I'm attempting to implement OpenID with ASP.NET MVC (Yeah, we haven't heard that one before I'm sure!)
That really isn't the big problem, though. My huge problem is that I am exceedingly confused about how to do this alongside an application that will need to store a lot of information about the logged-in users (profiles, histories, etc.).
It seems to me that OpenID takes away the site-centric logic and makes it, well, open. This is all well and good if you just make an authentication ticket to be seen as a 'validated' user - but in all seriousness I am completely lost. Is it possible to implement OpenID such that logging in with it will allow users to 'exist' on my own application as if they had gone through normal registration?
I've been reading the NerdDinner 2.0 application code that implements OpenID, hoping that would answer my question - but alas, I find no such clues.
Just grab the data from OpenID and automatically create a new registration. Or redirect a user with empty profile to a page with profile forms.
The most important thing to understand here is that the OpenID provider does not control the user's session in any way. It only gives you the identifier that is associated with that user. Optionally you can request some data about the user as well. This means that you don't have to manage any user data other than the user's OpenID identifier. In most cases you'd want to link that identifier with a user in your database, but it's not strictly necessary.
But you have to manage the session on your own. When you log in with OpenID, your application doesn't have a clue that you've actually logged in. All it knows is that you've been communicating with the provider. This means that MVC actions that have the AuthorizeAttribute applied to them still won't get fired. For that you'd have to issue a FormsAuthenticationTicket like so:

This is the simplest version of this. You can then access the identifier data using User.Identity.Name.

If you want some user data stored in your database, you can then do it via a registration form that follows the OpenID login and link the identifier to the account (you can also choose to support linking multiple OpenID identifiers to a single account). As I mentioned, you can also request some data from the provider and use that for an automatic registration. But be careful, as the providers don't always supply everything even if you say that you must have it.
Google, for example, only gives you the data marked as required. It simply ignores all requests for data that you would wish to have if you can get it but don't actually must have. MyOpenID will give you all the data either marked as required or requested if the user has filled it in in his or her Persona. But the login will still be successful even if the user's Persona doesn't have the data that you marked as required.
Doing OpenID in ASP.NET MVC is, in my opinion, best done with DotNetOpenAuth. They also have a sample for MVC which is as simple as it gets, but it works. The sample does not show how to request data about the user, though, but you can find that in NerdDinner.
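As an added example (not the answer's own snippet, which did not survive above, and not DotNetOpenAuth's or NerdDinner's code), here is how the two halves described in this answer fit together in one MVC controller: the redirect to the provider with a required and an optional claim, then the return leg that either issues the forms-authentication ticket or sends an unknown identifier to a registration form. IOpenIdUserMap is a constructed stand-in for the association table; the DotNetOpenAuth types are the real ones from version 3.x.

```csharp
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Constructed stand-in for the association table (ClaimedIdentifier -> local account).
public interface IOpenIdUserMap { bool IsLinked(string claimedIdentifier); }

public class AccountController : Controller
{
    private static readonly OpenIdRelyingParty RelyingParty = new OpenIdRelyingParty();
    private readonly IOpenIdUserMap _userMap;
    public AccountController(IOpenIdUserMap userMap) { _userMap = userMap; }

    // Step 1: redirect to the provider. Email is demanded, full name only requested (Google drops the latter).
    [HttpPost]
    public ActionResult Login(string openid_identifier)
    {
        Identifier id;
        if (!Identifier.TryParse(openid_identifier, out id))
            return View("Login");
        IAuthenticationRequest request = RelyingParty.CreateRequest(id);
        request.AddExtension(new ClaimsRequest { Email = DemandLevel.Require, FullName = DemandLevel.Request });
        return request.RedirectingResponse.AsActionResult();
    }

    // Step 2: the provider sends the user back here. ASP.NET has no session yet; only the cookie below creates one.
    public ActionResult Authenticate()
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
            return View("Login");
        string claimedId = response.ClaimedIdentifier.ToString();
        if (!_userMap.IsLinked(claimedId))
        {
            // Unknown identifier: pass whatever claims arrived (possibly null even for Require) to registration.
            var claims = response.GetExtension<ClaimsResponse>();
            TempData["ClaimedIdentifier"] = claimedId;
            TempData["Email"] = claims == null ? null : claims.Email;
            return RedirectToAction("Register");
        }
        // Known identifier: issue the ticket so [Authorize] passes and User.Identity.Name is the OpenID identifier.
        FormsAuthentication.SetAuthCookie(claimedId, false);
        return RedirectToAction("Index", "Home");
    }
}
```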
The typical way to do this is to just associate the OpenID with the existing user account. I have an association table in my case, as a user can have multiple OpenIDs.
So if I have an account and I log in with https://openid.org/steven, then that gets mapped to an existing account.