Web.config file configuration of DotNetOpenId

DotNetOpenId can be configured in some aspects inside your web project's web.config file. To do this, add the below <sectionGroup> within the <configSections> of your Web.config file:

<configSections>
    <sectionGroup name="dotNetOpenId">
        <section name="relyingParty" type="DotNetOpenId.Configuration.RelyingPartySection" requirePermission="false" allowLocation="true"/>
        <section name="provider" type="DotNetOpenId.Configuration.ProviderSection" requirePermission="false" allowLocation="true"/>
        <section name="untrustedWebRequest" type="DotNetOpenId.Configuration.UntrustedWebRequestSection" requirePermission="false" allowLocation="false"/>
    </sectionGroup>
</configSections>

If you do not already have a configSections element in your Web.config file, add it at the very top, as the first child of the root <configuration> tag.

Following is an example of every possible configuration setting, where each demonstrate value happens to be the default that would be used if it wasn't set in the .config file. Keep in mind that every setting below is optional, so you need only include those elements that you wish to change in your own copy of Web.config. The <dotNetOpenId> node below should show up as a peer node to system.web in your Web.config file.

<dotNetOpenId>
    <relyingParty>
        <security minimumHashBitLength="160" maximumHashBitLength="256"
                  requireSsl="false" minimumRequiredOpenIdVersion="V10" />
        <store type="SomeSite.CustomRPStore, SomeSite" />
    </relyingParty>
    <provider>
        <security minimumHashBitLength="160" maximumHashBitLength="256" />
        <store type="SomeSite.CustomProviderStore, SomeSite" />
    </provider>
    <untrustedWebRequest readWriteTimeout="00:00:00.800" timeout="00:00:10" maximumBytesToRead="1048576" maximumRedirections="10">
        <whitelistHosts>
            <add name="localhost" />
            <add name="127.0.0.1" />
        </whitelistHosts>
        <whitelistHostsRegex>
            <add name="^(.*\.)?goodsite.com" />
        </whitelistHostsRegex>
        <blacklistHosts>
            <add name="internalfinancialserver" />
            <add name="www.evilsite.com" />
        </blacklistHosts>
        <blacklistHostsRegex>
            <add name="^(.*\.)?evilsite.com" />
        </blacklistHostsRegex>
    </untrustedWebRequest>
</dotNetOpenId>

All these configuration values are also configurable at runtime using the object model of the library. Using the Web.config file allows changes to be made without recompiling the web site. In the case of OpenIdRelyingParty and OpenIdProvider, it also allows you to setup your configuration just once, in your .config file, and have it apply to every instance of OpenIdRelyingParty or OpenIdProvider instead of you having to set up that configuration everywhere you instantiate these types.

By using the ASP.NET <location> element, you can set some configuration settings for OpenIdRelyingParty or OpenIdProvider based on which directory or web page in your project is instantiating them. This would allow you to, for example, use enhanced SSL security requirements at just the administrator log in screen while allowing non-SSL OpenIDs for ordinary users.