Secure way to authenticate an administrator on an ASP.NET site using OpenID with DotNetOpenID

Inspired by SO, I'm trying to write an ASP.NET site that uses OpenID to authenticate users. This is a regular WinForms site (not MVC.NET), using the DotNetOpenId library for authentication.

Is it safe for me to enable / disable administrative functions on the site by simply comparing the current session's "RequestedID" (as returned by the OpenIdLogin_LoggedIn event, as the member OpenIdEventArgs.Response.ClaimedIdentifier of DotNetOpenId.RelyingParty) to a known administrator OpenID (i.e., mine)?

If so, is it safe for this identifier to be visible (for example, in open source), or should it be "hidden" in a configuration file or a database row? (I know it is better design to make it customizable; my question is about security.)

+3
2 answers

Jarrett makes good points about using database tables.

Just to answer one of your questions: no, it is not a secret at all to put your OpenID in your code. If setting up roles seems unnecessary for your site, a simple equality check against your ClaimedIdentifier is just fine.

+2
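The check described in this answer, written out as an added example (not code from the question, the answers, or the DotNetOpenId project itself). It assumes DotNetOpenId's OpenIdLogin control, OpenIdEventArgs, Identifier and AuthenticationStatus types, and uses a placeholder administrator identifier; the class and role names are likewise made up for the example. Two points a practitioner wants here: compare only the ClaimedIdentifier the library hands back after verifying the provider's signed assertion (never the text the user typed, which is unverified and can differ from the claimed identifier after discovery or delegation), and compare it exactly. The identifier itself being public is fine because the trust sits with the OpenID provider, so protecting the administrator's provider account is what matters, not hiding the URL.

```csharp
// Added example (not code from the question, the answers, or DotNetOpenId itself):
// an ASP.NET WebForms login page that grants the "Admin" role only when the
// library-verified ClaimedIdentifier equals one known administrator OpenID.
// Assumptions: DotNetOpenId (OpenIdLogin control, OpenIdEventArgs, Identifier,
// AuthenticationStatus); the identifier below is a placeholder.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using DotNetOpenId;
using DotNetOpenId.RelyingParty;

public partial class LoginPage : Page
{
    // Not a secret: anyone may know the admin's OpenID, because only its provider
    // can assert control of it. Placeholder value; put the real one here, or in
    // web.config / a roles table when you want it configurable.
    public const string AdminClaimedIdentifier = "https://admin.example.com/";

    // Exact-match check against the identifier the relying party verified.
    // Do not compare the text the user typed into the box: it is unverified and
    // can differ from the ClaimedIdentifier (discovery, delegation).
    public static bool IsAdmin(Identifier claimed)
    {
        if (claimed == null) return false;
        // Identifier.Equals compares the normalized identifier, so this is an
        // exact identifier comparison rather than a loose string match.
        return Identifier.Parse(AdminClaimedIdentifier).Equals(claimed);
    }

    protected void OpenIdLogin1_LoggedIn(object sender, OpenIdEventArgs e)
    {
        // LoggedIn is raised for authenticated responses; keep the status check
        // anyway so a future refactor cannot grant a role on a failed assertion.
        if (e.Response == null || e.Response.Status != AuthenticationStatus.Authenticated)
        {
            e.Cancel = true; // suppress the control's default FormsAuthentication login
            return;
        }

        string user = e.Response.ClaimedIdentifier.ToString();
        string role = IsAdmin(e.Response.ClaimedIdentifier) ? "Admin" : "User";

        // Issue our own ticket with the role in UserData instead of the control's
        // default one (e.Cancel = true tells the control not to sign in for us).
        var ticket = new FormsAuthenticationTicket(1, user, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, role);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(cookie);
        e.Cancel = true;
        Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false), false);
    }
}

// Global.asax.cs: rebuild the principal from the ticket so pages and web.config
// <authorization> rules can rely on User.IsInRole("Admin").
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return; } // malformed cookie: stay anonymous
        catch (HttpException) { return; }     // tampered cookie (bad MAC): stay anonymous
        if (ticket == null || ticket.Expired) return;

        var identity = new FormsIdentity(ticket);
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0] : ticket.UserData.Split(',');
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With this in place, an admin-only page can be protected either in code (`if (!User.IsInRole("Admin")) Response.StatusCode = 403;`) or, preferably, with a `<location>` / `<authorization>` block in web.config that allows `roles="Admin"` and denies everyone else, so the check is not forgotten on a new page. Moving `AdminClaimedIdentifier` into web.config or a roles table changes nothing about the security of the comparison; it only makes the administrator list configurable.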

[Answer text lost in extraction; only the identifiers UserRoles, Users, LINQ and .LoadWith() survive from it.]

+3

Source: https://habr.com/ru/post/1696811/
