Securing A Website using Windows Live Web Authentication SDK - 9/18/2010
Unfortunately my web host (DiscountASP) wants $10/month for SSL even if I provide my own certificate (like a cheap one from GoDaddy). Their explanation is that getting IP addresses from ARIN is now more expensive. Whatever the reason, for a personal site, $10 a month for SSL is too much to pay. Instead of seeing this as a problem, I saw it as an opportunity to use Windows Live ID authentication (aka Passport).
The idea of using Windows Live credentials instead of rolling my own account system makes sense. I get a free ride on their SSL. As an added bonus, I am planning to add a comments feature to my blog at some point, and since almost everyone already has a Windows Live account, if I wanted to require login to prevent comment spam, most users would already have a login and would not need to register.
Actually implementing the Windows Live Web Authentication was pretty easy and straightforward. Register your site, modify their sample code and go. There is more to it than that but that is saved for another post.
Unfortunately, as with most APIs, you don't know the quirks until you get 80% of the way into them. Apparently with Live authentication all you get is a GUID (a hash of the user's Live ID GUID and your registered application's GUID, so it identifies the user only within your application). You cannot get their name or email address.
I could of course just let users who are logged in provide their name at the time of posting a comment, but then I'm trusting them to be honest. If anyone wanted to be abusive, there is no way I could figure out who posted it from the GUID.
It is understandable why they do not allow you to get more than just a GUID for the user, but given this limitation, if you need their name and email you must still force users through a custom registration process and then associate this GUID with the local account.
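Here is an added example (not code from the original post or from the Live SDK) of the linking step described above: an opaque per-application identifier is tied to a profile the site collects itself, and comments are only accepted once that link exists, so an abusive comment can be traced to a collected name and email rather than a bare GUID. The SDK is assumed to have already validated the login token and handed over the identifier as a string; `app_scoped_id` is a constructed stand-in for the hashing the post describes, not the real derivation.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def app_scoped_id(live_user_guid: str, app_guid: str) -> str:
    # Constructed stand-in for the identifier Live hands a site (not the real
    # derivation): it depends on the user's Live ID and the site's application
    # GUID, so two separately registered sites see different values for one user.
    return hashlib.sha256(f"{live_user_guid}:{app_guid}".encode()).hexdigest()[:32]


@dataclass(frozen=True)
class Profile:
    display_name: str
    email: str


class AccountLinker:
    """Links the opaque Live identifier to a profile the site collects itself."""

    def __init__(self) -> None:
        self._profiles: dict[str, Profile] = {}
        self._comments: list[tuple[str, str]] = []  # (live_id, text)

    def is_registered(self, live_id: str) -> bool:
        return live_id in self._profiles

    def register(self, live_id: str, display_name: str, email: str) -> Profile:
        # One-time step after the first Live login: name and email come from
        # the site's own form, because Live does not supply them.
        if live_id in self._profiles:
            raise ValueError("identifier already linked to a profile")
        if not display_name.strip() or "@" not in email:
            raise ValueError("display name and email are required")
        self._profiles[live_id] = Profile(display_name.strip(), email.strip())
        return self._profiles[live_id]

    def post_comment(self, live_id: str, text: str) -> bool:
        # Refuse logins that never completed registration, so every stored
        # comment can be traced to a collected profile rather than a bare GUID.
        if not self.is_registered(live_id):
            return False
        self._comments.append((live_id, text))
        return True

    def author_of(self, comment_index: int) -> Optional[Profile]:
        live_id, _ = self._comments[comment_index]
        return self._profiles.get(live_id)
```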
In conclusion, using Live ID for authentication does get me around the SSL barrier for login security, but it is an incomplete solution.