What should I get from Gmail with DotNetOpenAuth?

Time: 2012-03-07 19:58:05

Tags: c# asp.net-mvc dotnetopenauth

I want to use DotNetOpenAuth on my website for authentication + authorization (Gmail).

But I want to ask: what should I persist?

I am thinking:

  1. In the DB: save a Guid for each user together with his Gmail address (fetched).
  2. In FormsAuthentication, the Guid I have assigned to that user.
  3. Any other suggestions?

    using System;
    using System.Web;
    using System.Web.Security;
    using DotNetOpenAuth.OAuth;
    using DotNetOpenAuth.OAuth.Messages;
    using DotNetOpenAuth.OpenId;
    using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
    using DotNetOpenAuth.OpenId.RelyingParty;

    // Returns true when the OpenID assertion is authenticated and Google granted
    // the OAuth access token; false otherwise (including the initial redirect).
    public bool Login()
    {
        IAuthenticationResponse authResponse = GoogleConsumerHandler.RelyingParty.GetResponse();
        if (authResponse != null)
        {
            return HandleAuthResponse(authResponse);
        }

        // No response yet: this is the first visit, so start the OpenID request.
        HandleAuthNullResponse();
        return false;
    }

    #region private methods

    private bool HandleAuthResponse(IAuthenticationResponse authResponse)
    {
        switch (authResponse.Status)
        {
            case AuthenticationStatus.Authenticated:
                State.FetchResponse = authResponse.GetExtension<FetchResponse>();
                var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager);
                AuthorizedTokenResponse accessToken = consumer.ProcessUserAuthorization(authResponse);
                if (accessToken != null)
                {
                    // The e-mail address comes from the AX FetchResponse (null if the
                    // OP did not send it). ClaimedIdentifier is the OpenID identity,
                    // not an e-mail address.
                    string email = State.FetchResponse == null
                        ? null
                        : State.FetchResponse.GetAttributeValue(WellKnownAttributes.Contact.Email);

                    //existing or new
                    Guid userId = mCRMService.GetUserId(email, accessToken.AccessToken);

                    State.GoogleAccessToken = accessToken.AccessToken;

                    FormsAuthentication.SetAuthCookie(userId.ToString(), false);

                    //authenticated and authorized
                    //Response.Redirect("~/Browser.htm");
                    return true;
                }

                //authenticated and not authorized
                //MultiView1.SetActiveView(AuthorizationDenied);
                return false;

            case AuthenticationStatus.Canceled:
                return false;
            case AuthenticationStatus.Failed:
                return false;
            default:
                //not authenticated
                //this.MultiView1.SetActiveView(this.AuthenticationFailed);
                return false;
        }
    }

    private void HandleAuthNullResponse()
    {
        // Google requires that the realm and consumer key be equal,
        // so we constrain the realm to match the realm in the web.config file.
        // This does mean that the return_to URL must also fall under the key,
        // which means this sample will only work on a public web site
        // that is properly registered with Google.
        // We will customize the realm to use http or https based on what the
        // return_to URL will be (which will be this page).

        var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager);

        //Realm realm = "http://localhost:8976/";
        Realm realm = HttpContext.Current.Request.Url.Scheme + Uri.SchemeDelimiter + consumer.ConsumerKey + "/";
        IAuthenticationRequest authReq = GoogleConsumerHandler.RelyingParty.CreateRequest(GoogleConsumerHandler.GoogleOPIdentifier, realm);

        // Prepare the OAuth extension
        string scope = GoogleConsumerHandler.GetScopeUri(GoogleConsumerHandler.Applications.Gmail);
        consumer.AttachAuthorizationRequest(authReq, scope);

        // We also want the user's email address
        var fetch = new FetchRequest();
        fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
        authReq.AddExtension(fetch);

        authReq.RedirectToProvider();
    }

    #endregion


1 answer:

Answer 0 (score: 0)

For authentication purposes, you should store the OpenID ClaimedIdentifier that is returned to you in the IAuthenticationResponse object. This is the user's "primary key", so you can recognize them when they come back. I suggest you use the claimed_id as the FormsAuthentication username instead of a random GUID. Storing the e-mail address you collect as well is fine, but it is not recommended as the way to identify returning users.

Remember that you cannot log in "Gmail users". You log in OpenID users, who may use any provider. You can restrict it to "Google" users by filtering IAuthenticationResponse.Provider.Uri for the Google OP endpoint, but even then you cannot guarantee that those accounts use Gmail (their e-mail address may be foo@bar.com anyway).

Finally, if all you need is to authenticate them and get their e-mail address (whichever e-mail it is), you can use the OpenID AX extension (built into DNOA) and you do not need "authorization" at all, which may simplify your code considerably.
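The approach the answer recommends, written out as an added ASP.NET MVC example (this is not code from the question, the answer or DotNetOpenAuth's own samples): plain OpenID with AX for the e-mail, the ClaimedIdentifier as the forms-auth username, and a check that the assertion came from the Google OP. The controller name, the in-memory user table and the Google OP identifier/endpoint URLs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.RelyingParty;

public class AccountController : Controller
{
    private static readonly OpenIdRelyingParty RelyingParty = new OpenIdRelyingParty();
    // Google's OpenID 2.0 discovery identifier and OP endpoint URL (assumed values;
    // compare against what discovery actually returns in your deployment).
    private const string GoogleOpIdentifier = "https://www.google.com/accounts/o8/id";
    private static readonly Uri GoogleOpEndpoint = new Uri("https://www.google.com/accounts/o8/ud");
    // In-memory stand-in for the DB table keyed by claimed identifier (constructed).
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>();

    // Step 1: redirect to Google, requesting only the e-mail through AX (no OAuth needed).
    public ActionResult Login()
    {
        IAuthenticationRequest request = RelyingParty.CreateRequest(GoogleOpIdentifier);
        var fetch = new FetchRequest();
        fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
        request.AddExtension(fetch);
        return request.RedirectingResponse.AsActionResult();
    }

    // Step 2: Google redirects the browser back here (the return_to URL).
    [ValidateInput(false)]
    public ActionResult LoginCallback()
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
            return RedirectToAction("Login"); // canceled, failed, or not a callback at all
        // Accept assertions from the Google OP only; any other provider is rejected.
        if (response.Provider == null || response.Provider.Uri != GoogleOpEndpoint)
            return RedirectToAction("Login");
        // The claimed identifier, not the e-mail, is the stable key for this user.
        string claimedId = response.ClaimedIdentifier.ToString();
        // The e-mail is extra AX data; it may be missing if the OP declined to send it.
        var fetched = response.GetExtension<FetchResponse>();
        string email = fetched == null ? null : fetched.GetAttributeValue(WellKnownAttributes.Contact.Email);
        Users[claimedId] = email;
        FormsAuthentication.SetAuthCookie(claimedId, false);
        return RedirectToAction("Index", "Home");
    }
}
```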