Im using DotNetOpenAuth to integrate Google,Yahoo,Twitter and Facebook Logins into my application.
Now everything works as expected.
- Twitter returns -> User-name and Claim-identifier(Just Id)
- Google returns -> Email-Address, First and last Name and ID(URL+ID)
- Yahoo returns -> Email-Address, Alias and ID (Url + ID)
Also im also allowing my users to register internally so my database User table is like this:
- ID,UserName,Name,OpenID,LoginType,DisplayName
im wondering what i should be storing as User-Name, i was thinking of the ID, but i have this questions:
- Shall i store the whole ID as User-Name ?!
- Would it affect performance to store the whole ID(URL) as username?
- If i extracted the ID from the Claim-Identifier would it still be unique between all 3 providers?
For OpenID, you must use the ClaimedIdentifier as the ID. Not anything else, and certainly not only a substring from the claimed identifier. Anything else seriously compromises the security of your application.
As far as where you store it, I would recommend you keep a dedicated column for storing your claimed identifier rather than just storing it in your UserName column. Consider this scenario:
- A user creates an account with your web site using an OpenID
http://SomeOpenIDUrl
- An attacker logs in via the username/password form. He leaves the password blank but enters
http://SomeOpenIDUrl as the username
- The attacker successfully logs in as his victim.
A situation like the above can be mitigated in various ways of course, but the best way IMO is to keep the OpenID out of the username column so that it's completely impossible.
