IAuthenticationResponse.GetExtension<ClaimsResponse>() always returning null
Update: Thanks to a comment by @IvanL, it turns out that the problem is Google specific. I have since tried other providers and for those everything works as expected. Google just doesn't seem to send claims information. Haven't yet been able to figure out why or what I need to do differently to get Google to send it.

A wild stab in the dark says it may be related to the realm being defaulted to http://<host>:<port>/ as I have seen an answer by Andrew Arnott that Google changes the claimed identifier for the same account based on the realm passed with the authentication request.

Another possibly important tidbit of information: unlike many of the examples that can be found around the web for using dotnetopenauth, I am not using a "simple" textbox and composing the openIdIdentifier myself, but I am using the openID selector and that is providing the openIdIdentifier passed to the ValidateAtOpenIdProvider. (As per the Adding OpenID authentication to your ASP.NET MVC 4 application article.)

Question is: why is IAuthenticationResponse.GetExtension() always returning null when using Google as the openId provider, when otherwise all relevant gotchas with regard to Google (Email requested as required, AXFetchAsSregTransform, etc.) have been addressed?

Original

I am struggling with getting DotNetOpenAuth to parse the response returned from the provider. Followed the instructions of Adding OpenID authentication to your ASP.NET MVC 4 application up to the point where the login should be working and a login results in a return to the home page with the user's name (nick name) displayed at the top right. (That is up to "The user should at this point see the following:" just over half way down the article).

I am using Visual Studio Web Developer 2010 Express with C#. DotNetOpenAuth version is 4.0.3.12153 (according to the packages.config, 4.0.3.12163 according to Windows Explorer).

My web.config was modified following the instructions in Activating AXFetchAsSregTransform which was the solution for DotNetOpenId - Open Id get some data

Unfortunately it wasn't enough to get it working for me.

The openid-selector is working fine and resulting in a correct selection of the openid provider. The authentication request is created as follows:

    public IAuthenticationRequest ValidateAtOpenIdProvider(string openIdIdentifier)
    {
        // The identifier comes from the openid-selector widget (see above), not from a free-text box.
        // No realm/return URL is passed, so DotNetOpenAuth derives them from the current request.
        IAuthenticationRequest openIdRequest = openId.CreateRequest(Identifier.Parse(openIdIdentifier));

        // Simple Registration (sreg) request; the AXFetchAsSregTransform behavior in web.config
        // is what is expected to translate this for providers that only answer Attribute Exchange.
        var fields = new ClaimsRequest()
        {
            Email = DemandLevel.Require,
            FullName = DemandLevel.Require,
            Nickname = DemandLevel.Require
        };
        openIdRequest.AddExtension(fields);

        return openIdRequest;
    }

This all works. I can login and authorize the page to receive my information, which then results in a call to GetUser:

    public OpenIdUser GetUser()
    {
        OpenIdUser user = null;
        // Parses (and verifies the signature of) the assertion the provider redirected back with.
        IAuthenticationResponse openIdResponse = openId.GetResponse();

        if (openIdResponse.IsSuccessful())
        {
            user = ResponseIntoUser(openIdResponse);
        }

        return user;
    }

openIdResponse.IsSuccessful is implemented as an extension method (see linked article):

    return response != null && response.Status == AuthenticationStatus.Authenticated;

and always is successful as the ResponseIntoUser method is entered:

    private OpenIdUser ResponseIntoUser(IAuthenticationResponse response)
    {
        OpenIdUser user = null;
        // GetUntrustedExtension also returns extensions that were not covered by the provider's signature;
        // GetExtension only returns signed ones.
        var claimResponseUntrusted = response.GetUntrustedExtension<ClaimsResponse>();
        var claimResponse = response.GetExtension<ClaimsResponse>();

        // For this to work with the newer/est version of DotNetOpenAuth, make sure web.config
        // file contains required settings. See link for more details.
        // http://www.dotnetopenauth.net/developers/help/the-axfetchassregtransform-behavior/

        if (claimResponse != null)
        {
            user = new OpenIdUser(claimResponse, response.ClaimedIdentifier);
        }
        else if (claimResponseUntrusted != null)
        {
            user = new OpenIdUser(claimResponseUntrusted, response.ClaimedIdentifier);
        }
        else
        {
            // Debugging fallback only: a placeholder user so the home page always renders (see below).
            user = new OpenIdUser("[email protected];ikke van ikkenstein;ikke nick;ikkeclaimedid");
        }
        return user;
    }

My version above only differs from the code in the linked article by my addition of the final else block to ensure that I always get the home page with a user name and a logoff link displayed (which helps when trying to do this several times in succession).

I have tried both Google and Yahoo. Both authenticate fine, both return an identity assertion as logged by the WebDev server. However, GetUntrustedExtension and GetExtension always return null. I always get to see "ikke nick" from the last else, never the name I actually used to authenticate.

I am at a loss on how to continue to try and get this to work. It probably is some oversight on my part (I am an experienced developer but just started dipping my toes in C# and web front-end development), and I can't see it.

Any and all suggestions on how to proceed / debug this are very much welcome.

Trustful answered 24/12, 2012 at 18:51 Comment(9)
Can you activate logging and add logs to your question?Terrarium
Also note the comment that I just added to the tutorial you've referenced that calls out that using email address for the username is grossly insecure. You must use the ClaimedIdentifier for username, and only display the email address to users as a friendly identifier if you so choose.Terrarium
@AndrewArnott: Thanks, yes, I have seen your remarks about using the e-mail address in other questions and agree. This tutorial is just something to get my feet wet... I'll add the logging and post back (it may be some time, going out for a Christmas beach walk soon).Trustful
@AndrewArnott: Turned out I had the openid config changes wrt AXFetchAsSreg in the wrong web.config (somewhere in the Views folder). Moved them to the web.config in the solution's folder. Didn't make a difference though. Added the logging as per option 2 (direct log4net logging) from your linked reference. I copied the example verbatim (actual copy paste to the appropriate locations). A log file is created, behavior of my app is the same, but nothing gets added to the log. Even after shutting down the WebDev server it stays at 0 KB...Trustful
Are you using Google as OpenId provider to test your solution against? Because Google has/had the habit of including the Claims only the first time you authenticate the application. So perhaps try using a fresh google account and see if that works?Octans
@IvanL: Yes I was indeed using Google. Thanks very much for taking the time to comment. I'll check, but why don't you change your comment into an answer in the mean time. Could get you Anar's bounty as well as my accept.Trustful
@IvanL: Just tried it with both a used and an as yet unused Google account. Both end up in the "ikke nick" branch. So I guess Google simply doesn't send a claim, first time or otherwise... I'll try with another provider as well to check, but am at a loss how to get the claimed identifier for people logging in with google accounts.Trustful
@IvanL: Ok, just successfully received a claimResponse from Wordpress.com, so I guess that the reason it wasn't working for me before is connected to using Google. Maybe Google doesn't send an openID claimResponse unless you have registered your app there. Still have to figure out then how to setup openID selector to use specific application information instead of the http://<host>:<port>/ --- back to the manual.Trustful
@IvanL, I would gladly award the bounty if you post that as an answer.Broeder

Are you using Google as OpenId provider to test your solution against? Because Google has/had the habit of including the Claims only the first time you authenticate the application. So perhaps try using a fresh google account and see if that works?

Sorry for the slow response, doing a big migration at a client this week :-) Glad that this little comment resolved your issue.

Octans answered 3/9, 2013 at 15:20 Comment(1)
Just a pity that the resolution is that Google apparently doesn't send a claim even on the first authentication... (see my subsequent comments and update to the question) Ah well, I'll post another question on how to get Google to actually send the information...Trustful
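The following is an added example, not code from the question, the answer, or the tutorial the question follows. It pulls together the three points raised on this page: Google's (since retired) OpenID 2.0 endpoint answered Attribute Exchange (AX) but not Simple Registration (sreg), which is exactly the gap the AXFetchAsSregTransform behavior papers over, so requesting both extensions explicitly removes the dependency on that web.config setting; Google's claimed identifier depends on the realm, so the realm is pinned rather than left to default to the current host:port; and, as Andrew Arnott's comment insists, the account is keyed on the ClaimedIdentifier while email and name are treated as unverified, display-only attributes. It assumes the DotNetOpenAuth 4.x relying-party assemblies are referenced; the realm and return URL, the OpenIdUser shape, and the OpenIdClaims class name are all hypothetical.

```csharp
using System;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical user type for this example; the page's own OpenIdUser is not shown.
public sealed class OpenIdUser
{
    public OpenIdUser(string claimedIdentifier, string email, string displayName)
    {
        ClaimedIdentifier = claimedIdentifier;
        Email = email;
        DisplayName = displayName;
    }

    // The only value safe to key an account on: it is what the provider actually asserted and signed.
    public string ClaimedIdentifier { get; private set; }
    // Unverified, display-only attributes; never use them as the account key.
    public string Email { get; private set; }
    public string DisplayName { get; private set; }
}

public static class OpenIdClaims
{
    // Pin the realm: Google derives the claimed identifier from it, so letting it default to the
    // current host:port gives the same Google account a different key on every deployment.
    // (Hypothetical values; use the site's canonical URL.)
    private static readonly Realm SiteRealm = new Realm("https://example.com/");
    private static readonly Uri ReturnTo = new Uri("https://example.com/Account/OpenIdCallback");

    public static IAuthenticationRequest CreateRequest(OpenIdRelyingParty openId, string openIdIdentifier)
    {
        IAuthenticationRequest request =
            openId.CreateRequest(Identifier.Parse(openIdIdentifier), SiteRealm, ReturnTo);

        // Simple Registration (sreg): honoured by Yahoo, WordPress.com and many others.
        request.AddExtension(new ClaimsRequest
        {
            Email = DemandLevel.Require,
            FullName = DemandLevel.Require,
            Nickname = DemandLevel.Require
        });

        // Attribute Exchange (AX): the attribute extension Google's OpenID 2.0 endpoint understood.
        // Asking for it directly does not depend on AXFetchAsSregTransform being configured.
        var fetch = new FetchRequest();
        fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
        fetch.Attributes.AddOptional(WellKnownAttributes.Name.First);
        fetch.Attributes.AddOptional(WellKnownAttributes.Name.Last);
        request.AddExtension(fetch);

        return request;
    }

    // Returns null unless the assertion was positive. Unlike the question's debugging fallback,
    // no placeholder user is ever synthesised: downstream code could not tell it from a real login.
    public static OpenIdUser ReadUser(IAuthenticationResponse response)
    {
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
        {
            return null;
        }

        string email = null, fullName = null, nickname = null;

        // GetExtension only returns extensions covered by the provider's signature;
        // GetUntrustedExtension would also surface unsigned ones, so it is not used here.
        var sreg = response.GetExtension<ClaimsResponse>();
        if (sreg != null)
        {
            email = sreg.Email;
            fullName = sreg.FullName;
            nickname = sreg.Nickname;
        }

        var ax = response.GetExtension<FetchResponse>();
        if (ax != null)
        {
            email = email ?? ax.GetAttributeValue(WellKnownAttributes.Contact.Email);
            if (fullName == null)
            {
                string first = ax.GetAttributeValue(WellKnownAttributes.Name.First);
                string last = ax.GetAttributeValue(WellKnownAttributes.Name.Last);
                fullName = string.IsNullOrEmpty(first) && string.IsNullOrEmpty(last)
                    ? null
                    : (first + " " + last).Trim();
            }
        }

        // Attributes are optional and unverified: fall back to the identifier for display purposes,
        // but the account key is always the claimed identifier.
        string displayName = nickname ?? fullName ?? response.FriendlyIdentifierForDisplay;
        return new OpenIdUser(response.ClaimedIdentifier.ToString(), email, displayName);
    }
}
```

In the question's code, ValidateAtOpenIdProvider would call CreateRequest and GetUser would call ReadUser. The design choice worth noting is the null return on anything other than AuthenticationStatus.Authenticated: a placeholder user is convenient while debugging, as the question says, but if it survives into the application it turns a failed or cancelled login into a session.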
