User Roles?

Jan 15, 2011 at 4:27 AM

Can we have user roles integrated with OpenID?



Jan 15, 2011 at 6:54 PM

If you mean if it's possible, the answer is yes. You can manage your users anyway you want. I've just implemented the most basic kind so you can see where you can do it.

But if you meant if I was planning to implement that, the answer is no. At least for right now. I still have a lot of actual OpenID stuff to do. But I'll add it to my list of TO-DOs.




Jan 16, 2011 at 6:40 PM

What I did was to add UserType to the User class and manually adding the type when the user registers, it works but I don't know how to expose that UserType to the UserContext as I want to add an Attribute class so that I can do something like:

[AdminOnlyAttribute] on a Controller or a method inside a controller.

But anyway, I'm glad that you are still working on the OpenID stuffs :) I'm really looking forward to use them. Here are some suggestion that I think would be nice as I'm implementing your MVCOpenId in my actual site:

  1. As mentioned, User Roles
  2. A normal registration if the user don't really want to use OpenId (a lot of them still don't know what OpenId is and hesitates to login to their Yahoo/Gmail/Other accounts as they think that I'm capturing their username & password! This probably just re-use the current Registration form (after they have logged in using their OpenId), but with an addition of asking for the password. Once they have registered, they can chose to add OpenId to their account or not.


Jan 16, 2011 at 7:27 PM

I don't think you really need to expose UserType to UserContext. You could make a attribute check the authentication cookie, just like I do in Global.asax.cs in the MvcApplication_PostAuthenticateRequest method. The key part of that is the OpenIdIdentity. More specifically the UserInfo property. You have the user's UserId in there, so you can get it from the database or add info about the role in there (but that's a cookie, so it may hold out-of-date data in there. This is from the top of my head at the moment, but I hope you understood what I meant. For proper User Roles you should check out how the DotNetOpenAuth's Visual Studio template does it. It's much more complex.

Normal registration and logins should be easy enough to add. The reason I didn't add them is because I've read (I think it was a discussion on StackOverflow) that registrations decreased for site's using multiple registration/login methods. I decided to make all my sites OpenID-only (later I'll add Twitter and Facebook, which are OAuth, like StackOverflow does). There's also the issue of security. There is a lot of work to make a simple login form secure. But if you really want it I'm sure you can figure out how to add that form and bypass the OpenID stuff.

I'm sorry I can't look into all of this at the moment, as I'm swamped with other work. But the first thing I'm going to do when I get a bit of time is to update to MVC3 RTM and then publish a demo to my server. As I promised I'll add a UserVoice feedback module for you to add suggestions.