OpenID for BlogEngine.Net

by chris 1/30/2008 12:55:00 AM

I was looking into using OpenID to authenticate to BlogEngine and found an excellent article that outlined how this can be accomplished.  Why would I want this, you ask?  Well, when using OpenID you are redirected to your OpenID provider to authenticate your credentials.  Then you are redirected back to your blog as an authenticated user. 

One argument for not using OpenID is a known spoofing vulnerability.  This can happen when you are redirected to a site that you think is your OpenID provider but is actually a spoofed site.  Entering your OpenID password on a spoofed site hands that password to whoever runs the site.  Very bad, because now the spoofing administrator has the keys to your OpenID kingdom.

So to counter the spoofing risk I would suggest you look for an OpenID provider that supports using an Information Card as a way to authenticate to the OpenID provider site.  Information Cards do not send your password to the website, so your password is never delivered to a spoofing site.  So, since I use SignOn.com as my OpenID provider I get to use my Information Card instead of entering a password.  So after all is said and done I never need to enter my password again!

So here are the steps to getting OpenID working on your BlogEngine.Net server!

I have been using the Artem XML Membership Provider to hash my passwords.  I still need to keep this in place to support applications that interact with my blog that don't support OpenID, such as Windows Live Writer.  Also, since I won't be using the username/password input fields I removed them from my Login.aspx page.  You will also need to clear out the Login.aspx.cs file or you will get a bunch of errors...

    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="login.aspx.cs" Inherits="login" Title="Sign in" %>
    <%@ Register Assembly="Janrain.OpenId" Namespace="NerdBank.OpenId.Consumer" TagPrefix="nb" %>
    <asp:Content ID="Content1" ContentPlaceHolderID="cphBody" Runat="Server">
      <div style="text-align:center">
        <nb:OpenIdLogin runat="server" />
      </div>
    </asp:Content>

I rely on ISA 2006 to publish and protect my web site.  I found an interesting problem that required changing the default configuration settings.  For some reason the OpenID redirection wouldn't pass normalization, which caused ISA to deny the return connection attempt.  To allow this to work correctly I had to uncheck the Verify normalization HTTP Filter.
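Why a legitimate OpenID response can trip a normalization check, as an added example that is not part of the original post. It models the check as "decode percent-escapes twice and reject if the second pass changes anything", which is an assumption about the filter and about the cause here; the URLs, the `nonce` parameter and all function names are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote, urlsplit

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def passes_verify_normalization(url):
    """Assumed model of the filter: a URL passes only if a second
    percent-decoding pass leaves the once-decoded URL unchanged."""
    once = unquote(url)
    return unquote(once) == once


def double_encoded_params(url):
    """Names of query parameters whose value still holds %XX after one decode."""
    flagged = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if ESCAPE.search(unquote(value)):
            flagged.append(unquote(name))
    return flagged


def assertion_url(return_to, identity):
    """Simplified redirect a provider sends the browser back on: the
    return_to URL with openid.* parameters appended, each value encoded."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,  # a URL nested inside a URL
    }
    sep = "&" if "?" in return_to else "?"
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return return_to + sep + query


# Constructed sample: the blog's return_to carries an encoded nonce value.
NONCE = "Zm9v+YmFy/w=="
RETURN_TO = "https://blog.example/login.aspx?nonce=" + quote(NONCE, safe="")
RESPONSE = assertion_url(RETURN_TO, "https://openid.example/chris")

if __name__ == "__main__":
    print("return_to passes:", passes_verify_normalization(RETURN_TO))
    print("response passes: ", passes_verify_normalization(RESPONSE))
    print("double-encoded:  ", double_encoded_params(RESPONSE))
```

The nested `openid.return_to` value is the part that gets encoded a second time, so it is the first place to look when a reverse proxy rejects the return leg of the login.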


That's about it.  As you can see I can now log in to my blog without sending my password to BlogEngine!

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. © 2008 Chris Blankenship
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License