DotNetOpenAuth: How to implement a simple OpenId provider?

Question

Every OpenId provider has a provider Url (e.g Google: https://www.google.com/accounts/o8/id)

Using OpenIdRelyingParty.CreateRequest I successfully managed to redirect the user to Google provider Url and receive the provider callback. Everything worked fine.

Now I'm trying to implement my own simple OpenId provider (I want to act as Google on my example). DotNetOpenAuth has a provider demo called OpenIdProviderWebForms. For the last 4 or 5 hours I've been tryng to connect to it using the same demo I managed to connect on Google. First: It's not clear to me what URL should I call. I tried all Urls (server.aspx, provider.ashx...) and all of them trigger an exception "No OpenID endpoint found". All the configurations seems to be just fine.

How do I implement a simple OpenId provider? What URL should I call in the OpenRelyingParty.CreateRequest ?

Answer 1

First let's establish some terms:

The User-supplied identifier is the string that the user actually types in (or is triggered by clicking a predefined button at the RP) that triggers OpenID discovery to take place. It is not normalized, and should never be used to represent the user in your database because it is not secure or unique, but it is a necessary starting point. Discovery on this identifier yeilds either a claimed identifier or an OP Identifier. Examples: yahoo.com, myopenid.com, andrewarnott.myopenid.com

The Claimed Identifier is the OpenID Identifier that the user "controls" or uses as his identity. It may or may not be a URL (it may be an XRI). A positive assertion from an OP will always be a claimed identifier (even if discovery started with an OP Identifier). Examples: https://andrewarnott.myopenid.com/

The OP Identifier, or "OpenID Provider Identifier" is the OpenID Identifer that RPs may perform discovery on to begin an identifier select flow where the RP does not yet know what the user's Claimed Identifier will be. Examples: https://me.yahoo.com/, http://www.myopenid.com/ and https://www.google.com/accounts/o8/id

The OP Endpoint is the actual URL that the RP redirects the user to in order to authenticate the user, and is used to establish shared associations or perform direct verification of an assertion that uses an OP private association. Examples: http://localhost/server.aspx, http://localhost/provider.ashx, https://www.google.com/accounts/o8/ud (note the ud ending instead of id)

So with all that background, your OpenIdRelyingParty.CreateRequest call should receive a user-supplied identifier, which may also be a claimed identifier or an OP Identifier. It should not be the OP endpoint. So for example, you might pass in:

openIdRelyingParty.CreateRequest("http://localhost/sampleop/")

or

openIdRelyingParty.CreateRequest("http://localhost/user.aspx?username=bob")