Update: Here’s the related screencast episode.
As you may have noticed in the last episode (episode 4), the Feed Reader has reached the stage where we require UserIDs.
Given the delicate nature of login credentials and the security precautions they require, it’s much easier to hand the details off to Google Federated Login, or even Windows Live ID. These services simply give us a return token indicating who has logged in.
The previous version of the feed reader used Windows Live ID. It’s a very simple implementation: a single MVC controller and a small iFrame containing the login button. It’s elegantly simple. Since it’s MVC, there are no issues running it on Windows Azure. The reasons I picked it last time were a) its simplicity and b) it’s part of the Windows Azure ecosystem.
The alternative is to use Google Federated Login. This is a combination of OpenID and OAuth. The implementation is certainly much more involved, with a lot of back and forth with Google’s servers.
- The web application asks the end user to log in by offering a set of log-in options, including using their Google account.
- The user selects the “Sign in with Google” option. See Designing a Login User Interface for more options.
- The web application sends a “discovery” request to Google to get information on the Google login authentication endpoint.
- Google returns an XRDS document, which contains the endpoint address.
- The web application sends a login authentication request to the Google endpoint address.
- This action redirects the user to a Google Federated Login page, either in the same browser window or in a popup window, and the user is asked to sign in.
- Once logged in, Google displays a confirmation page (redirect version / popup version) and notifies the user that a third-party application is requesting authentication. The page asks the user to confirm or reject linking their Google account login with the web application login. If the web application is using OpenID+OAuth, the user is then asked to approve access to a specified set of Google services. Both the login and user information sharing must be approved by the user for authentication to continue. The user does not have the option of approving one but not the other. Note: If the user is already logged into their Google account, or has previously approved automatic login for this web application, the login step or the approval step (or both) may be skipped.
- If the user approves the authentication, Google returns the user to the URL specified in the openid.return_to parameter of the original request. A Google-supplied identifier, which has no relationship to the user’s actual Google account name or password, is appended as the query parameter openid.claimed_id. If the request also included attribute exchange, additional user information may be appended. For OpenID+OAuth, an authorized OAuth request token is also returned.
- The web application uses the Google-supplied identifier to recognize the user and allow access to application features and data. For OpenID+OAuth, the web application uses the request token to continue the OAuth sequence and gain access to the user’s Google services. Note: OpenID authentication for Google Apps (hosted) accounts requires an additional discovery step. See OpenID API for Google Apps accounts.
As you can see, an involved process.
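As an added example (not from the original post, and not DotNetOpenAuth’s code), here is the check the web application has to perform at the last two steps before trusting openid.claimed_id, written against OpenID 2.0 with an association-based HMAC-SHA256 signature. The endpoint constant is Google’s OpenID 2.0 endpoint; the return URL, MAC key, identifier and nonce are constructed values for the demonstration.

```python
import base64, calendar, hashlib, hmac, time
from urllib.parse import parse_qs, urlencode

# Google's OpenID 2.0 endpoint as returned by XRDS discovery (step 4 above).
OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"
NONCE_WINDOW = 300  # seconds a response_nonce timestamp may differ from our clock
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def sign(fields, mac_key):
    """OpenID 2.0 signature: HMAC-SHA256 over 'key:value\\n' pairs, in openid.signed order."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def sample_response(mac_key, return_to, nonce):
    """Constructed positive assertion, signed as an OP holding the shared association would sign it."""
    ident = "https://www.google.com/accounts/o8/id?id=EXAMPLE"  # constructed, not a real Google identifier
    f = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": return_to,
         "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-1",
         "openid.claimed_id": ident, "openid.identity": ident,
         "openid.signed": ",".join(sorted(REQUIRED))}
    f["openid.sig"] = sign(f, mac_key)
    return urlencode(f)

def verify_response(query, mac_key, expected_return_to, seen_nonces, now=None):
    """Validate a positive assertion before trusting openid.claimed_id; returns it, or None on any failure."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    signed = f.get("openid.signed", "").split(",")
    # Every required field must be present and covered by the signature; unsigned fields are attacker-controllable.
    if (f.get("openid.mode") != "id_res" or not REQUIRED <= set(signed)
            or not all("openid." + k in f for k in signed)):
        return None
    # The assertion must be for this exact return_to and come from the discovered endpoint,
    # otherwise an assertion issued for another site (or by another OP) could be pasted in.
    if f["openid.return_to"] != expected_return_to or f["openid.op_endpoint"] != OP_ENDPOINT:
        return None
    # Replay protection: the nonce timestamp must be fresh and the nonce never accepted before.
    nonce = f["openid.response_nonce"]
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if abs(current - ts) > NONCE_WINDOW or nonce in seen_nonces:
        return None
    if not hmac.compare_digest(sign(f, mac_key), f.get("openid.sig", "")):
        return None
    seen_nonces.add(nonce)
    return f["openid.claimed_id"]
```

Only after all of these checks pass should the claimed identifier be looked up as a UserID; a library such as DotNetOpenAuth performs the equivalent checks internally, including the direct check_authentication round trip when no association exists.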
There is a C# library available called DotNetOpenAuth, and I’ll be investigating integrating it into MVC and using it in the Feed Reader.
One advantage of using Google Accounts is that the Google Base Data API lets us import Google Reader subscriptions.
It may well be possible to allow the use of dual login systems. Certainly, sites like stackoverflow.com use this to great effect.
Why is choosing an external login system important?
Well, firstly, it’s one less username and password combination that has to be remembered.
Secondly, the security considerations are the onus of the authentication provider.
If we were to go with multiple authentication providers, I’d add a third reason: Not having an account with the chosen authentication provider is a source of frustration for users.
So, the question is, dear readers, which option would you choose?
- Google Federated login
- Windows Live ID