Working with Passport Authentication

Passport authentication is a centralized authentication service offered by Microsoft. When a user logs in to a Web site that has Passport authentication enabled, he or she is automatically redirected to the Passport Web site. After entering a username and password, the user is automatically redirected back to the original site.

More than 130 million users are already signed up with Microsoft Passport. For example, both HotMail and MSN use Passport to authenticate users.

Passport authentication has several significant advantages over Forms authentication. First, and most important, users benefit by using Passport authentication because they can use the same username and password that they currently use at other Web sites. Therefore, users are less likely to forget their passwords. Also, registration information can be kept more current.

Second, when using Passport authentication, you don't need to set up and maintain a database to store user registration information. Microsoft does all the work for you.

Passport authentication also provides you with options to customize the appearance of the Registration and Sign In pages by supplying templates. You can even supply your own Cascading Style Sheets to format the appearance of these pages.

To use the Microsoft Passport service, you must pay a subscription fee. The current subscription fee is $10,000 a year plus a $1,500 fee for URL. For details, see the www.passport.com/business Web site.

Enabling Passport Authentication

Before you can use Passport authentication, you must first download and install the Microsoft Passport Software Development Kit (SDK) from www.passport.com/_business. The Passport SDK contains the Passport Manager, the Passport Manager Administrator utility, and a sample site that implements Passport authentication. (Currently, the sample site is written with Classic ASP, not ASP.NET.)

After you download and install the SDK, you can create a site in test mode. Certain features of Passport do not work in test mode, however. For example, you cannot read all the information from a user's profile, nor can you customize the appearance of the Sign In or Registration pages. The sign-out process doesn't work either. (You need to shut down all the instances of your browser to sign out.) To use any of these features, you must enter production mode.

To enter production mode, you must register to become a Passport participant site. After you register and sign the necessary agreements, you are issued a Site ID and an encryption key.

After you download and install Microsoft Passport, you can enable Passport authentication for an application by creating a Web.Config file in its root directory. The Web.Config file in Listing 19.30 contains the necessary authentication section to enable Passport authentication.

Listing 19.30 Passport\Web.Config

 <configuration>   <system.web>     <authentication mode="Passport">       <passport redirectUrl="/Login.aspx" />     </authentication>   </system.web> </configuration> 

The C# version of this code can be found on the CD-ROM.

The Web.Config file in Listing 19.30 sets the authentication mode for the application to use Passport authentication. It also sets the value of the redirectUrl attribute. If a user is not authenticated and requests a page in a directory that requires authentication, he or she is redirected to the page specified by the redirectUrl attribute.

After you enable Passport authentication, you can protect the pages in any directory from unauthenticated access by including the file in Listing 19.31 in the directory.

Listing 19.31 Passport\Secret\Web.Config

 <configuration>   <system.web>     <authorization>       <deny users="?" />     </authorization>   </system.web> </configuration> 

The C# version of this code can be found on the CD-ROM.

The Web.Config file in Listing 19.31 prevents anonymous users (represented by the ? symbol) from accessing any ASP.NET page in the current directory. This Web.Config file applies to the current directory and all subdirectories that do not have a Web.Config file that overrides it. If an anonymous user attempts to access an ASP.NET page, that user is automatically redirected to the page indicated by the redirectUrl attribute in Listing 19.30.

Enabling Users to Sign In and Sign Out

Many Web sites that use Passport authentication, such as MSN, do not have a distinct sign in page. Instead, they display a sign-in button on the top of each page. After a user has signed in, customized content can be displayed for him or her.

To create a sign-in button, you can use the LogoTag2() method of the PassportIdentity class. This method automatically displays a sign-in button for unauthenticated users and a sign-out button for authenticated users. For example, the page in Listing 19.32 uses the LogoTag2() method to display a sign-in button at the top of the page (see Figure 19.3).

Listing 19.32 Passport\Default.aspx

 <Script Runat="Server"> Sub Page_Load   Dim objPassportID As PassportIdentity   objPassportID = User.Identity   If objPassportID.GetFromNetworkServer Then     Response.Redirect( Request.Path )   End If   plhPassport.Controls.Add( New LiteralControl( objPassportID.LogoTag2() ) ) End Sub </Script> <html> <head><title>Default.aspx</title></head> <body> <asp:PlaceHolder   ID="plhPassport"   Runat="Server" /> <hr> <h2>Welcome to our Web site!</h2> </body> </html> 

The C# version of this code can be found on the CD-ROM.

In the Page_Load subroutine in Listing 19.32, an instance of the PassportIdentity class is created. Next, the LogoTag2() method is called to retrieve the necessary HTML tag for a sign-in button, which is added to the controls collection of an ASP.NET PlaceHolder control. This results in the sign-in button being displayed at the top-left corner of the page.

 If objPassportID.GetFromNetworkServer Then   Response.Redirect( Request.Path ) End If 

The LogoTag2() method displays a sign-in button until you sign in. After you sign in, the method displays a sign-out button.

If you want to create a distinct sign-in page, you can use the LogoTag2() method to create the sign-in button on the page. For example, the page contained in Listing 19.33 asks the user to log in.

Listing 19.33 Passport\Login.aspx

 <Script Runat="Server"> Sub Page_Load   Dim objPassportID As PassportIdentity   objPassportID = User.Identity   If objPassportID.IsAuthenticated Then     Response.Redirect( "Default.aspx" )   End If   plhPassport.Controls.Add( New LiteralControl( objPassportID.LogoTag2 ) ) End Sub </Script> <html> <head><title>Login.aspx</title></head> <body> <h2>Please Login:</h2> You have requested a restricted resource. To continue, please login by clicking the following button: <p> <asp:PlaceHolder   ID="plhPassport"   Runat="Server" /> </body> </html> 

The C# version of this code can be found on the CD-ROM.

In the Page_Load subroutine in Listing 19.33, the IsAuthenticated property is checked to see whether the user has already been authenticated. If the user hasn't been authenticated, he or she is invited to click the sign-in button. After clicking the sign-in button, the user is authenticated by the Passport service and returned to the Default.aspx page.

You can use the IsAuthenticated property to detect whether a user has signed in and to display customized content. For example, the page in Listing 19.34, named News.aspx , displays customized news only for authenticated users.

Listing 19.34 Passport\News.aspx

 <Script Runat="Server"> Sub Page_Load( s As Object, e As EventArgs )   Dim objPassportID As PassportIdentity   objPassportID = User.Identity   If objPassportID.GetFromNetworkServer Then     Response.Redirect( Request.Path )   End If   plhPassport.Controls.Add( New LiteralControl( objPassportID.LogoTag2() ) )   If objPassportID.IsAuthenticated Then     pnlAuth.Visible = True   Else     pnlAnon.Visible = True   End If End Sub </Script> <html> <head><title>News.aspx</title></head> <body> <asp:PlaceHolder   ID="plhPassport"   Runat="Server" /> <hr> <asp:Panel   ID="pnlAuth"   Visible="False"   Runat="Server">   <h2>Customized News</h2>   News customized only for you... </asp:Panel> <asp:Panel   ID="pnlAnon"   Visible="False"   Runat="Server">   <h2>Anonymous News</h2>   News for anonymous users... </asp:Panel> </body> </html> 

The C# version of this code can be found on the CD-ROM.

In the Page_Load subroutine in Listing 19.34, the IsAuthenticated property checks whether the current user has been authenticated with Passport authentication. If IsAuthenticated returns the value True , the first panel on the page is displayed. Otherwise , the second panel is displayed.

Retrieving User Information

Information about authenticated Passport users is stored in Passport user profiles. You can retrieve a Passport user profile from the PassportIdentity class.

The Passport profile is guaranteed to contain certain information about each user. For each user, you can read his or her unique Passport User ID, country, region or state, postal code, and language preference.

A Passport profile also contains optional information. The user can enter such additional information as email address, nickname, age, or sex. If the user has not already entered this information, you can create a form at your Web site that enables the user to enter and update it at the central Passport database.

You can retrieve the unique user ID for a Passport user by reading the Name property of the PassportIdentity class. The Passport User ID (PUID) is a 64-bit number that you can use to uniquely match a user to rows in a database table.

Other profile information can be read from the Item property of the PassportIdentity class. For example, you can retrieve a user's country by using the following code:

 strUserCountry = objPassportIdentity.Item( "Country" ) 

Because the Item property represents the default collection for the PassportIdentity class, you also can retrieve profile information like this:

 strUserCountry = objPassportIdentity( "Country" ) 

The following attributes are initially defined in a user's core profile:

• Accessibility ” Returns 1 when accessibility features should be enabled for the current user, and otherwise. The default value is .

• BDay_precision ” Specifies an integer that indicates the precision of the Birthdate attribute:

  = Birthdate deleted or not supplied

  1 = User is 18 or older, but no birth month or day supplied

  2 = User is 18 or older; both birth month and day supplied

  3 = User is under 18

  4 = User is under 13

  5 = User is minor over 13

• Birthdate ” Returns either the user's birth year or full birth date in the format MM/DD/YYYY. The default value is .

• City ” Indicates a GeoID value that represents the user's city.

• Country ” Contains a two-character ISO 3166 country code.

• Flags ” Contains an integer bitmask. If the first bit is set (00000000 00000000 00000000 00000001), the email address of the user has been verified .

• Gender ” Specifies the value M (Male), F (Female), or U (Unknown).

• Lang_Preference ” Indicates the LCID value for the user's preferred language.

• MemberIDHigh ” Specifies the upper portion of the 64-bit Passport Unique ID (PUID) associated with each user.

• MemberIDLow ” Specifies the lower portion of the 64-bit Passport Unique ID (PUID) associated with each user.

• Nickname ” Indicates a user-supplied friendly name. The nickname is not guaranteed to be unique and must be fewer than 30 bytes.

• PreferredEmail ” Indicates the user's preferred email address.

• PostalCode ” Specifies the postal code (both for the U.S. and other countries ).

• ProfileVersion ” Returns the value 1 currently.

• Region ” Indicates a GeoID that represents the user's geographical region.

• Wallet ” Returns 1 when the user has created an online wallet and otherwise.

The page in Listing 19.35, for example, displays several of the profile attributes for the current user.

Listing 19.35 Passport\UserInfo.aspx

 <Script Runat="Server"> Sub Page_Load   Dim objID As PassportIdentity   objID = User.Identity   If objID.IsAuthenticated Then     lblInfo.Text &= "<li>PUID: " & objID.Name     lblInfo.Text &= "<li>Accessibility: " & objID( "Accessibility" )     lblInfo.Text &= "<li>BDay_precision: " & objID( "BDay_precision" )     lblInfo.Text &= "<li>Birthdate: " & objID( "Birthdate" )     lblInfo.Text &= "<li>City: " & objID( "City" )     lblInfo.Text &= "<li>Country: " & objID( "Country" )     lblInfo.Text &= "<li>Gender: " & objID( "Gender" )     lblInfo.Text &= "<li>Lang_Preference: " & objID( "Lang_Preference" )     lblInfo.Text &= "<li>MemberIDHigh: " & objID( "MemberIDHigh" )     lblInfo.Text &= "<li>MemberIDLow: " & objID( "MemberIDLow" )     lblInfo.Text &= "<li>Nickname: " & objID( "Nickname" )     lblInfo.Text &= "<li>PreferredEmail: " & objID( "PreferredEmail" )     lblInfo.Text &= "<li>PostalCode: " & objID( "PostalCode" )     lblInfo.Text &= "<li>ProfileVersion: " & objID( "ProfileVersion" )     lblInfo.Text &= "<li>Region: " & objID( "Region" )     lblInfo.Text &= "<li>Wallet: " & objID( "Wallet" )   End If End Sub </Script> <html> <head><title>UserInfo.aspx</title></head> <body> <h2>User Data:</h2> <asp:Label   ID="lblInfo"   Runat="Server" /> </body> </html> 

The C# version of this code can be found on the CD-ROM.

In the Page_Load subroutine in Listing 19.35, an instance of the PassportIdentity class is created. If the user has been authenticated, several profile attributes are retrieved and displayed in a Label control.