2
votes

We've got an MVC website that is going to use DotNetOpenAuth for signing in users via OpenID and I've found this really helpful template and other more simple examples that will help me get started on that end. However, what I don't have fully figured out is how to provide my users with a way to create an account with us if they don't want to use OpenID.

I can see two options here: write some custom code that allows OpenID to piggyback on the standard membership provider, or have the end site only use OpenID via DotNetOpenAuth and build an Identity Provider for my users to sign up on. That way the site would only see OpenID users and wouldn't know the difference.

Are these my only options? I haven't been able to find anything on standing up my own Identity Provider, just the relying party templates. I think I can get by with just putting OpenID on top of the default membership provider, but that feels like I'm doing it wrong, since I should be able to just stand up an identity provider.

So, in my situation, what would be the best way to support membership via local account creation and OpenID via DotNetOpenAuth?

1
Users have profiles that their information is attached to. They can be authenticated using an OpenID identity or log into your system with your username and password option (then this gives you an identity to map to the profiles table). Then users can add multiple identities to one profile (Google, Twitter, Facebook, etc.). - rlemon
Ah yeah, I forgot about the account linking stuff! That is a requirement for us as well. Locally created users must have the ability to link OAuth accounts to their local account. Maybe I should just go the simple route and use the default membership provider stuff and just piggyback OAuth on it, like here: andrewblogs.com/blog/openid-for-asp-net-mvc-a-quick-setup - Allen Rice
The idea is the same: create your local registration system, but instead of it containing the user profile information it just contains the credentials and an identity (id value or something) that you have a key mapping to the profiles table. - rlemon

1 Answer

1
votes

Setting up your own identity provider so that your site only speaks OAuth is certainly an option, but a non-trivial one. I wouldn't recommend setting up an identity provider unless you intend your customers to use it for logging into other sites.

Also keep in mind that most web sites don't use OAuth to authenticate (since it's not an authentication protocol anyway). OpenID is more popular.

The project template you linked to in your question demonstrates allowing users to log in via several OpenID Providers and includes support for linking user accounts.

As for supporting local user accounts as well, I suggest you take a look at the source code behind nerddinner.com. I would advise against using the ASP.NET Membership provider for the OpenID/OAuth accounts as the interface doesn't fit very well, but folks have made it work so you can too if you want.
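The profile/credential/identity split described in the comments, as an added sketch that is not code from this thread, DotNetOpenAuth or NerdDinner. It uses Python with an in-memory SQLite database rather than the site's ASP.NET stack; all table and function names are hypothetical, and `claimed_id` is assumed to have already been verified by the relying-party library before these functions are called.

```python
import hashlib, hmac, os, sqlite3

# Hypothetical schema: profile data lives in one table; each way of signing in
# is a separate row that only points at a profile.
SCHEMA = """
CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE local_credentials (
    profile_id INTEGER NOT NULL UNIQUE REFERENCES profiles(id),
    username TEXT NOT NULL UNIQUE, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE external_identities (
    profile_id INTEGER NOT NULL REFERENCES profiles(id),
    claimed_id TEXT NOT NULL UNIQUE);  -- one identifier maps to exactly one profile
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register_local(db, username, password, display_name):
    """Create a profile plus a username/password credential row pointing at it."""
    salt = os.urandom(16)
    pid = db.execute("INSERT INTO profiles (display_name) VALUES (?)", (display_name,)).lastrowid
    db.execute("INSERT INTO local_credentials VALUES (?, ?, ?, ?)",
               (pid, username, salt, _hash(password, salt)))
    return pid

def login_local(db, username, password):
    """Return the profile id for a correct password, else None."""
    row = db.execute("SELECT profile_id, salt, pw_hash FROM local_credentials "
                     "WHERE username = ?", (username,)).fetchone()
    if row and hmac.compare_digest(row[2], _hash(password, row[1])):
        return row[0]
    return None

def link_identity(db, session_profile_id, claimed_id):
    """Attach a verified identifier to the profile of the already logged-in session."""
    try:
        db.execute("INSERT INTO external_identities VALUES (?, ?)", (session_profile_id, claimed_id))
        return True
    except sqlite3.IntegrityError:
        return False  # already linked somewhere; never silently re-point it

def login_external(db, claimed_id, display_name):
    """Resolve a verified identifier to its profile, creating one on first sign-in."""
    row = db.execute("SELECT profile_id FROM external_identities WHERE claimed_id = ?", (claimed_id,)).fetchone()
    if row:
        return row[0]
    pid = db.execute("INSERT INTO profiles (display_name) VALUES (?)", (display_name,)).lastrowid
    link_identity(db, pid, claimed_id)
    return pid
```

The `UNIQUE` constraint on `claimed_id` is what stops a second account from claiming an identifier that is already linked, and `link_identity` takes the profile id from the authenticated session rather than from user input.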