Support Microsoft Account login

[ghost]

[Edited by anurse]
Let's add support for Microsoft Account login! From there we can start adding new auth providers.

[phillip-haydon]

Is the NuGet team open to supporting OAuth for login?

[jeffhandley]

Yeah, this is starting to get close to the top of the list. This would also alleviate the session timeout issue too #768.

[ghost]

why is it alleviating the session timeout issue?

[phillip-haydon]

@dotnetjunky I think because if it signed out and you selected 'Twitter' again, it would re-authenticate and you would be logged in with minimal effort. Rather than having to manually login.

[xavierdecoster]

I think OAuth makes a lot of sense for the NuGet Gallery. As @dotnetjunky points out, at MyGet we support quite a few using Azure ACS (GitHub, StackOverflow, LiveID, etc), see http://www.myget.org/Account/Login.

Bear in mind you'll need some mechanism to link/merge NuGet accounts with these other identities to avoid duplicate accounts being created. Also, first time visitors using OAuth will still need to create a NuGet.org profile (same flow as on MyGet). This to ensure everyone has a username/password for classic authentication, as well as an API key and email address.
Identity providers return different info (LiveID is an annoying one), so you'll have to map this to the claims you want to get from ACS. The beauty of it is that you can manage a lot through ACS afterwards.

[jeffhandley]

Yeah, we definitely still want to have a NuGet.org "username" but not having an actual password for nuget.org would be grand.

For those of you that have already implemented this in MyGet and JabbR (@PureKrome), we'd really appreciate your help on this.

//cc @anurse @howarddierking

[xavierdecoster]

Happy to assist, pinging @maartenba as well

[phillip-haydon]

Awesome sauce, I'm gonna start on this tomorrow night.

[analogrelay]

We'd definitely be open for PRs. Not sure about Azure ACS as it has complexities I'm not sure we want to deal with, but having said that, we also want to consider ADFS log in at some point (specifically for Microsoft's own domain ;)) and ACS might help a lot there.

Just FYI that we're going to need to think and talk about this a bit before we're totally ready, but we'll keep those discussions open and will definitely look at PRs for inspiration if nothing else (and be sure to credit where credit is due :)).

[analogrelay]

Closing this but we are definitely working on it. See #1348.

[analogrelay]

It's back! We're finally getting rolling on this!

[PureKrome]

Andrew - if you're still going to use SimpleAuthentication (now rebranded, was previously known as WorldDom..Authentication) ... then @phillip-haydon and I are here to assist :)

@phillip-haydon - were you going to do a PR for this?

Lastly, this is using Session (until I finish refactoring out Session and replacing it with an ICache - so you can choose your caching mechanism). Is Session an issue, in the very very very short term?

(if no custom ICache will be provided, then it defaults to Session)

[analogrelay]

I'm going to look at a few options. Right now I'm investigating the new Auth components that are part of the Katana Project as they handle Cookie auth, OAuth and will have Federated auth soon. It's less Simple than SimpleAuth though, so we'll see how it goes :).

[PureKrome]

NP Andrew - I understand.