Comments on: Converting the ASP.NET MVC project into OpenID http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/?utm_source=rss&utm_medium=rss&utm_campaign=converting-the-asp-net-mvc-project-into-openid A bit of this, a bit of that and a lot about computers Sat, 03 Jul 2010 15:12:19 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Pablo http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/#comment-362 Pablo Fri, 16 Oct 2009 18:42:27 +0000 http://pupeno.com/?p=633#comment-362 Justin, I've used the <a href="http://jvance.com/pages/JQueryOpenIDPlugin.xhtml" rel="nofollow">jQuery plug in for OpenID</a> which looks like this: Justin, I’ve used the jQuery plug in for OpenID which looks like this:

]]> By: Justin Chase http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/#comment-361 Justin Chase Thu, 15 Oct 2009 23:32:40 +0000 http://pupeno.com/?p=633#comment-361 How does your view look? How does your view look?

]]> By: Nimesh – Perception System http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/#comment-360 Nimesh – Perception System Sat, 29 Aug 2009 06:19:58 +0000 http://pupeno.com/?p=633#comment-360 Nice Post Informative and useful one I am .Net Developer and I am looking for this Thanks for the great stuff. Nice Post
Informative and useful one
I am .Net Developer and I am looking for this
Thanks for the great stuff.

]]> By: Pablo http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/#comment-359 Pablo Thu, 30 Jul 2009 22:38:19 +0000 http://pupeno.com/?p=633#comment-359 Thank you Andrew for the comment. I believe all issues are solved now. Thank you Andrew for the comment. I believe all issues are solved now.

]]> By: Andrew Arnott http://pupeno.com/blog/converting-the-asp-net-mvc-project-into-openid/#comment-358 Andrew Arnott Thu, 30 Jul 2009 15:21:06 +0000 http://pupeno.com/?p=633#comment-358 Great post. Just a few bits of feedback: Your response.GetExtension call collapsed to response.GetExtension() (note lack of generic parameter), probably due to HTML parsing. You are setting user passwords to new Guids. It's good that you're randomizing them, but guid generation is predictable, allowing someone to pretty easily brute-force attack what the password is. While your site MAY not expose a web page that allows username/password login at all anyway, it's a good security mitigation to assign a cryptographically strong random password just to make sure. Here's some code that generates cryptographically strong random strings: internal static readonly RandomNumberGenerator CryptoRandomDataGenerator = new RNGCryptoServiceProvider(); byte[] buffer = new byte[length]; CryptoRandomDataGenerator.GetBytes(buffer); return Convert.ToBase64String(buffer); Consider initializing one static OpenIdRelyingParty field in your controller and reusing it for all logins. OpenIdRelyingParty is relatively heavy to instantiate, and it's thread safe. So the recommended pattern is to reuse one for all your logins on a single page. I know the sample doesn't do this (the sample should be updated). Great post. Just a few bits of feedback:

Your response.GetExtension call collapsed to response.GetExtension() (note lack of generic parameter), probably due to HTML parsing.

You are setting user passwords to new Guids. It’s good that you’re randomizing them, but guid generation is predictable, allowing someone to pretty easily brute-force attack what the password is. While your site MAY not expose a web page that allows username/password login at all anyway, it’s a good security mitigation to assign a cryptographically strong random password just to make sure.

Here’s some code that generates cryptographically strong random strings:
internal static readonly RandomNumberGenerator CryptoRandomDataGenerator = new RNGCryptoServiceProvider();

byte[] buffer = new byte[length];
CryptoRandomDataGenerator.GetBytes(buffer);
return Convert.ToBase64String(buffer);

Consider initializing one static OpenIdRelyingParty field in your controller and reusing it for all logins. OpenIdRelyingParty is relatively heavy to instantiate, and it’s thread safe. So the recommended pattern is to reuse one for all your logins on a single page. I know the sample doesn’t do this (the sample should be updated).

]]>