string signed = query["openid.signed"]; string extra = string.Empty; I made good experiences with just reflecting all the stuff I got in the response and just changing the mode. Regards

Hi neil, I do reflect everything that is requested by teh "openid.signed" field, per the spec. I also pull out the handle, signature, and signed fields prematurely since no matter what is in the signed fields, those fields are required. I then loop through all fiels requested in "openid.signed" and if they aren't one of the previous pulled fields, I pop them into the "extra" string to later be concatenated together for the POST. Just to clarify, the spec only requires sending back the response paramaters that were requested by openid.signed. Here is the relevant portion: "openid.* Value: The Consumer MUST send all the openid.* response parameters from the openid.signed list which they'd previously gotten back from a checkid_setup or checkid_immediate request, with their values being exactly what were returned from the Provider." If you still think I'm not doing this correctly, please let me know, I'm open to changing it!

Hmm. I don't see this from the spec http://openid.net/specs/openid-authentication-2_0.html#verifying_signatures <snip> 11.4.2.1. Request Parameters openid.mode Value: "check_authentication" Exact copies of all fields from the authentication response, except for "openid.mode". </snip> This is rather clear. Regards

Ah, well that would explain the difference in our implementation. I have been working with the 1.1 specification, as specified in the post on my blog. I will update the code to conform to the 2.0 specification later this weekend. The change should be rather trivial, as I only need to repurpose the current foreach loop to look through the query collection rather than the collection specified by openid.signed. That said, the 1.1 implementation does appear to work with the OpenID providers I have tried so far...

That's it :) Regards

Neil, DotNetOpenId does use HttpContext.Current in several places, but all of those codepaths can be avoided by using the right method overloads. Several web sites are using the library without ASP.NET or HttpContext.Current and doing great.

DotNetOpenId is not the best sample: Claims to be satisfied with .net 2 (in specification), but requires .net 3 or 3.5 at least (-> Visual Studio 2008 required. For what? Just for some pre-initialized Collections? Hmmm...). Because I'm not already on the 2008 track, I just tried ExtremeSwank, and a quick shot with a ConsoleApp and a "OpenIDConsumer u = new OpenIDConsumer()" did end up in a NullReferenceException. Guess why? Yes, cause of HttpContext()... So I tend to use Mads fine and simple lib, because it is rather easy to remove all HttpContext() refs and use a self-made session management. And with the add on of the "openid.authenticate" request it should be safe enough, even for productive environments. Regards

How to remove the query string send by openID like (openid.assoc_handle, openid.identity and etc., protected void Application_BeginRequest(object sender, EventArgs e) { httpContext.Response.Redirect("~/add.aspx"); } I tried like this but I cant able to get the data Thanks.