Secure Single Sign On in ASP.NET for the authentication from anthother (php) website via OpenID
I need to realize a following authentication on my asp.net: the user on the ASP.NET and PHP websites should authenticated using the OpenID. The login and registration exists only on the PHP website. SO the requirements are:
- My ASP.NET website should redirect to the PHP website for the authentication. The user will authenticated using OpenID from the PHP website.
- If the user is new (I plan to use a coookie) to my ASP.NET website, it will redirects with empty paramater. Otherwise, I pass a stored OpenID in the redirect request.
- The PHP website shows the user the login page if the passed OpenID is empty and allows the user to authenticate and register himself. If the passed OpenID is not empty. the PHP website should check its valid state.
- Only if the authentication / registration succeeded the PHP website redirects back to my ASP.NET website the OpenID, that I will use for the user.
- This process, of course, must be secure.
I found that the check for the authentication should be implement in the Global.asax in the Application_AuthenticateRequest event using 开发者_如何学Cthe FormAuthentication. I plan it like this
protected void Application_AuthenticateRequest(Object sender, EventArgs e) {
if(HttpContext.Current.User != null) {
// Extract the forms authentication cookie if exists.
// Redirects to the php website using the OpenID extracted from the cookies, or empty.
// Pass also a new generated token to secure the communication.
} else {
// Store a new GeneralPrincipal to the HttpContext.Current.User.
}
}
protected void Application_BeginRequest(Object sender, EventArgs e) {
// Check for the redirected back token and OpenID.
// Create FormsAuthenticationTicket for the openid and store it in the cookie.
}
The problem is, that I can't save the generated token in the Session, because the SessionState is not initialized at the time.
Which is the best practice to solve the requirements above?
I've solve the problem by using the base page class for all my sites that should be protected. The user will be checked in the OnInit on every request like this
protected override void OnInit(EventArgs e) {
// Check Identity.
if(HttpContext.Current.User.Identity.IsAuthenticated) {
// The user is already authenticated.
// Get the user...
return;
}
// Check if the php server sends request with token.
if(!string.IsNullOrEmpty(Request.QueryString["token"])) {
try {
// Get user from the PHP-Server by the token.
//...
// Remove old FormsAuthentication.
FormsAuthentication.SignOut();
// Save new authentication.
SaveAuthentication();
} catch(Exception exception) {
// Handle...
return;
}
} else {
// Get new php-token and redirect to the php-server for the authentication.
//...
}
For the localizable ASP.NET web sites it can be implemented in the InitializeCulture method.
精彩评论