WebSecurity Classes / DotNetOpenAuth / SREG

Topics: ASP.NET MVC, ASP.NET Web API, ASP.NET Web Pages
Nov 19, 2012 at 5:38 PM

Hi All,

I'm wondering if anyone has information on enabling the SREG capabilities of DotNetOpenAuth from the WebSecurity and OAuthWebSecurity classes. It's detailed on the DotNetOpenAuth site here:

http://www.dotnetopenauth.net/developers/help/the-axfetchassregtransform-behavior/

I have actually pulled the source for the two classes I mention (along with associated classes) into my own source, so these are free for me to edit, yet I can't seem to find in the code where I would need to make changes, if any.

Will simply adding the required configuration change the behaviour of DotNetOpenAuth? Will I then need to somehow query the results and deserialize them like the provider and providerUserId values?

Nov 19, 2012 at 7:42 PM

The "behavior" that you link to is only necessary if you want to use the Simple Registration extension on your end, when the remote end may be using the AX Fetch extension. If you just want to do SREG on both sides the "behavior" isn't necessary.

Orthogonal to that, however, I don't think that the OAuthWebSecurity classes allow you to add extensions to your requests at all anyway. They are strictly intended for authenticating the user -- not getting extra data about the user or obtaining authorization to access more user data at the provider. If you want to use extensions, I think you need to use DotNetOpenAuth directly (via its OpenIdRelyingParty class).
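The route Andrew describes, using OpenIdRelyingParty directly rather than OAuthWebSecurity, as an added example that is not part of this thread and not DotNetOpenAuth's or WebMatrix's own code. It assumes DotNetOpenAuth 4.x in an ASP.NET MVC application, that the controller and action names (OpenIdLoginController, Authenticate, Callback, Login) are yours to choose, and that the namespaces below are the ones that ship the named types; the AXFetchAsSregTransform line is only needed in the case Andrew describes, where you speak SREG but the provider may only answer AX Fetch.

```csharp
using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.OpenId.RelyingParty.Behaviors;

// Hypothetical controller; action and view names are assumptions for this example.
public class OpenIdLoginController : Controller
{
    private static readonly OpenIdRelyingParty RelyingParty = CreateRelyingParty();

    private static OpenIdRelyingParty CreateRelyingParty()
    {
        var rp = new OpenIdRelyingParty();
        // Optional: rewrite our SREG ClaimsRequest into an AX Fetch request on the way
        // out, and fold an AX Fetch response back into a ClaimsResponse on the way in,
        // for providers that only implement AX. Drop this line if both sides do SREG.
        rp.Behaviors.Add(new AXFetchAsSregTransform());
        return rp;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Authenticate(string openid_identifier)
    {
        Identifier id;
        if (!Identifier.TryParse(openid_identifier, out id))
        {
            ModelState.AddModelError("openid_identifier", "Not a valid OpenID identifier.");
            return View("Login");
        }

        IAuthenticationRequest request = RelyingParty.CreateRequest(id);

        // The extension goes on the request, which is what OAuthWebSecurity never exposes.
        // Require only what you will refuse to proceed without; Request the rest so the
        // provider (or the user at the provider) can decline optional fields.
        request.AddExtension(new ClaimsRequest
        {
            Email = DemandLevel.Require,
            FullName = DemandLevel.Request,
            Nickname = DemandLevel.Request,
        });

        return request.RedirectingResponse.AsActionResult();
    }

    public ActionResult Callback()
    {
        IAuthenticationResponse response = RelyingParty.GetResponse();
        if (response == null)
        {
            return RedirectToAction("Login");
        }

        switch (response.Status)
        {
            case AuthenticationStatus.Authenticated:
                // Key the local account on the ClaimedIdentifier, never on extension data:
                // SREG fields are asserted by the provider and may be missing or unverified.
                string claimedId = response.ClaimedIdentifier;
                var claims = response.GetExtension<ClaimsResponse>();
                string email = claims != null ? claims.Email : null;
                string fullName = claims != null ? claims.FullName : null;
                // ... look up or create the local user for claimedId, store email/fullName
                //     as profile hints, then issue your own authentication cookie ...
                return RedirectToAction("Index", "Home");

            case AuthenticationStatus.Canceled:
                ModelState.AddModelError("", "Login was cancelled at the provider.");
                return View("Login");

            case AuthenticationStatus.Failed:
                ModelState.AddModelError("", response.Exception.Message);
                return View("Login");

            default:
                return View("Login");
        }
    }
}
```

Two practitioner notes on this: GetResponse() is where DotNetOpenAuth verifies the provider's signature and the return_to nonce, so nothing read from the response before checking Status == Authenticated should be trusted; and an email returned via SREG is a claim from the provider, not proof that the user controls that mailbox, so do not use it on its own to link the login to an existing local account.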

Nov 19, 2012 at 8:15 PM

Hi Andrew,

OK, thanks for that.

Since I have the source for OAuthWebSecurity I might look at adding in some overloads to see if I can incorporate this.


Thanks,

Nov 19, 2012 at 8:39 PM

Hi Again,

Just out of interest, in the WebMatrix dll class ProviderUserIdSerializationHelper there is this method:

        [SuppressMessage("Microsoft.Usage", "CA2202:Do not dispose objects multiple times", Justification = "The instances are disposed correctly.")]
        [SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes", Justification = "All exception are being caught on purpose.")]
        public static bool UnprotectData(string protectedData, out string providerName, out string providerUserId)
        {
            providerName = null;
            providerUserId = null;
            if (String.IsNullOrEmpty(protectedData))
            {
                return false;
            }

            byte[] decodedWithPadding = MachineKey.Decode(protectedData, MachineKeyProtection.All);

            if (decodedWithPadding.Length < _padding.Length)
            {
                return false;
            }

            // timing attacks aren't really applicable to this, so we just do the simple check.
            for (int i = 0; i < _padding.Length; i++)
            {
                if (_padding[i] != decodedWithPadding[i])
                {
                    return false;
                }
            }

            using (MemoryStream ms = new MemoryStream(decodedWithPadding, _padding.Length, decodedWithPadding.Length - _padding.Length))
            using (BinaryReader br = new BinaryReader(ms))
            {
                try
                {
                    // use temp variable to keep both out parameters consistent and only set them when the input stream is read completely
                    string name = br.ReadString();
                    string userId = br.ReadString();
                    // make sure that we consume the entire input stream
                    if (ms.ReadByte() == -1)
                    {
                        providerName = name;
                        providerUserId = userId;
                        return true;
                    }
                }
                catch
                {
                    // Any exceptions will result in this method returning false.
                }
            }
            return false;
        }

Is there anything else that can be extracted from this initial authorisation data?

Thanks,
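The write side that the posted UnprotectData reads back, as an added example that is not WebMatrix's or DotNetOpenAuth's code and not part of this thread. It exists to show what the protected value carries: the padding prefix followed by exactly two length-prefixed strings, the provider name and the provider user id, and nothing else. `Padding` stands in for the WebMatrix `_padding` constant, whose real value is not on this page, so tokens produced here are not interchangeable with WebMatrix's.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web.Security;

// Hypothetical counterpart to ProviderUserIdSerializationHelper.UnprotectData.
public static class ProviderUserIdTokenExample
{
    // Placeholder: the real WebMatrix _padding bytes are not shown on this page.
    private static readonly byte[] Padding = Encoding.ASCII.GetBytes("ExamplePadding");

    public static string ProtectData(string providerName, string providerUserId)
    {
        if (providerName == null) throw new ArgumentNullException("providerName");
        if (providerUserId == null) throw new ArgumentNullException("providerUserId");

        using (var ms = new MemoryStream())
        {
            // 1. Fixed padding prefix, compared byte-by-byte in UnprotectData.
            ms.Write(Padding, 0, Padding.Length);

            // 2. Two strings in BinaryWriter format: 7-bit-encoded byte length, then UTF-8.
            //    BinaryReader.ReadString on the other side consumes exactly this layout,
            //    and UnprotectData then insists the stream is fully consumed, so a third
            //    field appended here would make the decode return false.
            using (var bw = new BinaryWriter(ms, Encoding.UTF8))
            {
                bw.Write(providerName);
                bw.Write(providerUserId);
                bw.Flush();

                // 3. Encrypt and MAC under the application's machineKey. A forged or
                //    edited token is rejected by MachineKey.Decode before any of the
                //    checks in UnprotectData run, which is why the padding comparison
                //    there does not need to be constant-time.
                return MachineKey.Encode(ms.ToArray(), MachineKeyProtection.All);
            }
        }
    }
}
```

The consequence for the question above: since the payload is built only from the provider name and the provider user id, there is nothing further to extract from it. Any additional data (an email address, a display name) has to be obtained at authentication time from the extension response and stored by your own code, not pulled out of this value later. MachineKey.Encode/Decode are also marked obsolete from .NET 4.5 in favour of MachineKey.Protect/Unprotect, which is worth knowing if you copy this helper into your own source.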

Nov 21, 2012 at 6:24 PM
I couldn't say... I'm not familiar with this method or what it's decoding.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
