What should i store as UserName from DotNetOpenAuth

帅比萌擦擦* 提交于 2019-12-25 08:59:54

问题


Im using DotNetOpenAuth to integrate Google,Yahoo,Twitter and Facebook Logins into my application.

Now everything works as expected.

  • Twitter returns -> User-name and Claim-identifier(Just Id)
  • Google returns -> Email-Address, First and last Name and ID(URL+ID)
  • Yahoo returns -> Email-Address, Alias and ID (Url + ID)

Also im also allowing my users to register internally so my database User table is like this:

  • ID,UserName,Name,OpenID,LoginType,DisplayName

im wondering what i should be storing as User-Name, i was thinking of the ID, but i have this questions:

  1. Shall i store the whole ID as User-Name ?!
  2. Would it affect performance to store the whole ID(URL) as username?
  3. If i extracted the ID from the Claim-Identifier would it still be unique between all 3 providers?

回答1:


For OpenID, you must use the ClaimedIdentifier as the ID. Not anything else, and certainly not only a substring from the claimed identifier. Anything else seriously compromises the security of your application.

As far as where you store it, I would recommend you keep a dedicated column for storing your claimed identifier rather than just storing it in your UserName column. Consider this scenario:

  1. A user creates an account with your web site using an OpenID http://SomeOpenIDUrl
  2. An attacker logs in via the username/password form. He leaves the password blank but enters http://SomeOpenIDUrl as the username
  3. The attacker successfully logs in as his victim.

A situation like the above can be mitigated in various ways of course, but the best way IMO is to keep the OpenID out of the username column so that it's completely impossible.



来源:https://stackoverflow.com/questions/8574557/what-should-i-store-as-username-from-dotnetopenauth

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!