Click here to Skip to main content
Click here to Skip to main content
 
Add your own
alternative version

OpenID With Forms Authentication

, 13 Dec 2010 CPOL
Shows how to use OpenID with ASP.NET MVC Forms Authentication.
DotNetOpenIdTest.zip
DotNetOpenIdTest
DotNetOpenIdTest
App_Data
bin
DotNetOpenAuth.dll
DotNetOpenIdTest.dll
Content
images
aolW.png
blogger.png
claimid.png
facebookW.png
fadegrey.png
flickr.png
flickrW.png
googleW.png
livejournal.png
myopenid.png
myopenidW.png
myspaceW.png
openidico.png
openidW.png
technorati.png
verisign.png
vidoop.png
wordpress.png
yahooW.png
Controllers
DotNetOpenIdTest.csproj.user
Global.asax
obj
Debug
DotNetOpenIdTest.dll
TempPE
Properties
Scripts
Views
Account
Home
Site
refs
DotNetOpenAuth.dll
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;
using System.Web.Security;
using System.Linq;
using System;
using System.Text.RegularExpressions;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using System.Web;

namespace DotNetOpenIdTest.Controllers
{


    /// <summary>
    /// Simple class that represents a OpenId validated user in the system
    /// </summary>
    public class UserData
    {
        public string Email { get; set; }
        public string FullName { get; set; }

        public override string ToString()
        {
            return String.Format("{0}-{1}", Email, FullName);
        }
    }


    /// <summary>
    /// Provides actions/methods for creating an OpenId request and how to 
    /// obtain information from a authenticated OpenId response, and also 
    /// has methods for creating a Forms Authentication Ticket
    /// </summary>
    public class AccountController : Controller
    {
        #region Actions
        /// <summary>
        /// Show default logon page, and also see if user is already authenticated. 
        /// If they are we can examine the IAuthenticationResponse to get the 
        /// user data from the OpenId provider
        /// </summary>
        /// <returns></returns>
        public ActionResult LogOn()
        {
            ViewData["message"] = "You are not logged in";

            OpenIdRelyingParty openid = new OpenIdRelyingParty();
            IAuthenticationResponse response = openid.GetResponse();

            //check for ReturnUrl, which we should have if we use forms 
            //authentication and [Authorise] on our controllers
            if (Request.Params["ReturnUrl"] != null)
                Session["ReturnUrl"] = Request.Params["ReturnUrl"];

            if (response != null && response.Status == AuthenticationStatus.Authenticated)
            {
                var claimUntrusted = response.GetUntrustedExtension<ClaimsResponse>();
                var claim = response.GetExtension<ClaimsResponse>();

                UserData userData = null;

                if (claim != null)
                {
                    userData = new UserData();
                    userData.Email = claim.Email;
                    userData.FullName = claim.FullName;
                }

                //fallback to claim untrusted, as some OpenId providers may not
                //provide the trusted ClaimsResponse, so we have to fallback to 
                //trying the untrusted on
                if (claimUntrusted != null && userData == null)
                {
                    userData = new UserData();
                    userData.Email = claimUntrusted.Email;
                    userData.FullName = claimUntrusted.FullName;
                }
            
                //now store Forms Authorisation cookie 
                IssueAuthTicket(userData, true);

                //store ClaimedIdentifier it in Session 
                //(this would more than likely be something you would store in a database I guess
                Session["ClaimedIdentifierMessage"] = response.ClaimedIdentifier;

                //If we have a ReturnUrl we MUST be using forms authentication, 
                //so redirect to the original ReturnUrl
                if (Session["ReturnUrl"] != null)
                {
                    string url = Session["ReturnUrl"].ToString();
                    return new RedirectResult(url);
                }
                //This should not happen if all controllers have [Authorise] used on them
                else
                    throw new InvalidOperationException("There is no ReturnUrl");
            }
            return View("LogOn");
        }

        /// <summary>
        /// Logon post request, so redirect to OpenId provider and when they authenticate, 
        /// redirect back to orginal url which is the one that needed authenticating in the 1st place
        /// </summary>
        [AcceptVerbs(HttpVerbs.Post)]
        public ActionResult LogOn(string openid_identifier)
        {
            var openid = new OpenIdRelyingParty();


            IAuthenticationRequest request = openid.CreateRequest(Identifier.Parse(openid_identifier));
            var fields = new ClaimsRequest();
            fields.Email = DemandLevel.Require;
            fields.FullName = DemandLevel.Require;
            request.AddExtension(fields);
            return request.RedirectingResponse.AsActionResult();
        }

        /// <summary>
        /// Logoff and clears forms authentication cookie
        /// </summary>
        /// <returns></returns>
        public ActionResult LogOff()
        {
            Session.RemoveAll();
            Session.Clear();
            Session.Abandon();
            Response.Cookies.Remove("AUTHCOOKIE"); 
            FormsAuthentication.SignOut();

            return View("LogOff");
        }
        #endregion



        #region Private Methods
        /// <summary>
        /// Issue forms authentication ticket for authenticated user, and store the cookie
        /// </summary>
        private void IssueAuthTicket(UserData userData, bool rememberMe)
        {
            FormsAuthenticationTicket ticket = 
                new FormsAuthenticationTicket(1, userData.Email,
                    DateTime.Now, DateTime.Now.AddDays(10),
                    rememberMe, userData.ToString());

            string ticketString = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketString);
            if (rememberMe)
                cookie.Expires = DateTime.Now.AddDays(10);

            HttpContext.Response.Cookies.Add(cookie);
        }
        #endregion
    }
}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Sacha Barber
Software Developer (Senior)
United Kingdom United Kingdom
I currently hold the following qualifications (amongst others, I also studied Music Technology and Electronics, for my sins)
 
- MSc (Passed with distinctions), in Information Technology for E-Commerce
- BSc Hons (1st class) in Computer Science & Artificial Intelligence
 
Both of these at Sussex University UK.
 
Award(s)

I am lucky enough to have won a few awards for Zany Crazy code articles over the years

  • Microsoft C# MVP 2014
  • Codeproject MVP 2014
  • Microsoft C# MVP 2013
  • Codeproject MVP 2013
  • Microsoft C# MVP 2012
  • Codeproject MVP 2012
  • Microsoft C# MVP 2011
  • Codeproject MVP 2011
  • Microsoft C# MVP 2010
  • Codeproject MVP 2010
  • Microsoft C# MVP 2009
  • Codeproject MVP 2009
  • Microsoft C# MVP 2008
  • Codeproject MVP 2008
  • And numerous codeproject awards which you can see over at my blog

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.141223.1 | Last Updated 13 Dec 2010
Article Copyright 2010 by Sacha Barber
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid