I take a sledge-hammer (this is Ayende's fault) to my current Membership system and split it out into three separate services/parts. I then sit with Jon Galloway and talk about OpenID - and then I implement it.
Haven't I Done This Before?
New Table >>> "Users" >>> UserID, UserName, Password .... BLECH!
I remember when ASP.NET gracefully took care of this for me and I've never had to do it again. Ever. Then Ayende comes along and tells me (as he loves to do) "you can write dis in ... ehhhh.... no time at all". Now I'd never in a million years rewrite ASP.NET Membership - but what he was saying was "loosen this application up - ASP Membership isn't everyone's thing" and he's right.
Active Directory, LDAP (of your choice), OpenID, Passport - so many things out there to choose from. The concept of a User these days is ... well... weird.
This episode is 40 minutes long and I hack apart the Membership bits into 3 services: Authentication, Authorization, and Personalization. My goal here is to create some reusable code that will move us beyond UserNames and Passwords... in other words to put on our thinking caps and look outside our beautiful walled garden.
I sound soooo ALT!
Watch It Here (40 minutes, 63Mb)
Oren (Ayende) has his own membership called rhino-security.
I think if it's not too hard to give users (programmers) the ability to change Implementation by just implementing an Interface or overriding (a method of) an existing one then it's the right way to do it and it also gives you the extra level of abstraction that should make it more scalable if needed.
(Isn't ASP.NET Membership "Provider Based" so that you can just plug in a different provider?)
Hi Yitzchok- Rhino Security isn't a membership engine - it's an Auth engine (what a user is allowed to do). It also requires NHibernate, which I'm not using just yet.
You're on the right track here though- swappage by implementing a simple interface...
I wanted to bring out "you can write dis in ... ehhhh.... no time at all"
And what's with the code on CodePlex?
Estimates from people who don't sleep (ayende) don't count. Double whatever he said it would take. /semi-kidding. I need to catch up on these episodes but I'm sure this is another good screencast.
I had my headset on, I'm not sure what was wrong with the audio. Sorry about that!
Rob, I haven't watched this video and you may know something that I don't but this OpenID came as a shock to me. I've read up on numerous OpenID security problems and potential for phishing in the past so I am not sure if it's a good candidate for an ecommerce website.
@Firefly The phishing aspect's only an issue in the case that the store site is untrustworthy (in which case your info is unsafe regardless) or the OpenID info the user input points to a phishing site. The IdentitySelector guide helps guide users in typing in correct OpenID URLs; additionally, the site or DotNetOpenID could use an OpenID provider whitelist to only allow redirect to specific providers.
Hi,
You can take a look at www.codeplex.com/.../AltairisIdToolk
"Altairis Identity Toolkit is set of components which will allow you to add any kind of authentication (such as Windows Live ID or Information Cards / CardSpace) to any application, which is based on ASP.NET membership and forms authentication."
I honestly haven't had time to follow through all of the screen casts, and I'm sure there are others as well. Would it be possible to get one of three things:
1) A page with links to all of the downloads so that someone doesn't have to go back through and find all the posts.
2) A single download with all of the screencasts in it
3) Blocks of screencasts in a zip (maybe 5 or something)
I know I'm being lazy, but for those of us who haven't followed the screencasts all the way through, having a way to get them all in one shot will probably lower the bar to entry.
Most of the screencasts are already here
www.asp.net/.../default.aspx
ALT + Enter is your friend.
I have learned a lot looking at these webcasts. You're bringing my toolset and my knowledge just that one notch up. Great to see, great to follow. You said in the previous screencast that it's good to do some code review some time in the process, but screencasts like these also give a developer a chance to look at how others are doing it. And I find that priceless.
Rob,
I have said it before but thanks for the great screencasts.
I have a couple of questions:
1. Are you going to check-in the code for this session to codeplex? (I haven't watched this screencast yet so sorry if you answered it in this screencast).
2. Are you planning on showing field validation, maybe with the MVCContrib project Validation Helper?
Thanks again
Any chance we can get another code drop?
You could use Migrator.NET and generate the tables yourself from an nant/msbuild file if you don't like creating the Users table yourself.
IMO, I would do that manual process a thousand times before I used the asp.net membership provider again. What a nightmare =)
@Sean the issue isn't with the actual creation of the tables :)
Hi Rob,
As @Corey hinted at, whenever you see the Resharper "light bulb", or red/grey code, or underlined code, if your cursor is on that code section and you hit ALT + Enter ReSharper will pop up various options related to that code.
<cueShamelessBlogPlug/>
I've written a dodgy little quickstart to R# 3 (but most of it applies to 4 too): davesquared.blogspot.com/.../getting-to-grip (search for "Quick fixes" for the light bulb info).
Cheers,
David
@Jon, you are right, however let's look at this example. A and B are both running a store. A is our store and it's legit. B is some phishing site that the user doesn't know about. The user shops at B's store and their OpenID is now compromised. So the hacker now has access to our store as well. Of course one might argue that the user could create two OpenIDs or they might end up using the same username and password on both sites anyway (in the case of separate user registration) but that's another story.
So the problem that I am seeing with OpenID is that if their OpenID gets compromised then all the sites they use OpenID on are also compromised. So the potential is higher and I think it's a little worrisome. Unless we only whitelist certain providers or just our own provider, in which case the convenience of using OpenID is dismissed.
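The provider whitelist raised in the two comments above, sketched as an added example (not code from the screencast, the Storefront project or DotNetOpenId). It assumes the relying-party code can obtain the provider endpoint URL that discovery returned, as a string, before it issues the redirect; the class name and the host names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

// Added example: allowlist check on the discovered OpenID provider endpoint.
// Host names below are constructed placeholders, not real providers.
public static class OpenIdProviderAllowlist
{
    // Exact host names of the providers the store is willing to redirect to.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "openid.example.com",
            "login.example.org"
        };

    // Returns true only if the endpoint found by discovery may be redirected to.
    public static bool IsAllowed(string providerEndpoint)
    {
        Uri uri;
        if (!Uri.TryCreate(providerEndpoint, UriKind.Absolute, out uri))
            return false;                      // not an absolute URL
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;                      // plain http can be rewritten in transit
        if (!string.IsNullOrEmpty(uri.UserInfo))
            return false;                      // "https://openid.example.com@other.host/"
        if (!uri.IsDefaultPort)
            return false;                      // only the standard HTTPS port
        // Exact match on the parsed host: no substring or suffix tests, so
        // "openid.example.com.attacker.example" does not pass.
        return AllowedHosts.Contains(uri.Host);
    }

    public static void Main()
    {
        // Constructed sample endpoints: one good, the rest lookalikes or downgrades.
        string[] samples =
        {
            "https://openid.example.com/server",
            "https://OPENID.example.com/server",
            "http://openid.example.com/server",
            "https://openid.example.com.attacker.example/server",
            "https://openid.example.com@attacker.example/server",
            "https://openid.example.com:8443/server",
            "openid.example.com/server"
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-5} {1}", IsAllowed(s), s);
    }
}
```

The check belongs on the endpoint that discovery resolves, not on the identifier the user typed, because a typed identifier can delegate to a different provider.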
I'd really like to watch this webcast. Any chance the link will be working soon?
What's wrong with the link?
@Rob: Sorry, it's just not working in my IE 8 beta. When I tried it in Firefox it was alright. Strange.
@Rob: In regard to ReSharper (...the resharper Wonk comment.....lol) and that TestPersonalizationService that you typed out, this is what you have to do (and the resharper Wonk comment.....lol):
1. Hit F12 to get to the next error (shift+F12 to go to the previous error) or possible area for refactoring (either Re#r will make it red, or underlined with squigglys).
2. Hit Alt+Enter to choose an option to be performed (like "create class TestPersonalizationService" )
3. Then you can move to that class and hit F6 to move that class to another file or namespace (quick refactoring).
4. Then Ctrl+Alt+L to get to solution explorer and copy the new file and place it where you want (then Enter to open it, F12,Alt+Enter, to new change namespace based on file location)
One thing, you say you are using a repository pattern here but it certainly isn't a repository in the DDD sense.
In fact even in Fowler's book the repository is there to encapsulate as much query logic as possible but you're actually doing this in the services and are just returning IQueryable. I'd argue that's not strictly a repository, http://weblogs.asp.net/fredriknormen/archive/2008/04/24/what-purpose-does-the-repository-pattern-have.aspx, but you could argue that Linq changes things in this regard.
However if you are going for a repository in the DDD sense then I think you are quite far off because you should have one repository per aggregate.
Not sure if you're going for a real repository here though, if so I'm happy to send on more details of what I mean.
Hey Rob,
Great webcast! Check out the Simple Registration extension support built into DotNetOpenId for how to get your visitors' first name and other information for display so you don't have to say "Hi, http://some.openid.com/", which you said you were hoping to learn how to avoid.
Also, I'm curious why you pointed out the necessity of having http:// in front of the openid that someone types into your login box. If you leave it off it's supposed to add it automatically. What problem with this were you seeing?
One more thing: you mentioned that unit testing your controller was difficult because DotNetOpenId relied heavily on HttpContext. I just wanted to point out that every method in the library that requires an HttpContext also has an overload that does _not_ require an HttpContext, so if you call those overloads and do the redirects yourself you may be able to unit test after all.
Here's a link for how to add the Simple Registration extension to an ASP.NET MVC app to get a user's friendly name to say "Hi" to on your home page: blog.nerdbank.net/.../enhancing-aspne
Rob,
As an aside, do you know whether OpenID can work with web.sitemap and the AspNetXmlSiteMapProvider and the securityTrimmingEnabled feature?
@Colin: Yah, I've been having the Repository discussion ongoing :). I know what I'm doing is not strict, but I assert it's in the same nightclub. See previous webcasts.
@Andrew - dude, blog it more. It's impossible to find anything reference-wise. I'd love to see some more info on all the things you mention here.
WRT testing - got epic fail if I tried to unit test the call. I'd love to see a webcast...
@Justin
Hi, I have collected all the video links and put them in a link so you can download them from one place and I will update the post.
omidzaman.com/.../MVC-Storefront-
Rob, in the video you wondered how to get user name from the OpenId provider. There is a way to do this using Attribute Exchange (AX), which is also supported by the DotNetOpenId library. I wrote a quick blog post about it, weblogs.asp.net/.../fetching-user-d
I'm not sure how well established AX is, but you may want to check it out. MyOpenId supports it anyway.
Rob, Can you put the 3rd party libraries such as StructureMap into a folder in the project and reference from that folder? The build is broken since I don't have structure map in my GAC and I don't want to install it in there.
Thanks
All 3rd party bits are in the Dependencies folder...
And having said that - I see that TFS didn't load them with the latest checkin. Gimme 5 mins...
We're starting to introduce linq2sql into our product and we're following some of the patterns you're using but we've run into a snag.
In our Model, we have an abstract base class (Address) with a couple of subclasses (BillingAddress, ShippingAddress, etc). In our repository, we'd like to have a method like public IQueryable<Address> GetAddresses() that will properly resolve the subclasses.
I've been googling this problem for a couple of days but everything I can find refers to handling this inheritance in the linq2sql classes but doesn't reveal how to do this with separate Model objects.
any ideas?
Hi Michael - send me an email about this. I'm tempted to suggest that the trouble you're having is because the abstraction doesn't work. For instance, a Billing Address can be a Shipping Address, and vice versa. I'd like to know what properties/methods make these different.
In summary - I would keep it simple and just have an Address.
Just wondering how the screencasts are coming. I have enjoyed these a lot and I am on the edge of my seat waiting for the next one. Is it possible that you are waiting for the preview 4 release?
Yep - just loaded Preview 4 bits on my box here and I'm readying up number 17. I have about 2 hours of video that I'm trying to organize... not fun...