Scott Hanselman

The Weekly Source Code 25 - OpenID Edition

April 30, '08 Comments [161] Posted in ASP.NET | ASP.NET MVC | DasBlog | Identity | Source Code
Sponsored By

OpenID Logo We spent a lot of time at Corillian (my last job) thinking about Identity, and a few months before I left I started getting into Cardspace and OpenID. This was a little over a year ago. We did a podcast on OpenID as well.

At that time, I tried to take the only .NET implementation at the time of OpenID which was written in in Boo written originally by Grant Monroe and port it to C# causing me to go through the Programmer Phases of Grief. Andrew Arnott and Jason Alexander took the reins and we spend a number of late nights trying to get a good OpenID library working. I gave up, but they soldiered on and created dotnetopenid (downloads), including a client and server as well as Andrew's excellent ASP.NET controls .

Fast-forward to now. My new friend Aaron Hockley decided to a stands and promote OpenID. He said:

Effective immediately, I will no longer comment on tech blogs that don’t support OpenID for comment authentication.

He's just one guy, but his heart is in the right place. He points out that:

Google offers it as a Blogger option. It’s available as a super-easy-to-install WordPress plugin. Movable Type has it as a built-in feature.

OpenID is a good thing and it's Growing. You may already have an OpenID if, for example, you have a Yahoo! account. More on this soon.

How to turn your blog into an OpenID

Simon Willison wrote How to turn your blog into an OpenID and it's very easy.

STEP 1: Get an OpenID. There a lots of servers and services out there you can use. I use http://www.myopenid.com for two reasons. One, I know the CEO (they're in Portland), and two, they support optionally using CardSpace to authenticate yourself (as well as the standard way with password).

STEP 2: Add these two lines to your blog's main template in-between the <HEAD></HEAD> tags at the top of your template. Most all blog engines support editing your template so this should be an easy and very possible thing to do.

Example:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href=
http://YOURUSERNAME.myopenid.com/ />

This will let you use your domain/blog  as your OpenID. Now, I can log in with "http://www.hanselman.com" when I see an OpenID Login option - and so can you! Go do it now!

Making OpenID Logins Easier

If you have a blog or site with OpenID support, you should go get this little snippet of JavaScript and install an OpenID ID Selector on your blog from http://www.idselector.com/.

virgin-3

One of the things that is slowing OpenID adoption is that many people don't realize that they may already have one. That's what this little Javascript is trying to do by showing folks sites that they recognize. This way my Dad could login using Yahoo and it would make sense to him. It's a little busy, but it's a start. I've added an http://www.idselector.com/ to my blog for comments.

Adding OpenID Support to DasBlog

A year ago, I originally tried to port the Boo code to C# in an attempt to enable OpenID in DasBlog but eventually gave up. However, last night, I re-familiarized myself with the OpenID spec (it's on 2.0 now) and started reading the source for http://code.google.com/p/dotnetopenid/.

In a word, it's a joy. I was able to get OpenID running OK in two hours and working well and up on my blog in two more. I have to give credit to the fantastic work that Andrew Arnott and Jason Alexander and team are doing. It's come far and you should know about it, Dear Reader.

I had two scenarios in DasBlog (again, in case you didn't know, it's the C# and XML-based blog that runs this site and others) to handle.

First, I wanted to support OpenID for Comments which wouldn't actually "log a user in" in the stateful FormsAuthentication sense. I think this isn't a very common scenario, and I'd describe it as One-Time Occasional Authentication. In this case, I used the dotnetopenid classes directly in a moderately complex scenario.

Second, I wanted to support OpenID to login as the Administrator for my site. This would, in fact, log me in via FormsAuthentication. This would be a common scenario that you'd probably care about as it's very typical. In this case, I used the dotnetopenid ASP.NET Controls, which were about as easy as falling off a log. (That's pretty easy.)

Here's the first, harder, scenario.

If you've entered your OpenID and hit Submit Comment then we'll store the current entry and the comment you're submitting. We'll be redirecting away to get authenticated and we'll need them when we get back. If you're running in a WebFarm, you'll want to store these temporary variables in a database or somewhere that doesn't have node-affinity.

Session["pendingComment"] = comment.Text;
Session["pendingEntryId"] = ViewState["entryId"] as string;
OpenIdRelyingParty openid = new OpenIdRelyingParty();
IAuthenticationRequest req = openid.CreateRequest(openid_identifier.Text);
ClaimsRequest fetch = new ClaimsRequest();
fetch.Email = DemandLevel.Require;
fetch.Nickname = DemandLevel.Require;
req.AddExtension(fetch);
SaveCookies();
req.RedirectToProvider();
return;

What I think of as an "OpenID Client" is called a "Relying Party" or "RP" in the parlance of the OpenID folks. In this code we create an AuthenticationRequest and add some additional claims. There's a nice interface-based extension model in this lower-level library that lets you Request or Require information from the user's profile. For comments on the blog, I just need your email for your Gravatar and your Nickname for Display.

I then call RedirectToProvider, and that's if for the request side. Remember I said this was the hard scenario! Not so hard. ;)

Next, we're redirected to an OpenIDProvider, we authenticate (or not) and are redirected BACK with additional information encoded on the GET. On the way back in, in our Page_Load (or an HttpHandler if you like) we check the Response status.  If we're Authenticated, we grab the info we requested and add the comment. Bam. Sprinkle in a little error handling and we're all set.

OpenIdRelyingParty openid = new OpenIdRelyingParty();
if (openid.Response != null)
{
// Stage 3: OpenID Provider sending assertion response
switch (openid.Response.Status)
{
case AuthenticationStatus.Authenticated:
ClaimsResponse fetch = openid.Response.GetExtension(typeof(ClaimsResponse)) as ClaimsResponse;
string nick = fetch.Nickname;
string homepage = openid.Response.ClaimedIdentifier;
string email = fetch.Email;
string comment = Session["pendingComment"] as string;
string entryId = Session["pendingEntryId"] as string;
if (String.IsNullOrEmpty(comment) == false && String.IsNullOrEmpty(entryId) == false)
{
AddNewComment(nick, email, homepage, comment, entryId, true);
}
break;
}
}

Here's the second scenario where we'll log in as the Administrator of the blog. I just register the DotNetOpenId assembly in my ASPX page and put an <openidlogin> control on the page. Notice that even the claims I created in the manual scenario above are just properties on this control. There's also events like OnLoggedIn to handle the results.

<%@ Register Assembly="DotNetOpenId" Namespace="DotNetOpenId.RelyingParty" TagPrefix="cc1" %>
<cc1:openidlogin id="OpenIdLogin1"
RequestEmail="Require" RequestNickname="Request" RegisterVisible="false"
RememberMeVisible="True" PolicyUrl="~/PrivacyPolicy.aspx" TabIndex="1"
OnLoggedIn="OpenIdLogin1_LoggedIn"/></cc1:openidlogin>

This controls renders nicely as seen in the screenshot below.

image

In the OnLoggedIn event, I call my existing security APIs (Thanks to Tony Bunce and Anthony Bouch) and set the AuthCookie from FormsAuthentication.

protected void OpenIdLogin1_LoggedIn(object sender, OpenIdEventArgs e)
{
UserToken token = SiteSecurity.Login(e.Response);
if (token != null)
{
FormsAuthentication.SetAuthCookie(userName, rememberCheckbox.Checked);
Response.Redirect(SiteUtilities.GetAdminPageUrl(), true);
}
}

Poof. I love using well designed libraries and just work. At this point all that was left was adding some CSS and tidying up.

OpenID and ASP.NET WebForms and MVC

The dotnetopenid source includes source for sample sites. It actually includes three samples, two WebForms and one ASP.NET MVC.

The MVC implementation is very clean, even though (or because?) it doesn't use controls. Here's the Authenticate Controller Action:

public void Authenticate() {
var openid = new OpenIdRelyingParty();
if (openid.Response == null) {
// Stage 2: user submitting Identifier
openid.CreateRequest(Request.Form["openid_identifier"]).RedirectToProvider();
} else {
// Stage 3: OpenID Provider sending assertion response
switch (openid.Response.Status) {
case AuthenticationStatus.Authenticated:
FormsAuthentication.RedirectFromLoginPage(openid.Response.ClaimedIdentifier, false);
break;
case AuthenticationStatus.Canceled:
ViewData["Message"] = "Canceled at provider";
RenderView("Login");
break;
case AuthenticationStatus.Failed:
ViewData["Message"] = openid.Response.Exception.Message;
RenderView("Login");
break;
}
}
}

What about CardSpace?

Infocard LogoOpenID is a spec for a protocol that "eliminates the need for multiple usernames across different websites, simplifying your online experience."  What's cool is that it's open, so you (the consumer) gets to pick your Provider. It's not owned by anyone, so it's ours to screw up (or succeed with).

CardSpace is built into Vista and installed on XP when you put .NET 3.0 on your system. There are also Identity Selectors for Safari and Firefox in the works. It's different than OpenID in that it's concerned with strong authentication. Therefore, they are very complimentary.

Here's my CardSpace login as I'm getting ready to log into this blog...

image

...because my chosen OpenID provider at http://www.myopenid.com (it's free) also supports both InfoCards and SSL Certificates for authentication as well as strong passwords.

Notice the "Sign into Information Card" icon below next to the IconCard purple icon.

image

An OpenID provider can choose to use anything available with which to authenticate you. Here's a video of a Belgian using an eID to authenticate against an OpenID provider at http://openid.trustbearer.com/ that supports biometric devices, USB keys, and smart cards.

So What?

Get involved and give it a try! Here's some things you can do.

  1. Sign up for a Free OpenID at MyOpenID or one of the many public OpenID providers out there.
  2. Go use your new OpenID at one of the many sites that supports OpenID.
    • Come back to this post and leave your first comment using OpenID!
  3. Watch Simon Willison talk about the case for OpenID (video)

And, if you're a developer, get an OpenID library like dotnetopenid and consider enabling your app. Consider using the Javascript ID Selector to make for a nicer User Experience.

Technorati Tags: ,,

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Wednesday, April 30, 2008 8:21:26 AM UTC
Sorry for meaningless comment using OpenId
Wednesday, April 30, 2008 8:50:16 AM UTC
Looks like it works from a blackberry
Wednesday, April 30, 2008 9:12:54 AM UTC
I have nothing useful to say but will be jolly pleased if this works!
Wednesday, April 30, 2008 9:35:34 AM UTC
Yet another meaningless OpenID Comment
Wednesday, April 30, 2008 9:43:58 AM UTC
Also, there's the the MVC Membership Starter Kit which show how to authenticate with the dotnetOpenId assembly, Windows Live ID and of course the traditional forms authentication.

+1 for MVC and OpenId :)
Wednesday, April 30, 2008 5:15:11 PM UTC
I've tried both from work and at home, on Firefox and on IE6/7 to post a comment using my OpenID from Blogspot. It continues to throw an error, so if you are looking through the error logs and notice a few, that's what is causing it.
J.Simpson
Wednesday, April 30, 2008 5:20:32 PM UTC
Hm..nothing in the logs...do you have a screenshot?
Wednesday, April 30, 2008 5:31:59 PM UTC
test
Wednesday, April 30, 2008 5:32:12 PM UTC
test2
Wednesday, April 30, 2008 5:32:32 PM UTC
Test while "stay signed in" == true.
Wednesday, April 30, 2008 5:32:56 PM UTC
Test3
Wednesday, April 30, 2008 5:34:24 PM UTC
I like the OpenID Selector.

What do you think about letting the user enter a OpenID and a homepage? Not everyone has delegation setup so linking to their OpenID URL isn't always the best action.
Wednesday, April 30, 2008 5:35:11 PM UTC
I also get an error with OpenId, stating:

An error has been encountered while processing the page. We have logged the error condition and are working to correct the problem. We apologize for any inconvenience.
James Culbertson
Wednesday, April 30, 2008 5:35:20 PM UTC
Honestly I'm not the biggest fan of the OpenID javascript thingy, but I guess it is good for getting people to realize that they might already have an OpenID. I personally prefer to use a website that I know I'll use forever (like my own) and delegate the authentication to whatever OpenID provider I'm using at the time.

Nice work and looking forward to see you at DevTeach!

Scott
Wednesday, April 30, 2008 5:36:50 PM UTC
Working well Scott. Great to see your support for OpenID.
Wednesday, April 30, 2008 5:39:37 PM UTC
James, can you check your OpenID Provider to see if your Nickname or FullName are set?
Wednesday, April 30, 2008 5:40:31 PM UTC
Mucman. Yes, I understand your concern about the Javascript thingy, but just set Allow Forever and you'll never worry about it again. ;)
Wednesday, April 30, 2008 5:40:51 PM UTC
This is weird. It's the 3rd time I try to comment with openID. The other two times the comment showed on your page. Then when I did a refresh, the comment was gone! That happened two times already, any ideas?
Wednesday, April 30, 2008 5:41:00 PM UTC
I've been trying to get more synergy between my IT resources of late. Adding the OpenID link tags in the header is perfect. I'll be adding the OpenID comment support to my blog as soon as I can.

Thanks for the tip.
Wednesday, April 30, 2008 5:43:55 PM UTC
Test with no Email
ScottWithNoEmail
Wednesday, April 30, 2008 5:48:34 PM UTC
OpenId to the rescue
Wednesday, April 30, 2008 5:52:31 PM UTC
Ramiro - That may be my fault, I'm slapping bugs as fast as I can and I may have been updating the site while you were submitting.
Wednesday, April 30, 2008 5:52:32 PM UTC
Hi Scott,

Great post and good walk-through.
Wednesday, April 30, 2008 6:05:16 PM UTC
Being a lemming and posting using my openid :)
Wednesday, April 30, 2008 6:05:23 PM UTC
Thanks for the help on Open ID. I just picked up the new book on Cardspace and am looking to implement it myself. I think this might be the year Open ID gains traction.
Wednesday, April 30, 2008 6:17:18 PM UTC
Would it make more sense for Task 2, to instead of use OpenID to login to dasBlog, instead make dasBlog an OpenID provider, so you don't need a service like myopenid?
Wednesday, April 30, 2008 6:19:39 PM UTC
One other thing I noticed after I just left this comment. It appears that you use as a link back to me in the comment section the URL for my OpenID provider (in this case nickschweitzer.net which redirects to nickschweitzer.myopenid.com). However, when I setup MyOpenID, I created multiple "personas", and for this comment, I asked that my "Coding Monkey" persona be used. That personal links to www.thecodingmonkey.net. Is there a way for you to determine that in the response and use that URL for linking purposes instead?
Wednesday, April 30, 2008 6:27:50 PM UTC
Nothing to see here..testing new OpenID provider
Wednesday, April 30, 2008 6:29:05 PM UTC
Nick - From my point of view, if we make DasBlog a Provider, then we suddenly are out of the blog business and we're chasing cool futures like all the OpenID providers. I don't want to implement SmartCard support. ;) Let the providers push the envelope and I'll pick the one I like. My OpenID won't change.
Wednesday, April 30, 2008 6:31:19 PM UTC
Very cool - I'll have to switch my personal site over to OpenID.

What are your thoughts on using this in place of new account creation? Maybe use this in forum software and just have them enter any additional profile info and have that mapped to their openID?
Dave
Wednesday, April 30, 2008 6:32:49 PM UTC
Heh. Looked into OpenID a while back, but was waiting for Blogger to roll out its support for it a bit better. After the reminder of this post, here I am using your blog as a test :D
Wednesday, April 30, 2008 6:37:45 PM UTC
So, my blog is now setup as my OpenID identity. Been meaning to do that for a while. It is amazing how effective a gentle reminder can be. Great blog.
Wednesday, April 30, 2008 6:38:00 PM UTC
Dave - Exactly. Most good OpenID-using sites don't actually ask you to *create* an account.

The idea is that it turns folks off..."create ANOTHER account?" So you offer "Create" and "Login with OpenID" and it's all automatic. You don't even need to store profile details because you can get them from the OpenID provider by requesting them.
Wednesday, April 30, 2008 6:43:27 PM UTC
Great post! I still wish that the Cardspace integration in Firefox were better. I'm trying out http://www.codeplex.com/IdentitySelector because it uses the same UI as IE does with Cardspace.

I have to admit, though, that Cardspace usage still doesn't make a ton of sense to me (from an end-user's perspective). Like, if I should be storing my cards on my flash drive so that I can use them between computers, etc.

(not that you have to use Cardspace with OpenID)
Wednesday, April 30, 2008 6:48:47 PM UTC
Scott - However it is not unreasonable to expect that many sites may ask you to fill in additional profile details that are not covered in the OpenID spec or that are not approved for transfer by the OpenID provider. A great example of this is the age check that is required on many ecommerce sites in order to meet certain laws in the US.
Wednesday, April 30, 2008 6:51:26 PM UTC
David, CardSpace is a *system level service* so I think that I'd like my infocards managed in the same way regardless of browser. The fact that the Identity Selector is the same for FireFox and IE is a GOOD thing. Why would I want a different one? That said, there's this older proof of concept in Java: http://xmldap.org/

Again, as you said not that you have to use Cardspace with OpenID.
Wednesday, April 30, 2008 6:53:22 PM UTC
Joe Brinkman - Yes, and that's why there are extensions to OpenID to request things that aren't cover by the spec (see my ClaimsRequest example). If folks want height or weight or whatever, they can still host it at the Provider and it can still be requested by the Client (RP) as I understand it.
Wednesday, April 30, 2008 6:54:55 PM UTC
test
Wednesday, April 30, 2008 7:09:54 PM UTC
Test
Wednesday, April 30, 2008 7:24:18 PM UTC
Test post, OpenID-Blogspot, Firefox 2.0.0.14
Wednesday, April 30, 2008 7:55:51 PM UTC
Test from Norway with OpenID
Wednesday, April 30, 2008 7:59:43 PM UTC
Ignore this. Just testing ...
Wednesday, April 30, 2008 8:10:29 PM UTC
Checkity check.
Wednesday, April 30, 2008 8:35:38 PM UTC
worst.. comment.. ever...
Wednesday, April 30, 2008 8:36:26 PM UTC
Test
Wednesday, April 30, 2008 8:36:34 PM UTC
test2
Wednesday, April 30, 2008 8:38:00 PM UTC
test3
Wednesday, April 30, 2008 8:41:56 PM UTC
test4
Wednesday, April 30, 2008 8:42:14 PM UTC
test5
Wednesday, April 30, 2008 8:47:09 PM UTC
I just started looking into this, the website I use frequently for development (www.unfuddled.com) just started supporting it which ROCKS!

On another note, it's fun to see my friend Aaron getting the world straightened out about blog comment authentication and things. I too find it very frustrating trying to login or not login, or maybe setup a whole different account to login and comment on blogs. Very frustrating.
Wednesday, April 30, 2008 9:17:07 PM UTC
Did you ever fix the code for the gravatar to force to lowercase before computing the MD5? Let's see :)
Wednesday, April 30, 2008 9:17:46 PM UTC
Yes, you did :)
Wednesday, April 30, 2008 9:58:06 PM UTC
test
Wednesday, April 30, 2008 10:09:10 PM UTC
test
Wednesday, April 30, 2008 10:15:19 PM UTC
Sorry, just a test.
Wednesday, April 30, 2008 10:16:04 PM UTC
Sorry, but since there is no "preview", this is the only way to test what happens when I select OpenID.
Wednesday, April 30, 2008 10:17:02 PM UTC
Don't apologize! Test on testers!
Wednesday, April 30, 2008 10:28:36 PM UTC
Test again.
Wednesday, April 30, 2008 10:29:10 PM UTC
Thanks Scott, it works now!
Wednesday, April 30, 2008 10:46:54 PM UTC
test
Wednesday, April 30, 2008 10:59:14 PM UTC
test. using my blog url.
Wednesday, April 30, 2008 11:40:47 PM UTC
I like the idea that you can cname a subdomain to openid, e.g. openid.hanselman.com/scott
Thursday, May 01, 2008 12:01:35 AM UTC
Excellent post, glad Aaron made the post when he did, sure has stirred up some excellent discussion. Lets all demand OpenID!
Thursday, May 01, 2008 1:24:38 AM UTC
test
Thursday, May 01, 2008 3:00:22 AM UTC
Comment using OpenID :)
Thursday, May 01, 2008 4:47:43 AM UTC
yay test to see if this works.
Praveen
Thursday, May 01, 2008 5:46:31 AM UTC
Here's another OpenID test.
Thursday, May 01, 2008 5:52:15 AM UTC
Yet another test!
Thursday, May 01, 2008 8:17:36 AM UTC
Just a test!
Thursday, May 01, 2008 1:44:29 PM UTC
And another
Thursday, May 01, 2008 4:17:41 PM UTC
Just a few thoughts -- when you have two methods of login for leaving a comment, I was left questioning which pieces of information were going to be pulled from where...

For instance, I have previously commented on your blog, so my "details" are pre-populated. I can now put in my openId. Is it going to pull my email from the openId or the E-mail field? If my OpenId profile website field has no value, does it pull the "Home Page" value from the details section?

Anyway, I've been struggling with issues like this on a project that I've been working on. Whenever there is a new paradigm, figuring out the optimal way to go about things is a challenge.

I implemented auto-sign-up using dotnetopenid and I have a method for signing in if you don't have an openId -- but I did some user testing and people were putting in their openId and then additionally filling out the info for the other type of login as well.

Basically, it seems that the lowest friction method for setting up a non openId account is to ask for a username / password, send an opt-in email, and confirm the account when they return to your site via an email link.

OpenId is cool and it is really strong from the perspective of low friction for the initial sign-up process.

Still, it would be a good idea for the community to come up with some sort of consensus of how to integrate OpenId with the flow of a normal "username / password / email confirm" login process since not everyone jumps on the hayride at the same time. You would probably lose a lot of users if you only allowed authentication with OpenId.
Thursday, May 01, 2008 4:49:51 PM UTC
Test
Thursday, May 01, 2008 5:16:55 PM UTC
I like Thomas Freudenberg's idea about using a subdomain.
Thursday, May 01, 2008 5:22:49 PM UTC
Another test
Thursday, May 01, 2008 5:23:46 PM UTC
OpenID I Like
Thursday, May 01, 2008 5:46:18 PM UTC
One thing that bothers me in the OpenID space is that while Yahoo and Google both act as OpenID providers they themselves don't allow logging in using OpenID. I'd love to log into Flickr or Google Analytics using OpenID vs. yet another set of logins.

Another OpenID area that needs developing is new signups. A lot of places offer OpenID authentication only *after* you've gone through a lenghty signup process when most of that information could have been pre-populated via OpenID. The same even goes for your comment authentication, it seems an AJAX call could be made that shows the Name, EMail and Homepage once the user tabs away from the OpenID box.

So many ideas, so little time :)

Thursday, May 01, 2008 6:37:15 PM UTC
Timothy: Great point! Currently, if you use OpenID I pull from OpenID *only*. If you use the other form, I'll pull from there, just like before. At some point in the next few years, I'll remove the ability to leave unauthenticated comments, I think, but only after like at least 75% of folks have OpenIDs (like if Google or LiveID jumps in). I thought about graying out the other controls if you have something in the OpenID field, but I'm not good at JavaScript.
* Any volunteers want to write me a JQuery that disables the 3 fields of the OpenID is filled out? and vice versa?

Shawn: Dude, preach on. The big players don't *get it* yet.


Thursday, May 01, 2008 6:43:34 PM UTC
I see the advantage of openid and want to use it on my latest solution.

Benny
Thursday, May 01, 2008 6:49:44 PM UTC
Awesome. Testing.
Thursday, May 01, 2008 6:54:15 PM UTC
Yay, Open Id!
Thursday, May 01, 2008 7:05:09 PM UTC
Another comment
Thursday, May 01, 2008 7:27:02 PM UTC
Scott - While the OpenID 2.0 spec added support via the OpenID Attribute Exchange spec this is still a problem since that spec is not widely implemented by the OPs or RPs. As a result there are still a large number of common properties that are not provided for in the original OpenID 1.1 spec and that are requested by many websites. Also, it should be noted that the user may or may not have provided all of their profile details to the OP or may have denied the request to provide the profile data to the RP. In this scenario, the RP still needs to have a mechanism in place on how to deal with some profile attributes which are not provided by the OP for whatever reason.
Thursday, May 01, 2008 7:41:24 PM UTC
Ok, you ask for tests but how many tests can one man handle.
Thursday, May 01, 2008 8:08:40 PM UTC
Can it actually work?
Thursday, May 01, 2008 8:25:30 PM UTC
Just a test :)
Thursday, May 01, 2008 8:51:53 PM UTC
I have had an open ID forever. The thing is that on blog comments, I had really liked the Gravatar option, and it would be cool to see an integration somehow...
Thursday, May 01, 2008 8:53:15 PM UTC
I just wanted to test what would happen if I entered all the details above (my openid as well as the usual details).
Thursday, May 01, 2008 8:54:37 PM UTC
Sorry to spam your blog with comments Scott, but it's disappointing that neither my OpenID Persona image, nor my gravatar shows if I use OpenId.
Thursday, May 01, 2008 9:12:47 PM UTC
Vaibhav - Your Gravatar isn't showing because you haven't entered your email in your default persona on your OpenID provider's site. The Gravatar will display if you have set your email, as I request your email when you login. You also haven't set your "Nickname."
Thursday, May 01, 2008 9:20:56 PM UTC
Test
Thursday, May 01, 2008 9:36:36 PM UTC
Well, looks like I have tied Vaibhav in terms of spam. Sorry for the bother :( but testing is fun!
Thursday, May 01, 2008 11:00:37 PM UTC
Got it!
Thursday, May 01, 2008 11:17:45 PM UTC
Thanks for introducing me to OpenID! I had heard about both Cardspace and OpenID in passing but had never really investigated either technology too deeply.

Hoping this works,
-- Stu
Friday, May 02, 2008 12:03:57 AM UTC
Nothing to add, just testing like everyone else :)
Friday, May 02, 2008 3:26:13 AM UTC
Let's see if IE times out...
Friday, May 02, 2008 5:22:32 AM UTC
Testing blog openid url... The first post linked to myopenid page instead.
Friday, May 02, 2008 5:41:37 AM UTC
Does this really work? Do I still remember my OpenID?
Friday, May 02, 2008 5:42:55 AM UTC
nnn
Friday, May 02, 2008 8:06:53 AM UTC
Testing my newly created openid account...
Friday, May 02, 2008 11:29:48 AM UTC
Nice work. Now I *really* do need to upgrade to the latest build of Das Blog.
Friday, May 02, 2008 2:09:03 PM UTC
The selector isn't providing a good default for yahoo IDs. The template should be https://me.yahoo.com/ .
Friday, May 02, 2008 8:02:09 PM UTC
Testing openID... Hopefully now I can leave comments :)
Friday, May 02, 2008 9:24:19 PM UTC
Testing?
Friday, May 02, 2008 9:37:19 PM UTC
One last thought -- you might ask JitBit to add OpenId authentication to their forum software.

Cheers,
Timothy
Friday, May 02, 2008 10:37:35 PM UTC
Testing
Saturday, May 03, 2008 2:50:02 AM UTC
test
Saturday, May 03, 2008 4:55:58 AM UTC
Nice post. I wonder how hard it would be to add this to BlogEngine.NET...
Saturday, May 03, 2008 11:02:21 AM UTC
Testing if you re-pull details after my persona is altered
Saturday, May 03, 2008 11:14:55 AM UTC
Either you didn't update or you are ignoring my webpage in favour of my openid
Saturday, May 03, 2008 11:22:06 AM UTC
Ok.... Did I set my Blog up correctly?
Saturday, May 03, 2008 6:12:58 PM UTC
-Rory = According to MyOpenID they aren't sending the Persona's Webpage yet (see comment above).
Sunday, May 04, 2008 12:42:02 AM UTC
testing
Sunday, May 04, 2008 11:09:22 PM UTC
Just trying out openid!
Monday, May 05, 2008 3:32:06 AM UTC
It Woiks!
Monday, May 05, 2008 6:06:18 AM UTC
Works :) .. one up ... My site works with OpenId too.
Cheers
Vishal
Monday, May 05, 2008 3:36:44 PM UTC
It still works.
Monday, May 05, 2008 7:15:02 PM UTC
Yet another useful OpenID test, from italy :-)
Tuesday, May 06, 2008 3:22:32 AM UTC
OpenID rocks
Tuesday, May 06, 2008 6:28:46 AM UTC
My test comment
Tuesday, May 06, 2008 7:23:28 AM UTC
test
Tuesday, May 06, 2008 7:50:50 AM UTC
test2
Tuesday, May 06, 2008 3:37:14 PM UTC
testing openid login, testing gravatar
Wednesday, May 07, 2008 12:00:31 PM UTC
test :)P
Thursday, May 08, 2008 9:22:57 AM UTC
Great post. Thanks.
Thursday, May 08, 2008 6:59:22 PM UTC
I just set up my personal website as my OpenID last week. It was surprisingly easy, and I'm digging the user experience so far.
Thursday, May 08, 2008 7:39:14 PM UTC
Test 1
Friday, May 09, 2008 3:53:06 AM UTC
openID test :)
Friday, May 09, 2008 5:01:57 PM UTC
OpenID redirect from my blog. Nice.
Friday, May 09, 2008 10:50:33 PM UTC
Another OpenID test
Saturday, May 10, 2008 11:10:04 PM UTC
Test
Sunday, May 11, 2008 8:54:38 AM UTC
Yet Another OpenID Test :)
Tuesday, May 13, 2008 12:39:04 AM UTC
test
Wednesday, May 14, 2008 5:37:49 AM UTC
I noticed that the DasBlog login code has an addition about the necessity of including e.Cancel. You might want to update your source code listing if that's the case. I'm looking at LoginBox.ascx.cs:

/// <summary>
/// Fired upon login.
/// Note, that straight after login, forms auth will redirect the user to their original page. So this page may never be rendererd.
/// </summary>
protected void OpenIdLogin1_LoggedIn(object sender, OpenIdEventArgs e)
{
e.Cancel = true; //Need to cancel or the control will log us in for free. Eek!
UserToken token = SiteSecurity.Login(e.Response);
if (token != null)
{
SetAuthCookie(token.Name, token.Name);
Response.Redirect(SiteUtilities.GetAdminPageUrl(), true);
}
}
Wednesday, May 14, 2008 12:43:28 PM UTC
testing
Wednesday, May 14, 2008 4:10:42 PM UTC
Yep, the obligatory test :)
Friday, May 16, 2008 5:02:38 PM UTC
Testing my OpenID
Monday, May 19, 2008 3:48:30 PM UTC
Got my openid, used the dotnetopenid package and tried it in my sample ASP.NET MVC application. Works like a charm :)
Tuesday, May 20, 2008 1:10:19 PM UTC
test!
Wednesday, May 21, 2008 2:32:56 PM UTC
Yet another open ID test...
Wednesday, May 21, 2008 6:56:17 PM UTC
Gah. That friggen button next to the openid textbox just screams "HEY! CLICK ME TO AUTHENTICATE! LOL UR STUPID".
Thursday, May 22, 2008 4:14:49 AM UTC
Are there any plans on integrating this into the official DasBlog source?
Friday, May 23, 2008 1:12:06 AM UTC
Chris - Already done!
Friday, May 23, 2008 2:23:46 AM UTC
just testing with my claimid openid -- I got a .NET error the last time I tried to leave a comment with it.
Tuesday, May 27, 2008 3:10:21 AM UTC
Test
Tuesday, May 27, 2008 3:44:43 AM UTC
OpenID test using website as OpenID
Wednesday, May 28, 2008 11:19:25 AM UTC
Got OpenID support for comments running on my .net blog - sweet!
Thursday, May 29, 2008 1:07:57 AM UTC
Cool, this worked, now I have my blog as an OpenID. What a great way to get comments!
Saturday, May 31, 2008 3:56:04 AM UTC
Testing some openId settings
Tuesday, June 03, 2008 4:41:58 AM UTC
good article
Wednesday, June 04, 2008 9:17:05 PM UTC
Where do you install the nice selector in wordpress? do you have to hack into the core of it?
Thank you.
Tuesday, June 10, 2008 10:53:30 AM UTC
testing - thanks for a thorough and comprehensive post!
Friday, June 20, 2008 6:34:14 PM UTC
Question about the OpenID ID Selector, and OpenID in general: suppose I trust Yahoo and Flickr, but I've never heard of Vidoop or Vox (which I haven't, BTW). Can I lock down to only accept OpenIDs from folks who keep their IDs at places I trust? Or if I support OpenID, do I have to support all of them?
Saturday, June 21, 2008 9:39:29 PM UTC
test
Sunday, June 22, 2008 9:50:29 PM UTC
myopenid.com comment test.
Tuesday, June 24, 2008 5:40:07 PM UTC
Verisign comment test. Kind of worried this won't give me a picture.
Wednesday, June 25, 2008 6:00:47 PM UTC
test
Wednesday, June 25, 2008 6:04:35 PM UTC
test2
Friday, June 27, 2008 5:01:24 PM UTC
Hi everyone!

I was trying to setup my dasblog based blog (it's in godaddy) to use openId. I had the blog running with the latest release, but I haven't been able to when using a build supporting open id.

Do you know if the openid capable versions have some issue regarding using medium trust? Any tips on enabling openid?

Thanks!
Friday, June 27, 2008 5:56:44 PM UTC
The code is up at http://www.codeplex.com/dasblog !
Scott Hanselman
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.