When I play ping-pong with the Google OpenID provider, I can't get a friendly name/nickname/username (whatever you want to call it).
I get something atrocious looking like the following:
www.google.com/accounts/o8/id?id=AItOawmtAnQvSXGhRTkAHZWyxi4L4EKa7xoTT1dk
instead of something nice like
JohnDoe
What's the protocol for getting the user's name from Google in a nice friendly manner like say, myopenid does?
**I'm using DotNetOpenAuth**
Google's OAuth 2.0 APIs can be used for both authentication and authorization. This document describes our OAuth 2.0 implementation for authentication, which conforms to the OpenID Connect specification, and is OpenID Certified.
Go to the Identity Providers page in the Google Cloud console. Click Add a Provider, and select OpenID Connect from the list.
Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization.
OpenID itself is secure, however due to its decentralised nature it often assumes that three servers are "trusted". If these servers are not trustworthy then your security is gone.
You can't. The identifier that the OP issues is strictly up to the OP. The RP doesn't really have any say in it. Now, some OPs support offering attributes with the login, such as nickname, email address, etc. Google has very limited support for these, offering only email address.
Google chose to not issue user-recognizable identifiers because it's an information disclosure risk. Yahoo went both routes by offering users both human-friendly and non-human-friendly identifiers that the user can choose between. MyOpenID and other OPs generally go with just a user-friendly identifier that the user picks when they sign up at the OP.
You may want to special case Google at your RP to pick a more friendly string to display to the user when they're logged in, or since Google isn't the only one that does this, write code to figure out when the identifier is unreadable and display something more friendly to the user so they know they're logged in (perhaps their email address or a nickname they pick on your site).
Caution: if you choose to display a more friendly identifier than the one Google issues, you must still use the official Claimed Identifier from Google for the official username of the user that you pass to FormsAuthentication.RedirectFromLoginPage and for username lookup in your database. Anything else you put together usually introduces security risks.
Based on Roy's answer, I tried to make the same request using DotNetOpenAuth and it worked fine.
The request:
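using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;

var openid = new OpenIdRelyingParty();
var req = openid.CreateRequest("https://www.google.com/accounts/o8/id");
// Ask the provider for email, first name and last name via Attribute Exchange.
var fetch = new FetchRequest();
fetch.Attributes.Add(new AttributeRequest(WellKnownAttributes.Contact.Email, true));
fetch.Attributes.Add(new AttributeRequest(WellKnownAttributes.Name.First, true));
fetch.Attributes.Add(new AttributeRequest(WellKnownAttributes.Name.Last, true));
req.AddExtension(fetch);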
Note: make sure the second parameter of the AttributeRequest constructor is set to true.
The response part is straightforward.
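var openid = new OpenIdRelyingParty();
var response = openid.GetResponse();
// GetResponse() returns null when the current request is not an OpenID response.
if (response != null && response.Status == AuthenticationStatus.Authenticated) {
    var fetch = response.GetExtension<FetchResponse>();
    if (fetch != null) {
        // These values are for display; the account key remains response.ClaimedIdentifier.
        IList<string> emailAddresses = fetch.Attributes[WellKnownAttributes.Contact.Email].Values;
        IList<string> firstNames = fetch.Attributes[WellKnownAttributes.Name.First].Values;
        IList<string> lastName = fetch.Attributes[WellKnownAttributes.Name.Last].Values;
    }
}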
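The two answers above combine into one rule: show a friendly label built from the fetched attributes, but key the account on the exact Claimed Identifier. The following is an added example, not code from either answer or from DotNetOpenAuth; `FriendlyName`, `LooksOpaque`, `ForDisplay`, the opacity heuristic and all sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class FriendlyName
{
    // Assumed heuristic: a query string or a long token in the path means the
    // identifier was not meant to be read by people (Google's "?id=..." form).
    public static bool LooksOpaque(Uri id)
    {
        return id.Query.Length > 0 || id.Segments.Any(s => s.Trim('/').Length > 24);
    }

    // Returns a label for the UI only. Preference: nickname chosen on this site,
    // then name attributes, then email, then a readable identifier.
    public static string ForDisplay(string claimedId, string siteNickname,
        string firstName, string lastName, string email)
    {
        if (!string.IsNullOrWhiteSpace(siteNickname)) return siteNickname.Trim();
        string full = (firstName + " " + lastName).Trim();
        if (full.Length > 0) return full;
        if (!string.IsNullOrWhiteSpace(email)) return email.Trim();
        Uri id;
        if (Uri.TryCreate(claimedId, UriKind.Absolute, out id) && !LooksOpaque(id))
            return id.Host + id.AbsolutePath.TrimEnd('/');
        return "Signed-in user";
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: two distinct claimed identifiers whose
        // provider-supplied attributes are identical.
        string a = "https://www.google.com/accounts/o8/id?id=EXAMPLE-OPAQUE-TOKEN-A";
        string b = "https://www.google.com/accounts/o8/id?id=EXAMPLE-OPAQUE-TOKEN-B";
        // Accounts are keyed on the exact claimed identifier, never on the label.
        var accounts = new Dictionary<string, int>(StringComparer.Ordinal) { { a, 1 }, { b, 2 } };
        foreach (string id in new[] { a, b })
        {
            string label = FriendlyName.ForDisplay(id, null, "John", "Doe", "john@example.com");
            Console.WriteLine("label '{0}' -> account {1}", label, accounts[id]);
        }
        // With no attributes returned, a readable identifier is shown and an opaque one is not.
        Console.WriteLine(FriendlyName.ForDisplay("https://johndoe.example.org/", null, null, null, null));
        Console.WriteLine(FriendlyName.ForDisplay(a, null, null, null, null));
    }
}
```

Both sample users get the label "John Doe" yet resolve to different accounts, which is why the label must never be used for lookup or as the forms-authentication username.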