DotNetOpenAuth and FormsAuthentication

Question

I'm implementing DotNetOpenAuth (OpenID) and Forms Authentication as the authentication mechanism for a site I'm building. However, I'm not happy with parts of the solution I've come up with and though I should check with you guys how it is usually done.

I have set the Forms Authentication loginUrl to login.aspx. This is the code behind for the login page:

public partial class Login : DataAccessPage {
    protected void Page_Load(object sender, EventArgs e) {
        if (Request.QueryString["dnoa.receiver"] != "openId") {
            openId.ReturnToUrl = Request.Url.ToString();
            openId.LogOn();
        }
    }

    protected void openId_LoggedIn(object sender, DotNetOpenAuth.OpenId.RelyingParty.OpenIdEventArgs e) {
        var fetch = e.Response.GetExtension();

        if (fetch != null) {
            string eMail = fetch.GetAttributeValue(WellKnownAttributes.Contact.Email);
            string name = fetch.GetAttributeValue(WellKnownAttributes.Name.FullName);

            var usr = db.Users.SingleOrDefault(u => u.EMailAddress == eMail);

            if (usr != null) {
                // update the name in db if it has been changed on Google
                if (usr.Name != name) {
                    usr.Name = name;
                    db.SaveChanges();
                }

                FormsAuthentication.RedirectFromLoginPage(usr.UserId.ToString(), false);
            }
        }
    }

    protected void openId_LoggingIn(object sender, DotNetOpenAuth.OpenId.RelyingParty.OpenIdEventArgs e) {
        var fetch = new FetchRequest();
        fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
        fetch.Attributes.AddRequired(WellKnownAttributes.Name.FullName);
        e.Request.AddExtension(fetch);
    }
}

So directly when a user is not logged in, it is sent to the login.aspx-page which directly tries to log it in using OpenID against Google. It checks if the user is on the list of allowed users, and then FormsAuthentication.RedirectFromLoginPage().

So far no problem... the problem is at sign out. Ideally I would like the sign in to be directly connected to the Google Account sign in status. If the user is signed in to Google, he/she should also be signed in at my site. When the user logs out of Google, he/she should be logged out from my site. However, since Forms Authentication is used, the ticket will last some time even if the user signs out of Google.

Anyone have any ideas on how to solve this?

Thanks in advance!

Answer 1

First to answer your question: OpenID does not provide a means to tie the length of the Google session to your own session. The best you can do is provide a session-only (non-persistent) cookie as it looks you're already doing, so that if the user logs out of Google and closes their browser they'll be logged out of your site as well. This is an OpenID protocol limitation -- no other OpenID library can fix it either.

Now to the issue you didn't ask for, but I can't ignore it -- you're implementation is quite unsafe. You are trusting the AX fetch response extension implicitly, allowing whatever email address it claims the user controls be the user who is logged in. This means anyone can trivially set up an OpenID Provider that lies about the email address and spoof your users' identity. You may be incorrectly assuming that just because you redirect your users to Google that that means all responses come from Google (and assuming you trust Google). Just because you send a request to Google, doesn't mean someone can't synthesize a response from their own non-Google server.

There are two ways to solve your security problem. First (and preferably) don't use email address as your username. Use the IAuthenticationResponse.ClaimedIdentifier as the username instead. That's what it's there for, and will protect you against many different attacks. The less preferable fix is to keep using email, but to verify that the response is in fact coming from Google before you trust that email. You can do this via the IAuthenticationResponse.Provider.Uri property and verify that it is the one(s) you are expecting and trust.