Planning common membership provider for different authentication providers

I am trying to implement form based authentication (FBA) membership provider that is able to support multiple authentication mechanisms. Take it as an self-training experiment. In this posting I will introduce bases of my experiment and introduce my current plans and ideas.

Why membership provider for multiple authentication mechanisms?

There are many people in the world who are users of some social network or some open services provider. Today Facebook and Twitter are very popular social networks. Also Google and Microsoft Live services are very popular although they are not social networks. But all mentioned systems provide their own authentication channels also to other applications. The question is: why should I have another username and password if I have already one at some of systems I mentioned before?

Estonia on Europe mapHere, in Estonia, we are building local Microsoft community portal with local Microsoft. We analyzed the situation and decided to use Live ID as authentication mechanism in our portal. We were a little it worried too because we were afraid that there are load of users who are not happy with Live ID as authentication mechanism. And guess what – as time has shown us there is no reason to worry! Our ~2000 users (Estonia is small country) are all happy with Live ID and the ones who doesn’t have Live ID yet can go and join Live ID – it’s free.

If you have no idea where I live then take a look at map on right. The small and strong screen splash there is Estonia. If you don’t see it well then feel free to click on this image to see it at original size. :)

Profile store

To give you better idea what I am thinking about take a look at the following diagram.

Multi-authentication provider

Every user has one account. Each account has account specific information and custom profile fields. Profile fields can be customized because different sites need different profiles. My profile store will be common enough to live over almost all common situations. Or at least I hope so.

Authentication tokens is the place where I store tokens for users returned by different authentication mechanisms. This way each user is able to use authentication mechanism he or she likes. Also users will be able to use Twitter and Live ID both if they like. Same goes for all the other authentication providers I am able to support.

Implementation details

I have some implementation details on my mind. I am sure that the end result is maybe a little bit different but in big picture things hopefully does not change a lot.

  • There will be one common membership provider that is able to authenticate users to ASP.NET site by querying the authentication tokens table.
  • It is possible that each authentication provider gets it’s own membership provider that is extended from common one. I am not very sure yet if this is the great idea.
  • Usernames will be in form: ProviderName:ProfileName so I am able to detect which authentication mechanism I have to look to find out correct profile.
  • There will be additional field for profile or membership provider that returns me ProfileName without authentication mechanism information.
  • Data will be held in SQL Server at first place. Later I plan to support also the other databases or data stores.
  • There will be common login page that is automatically able to offer authentication mechanisms it knows about.

I think these points are good enough for start.

What’s next?

Well…. as a next thing I try to implement support for different authentication mechanisms and when all common providers are covered then it is time to write generic membership and role providers for ASP.NET. My first four candidates are Twitter, Facebook, Google and Live ID and after these I plan to write providers. Stay tuned, it will be interesting experiment!

Gunnar Peipman

Gunnar Peipman is ASP.NET, Azure and SharePoint fan, Estonian Microsoft user group leader, blogger, conference speaker, teacher, and tech maniac. Since 2008 he is Microsoft MVP specialized on ASP.NET.

    5 thoughts on “Planning common membership provider for different authentication providers

    • August 31, 2010 at 3:11 pm
      Permalink

      We have been using EpiServer CMS which includes a “multiplexing” membership provider that allows us to configure multiple providers (Forms and/or Active Directory) instead of only one.

    • September 1, 2010 at 1:05 am
      Permalink

      I think you are on the right path to success implementing this experiment same as you expect :)! Very interesting. I will keep track of your next blog posts.

      P.S. By d way, Estonia is a nice country!

    • December 23, 2010 at 1:01 pm
      Permalink

      Hi Sudeep and thanks for feedback. Right now I am working on Windows Identity Framework and AppFabric Access Control Services support. ACS is still in CTP but it promises to solve a lot of problems with writing own custom identity providers for different services. I stringly recommend you to take a look at it and if you want to find out more then feel free to read my blog postings about Access Control Service.

    • February 14, 2012 at 5:54 am
      Permalink

      One of the best articles i have ever read till date.

    • Pingback:Adding Twitter authentication support to ASP.NET application | Gunnar Peipman - Programming Blog

    Leave a Reply

    Your email address will not be published. Required fields are marked *