难道一个OpenID领域必须是网站的基础URL?领域、基础、网站、OpenID
为继续这个问题中,有一个问题,我在使用dotnetopenauth。
基本上,我想知道,如果在RP指定的领域必须是应用程序的实际基本URL?也就是说,(的http://本地主机:1903 )?鉴于以取代现有的架构是难以去除的重定向 - 我想的境界设置在底座的OpenID控制器(的http://本地主机:1903 / OpenID的)和测试手工做生成XRDS文档。但是,应用程序似乎停止了,而EP日志显示以下错误:
2012年10月10日15:17:46000(GMT-4)[24]错误DotNetOpenAuth.OpenId - 属性交换分机没有提供在if_available或需要列出所有别名
code:
依赖方:
公众的ActionResult进行身份验证(字符串RuserName =)
{
UriBuilder returnToBuilder =新UriBuilder(Request.Url);
returnToBuilder.Path =/ OpenID的/验证;
returnToBuilder.Query = NULL;
returnToBuilder.Fragment = NULL;
乌里returnTo = returnToBuilder.Uri;
returnToBuilder.Path =/;
境界境界= returnToBuilder.Uri;
变种响应= openid.GetResponse();
如果(响应== NULL){
如果(的Request.QueryString [RETURNURL] = NULL和放大器;!&安培; User.Identity.IsAuthenticated){
} 其他 {
字符串strIdentifier =HTTP://本地主机:3314 /用户/身份证/+ RuserName;
VAR请求= openid.CreateRequest(
strIdentifier,
领域,
还给);
VAR fetchRequest =新FetchRequest();
request.AddExtension(fetchRequest);
request.RedirectToProvider();
}
} 其他 {
开关(response.Status){
案例AuthenticationStatus.Canceled:
打破;
案例AuthenticationStatus.Failed:
打破;
案例AuthenticationStatus.Authenticated:
//记录用户的
打破;
}
}
返回新EmptyResult();
}
供应商:
公众的ActionResult指数()
{
IRequest请求= OpenIdProvider.GetRequest();
如果(请求!= NULL){
如果(request.IsResponseReady){
返回OpenIdProvider prepareResponse(要求).AsActionResult()。
}
ProviderEndpoint.PendingRequest =(IHostProcessedRequest)请求;
返回this.ProcessAuthRequest();
} 其他 {
//用户无意中发现的OpenID端点 - 404可能?
返回新EmptyResult();
}
}
公众的ActionResult ProcessAuthRequest()
{
如果(ProviderEndpoint.PendingRequest == NULL){
//没有未处理的请求
返回新EmptyResult();
}
的ActionResult响应;
((满分响应)this.AutoRespondIfPossible)如果{
返回响应;
}
如果(ProviderEndpoint.PendingRequest.Immediate){
返回this.SendAssertion();
}
返回新EmptyResult();
}
解决方案
在回答你的问题是没有。该领域可以成为你的网站的基本URL和您的return_to URL之间的任何URL。因此,举例来说,如果你的return_to URL是的http://本地主机:1903 / OpenID的/验证,以下都是有效的领域:
的http://本地主机:1903 / OpenID的/验证
的http://本地主机:1903 / OpenID的/
的http://本地主机:1903 /
以下是的没有的有效的领域,鉴于上述的return_to:
的http://本地主机:1903 / OpenID的/验证/ (额外尾随斜线)
的http://本地主机:1903 / OpenID的/ (!区分大小写)
的https://本地主机:1903 / (模式变化)
由于一些的OpenID提供商如谷歌事件成对地为他们的用户基础上的确切领域URL唯一标识符,这是明智的您的领域是基础URL到您的网站,以便它是最稳定的(重新设计你的网站将不会更改)。它也强烈建议,如果能够HTTPS,你让它HTTPS作为,让您的return_to是HTTPS和稍微安全的这种方式(它减少了DNS中毒攻击)。
在日志中的错误的原因是因为你的RP创建并添加了一个 FetchRequest 扩展到OpenID身份验证请求,但你还没有初始化FetchRequest任何实际属性,你请求。
我不能告诉你为什么你的应用程序冻结,虽然,与您所提供的信息。
As a continuation of this question, there's an issue I'm having with dotnetopenauth.
Basically, I'm wondering if the realm specified in the RP has to be the actual base URL of the application? That is, (http://localhost:1903)? Given the existing architecture in place it is difficult to remove the redirect - I tried setting the realm to the base OpenId controller (http://localhost:1903/OpenId) and testing manually did generate the XRDS document. However, the application seems to freeze, and the EP log reveals the following error:
2012-10-10 15:17:46,000 (GMT-4) [24] ERROR DotNetOpenAuth.OpenId - Attribute Exchange extension did not provide any aliases in the if_available or required lists.
Code:
Relying Party:
public ActionResult Authenticate(string RuserName = "")
{
UriBuilder returnToBuilder = new UriBuilder(Request.Url);
returnToBuilder.Path = "/OpenId/Authenticate";
returnToBuilder.Query = null;
returnToBuilder.Fragment = null;
Uri returnTo = returnToBuilder.Uri;
returnToBuilder.Path = "/";
Realm realm = returnToBuilder.Uri;
var response = openid.GetResponse();
if (response == null) {
if (Request.QueryString["ReturnUrl"] != null && User.Identity.IsAuthenticated) {
} else {
string strIdentifier = "http://localhost:3314/User/Identity/" + RuserName;
var request = openid.CreateRequest(
strIdentifier,
realm,
returnTo);
var fetchRequest = new FetchRequest();
request.AddExtension(fetchRequest);
request.RedirectToProvider();
}
} else {
switch (response.Status) {
case AuthenticationStatus.Canceled:
break;
case AuthenticationStatus.Failed:
break;
case AuthenticationStatus.Authenticated:
//log the user in
break;
}
}
return new EmptyResult();
}
Provider:
public ActionResult Index()
{
IRequest request = OpenIdProvider.GetRequest();
if (request != null) {
if (request.IsResponseReady) {
return OpenIdProvider.PrepareResponse(request).AsActionResult();
}
ProviderEndpoint.PendingRequest = (IHostProcessedRequest)request;
return this.ProcessAuthRequest();
} else {
//user stumbled on openid endpoint - 404 maybe?
return new EmptyResult();
}
}
public ActionResult ProcessAuthRequest()
{
if (ProviderEndpoint.PendingRequest == null) {
//there is no pending request
return new EmptyResult();
}
ActionResult response;
if (this.AutoRespondIfPossible(out response)) {
return response;
}
if (ProviderEndpoint.PendingRequest.Immediate) {
return this.SendAssertion();
}
return new EmptyResult();
}
解决方案
The answer to your question is "no". The realm can be any URL between the base URL of your site and your return_to URL. So for example, if your return_to URL is http://localhost:1903/OpenId/Authenticate, the following are all valid realms:
http://localhost:1903/OpenId/Authenticate
http://localhost:1903/OpenId/
http://localhost:1903/
The following are not valid realms, given the return_to above:
http://localhost:1903/OpenId/Authenticate/ (extra trailing slash)
http://localhost:1903/openid/ (case sensitive!)
https://localhost:1903/ (scheme change)
Because some OpenID Providers such as Google issue pairwise unique identifiers for their users based on the exact realm URL, it's advisable for your realm to be the base URL to your web site so that it's most stable (redesigning your site won't change it). It's also strongly recommended that if it can be HTTPS that you make it HTTPS as that allows your return_to to be HTTPS and is slightly more secure that way (it mitigates DNS poisoning attacks).
The reason for the error in the log is because your RP creates and adds a FetchRequest extension to the OpenID authentication request, but you haven't initialized the FetchRequest with any actual attributes that you're requesting.
I couldn't tell you why your app freezes though, with the information you've provided.
