Encouraged by SO, I’m trying to write an ASP.NET site that uses OpenID for

Question

0

Asked: May 10, 20262026-05-10T22:32:02+00:00 2026-05-10T22:32:02+00:00

Encouraged by SO, I’m trying to write an ASP.NET site that uses OpenID for

0

Encouraged by SO, I’m trying to write an ASP.NET site that uses OpenID for user authentication. It’s a regular WinForms site (not MVC.NET), using the DotNetOpenId library for authentication.

Is it safe for me to permit/deny administrative functions on the site by simply comparing the current session’s ‘ClaimedID’ (as returned in the OpenIdLogin_LoggedIn event, as member DotNetOpenId.RelyingParty,OpenIdEventArgs.Response.ClaimedIdentifier) to a known administrator’s OpenID (i.e. mine)?

If so, is it safe for this ID to be visible (e.g. in open source code), or should it be ‘hidden’ in a configuration file or a database row? (I know it’s better design to make it configurable, my question is just about safety.)

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

score 0 · Answer 1 · 2026-05-10T22:32:03+00:00

2026-05-10T22:32:03+00:00Added an answer on May 10, 2026 at 10:32 pm

Jarrett makes some good comments about using database tables.

Just to answer another one of your questions, no, it’s not a confidentiality thing to put your OpenID in your code generally. If setting up roles seems overkill for your site, a simple equality check against your ClaimedIdentifier is just perfect.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Encouraged by SO, I’m trying to write an ASP.NET site that uses OpenID for

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply