我應該從Gmail中獲取DotNetOpenAuth？

Question

我想在我的網站中使用DotNetOpenAuth進行身份驗證+授權（gmail）。

但是，我想問：我應該堅持什麼？

心想：

1. 在DB：爲每個用戶保存一個GUID和他的Gmail（取）
2. 在formAuthentication餅乾的GUID我已經分配給該用戶。

其他建議？

public bool Login() 
{ 
    IAuthenticationResponse authResponse = GoogleConsumerHandler.RelyingParty.GetResponse(); 
    if (authResponse != null) 
    { 
     HandleAuthResponse(authResponse); 
    } 
    else 
    { 
     HandleAuthNullResponse(authResponse); 
    } 

    return false; 
} 

#region private methods 

private void HandleAuthResponse(IAuthenticationResponse authResponse) 
{ 
    switch (authResponse.Status) 
    { 
     case AuthenticationStatus.Authenticated: 
      State.FetchResponse = authResponse.GetExtension<FetchResponse>(); 
      var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager); 
      AuthorizedTokenResponse accessToken = consumer.ProcessUserAuthorization(authResponse); 
      if (accessToken != null) 
      {     
       var email = authResponse.ClaimedIdentifier; 

       //existing or new 
       Guid userId = mCRMService.GetUserId(email, accessToken.AccessToken); 

       State.GoogleAccessToken = accessToken.AccessToken; 

       FormsAuthentication.SetAuthCookie(userId.ToString(), false); 

       //authenticat and authorized 
       //Response.Redirect("~/Browser.htm"); 
      } 
      else 
      { 
       //authenticated and not authorized 
       //MultiView1.SetActiveView(AuthorizationDenied); 
      } 
      break; 

     case AuthenticationStatus.Canceled: 
      break; 
     case AuthenticationStatus.Failed: 
      break; 
     default: 
      //not authenticated 
      //this.MultiView1.SetActiveView(this.AuthenticationFailed); 
      break; 
    } 
} 

private void HandleAuthNullResponse(IAuthenticationResponse authResponse) 
{ 
    // Google requires that the realm and consumer key be equal, 
    // so we constrain the realm to match the realm in the web.config file. 
    // This does mean that the return_to URL must also fall under the key, 
    // which means this sample will only work on a public web site 
    // that is properly registered with Google. 
    // We will customize the realm to use http or https based on what the 
    // return_to URL will be (which will be this page). 

    var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager); 

    //Realm realm = "http://localhost:8976/"; 
    Realm realm = System.Web.HttpContext.Current.Request.Url.Scheme + Uri.SchemeDelimiter + consumer.ConsumerKey + "/"; 
    IAuthenticationRequest authReq = GoogleConsumerHandler.RelyingParty.CreateRequest(GoogleConsumerHandler.GoogleOPIdentifier, realm); 

    // Prepare the OAuth extension 
    string scope = GoogleConsumerHandler.GetScopeUri(GoogleConsumerHandler.Applications.Gmail); 
    consumer.AttachAuthorizationRequest(authReq, scope); 

    // We also want the user's email address 
    var fetch = new FetchRequest(); 
    fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email); 
    authReq.AddExtension(fetch); 

    authReq.RedirectToProvider(); 
} 

Answer 1

認證的目的，你應該存儲的OpenID ClaimedIdentifier你回來的IAuthenticationResponse對象。這是用戶的「主鍵」，因此您可以在他們返回時識別它們。我建議你使用claims_id作爲FormsAuthentication用戶名，而不是隨機的GUID。同時存儲您收集的電子郵件地址也很好，但用它作爲識別返回用戶的手段是不明智的。

請記住，您無法登錄「Gmail用戶」。您可以登錄OpenID用戶，這可能會使用任何提供商。您可以通過過濾Google OP端點的IAuthenticationResponse.Provider.Uri來限制爲「Google」用戶，但即使這樣，您也無法保證這些帳戶使用Gmail（無論如何，其電子郵件地址可能都是foo@bar.com）。最後，如果您只需要他們的身份驗證和電子郵件地址（無論是哪種電子郵件地址），則可以使用OpenID AX擴展（內置於DNOA中）並且不需要「授權」，這可能會大大簡化你的代碼。