JMPInline

Why OAuth can't be ignored

2008-10-06T10:03:00.001-07:00

Do you realize that your email password is probably your most sensitive piece of information? You should never, ever give it away. Not to another "trustworthy" web site, and not to a desktop app that wants to perform some service for you. Web-based email these days is hosted by providers that offer many other services using the same user account. For instance, if you use a desktop app to

What's coming for DotNetOpenId and DotNetOAuth

2008-09-26T07:47:00.001-07:00

Did you even know DotNetOAuth existed? It's alpha quality right now but that will change soon. OAuth and OpenID serve two orthogonal needs, and although Google is trying to combine the two, I haven't figured out how they are going to do it yet. In the meantime I have been writing the DotNetOAuth library for you .NET programmers out there. It's coming along nicely. When I joined the

NoTrailingWhitespace StyleCop rule, and others

2008-09-19T21:01:00.001-07:00

After a period of initial bad taste, I've come to like StyleCop. I dislike a few of their rules, and I turn those off. But overall I like how it helps many developers maintain a consistent coding style within a project. I wrote a few rules of my own, and offer them here for free. Source code here: NerdBank StyleCop Rules And here are the rules that are currently in the library, with more

A rebuttal to the concerns surrounding OpenID

2008-09-15T08:15:00.001-07:00

OpenID is still largely unknown to most Internet users. Those who already know something about it are mostly very tech savvy and have a strong opinion either for or against it. Those for it see it as a realistic vision for single sign-on for the web. Those who are against it range from simply not seeing a need for it to adamantly thinking it's one of the worst protocols because of the

My OpenID Provider wishlist

2008-09-09T04:01:00.001-07:00

I have yet to find an OpenID Provider that offers all that OpenID has to offer. Though some come awfully close, myopenid.com most notably. Multiple personas Attribute Exchange support (using the correct type URIs), including both ordinary persona information and allowing RPs to push attributes up. Simple registration support Unsolicited assertions to any RP I name

DotNetOpenId adds an OpenID AJAX login control

2008-08-18T14:20:00.004-07:00

DotNetOpenId may be feature complete per the OpenID spec, but it's far from stagnant. The next version will be packed with new enhanced security features that can be optionally turned on by relying party sites with high security requirements, and a new AJAX login control! I'm pleased to announce as well that it will be just as easy to drop in and use as the non-AJAX version. Ah, the joys and

Make your ASP.NET custom controls work with the validation controls

2008-08-09T13:58:00.001-07:00

Do you have a custom ASP.NET control that you want to allow your users to attach the standard ASP.NET validation controls to? A quick web search turns up a lot of forum topics that seem to suggest it's not possible. But it is! And it's so easy. Just add a ValidationPropertyAttribute to your custom control's type declaration: [ValidationProperty("Text")] public class YourCustomControl :

How to use a library without taking a hard dependency on it

2008-08-02T13:03:00.001-07:00

First let me lay out the problem: you're writing a library that so far is self-contained as a single DLL. You want to add some functionality to your library that is available in another library that your users may or may not have or wish to deploy with your library. You can either add a reference to that library and code against it in your library and require that your users deploy both

How to cleanly log messages without wasting cycles when not logging

2008-07-30T23:23:00.001-07:00

Whether you use System.Diagnostics.Trace, log4net, or any other logger, it's often the case that you want to allow the logging to be turned on or off at runtime. To avoid your logging to slow down your app unnecessarily when the log messages are not being collected, it's common to use conditionals to only execute the logging paths if someone is listening. This leads to logging logic that clutters

How I have taken control of my own identity, part 2

2008-07-22T23:23:00.001-07:00

In my last post, I discussed how I made http://blog.nerdbank.net my one OpenID URL that allows me to link my several accounts with various OpenID Providers into a single URL that I may use anywhere. In this post, I'll talk about some of the problems that remain with the system, and how XRI i-names can solve them. Why use an XRI/i-name? I purchased =Arnott from 1id.com, one of the many XRI

How I have taken control of my own identity, part 1

2008-07-18T13:33:00.001-07:00

First I obtained an OpenID account with www.myopenid.com. I actually have several other accounts with other OpenID Providers, such as pip.verisignlabs.com and yahoo.com because some relying parties allow only white-listed Providers, and some services offer me an OpenID whether I use it or not. But to avoid an identity crisis of appearing all over the web as http://andrew.arnott.myopenid.com,

DotNetOpenId gets a new face

2008-07-14T12:48:00.001-07:00

Javier Román has completed his work on the new DotNetOpenId logo. I think he has done excellent work, and he did it for free in the spirit of contributing to this open source project. This logo is now on the project home page, and will soon be added to the samples. A big thank you to Javier!

How to make your OpenID Provider case insensitive

2008-07-09T16:27:00.001-07:00

In my last post, I discussed why case sensitive OpenID URLs are so important for security. But case sensitive OpenID URLs are no fun at all for users. For instance, most users probably expect they could alternate between logging in as www.myprovider.com/myopenidurl and www.myprovider.com/MYOPENIDURL at an RP and be considered the same person. But if OpenID URLs must be case sensitive, how can

The case for case sensitive OpenID URL checking

2008-07-08T23:02:00.001-07:00

URLs on the Internet are case sensitive by definition. Some web servers choose to be case insensitive. To treat OpenID urls as anything but case sensitive for purposes of identifying a user introduces a grave security risk. Implementers of OpenID should be cautious when using case-insensitive string comparisons and be aware that in most cases checks should be case sensitive. OpenID Claimed

How to use DotNetOpenId's Attribute Exchange extension

2008-07-03T19:18:00.001-07:00

DotNetOpenId supports OpenID extensions, but does not provide samples for using any except the Simple Registration extension. Since the Attribute Exchange extension (AX) was added recently, which is more extensible and generally usable than Simple Registration, sites using OpenID should consider using this extension, perhaps in addition to Simple Registration, to ease your web visitor's new user

How to add OpenID to your ASP.NET forms web site without using ASP.NET controls

2008-07-03T18:36:00.001-07:00

Although DotNetOpenId makes adding OpenID support to your ASP.NET web site as easy as dropping a control on your page design surface, there are reasons you may want to take the lower-level approach of writing a bit of the code yourself. DotNetOpenId fully supports both scenarios. In this post, I'll walk through a best practice minimal sample of how to get it working without using the controls.

Why Yahoo! says your OpenID site's identity is not confirmed

2008-06-11T19:53:00.001-07:00

Are you building an OpenId 2.0 relying party site and having your visitors who use Yahoo! as their Provider see this message? Warning: This website has not confirmed its identity with Yahoo! and might be fraudulent. Do not share any personal information with this website unless you are certain it is legitimate. Here is what you need to do to get rid of this warning: Write an XRDS

When NOT to use the C# "as" keyword

2008-06-04T16:44:00.001-07:00

Both C++ and C# offer the cast () operator. C# also offers the "as" operator syntax which does almost the same thing and is considered by some to look prettier and be more C#'ish. But using the "as" keyword has downsides that you may not know about. Consider the following two methods. Please skip the question of "Why would you take an object and cast to a string instead of just casting to a

Uri.AbsoluteUri and Uri.ToString() are NOT the same

2008-04-28T16:29:00.003-07:00

If you're familiar with the System.Uri class you know that it has a couple of ways of becoming a string for purposes of communication: its AbsoluteUri property and its ToString() method. What I didn't find out until very recently was the significant difference between the two. Since the difference led to functional bugs in production code, I thought I'd share the knowledge to help you avoid the

DotNetOpenId 2.1.0 released, adds Attribute Exchange support

2008-04-24T21:33:00.001-07:00

DotNetOpenId had a double release tonight. Version 2.0.1 is a maintenance release with a few minor bug fixes. Version 2.1 adds built-in support for the Attribute Exchange extension, but introduces a couple of small breaking changes. Check out the VersionChanges page to decide which version is right for you. Download the new versions here.

Enhancing the ASP.NET MVC OpenID login experience

2008-04-22T07:16:00.001-07:00

In a previous post, I present an example of how to accept OpenIDs for logins on your ASP.NET MVC site. To keep the sample simple, I left out a feature that people very quickly noticed was lacking: getting registration data from the OpenID Provider (like email and postal address) so the user didn't have to type it in manually. High demand leads me to follow up with this post on how to add those

Why DotNetOpenID as your C# OpenID library of choice

2008-04-16T06:50:00.001-07:00

In choosing an implementation of OpenID for your .NET web site, of course I would have to recommend DotNetOpenId, seeing as I spend a considerable amount of my spare time working on it. But Samuli (in the comments on Troy's recent blog post regarding OpenID) recently asked me to give a sales pitch for DotNetOpenID over another implementation called ExtremeSwank. First I want to make clear

How to add OpenID to your ASP.NET web site (in C# or VB.NET)

2008-04-14T10:26:00.001-07:00

Adding OpenID support to your VB.NET web site couldn't be easier. Here is the easiest way: Download the DotNetOpenId library. Extract the DotNetOpenId.dll from the bin directory of the .zip file you downloaded. Make sure you're using FormsAuthentication. Open Web.config Find your

Add OpenID login support to your ASP.NET MVC site

2008-04-13T17:53:00.001-07:00

While this post assumes a C# web site, the steps will work for VB.NET just as well, but the syntax of the glue code will have to be adjusted slightly. Because ASP.NET MVC changes frequently, this will be a high-level outline of what you must do to support OpenID, and the implementation details I will leave up to you and your particular version of MVC. At the end I will show the code that

An argument for the extra dependency of a library

2008-04-11T23:18:00.001-07:00

Lately there has been some blogging activity around C# implementations of OpenID that are "so small you can just host the source code as a single class your web site." This is argued to be a virtue because it keeps your web site from having to add another dependency to it. I'm glad OpenID is gaining greater traction. But I disagree with avoiding libraries. Let me count the ways... A