author | Andrew Arnott <andrewarnott@gmail.com> | 2010-03-28 19:21:47 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-03-30 21:38:28 -0700 |
commit | fa26c24cab0c19074b5fa23cb515f8c5ce9d58eb (patch) | |
tree | 5b4802f813b419a0e96b4df288d15d44edbeae90 | |
parent | 959c14042acbbd9921ca0147f8f70f13bda5650a (diff) | |
Added log warning message when problematic OpenIDs are encountered by the RP, and a configuration option to enable/disable approximate OpenID discovery for partial trust hosts.
6 files changed, 62 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth/Configuration/DotNetOpenAuth.xsd b/src/DotNetOpenAuth/Configuration/DotNetOpenAuth.xsd index a4f932e..47c9831 100644 --- a/src/DotNetOpenAuth/Configuration/DotNetOpenAuth.xsd +++ b/src/DotNetOpenAuth/Configuration/DotNetOpenAuth.xsd @@ -320,6 +320,16 @@ </xs:annotation> </xs:attribute> <xs:attribute name="allowDualPurposeIdentifiers" type="xs:boolean" /> + <xs:attribute name="allowApproximateIdentifierDiscovery" type="xs:boolean"> + <xs:annotation> + <xs:documentation> + Controls whether certain Claimed Identifiers that exploit + features that .NET does not have the ability to send exact HTTP requests for will + still be allowed by using an approximate HTTP request. + Only impacts hosts running under partial trust. + </xs:documentation> + </xs:annotation> + </xs:attribute> <xs:attribute name="protectDownlevelReplayAttacks" type="xs:boolean"> <xs:annotation> <xs:documentation> diff --git a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs index 1e3df8f..1bf2ebc 100644 --- a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs +++ b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs @@ -71,6 +71,11 @@ namespace DotNetOpenAuth.Configuration { private const string AllowDualPurposeIdentifiersConfigName = "allowDualPurposeIdentifiers"; /// <summary> + /// Gets the name of the @allowApproximateIdentifierDiscovery attribute. + /// </summary> + private const string AllowApproximateIdentifierDiscoveryConfigName = "allowApproximateIdentifierDiscovery"; + + /// <summary> /// Gets the name of the @protectDownlevelReplayAttacks attribute. /// </summary> private const string ProtectDownlevelReplayAttacksConfigName = "protectDownlevelReplayAttacks"; 
@@ -206,6 +211,20 @@ namespace DotNetOpenAuth.Configuration { } /// <summary> + /// Gets or sets a value indicating whether certain Claimed Identifiers that exploit + /// features that .NET does not have the ability to send exact HTTP requests for will + /// still be allowed by using an approximate HTTP request. + /// </summary> + /// <value> + /// The default value is <c>true</c>. + /// </value> + [ConfigurationProperty(AllowApproximateIdentifierDiscoveryConfigName, DefaultValue = true)] + public bool AllowApproximateIdentifierDiscovery { + get { return (bool)this[AllowApproximateIdentifierDiscoveryConfigName]; } + set { this[AllowApproximateIdentifierDiscoveryConfigName] = value; } + } + + /// <summary> /// Gets or sets a value indicating whether the Relying Party should take special care /// to protect users against replay attacks when interoperating with OpenID 1.1 Providers. /// </summary> @@ -234,6 +253,7 @@ namespace DotNetOpenAuth.Configuration { settings.RejectDelegatingIdentifiers = this.RejectDelegatingIdentifiers; settings.IgnoreUnsignedExtensions = this.IgnoreUnsignedExtensions; settings.AllowDualPurposeIdentifiers = this.AllowDualPurposeIdentifiers; + settings.AllowApproximateIdentifierDiscovery = this.AllowApproximateIdentifierDiscovery; settings.ProtectDownlevelReplayAttacks = this.ProtectDownlevelReplayAttacks; return settings; diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs index 29315bb..9c2c88c 100644 --- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs +++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs @@ -1,7 +1,7 @@ //------------------------------------------------------------------------------ // <auto-generated> // This code was generated by a tool. -// Runtime Version:4.0.30104.0 +// Runtime Version:4.0.30319.1 // // Changes to this file may cause incorrect behavior and will be lost if // the code is regenerated. 
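Review bot: The `<summary>` added for `AllowApproximateIdentifierDiscovery` in the `@@ -206,6 +211,20 @@` hunk of OpenIdRelyingPartySecuritySettingsElement.cs omits the scope that the XSD documentation in this same commit states, namely that the setting only impacts hosts running under partial trust. The matching property in RelyingPartySecuritySettings.cs (`@@ -132,6 +133,16 @@`) has the same gap. I would add `/// Only impacts hosts running under partial trust.` to both summaries. Because the check in PositiveAuthenticationResponse.cs appears to reject the identifier when the setting is `false`, the `<value>` text could also say that `false` turns approximate verification into a rejection, so administrators can see the trade-off behind the permissive default.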
@@ -196,6 +196,15 @@ namespace DotNetOpenAuth.OpenId { } /// <summary> + /// Looks up a localized string similar to This OpenID exploits features that this relying party cannot reliably verify. Please try logging in with a human-readable OpenID or from a different OpenID Provider.. + /// </summary> + internal static string ClaimedIdentifierDefiesDotNetNormalization { + get { + return ResourceManager.GetString("ClaimedIdentifierDefiesDotNetNormalization", resourceCulture); + } + } + + /// <summary> /// Looks up a localized string similar to The ClaimedIdentifier property must be set first.. /// </summary> internal static string ClaimedIdentifierMustBeSetFirst { diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx index ae68fe6..b5eb570 100644 --- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx +++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx @@ -349,4 +349,7 @@ Discovered endpoint info: <data name="X509CertificateNotTrusted" xml:space="preserve"> <value>The X.509 certificate used to sign this document is not trusted.</value> </data> + <data name="ClaimedIdentifierDefiesDotNetNormalization" xml:space="preserve"> + <value>This OpenID exploits features that this relying party cannot reliably verify. Please try logging in with a human-readable OpenID or from a different OpenID Provider.</value> + </data> </root>
\ No newline at end of file diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs index b6a1b76..3e2298c 100644 --- a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs +++ b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs @@ -146,6 +146,14 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { } } + // Check whether this particular identifier presents a problem with HTTP discovery + // due to limitations in the .NET Uri class. + UriIdentifier claimedIdUri = claimedId as UriIdentifier; + if (claimedIdUri != null && claimedIdUri.ProblematicNormalization) { + ErrorUtilities.VerifyProtocol(relyingParty.SecuritySettings.AllowApproximateIdentifierDiscovery, OpenIdStrings.ClaimedIdentifierDefiesDotNetNormalization); + Logger.OpenId.WarnFormat("Positive assertion for claimed identifier {0} cannot be precisely verified under partial trust hosting due to .NET limitation. An approximate verification will be attempted.", claimedId); + } + // While it LOOKS like we're performing discovery over HTTP again // Yadis.IdentifierDiscoveryCachePolicy is set to HttpRequestCacheLevel.CacheIfAvailable // which means that the .NET runtime is caching our discoveries for us. This turns out diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs index e2bf2a1..a7686c5 100644 --- a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs +++ b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs @@ -27,6 +27,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { : base(false) { this.PrivateSecretMaximumAge = TimeSpan.FromDays(7); this.ProtectDownlevelReplayAttacks = ProtectDownlevelReplayAttacksDefault; + this.AllowApproximateIdentifierDiscovery = true; } /// <summary> 
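Review bot: In the `@@ -146,6 +146,14 @@` hunk of PositiveAuthenticationResponse.cs the warning is written only after `ErrorUtilities.VerifyProtocol(...)` returns, so when `AllowApproximateIdentifierDiscovery` is `false` the rejection of a problematic identifier leaves no log entry from this site. This assumes the call throws on a false condition; its body is not in this diff. Operators reviewing authentication failures would want both outcomes recorded, so I would log before the check with a message that fits either branch, e.g. `Logger.OpenId.WarnFormat("Claimed identifier {0} cannot be precisely verified due to a .NET Uri limitation (approximate discovery allowed: {1}).", claimedId, relyingParty.SecuritySettings.AllowApproximateIdentifierDiscovery);`. The existing message also says "under partial trust hosting" while the visible condition tests only `ProblematicNormalization`; whether that property already accounts for the trust level cannot be confirmed from here. The enclosing method begins and ends outside the hunk.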
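Review bot: The constructor line `this.AllowApproximateIdentifierDiscovery = true;` in the `@@ -27,6 +27,7 @@` hunk of RelyingPartySecuritySettings.cs hard-codes the default, while the line directly above it uses a named value, `ProtectDownlevelReplayAttacksDefault`. The same literal is repeated as `DefaultValue = true` on the configuration element in OpenIdRelyingPartySecuritySettingsElement.cs, so the two defaults of this security setting can drift apart unnoticed. A shared constant (the name is a suggestion), `internal const bool AllowApproximateIdentifierDiscoveryDefault = true;`, used as `this.AllowApproximateIdentifierDiscovery = AllowApproximateIdentifierDiscoveryDefault;` and `DefaultValue = RelyingPartySecuritySettings.AllowApproximateIdentifierDiscoveryDefault`, would keep them in step. The constructor starts outside the hunk.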
@@ -132,6 +133,16 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { public bool AllowDualPurposeIdentifiers { get; set; } /// <summary> + /// Gets or sets a value indicating whether certain Claimed Identifiers that exploit + /// features that .NET does not have the ability to send exact HTTP requests for will + /// still be allowed by using an approximate HTTP request. + /// </summary> + /// <value> + /// The default value is <c>true</c>. + /// </value> + public bool AllowApproximateIdentifierDiscovery { get; set; } + + /// <summary> /// Gets or sets a value indicating whether special measures are taken to /// protect users from replay attacks when those users' identities are hosted /// by OpenID 1.x Providers. |