Previously named DotNetOpenId in its v1.x and 2.x releases, the v3.0 release is rechristened DotNetOpenAuth to reflect its support for multiple authentication and authorization protocols. Sporting OpenID, OAuth and InfoCard support in its initial incarnation, it has been re-architected and largely rewritten to make adding more protocols fast and less error-prone.
Even if you’re already using DotNetOpenId 2.x and have no interest in InfoCard or OAuth, this is a worthy upgrade. It’s faster, more stable, and better tested. This new version is already being used as the standard for OSIS I5 OpenID interop testing, adding assurance that sites that use this library are secure and interoperate with many other sites and OpenID libraries.
In the making since August 30th, DotNetOpenAuth took 229 days to write. Valued at nearly $1.9 million by Ohloh.net, this is truly the culmination of a lot of work of many developers and cryptography experts. Although I wrote the library, I included some code from the Mono project for the Diffie-Hellman algorithm that OpenID requires.
- New OAuth support! Both for Service Provider and Consumer roles.
- RP+OP: discovery results cached for faster repeat logins (Issue 198).
- RP+OP: Exceptions are now much more predictable: the host need only catch ProtocolException to handle all unexpected error cases.
- RP+OP: OpenID extensions without simultaneous authentication (not that any such extensions exist).
- RP+OP: Better interop with some remote servers that omit certain common HTTP headers.
- RP: New InfoCard Selector ASP.NET control
- RP: Classic ASP officially supported via our new COM server, including support for the Simple Registration extension.
- RP: Signed callback arguments so relying parties can be confident their data was not tampered with during authentication.
- RP: OpenIdAjaxTextBox now batches authentication attempts to several OPs specified in the user’s XRDS document simultaneously in search of one that will authenticate without further user interaction.
- RP: Smaller authentication request messages (shorter URLs).
- RP: All callback arguments on return_to URL are now signed to protect against tampering (Issue 147).
- RP: More reliable logins due to nonce checking that is per-provider endpoint instead of global (Issue 175).
- RP: Added support for using ASP.NET State Server and other serialization-based session stores (Issue 185).
- RP: More efficient reuse of allocated objects by ASP.NET controls.
- OP: Ability to customize the lifetimes of each shared association type for added security.
- OP: Even OpenID 1.x RPs are now protected from replay attacks on positive assertions (Issue 176).
- OP: New ASP.NET MVC OpenID Provider sample.
- 430+ unit tests (180+ more than DotNetOpenId 2.x).
Notes to web sites upgrading from DotNetOpenId 2.x:
The public API, while very similar, has changed its namespace. Hosting sites will need to accommodate to the changes!