author | Andrew Arnott <andrewarnott@gmail.com> | 2012-06-12 08:50:24 -0700 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2012-06-12 08:50:24 -0700 |
commit | 2b23b9affdc5064394a46a5a7d9d2ada4148450f (patch) | |
tree | dcff3fe7744dc893a31303bafaecbd4bca93ff63 /samples/OpenIdProviderMvc/Controllers/OpenIdController.cs | |
parent | 4aa2ffd3206cd342282e6bf3e0a518a6d0f65529 (diff) | |
Added PAPE max_auth_time handling to sample OP
The OpenIdRelyingPartyWebForms and OpenIdProviderMvc samples now
interact via PAPE to demonstrate enforcement of the PAPE max_auth_time
parameter.
Diffstat (limited to 'samples/OpenIdProviderMvc/Controllers/OpenIdController.cs')
-rw-r--r-- | samples/OpenIdProviderMvc/Controllers/OpenIdController.cs | 62 |
1 files changed, 51 insertions, 11 deletions
diff --git a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
index 198c434..4782e94 100644
--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -17,6 +17,16 @@ namespace OpenIdProviderMvc.Controllers {
 public class OpenIdController : Controller {
 internal static OpenIdProvider OpenIdProvider = new OpenIdProvider();
+ public OpenIdController()
+ : this(null) {
+ }
+
+ public OpenIdController(IFormsAuthentication formsAuthentication) {
+ this.FormsAuth = formsAuthentication ?? new FormsAuthenticationService();
+ }
+
+ public IFormsAuthentication FormsAuth { get; private set; }
+
 [ValidateInput(false)]
 public ActionResult Provider() {
 IRequest request = OpenIdProvider.GetRequest();
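Review bot: The two constructors and the `FormsAuth` property carry no XML doc comments, while other members of this controller do (the `/// Displays a confirmation page.` summary appears later in the same file). A `/// <summary>Gets the forms-authentication service this controller consults for the current user's sign-in time.</summary>` on the property, plus a sentence on the parameterless constructor saying that `null` falls back to `FormsAuthenticationService`, would let a reader see the injection seam without reading the bodies. The public getter also exposes the service to anything holding a controller instance; if only the action methods need it, `internal` or `private` would narrow that surface.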
@@ -29,25 +39,44 @@ namespace OpenIdProviderMvc.Controllers {
 // This is apparently one that the host (the web site itself) has to respond to.
 ProviderEndpoint.PendingRequest = (IHostProcessedRequest)request;
- // Try responding immediately if possible.
- ActionResult response;
- if (this.AutoRespondIfPossible(out response)) {
- return response;
- }
-
- // We can't respond immediately with a positive result. But if we still have to respond immediately...
- if (ProviderEndpoint.PendingRequest.Immediate) {
- // We can't stop to prompt the user -- we must just return a negative response.
- return this.SendAssertion();
+ // If PAPE requires that the user has logged in recently, we may be required to challenge the user to log in.
+ var papeRequest = ProviderEndpoint.PendingRequest.GetExtension<PolicyRequest>();
+ if (papeRequest != null && papeRequest.MaximumAuthenticationAge.HasValue) {
+ TimeSpan timeSinceLogin = DateTime.UtcNow - this.FormsAuth.SignedInTimestampUtc.Value;
+ if (timeSinceLogin > papeRequest.MaximumAuthenticationAge.Value) {
+ // The RP wants the user to have logged in more recently than he has.
+ // We'll have to redirect the user to a login screen.
+ return this.RedirectToAction("LogOn", "Account", new { returnUrl = this.Url.Action("ProcessAuthRequest") });
+ }
 }
- return this.RedirectToAction("AskUser");
+ return this.ProcessAuthRequest();
 } else {
 // No OpenID request was recognized. This may be a user that stumbled on the OP Endpoint.
 return this.View();
 }
 }
+ public ActionResult ProcessAuthRequest() {
+ if (ProviderEndpoint.PendingRequest == null) {
+ return this.RedirectToAction("Index", "Home");
+ }
+
+ // Try responding immediately if possible.
+ ActionResult response;
+ if (this.AutoRespondIfPossible(out response)) {
+ return response;
+ }
+
+ // We can't respond immediately with a positive result. But if we still have to respond immediately...
+ if (ProviderEndpoint.PendingRequest.Immediate) {
+ // We can't stop to prompt the user -- we must just return a negative response.
+ return this.SendAssertion();
+ }
+
+ return this.RedirectToAction("AskUser");
+ }
+
 /// <summary>
 /// Displays a confirmation page.
 /// </summary>
@@ -133,6 +162,17 @@ namespace OpenIdProviderMvc.Controllers {
 pendingRequest.AddResponseExtension(claimsResponse);
 }
+
+ // Look for PAPE requests.
+ var papeRequest = pendingRequest.GetExtension<PolicyRequest>();
+ if (papeRequest != null) {
+ var papeResponse = new PolicyResponse();
+ if (papeRequest.MaximumAuthenticationAge.HasValue) {
+ papeResponse.AuthenticationTimeUtc = this.FormsAuth.SignedInTimestampUtc;
+ }
+
+ pendingRequest.AddResponseExtension(papeResponse);
+ }
 }
 return OpenIdProvider.PrepareResponse(pendingRequest).AsActionResult(); |
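Review bot: `this.FormsAuth.SignedInTimestampUtc.Value` in the PAPE branch of `Provider()` unwraps what appears to be a nullable `DateTime?` (the assertion hunk assigns the same property unwrapped to `AuthenticationTimeUtc`), so a request carrying max_auth_time from a user who has not signed in yet would throw `InvalidOperationException` instead of being sent to log in. Treating "never signed in" as "signed in too long ago" avoids that: `var signedInUtc = this.FormsAuth.SignedInTimestampUtc;` followed by `if (!signedInUtc.HasValue || DateTime.UtcNow - signedInUtc.Value > papeRequest.MaximumAuthenticationAge.Value) {`. Separately, the age check lives only in `Provider()`: `ProcessAuthRequest()`, which is the `returnUrl` target, processes the still-pending request without re-checking, so a user who reaches it without actually re-authenticating can receive a positive assertion whose max_auth_time compliance then rests on the RP comparing the auth time reported in the last hunk. Repeating the age check at the top of `ProcessAuthRequest()`, or a comment stating that RP-side verification of `AuthenticationTimeUtc` is the intended backstop, would close that gap. `Provider()` begins before this hunk.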
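Review bot: A `PolicyResponse` is attached for every PAPE request, even when the RP asked for no max_auth_time and the response therefore carries nothing set by this code, and nothing says whether that is deliberate. A comment above `var papeResponse = new PolicyResponse();` such as `// A PAPE request always gets a PAPE response; auth_time is reported only when the RP asked for max_auth_time.` would make the intent explicit for the next reader of the sample. The enclosing method starts and ends outside this hunk.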