Implementing OpenID: identifying users

The company I work for wants to publish an internal website to the outside world, but also wants to identify the visitors in some easy way. Some functionality will be visible to all visitors, but most must be visible only to authenticated visitors. (And some functionality is restricted to admin visitors.) While management is considering implementing our own authentication system, I've suggested just using an existing technology that's already available and which keeps the management of usernames/passwords away from us. (Because we're just amateurs when we're talking about security. The authentication needs to be very good.)

So I started with OpenID from Google and examined the library that they provide. Looks easy to use and I can get tokens that tell me that a user is authenticated. But how do I identify this user so I can link our profile information to his ID/Token/Whatever?

I know I'm missing something so to keep it simple: I just need some example that shows how to authenticate the visitor with Google and then get some token back that I can use to link to this user forever. (So, no session token.) This token could then be used for the user to fill in his/her profile.

Asked by Wim ten Brink, Jun 19 '09 11:06 (942 likes)




1 Answer

Since your tags suggest your language is C#, I recommend DotNetOpenAuth. It is free, and includes samples that will show you how to get your token (in OpenID terms it's called a Claimed Identifier) that you can use to distinguish between users.

To get the Claimed Identifier (the permanent identifier you're looking for), if you're using the OpenIdTextBox or OpenIdLogin control just handle its LoggedIn event and get the e.ClaimedIdentifier property. If you're doing it programmatically (no controls), the OpenIdRelyingParty.GetResponse() method returns an IAuthenticationResponse interface that has a ClaimedIdentifier property on it you can get.

Then you can implement an ASP.NET RoleProvider (pretty trivial, really) that will allow some OpenID Claimed Identifiers to belong to an admin role, allowing your standard ASP.NET authorization techniques to progressively lock out individuals based on how they've authenticated.

Answered by Andrew Arnott, Sep 28 '22 20:09 (90 likes)
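The programmatic path the answer describes (OpenIdRelyingParty.GetResponse(), then the ClaimedIdentifier property, then a RoleProvider keyed on that identifier), as an added example that is not part of the answer above and not DotNetOpenAuth's own sample code. It assumes DotNetOpenAuth 3.x in an ASP.NET Web Forms page named Login with a text box openIdBox and a button handler LoginButton_Click; the class name ClaimedIdentifierRoleProvider and the role mapping it holds are constructed for the example. The point it adds beyond the answer: only trust the identifier after the response status is Authenticated, and key everything on the asserted Claimed Identifier rather than on whatever the visitor typed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;

// Relying-party page: starts the OpenID handshake and consumes the provider's assertion.
public partial class Login : System.Web.UI.Page
{
    private static readonly OpenIdRelyingParty RelyingParty = new OpenIdRelyingParty();

    // Step 1 (hypothetical button handler): send the visitor to their provider.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        Identifier userSuppliedId;
        if (!Identifier.TryParse(openIdBox.Text, out userSuppliedId))
        {
            return; // not a usable OpenID identifier; show a validation message in real code
        }
        IAuthenticationRequest request = RelyingParty.CreateRequest(userSuppliedId);
        request.RedirectToProvider();
    }

    // Step 2: the provider redirects back to this page carrying the signed assertion.
    protected void Page_Load(object sender, EventArgs e)
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null)
        {
            return; // first visit to the page, nothing to process yet
        }

        switch (response.Status)
        {
            case AuthenticationStatus.Authenticated:
                // The Claimed Identifier is the permanent key for this user. It is the
                // identifier the provider asserted and DotNetOpenAuth verified, which
                // is the only thing to link profile data to; never the typed-in value.
                string claimedId = response.ClaimedIdentifier;
                FormsAuthentication.RedirectFromLoginPage(claimedId, false);
                break;
            case AuthenticationStatus.Canceled:
                // user backed out at the provider; treat as not logged in
                break;
            case AuthenticationStatus.Failed:
                // signature or discovery problem; log response.Exception, never sign in
                break;
        }
    }
}

// Read-only RoleProvider that maps Claimed Identifiers to roles, so [Authorize]/web.config
// rules and User.IsInRole("admin") work with OpenID logins. Constructed sample mapping;
// a real deployment would load it from the user database.
public class ClaimedIdentifierRoleProvider : RoleProvider
{
    private static readonly Dictionary<string, string[]> RolesByClaimedId =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "https://openid.example.invalid/alice", new[] { "admin", "member" } },
            { "https://openid.example.invalid/bob",   new[] { "member" } },
        };

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        // username is the Claimed Identifier set by RedirectFromLoginPage above.
        string[] roles;
        return RolesByClaimedId.TryGetValue(username, out roles) ? roles : new string[0];
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.Ordinal);
    }

    public override string[] GetAllRoles()
    {
        return RolesByClaimedId.Values.SelectMany(r => r).Distinct().ToArray();
    }

    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Contains(roleName, StringComparer.Ordinal);
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return RolesByClaimedId.Where(kv => kv.Value.Contains(roleName)).Select(kv => kv.Key).ToArray();
    }

    // Membership is managed out of band in this example, so the mutating members are not supported.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

The provider is registered in web.config under roleManager with ClaimedIdentifierRoleProvider as the default provider; after that, authorization rules that name the admin role apply to exactly the Claimed Identifiers listed, and every other authenticated visitor falls through to the member-level rules. Comparison is ordinal because a Claimed Identifier is a normalized URL (or XRI) and two that differ in a single character are two different people. Note for anyone reading this today: Google retired its OpenID 2.0 endpoint in 2015, and with OpenID Connect the stable per-user key that plays the Claimed Identifier's role is the sub claim of the ID token.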