authorAndrew Arnott <andrewarnott@gmail.com>2009-02-02 20:29:37 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2009-02-02 20:29:37 -0800
commitefc59889061d44ba3fbd7701338e323aa053fbdf (patch)
treebb241a1d278daf3b4191e6cb006400fd7bdcd2a6
parent045c0d9e5e1d9e71d00d8ae6cf10294186bbfb3e (diff)
Added Claimed Identifier discovery as a preliminary step to unsolicited assertions to ensure that the Provider is authorized to send these assertions.
-rw-r--r--src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs9
-rw-r--r--src/DotNetOpenAuth/OpenId/OpenIdStrings.resx3
-rw-r--r--src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs12
3 files changed, 23 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index b0bdc6c..f917f88 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -524,6 +524,15 @@ namespace DotNetOpenAuth.OpenId {
}
/// <summary>
+ /// Looks up a localized string similar to An unsolicited assertion cannot be sent for the claimed identifier {0} because this is not an authorized Provider for that identifier..
+ /// </summary>
+ internal static string UnsolicitedAssertionForUnrelatedClaimedIdentifier {
+ get {
+ return ResourceManager.GetString("UnsolicitedAssertionForUnrelatedClaimedIdentifier", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to Unsolicited assertions are not allowed from 1.0 OpenID Providers..
/// </summary>
internal static string UnsolicitedAssertionsNotAllowedFrom1xOPs {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index 6e88fcc..8bffd62 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -286,4 +286,7 @@ Discovered endpoint info:
<data name="AbsoluteUriRequired" xml:space="preserve">
<value>An absolute URI is required for this value.</value>
</data>
+ <data name="UnsolicitedAssertionForUnrelatedClaimedIdentifier" xml:space="preserve">
+ <value>An unsolicited assertion cannot be sent for the claimed identifier {0} because this is not an authorized Provider for that identifier.</value>
+ </data>
</root>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
index f7eb3ad..4744a4f 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
@@ -202,7 +202,17 @@ namespace DotNetOpenAuth.OpenId.Provider {
// is authorized to send an assertion for the given claimed identifier,
// do due diligence by performing our own discovery on the claimed identifier
// and make sure that it is tied to this OP and OP local identifier.
- //// TODO: code here
+ var serviceEndpoint = DotNetOpenAuth.OpenId.RelyingParty.ServiceEndpoint.CreateForClaimedIdentifier(claimedIdentifier, localIdentifier, new ProviderEndpointDescription(providerEndpoint, Protocol.Default.Version), null, null);
+ var discoveredEndpoints = claimedIdentifier.Discover(this.WebRequestHandler);
+ if (!discoveredEndpoints.Contains(serviceEndpoint)) {
+ Logger.DebugFormat(
+ "Failed to send unsolicited assertion for {0} because its discovered services did not include this endpoint. This endpoint: {1}{2} Discovered endpoints: {1}{3}",
+ claimedIdentifier,
+ Environment.NewLine,
+ serviceEndpoint,
+ discoveredEndpoints.ToStringDeferred(true));
+ ErrorUtilities.ThrowProtocol(OpenIdStrings.UnsolicitedAssertionForUnrelatedClaimedIdentifier, claimedIdentifier);
+ }
Logger.InfoFormat("Preparing unsolicited assertion for {0}", claimedIdentifier);
var returnToEndpoint = relyingParty.Discover(this.WebRequestHandler, true).FirstOrDefault();
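Review bot: The refusal path inside `if (!discoveredEndpoints.Contains(serviceEndpoint))` is logged only at debug level, so in a typical production logging configuration an attempt to assert an identifier this Provider is not authorized for leaves no trace beyond the thrown protocol error; consider `Logger.WarnFormat(` (or the Logger wrapper's equivalent) for that call so operators can see it. The authorization check also depends entirely on how `ServiceEndpoint` equality is defined, which is not visible in this hunk. Because the expected endpoint is built with `Protocol.Default.Version`, an identifier whose discovery document lists this endpoint under a different protocol version would presumably be rejected if equality includes the version, and if equality ignores the OP local identifier the check is weaker than the comment above it promises. A short comment such as `// Contains() relies on ServiceEndpoint equality covering claimed id, OP endpoint and OP local id` would record that dependency, once confirmed against the Equals implementation. The enclosing method starts and ends outside the hunk.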