External Login via OAuth and OpenID

Historically, the huge majority of web applications have handled authorization based on a locally maintained account database. The ASP.NET Membership system is a familiar example: New users register for an account by providing a name, password, and possibly other required information. The application adds the user information to a local membership database and uses it to validate login attempts.

While traditional membership is a great fit in a lot of web applications, it comes with some serious downsides:

  • Maintaining a local database of usernames and secret passwords is a large security liability. It's become common to hear about large security breaches involving hundreds of thousands of users' account information (often including unencrypted passwords). Worse, because many users reuse passwords on multiple websites, compromised accounts may affect your users' security on their banking or other sensitive websites.
  • Website registration is annoying. Users have gotten tired of filling out forms, complying with widely differing password policies, remembering passwords, and worrying if your site is going to keep their information secure. A significant percentage of potential users will decide they'd rather not bother with registering for your site.

OAuth and OpenID are open standards for authorization. These protocols allow your users to log in to your site using their existing accounts on other trusted sites (called providers), such as Google, ...

Get Professional ASP.NET MVC 4 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.