Friday, January 15, 2010

DotNetOpenAuth v3.4 now available

You can go download DotNetOpenAuth v3.4 today.  Highlights of the new version include:

  1. Support for Google Apps for Domains issued OpenIDs.  This required special work since Google has their own flavor of OpenID discovery that had to be supported until something like Google’s scenario gets standardized.
  2. Identifier discovery extensibility (this is how Google Apps support was enabled; the extensibility is exposed for others as well, but use it with caution!)
  3. A new ASP.NET MVC OpenID web project template.
  4. Twitter image POST via OAuth fixed.
  5. New SSO web-ring samples added, so organizations looking to use OpenID for their SSO solution can see how it might be done.
  6. Minor bug fixes.

Please note that this is the first version to have statistical reporting enabled by default, which reports feature usage statistics and the URL of the site hosting the library to the library authors.  To opt out of this feature, add this to your web.config file:

  <reporting enabled="false" />

The details included in the reports may be selectively turned on or off as well, if you are willing to contribute statistics but don't want the URL to your web site exposed, for example.  More information can be found in my follow-up post: DotNetOpenAuth’s “call home” reporting.

Don’t forget to donate to the cause if you like the library.


  1. Nice work!

    One thing I have been trying to get is a website that functions both as an OpenID provider and relying party. I see in 3.4 there are samples for the two separately, and I have attempted to merge the two code bases and configs etc. into a single website to no avail.

    Is what I am attempting even possible? Or does OpenID, by its very nature, require providers and relying parties to be cleanly separated?

    As to why I want to do this, it is to allow standard username / password when the website is launched (i.e. it will use OpenID but be restricted to itself as the provider), but with flexibility to broaden the provider list later depending on website takeup.

  2. Hi mjwills,
    A site can certainly be an RP and OP at once. And DotNetOpenAuth doesn't do anything to stop you, although as you say, there are no samples of it doing this. Please send details to for more help.

  3. Hi,

    It seems that the DotNetOpenAuth.resources under the sr is only delay signed. It has been this way since this assembly was added.

    You can make a little experiment by trying to install the assembly into the GAC. You will get:
    Failure adding assembly to the cache: Strong name signature could not be verified. Was the assembly built delay-signed?

    I opened an issue for it in the DotNetOpenAuth trac (171).

    Am I missing something? Do I need to do something on my end? I searched the wiki but couldn't find anything.

    -Shay Erlichmen.

  4. Shay,

    Thanks for the report and for filing the bug. It turns out this is a duplicate bug, and has been fixed for future releases.

  5. "has been fixed for future releases."

    I didn't understand if the fix is in 3.4.1 or will be in a future release.
    I don't see it in the roadmap of 3.4.2 nor 3.5 so I'm assuming that you think this is resolved.

    The official sr resource in the bin folder is not signed, but I found that the same dll is also in some samples' bin folders. I tried those and they are signed.

  6. Shay,

    The fix for the signing issue is not yet available in a public release. But v3.4.2, and any future version of v3.3.x will have the fix.

  7. Is there more documentation (or mail list threads or whatever) on the web SSO stuff?

  8. carl,

    Yes, there's a long thread about SSO work here:

    The new SSO samples largely came out of this discussion.

  9. Andrew.. I am enjoying the DotNetOpenAuth work quite a bit and I think as for Google and Yahoo I have it licked.

    Now .. the question, Facebook claims to be an OpenID vendor.. the rich user interaction one can glean from Facebook Connect is of interest to me. Any guidance out there on a Facebook implementation using .NET? I think the key issue is the wiring up of the post-authorize callback.. or so it seems to me...

  10. Hi Dawie,

    Facebook is not an OpenID Provider, so DotNetOpenAuth cannot log Facebook users into third party web sites.

  11. I just downloaded DNOA.

    I can make it work with regular Google accounts with this URL: ""

    But no success with Google education. I use this URL:

    But I keep getting AuthenticationStatus.Failed with an exception:
    "The X.509 certificate used to sign this document is not trusted. The revocation function was unable to check revocation for the certificate., The revocation function was unable to check revocation because the revocation server was offline."

    I really do not know what else I can do. Any idea?

