21
votes

Currently I'm developing some infrastructure and I've implemented my own RESTful authentication mechanism.

Now I have in mind that maybe I shouldn't go this way and should instead use an industry standard, so that interoperability with my project could be trivial and easier to understand in terms of authentication and authorization.

After checking some articles, googling everywhere and reading some Q&A here on Stack Overflow, I can't find how to be an OpenID provider. I'm not talking about authenticating users using Google, Windows Live, Facebook Connect and so on; I want to develop an OpenID-enabled system so that if someone wants to register for my services, they'll do it in my own domain.

Actually my question is: can anyone become an OpenID provider, and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?

Thank you.

I would argue the "industry standard" is using existing OID providers, not rolling your own. I'm not sure what the benefit of that would be. - Matt Grande
@MattGrande This is the part I'm not understanding. Is it a standard if some private companies hold user data, but no one can become an OpenID provider unless they are a big company? - Matías Fidemraizer
Absolutely anyone can become an OpenID provider, it is not just for big companies. - JonnyBoats
I'm saying that the benefit of OID is that you don't need another login. Users will be able to go to other websites and log in using their existing credentials. This is only beneficial if there's a pretty good chance that people already have an account with your service. So, unless you're playing with the big boys (Google, Microsoft, Facebook, etc.), I guess I don't really see the point. - Matt Grande
@MattGrande You're right, but don't think of OpenID as a way of getting authenticated everywhere, in any service in the world. Just imagine you want to create some cloud services and you don't want to force everyone to re-register in each of them. OK, this "Matias OpenID" won't be interesting for logging in to Stack Overflow, but it should be interesting for logging in to my X, Y, Z, N services. Instead of creating my own "single sign-on" system, I'd prefer to use a common standard, so my products will be easier to understand and interoperate. - Matías Fidemraizer

3 Answers

19
votes

Developing an OpenID Provider as a means of single sign-on (SSO) within an organization's ring of web sites is a very valid scenario. DotNetOpenAuth comes with a pair of sample web sites (a Provider and a Relying Party) that demonstrate a single-sign-on relationship. They're called OpenIdWebRingSsoProvider and OpenIdWebRingSsoRelyingParty.

Please do not attempt to implement OpenID by yourself any more than you'd implement SSL by yourself. Getting OpenID security and interoperability just right takes a very long time and a deep level of domain knowledge. DotNetOpenAuth in particular gives you programmatic access to do just about anything you'd want to with OpenID, and since it's free, it's hard to go wrong.

Disclosure: I am a developer behind DotNetOpenAuth.

9
votes

Actually my question is: can anyone become an OpenID provider and is DotNetOpenAuth a library to develop this protocol in your own infrastructure?

  1. How to become an OpenID Provider
  2. DotNetOpenAuth has some hiccups, but all in all it is a good tool to use under .NET

If you think you can do it, you can follow this:

Lastly, and most challenging, is implementing custom support for OpenID in your software and account management tools. While this approach of course affords the greatest degree of control over the user experience, it is also the most risky and only for developers experienced with web security. Start by reviewing the specs and documentation.


But my question would always be:

Why one more provider? Facebook, Google, MyOpenID, ... already have it, and with them plenty of users have (even without knowing it) an OpenID login...

StackExchange has been an OpenID provider for a while now, but... there are so many users across the StackExchange platform. Are you developing such a big community that it would be reasonable to create and implement your own provider?

1
vote

I see the answers are a couple of years old. If you are looking for the latest solution to build an OpenID provider using the Microsoft technology stack, IdentityServer is the open source option. One can use this and build an OpenID Connect identity provider.

Documentation on how to use and build it: https://identityserver4.readthedocs.io/en/latest/

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.

It enables the following features in your applications:

Authentication as a Service: Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of OpenID Connect.

Single Sign-on / Sign-out: Single sign-on (and out) over multiple application types.

Access Control for APIs: Issue access tokens for APIs for various types of clients, e.g. server to server, web applications, SPAs and native/mobile apps.

Federation Gateway: Support for external identity providers like Azure Active Directory, Google, Facebook etc. This shields your applications from the details of how to connect to these external providers.

Focus on Customization: The most important part - many aspects of IdentityServer can be customized to fit your needs. Since IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system the way it makes sense for your scenarios.

Mature Open Source: IdentityServer uses the permissive Apache 2 license that allows building commercial products on top of it. It is also part of the .NET Foundation which provides governance and legal backing.
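To make the "you can write code to adapt the system" point concrete for the scenario in the question (one provider serving a ring of your own services), here is a minimal IdentityServer4 (ASP.NET Core 2.x) provider configuration. This is an added example written for this page, not code from the answer above or from the IdentityServer project; the scope name "api1", the client IDs, the secrets and the redirect URIs are assumptions standing in for your own services. It uses only the public IdentityServer4 API (Client, ApiResource, IdentityResources, AddIdentityServer, AddInMemory* stores, UseIdentityServer).

```csharp
// Added example, not part of the original answer or the IdentityServer4 project.
// "api1", "webring.client", "batch.job", the secrets and the URIs are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class IdpConfig
{
    // Identity scopes: what an ID token may carry. "openid" is mandatory for OIDC.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };

    // APIs (your X, Y, Z services) that will accept access tokens issued here.
    public static IEnumerable<ApiResource> Apis =>
        new List<ApiResource>
        {
            new ApiResource("api1", "Service X API"),
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            // Server-side web app in the ring: authorization code flow + PKCE,
            // confidential client, exact-match redirect URIs (no wildcards).
            new Client
            {
                ClientId = "webring.client",
                ClientName = "Service X",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                // Only the SHA-256 hash is kept on the provider side;
                // the plaintext lives in the client's own configuration.
                ClientSecrets = { new Secret("change-me-before-deploying".Sha256()) },
                RedirectUris = { "https://x.example.com/signin-oidc" },
                PostLogoutRedirectUris = { "https://x.example.com/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1",
                },
                AllowOfflineAccess = false, // no refresh tokens unless you need them
            },
            // Machine-to-machine caller: client credentials, no user, API scope only.
            new Client
            {
                ClientId = "batch.job",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("another-placeholder-secret".Sha256()) },
                AllowedScopes = { "api1" },
            },
        };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // Development only: generates a throwaway RSA signing key on start-up.
            // In production use AddSigningCredential(...) with a managed X.509 cert/key
            // so relying parties see a stable key set and tokens survive restarts.
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(IdpConfig.IdentityResources)
            .AddInMemoryApiResources(IdpConfig.Apis)
            .AddInMemoryClients(IdpConfig.Clients);
        // A real deployment replaces the in-memory stores and the test user store
        // with your own user database and a persisted grant store.
    }

    public void Configure(IApplicationBuilder app)
    {
        // Exposes /.well-known/openid-configuration, /connect/authorize,
        // /connect/token, /connect/userinfo, /connect/endsession, ...
        app.UseIdentityServer();
    }
}
```

The interactive login and consent pages are not part of the middleware; in practice you add the IdentityServer4 quickstart UI (or your own MVC views) alongside this. Each relying party in your ring then only needs the issuer URL: it reads the discovery document, validates the ID token's signature, issuer and audience, and never sees the user's password. Keep the developer signing credential out of production, keep client secrets hashed as above, and register redirect URIs exactly, since those are the settings most often weakened when teams customise a provider.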