Home/ Questions/Q 4324852
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T09:11:18+00:00

I’m developing a solution for a client, who is dealing with a fairly typical

  • 0

I’m developing a solution for a client, who is dealing with a fairly typical problem: they have many systems in production, each one with its own users and passwords, leading to the situation where each user has to remember three or four different (or not) logins and passwords, one per system they are allowed to use. Also, each application has its own authentication levels (that is, if you are a superuser in one, that doesn’t mean you are a superuser in all of them).

My best idea so far involves installing an OpenID provider, and supplying access levels using the AX (Attribute Exchange) extension. This is complicated, though, mostly because I can’t find a decent implementation of an OpenID provider with said extension – for what I’ve read in the archives, not even Google and friends have done this right yet…

A few extra points:

  • The good side about using AX is that access could be managed from a central point – if an application asks for a field, but the OpenID provider returns nothing, then you are not allowed to log in. That way, a power user (aka the boss, or more precisely his secretary) could grant/revoke permissions in all systems from a single webpage.
  • I’d love to use, say, myOpenId, but if you’ve ever tried to convince a manager to share the full list of users, passwords and permissions with a foreign website then you know the kind of answers I got. A local server, although probably less secure than using Google, would paradoxically be the preferred solution.
  • LDAP is frowned upon, mostly due to the concern that you could get the full list of users with the appropriate query (maybe not the regular users, but the developers could get it). I’m not an expert on LDAP, though, so if you think it’s a valid option, I’m listening.
  • Yes, I know sreg is easier to use, but there is no “application_access” attribute, and piggybacking another field, like “email”, sounds a little ugly.

So, would you think I’m doing the right thing here? Is there a better solution I’m missing? And if it is, do you happen to know a good OpenID provider (with AX extension!) I can install?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    With the requirements you’re talking about (admins being able to revoke privileges that are communicated via attributes, etc), it sounds like running your own provider is the best way to go, as a public provider would be less likely to offer the flexibility you want. DotNetOpenAuth has full support of AX as both consumer and provider, so it’d be a good place to start- you could also build all your admin-level storage and attribute communication customizations on top of it. It’s still not a turnkey solution (ie, coding will be required to “source” the AX values from wherever they’re stored), but it’s a whole lot better than trying to start from scratch. Lots of good samples and community, and the main author is active on StackOverflow.

    • 0