Posted January 29, 2008 and filed under Technology

I was looking into using OpenID to authenticate to BlogEngine.NET and found an excellent article outlining how it can be done.  Why would I want this, you ask?  With OpenID you are redirected to your OpenID provider, you prove your credentials there, and you are then redirected back to your blog as an authenticated user, so the blog itself never handles your password.

One argument against OpenID is a well-known phishing (spoofing) vulnerability.  The site you are logging in to controls the redirect, so a malicious or compromised site can send you to a page that looks like your OpenID provider but is actually a spoofed copy.  Entering your OpenID password on that spoofed page hands it straight to whoever runs it.  Very bad, because the spoofing administrator now has the keys to your whole OpenID kingdom: every site that accepts that OpenID.

So to counter the spoofing risk I would suggest you look for an OpenID provider that lets you authenticate to the provider site with an Information Card.  An Information Card never sends your password to the website: the identity selector on your machine builds a signed token for the site it is actually talking to, so there is no password for a spoofed site to capture.  Since I use SignOn.com as my OpenID provider I get to use my Information Card instead of entering a password.  So after all is said and done I never need to type my password again!

So here are the steps to getting OpenID working on your BlogEngine.Net server!

I have been using the Artem XML Membership Provider to hash my passwords.  I still need to keep it in place for applications that talk to my blog but don't support OpenID, such as Windows Live Writer, which authenticates with the blog username and password.  Since I won't be using the username/password input fields I removed them from my Login.aspx page.  You will also need to clear the event handlers out of Login.aspx.cs, because they reference the controls you just removed and will no longer compile; keep the (now empty) partial class, since the page's Inherits="login" attribute still needs it.

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="login.aspx.cs" Inherits="login" Title="Sign in" %>
<%@ Register Assembly="Janrain.OpenId" Namespace="NerdBank.OpenId.Consumer" TagPrefix="nb" %>
<asp:Content ID="Content1" ContentPlaceHolderID="cphBody" Runat="Server">
  <div style="text-align:center">
    <%-- OpenIdLogin replaces the username/password Login control --%>
    <nb:OpenIdLogin runat="server" />
  </div>
</asp:Content>
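One check the post does not cover: the OpenID provider only asserts who the visitor is, not whether that person may administer the blog, so an emptied Login.aspx.cs leaves the decision entirely to the login control's defaults.  The code-behind below is an added example, not code from the original post, from BlogEngine.NET or from the OpenID library.  It keeps the partial class that Inherits="login" needs and accepts exactly one identifier before issuing the normal BlogEngine forms-authentication ticket.  Assumptions to verify against your library version: the control raises a LoggedIn event whose OpenIdEventArgs expose ClaimedIdentifier (a Uri) and a settable Cancel flag, and the markup declares the control as `<nb:OpenIdLogin ID="OpenIdLogin1" runat="server" OnLoggedIn="OpenIdLogin1_LoggedIn" />`.  The identifier example.signon.com/owner and the account name "admin" are placeholders.

```csharp
// Added example (not from the original post, BlogEngine.NET or the OpenID library):
// Login.aspx.cs that admits only the blog owner's OpenID identifier.
// Assumed library surface: OpenIdEventArgs.ClaimedIdentifier (Uri) and OpenIdEventArgs.Cancel.
using System;
using System.Web.Security;
using System.Web.UI;
using NerdBank.OpenId.Consumer;

public partial class login : Page   // Inherits="login" in login.aspx still needs this class
{
    // Hypothetical values: the identifier the provider asserts for the blog owner,
    // and the BlogEngine account that actually holds the Administrators role.
    private static readonly Uri AllowedIdentifier = new Uri("http://example.signon.com/owner");
    private const string BlogOwnerAccount = "admin";

    // Wired from the markup via OnLoggedIn="OpenIdLogin1_LoggedIn" (assumed attribute name).
    protected void OpenIdLogin1_LoggedIn(object sender, OpenIdEventArgs e)
    {
        // The provider has told us who this is. Whether that person may log in
        // to this blog is the relying party's decision, so anything other than
        // the owner's exact identifier is refused. Uri.Equals compares scheme and
        // host case-insensitively and the path case-sensitively, which is what
        // we want for an identifier URL.
        if (e.ClaimedIdentifier == null || !AllowedIdentifier.Equals(e.ClaimedIdentifier))
        {
            e.Cancel = true;   // stop the control from signing the visitor in by itself
            return;
        }

        // Issue the same ticket a password login would, for the blog account rather
        // than the raw OpenID URL, so BlogEngine's role checks keep working.
        // RedirectFromLoginPage ends the response, so the control's own post-login
        // handling never runs for the accepted case either.
        FormsAuthentication.RedirectFromLoginPage(BlogOwnerAccount, false);
    }
}
```

If you want to admit more than one identifier, replace the single Uri with a list read from Web.config; the point is that the set of identifiers granted the Administrators role is decided on the blog, never by whichever provider a visitor happens to use.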

I rely on ISA 2006 to publish and protect my web site, and I ran into a problem that required changing the default HTTP filter settings.  The OpenID redirect back to the blog did not pass ISA's normalization check, so ISA denied the return request.  The likely cause (my inference, not something ISA reports) is double encoding: the provider's response echoes openid.return_to, which is itself a complete URL that gets URL-encoded as a parameter value, so any %-escape in the original return URL comes back as %25xx, and the filter rejects requests that still contain escapes after one round of decoding.  To allow this to work I had to uncheck Verify normalization in the HTTP filter.  Do this only in the HTTP policy of the publishing rule for the blog rather than for everything ISA publishes, because the check exists precisely to stop double-encoded requests from slipping past other path and extension rules.
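To see why the return redirect trips the filter, here is an added example that is not part of the original post and not ISA Server code.  It models the Verify normalization filter as "decode once, decode again, reject if the second pass changed anything" (an assumption about how the filter behaves, not its implementation) and runs a constructed OpenID response URL through it.  The host blog.example.com, the identifier example.signon.com/owner and the ReturnUrl value are made up; the program needs a reference to System.Web.dll for HttpUtility.

```csharp
// Added example (not from the original post or from ISA Server): why an OpenID
// return redirect fails a double-decode normalization check.
// The check itself is an assumed model of ISA's "Verify normalization" filter.
using System;
using System.Web;   // HttpUtility lives in System.Web.dll

public static class NormalizationCheck
{
    // True when no escape sequence survives one round of decoding, i.e. the
    // request was encoded once. A second decode that changes the string means
    // the original contained "%25xx" style double encoding.
    public static bool PassesNormalization(string url)
    {
        string once = HttpUtility.UrlDecode(url);
        string twice = HttpUtility.UrlDecode(once);
        return once == twice;
    }

    // Builds the URL an OpenID provider sends the browser back to (constructed).
    // The response must echo openid.return_to, and that value is a whole URL that
    // is URL-encoded as a parameter. If the return URL already carried an escaped
    // query value (here the ReturnUrl that forms authentication appends to
    // login.aspx), each of its '%' signs comes back as "%25".
    public static string BuildProviderResponse(string blogLoginUrl, string returnUrlParam)
    {
        string returnTo = blogLoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrlParam);
        return returnTo
            + "&openid.mode=id_res"
            + "&openid.identity=" + HttpUtility.UrlEncode("http://example.signon.com/owner") // placeholder identifier
            + "&openid.return_to=" + HttpUtility.UrlEncode(returnTo);
    }

    public static void Main()
    {
        string login = "http://blog.example.com/login.aspx";   // constructed host

        // The redirect ISA rejected: openid.return_to contains "%252f" sequences.
        string response = BuildProviderResponse(login, "/admin/Pages/Add_entry.aspx");
        Console.WriteLine(response);
        Console.WriteLine("OpenID redirect passes normalization: " + PassesNormalization(response));

        // An ordinary single-encoded request to the same page is accepted.
        string plain = login + "?ReturnUrl=%2fadmin%2fdefault.aspx";
        Console.WriteLine("Plain request passes normalization: " + PassesNormalization(plain));
    }
}
```

The first check fails (decoding "%252f" once yields "%2f", and a second pass turns that into "/"), the second passes.  Note what the check cannot distinguish: a legitimately nested URL in openid.return_to and an attacker double-encoding "../" to evade a path rule look identical to it, which is why the filter should stay on for every rule except the one that needs the OpenID return.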


That's about it.  As you can see, I can now log in to my blog without ever sending my password to BlogEngine!
