OpenId.Provider now builds.

19 files changed, 139 insertions, 194 deletions

diff --git a/src/DotNetOpenAuth.OpenId.Provider.UI/DotNetOpenAuth.OpenId.Provider.UI.csproj b/src/DotNetOpenAuth.OpenId.Provider.UI/DotNetOpenAuth.OpenId.Provider.UI.csproj
index 3e0369d..a97022f 100644
--- a/src/DotNetOpenAuth.OpenId.Provider.UI/DotNetOpenAuth.OpenId.Provider.UI.csproj
+++ b/src/DotNetOpenAuth.OpenId.Provider.UI/DotNetOpenAuth.OpenId.Provider.UI.csproj
@@ -52,6 +52,8 @@
   </ItemGroup>
   <ItemGroup>
     <Reference Include="System" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Net.Http.WebRequest" />
     <Reference Include="Validation">
       <HintPath>..\packages\Validation.2.0.1.12362\lib\portable-windows8+net40+sl5+windowsphone8\Validation.dll</HintPath>
       <Private>True</Private>
diff --git a/src/DotNetOpenAuth.OpenId.Provider.UI/packages.config b/src/DotNetOpenAuth.OpenId.Provider.UI/packages.config
index 58890d8..1d93cf5 100644
--- a/src/DotNetOpenAuth.OpenId.Provider.UI/packages.config
+++ b/src/DotNetOpenAuth.OpenId.Provider.UI/packages.config
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
+  <package id="Microsoft.Net.Http" version="2.0.20710.0" targetFramework="net45" />
   <package id="Validation" version="2.0.1.12362" targetFramework="net45" />
 </packages>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth.OpenId.Provider/DotNetOpenAuth.OpenId.Provider.csproj b/src/DotNetOpenAuth.OpenId.Provider/DotNetOpenAuth.OpenId.Provider.csproj
index 0df2b70..0d9a643 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/DotNetOpenAuth.OpenId.Provider.csproj
+++ b/src/DotNetOpenAuth.OpenId.Provider/DotNetOpenAuth.OpenId.Provider.csproj
@@ -73,6 +73,8 @@
   </ItemGroup>
   <ItemGroup>
     <Reference Include="System" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Net.Http.WebRequest" />
     <Reference Include="Validation">
       <HintPath>..\packages\Validation.2.0.1.12362\lib\portable-windows8+net40+sl5+windowsphone8\Validation.dll</HintPath>
       <Private>True</Private>
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/ChannelElements/ProviderSigningBindingElement.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/ChannelElements/ProviderSigningBindingElement.cs
index f84860b..520f41a 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/ChannelElements/ProviderSigningBindingElement.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/ChannelElements/ProviderSigningBindingElement.cs
@@ -9,6 +9,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 	using System.Collections.Generic;
 	using System.Linq;
 	using System.Text;
+	using System.Threading;
 	using System.Threading.Tasks;
 	using System.Web;
 	using DotNetOpenAuth.Messaging;
@@ -61,8 +62,8 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// The protections (if any) that this binding element applied to the message.
 		/// Null if this binding element did not even apply to this binding element.
 		/// </returns>
-		public override MessageProtections? ProcessOutgoingMessage(IProtocolMessage message) {
-			var result = base.ProcessOutgoingMessage(message);
+		public override async Task<MessageProtections?> ProcessOutgoingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken) {
+			var result = await base.ProcessOutgoingMessageAsync(message, cancellationToken);
 			if (result != null) {
 				return result;
 			}
@@ -162,7 +163,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <returns>
 		/// The applied protections.
 		/// </returns>
-		protected override Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied) {
+		protected override Task<MessageProtections> VerifySignatureByUnrecognizedHandleAsync(IProtocolMessage message, ITamperResistantOpenIdMessage signedMessage, MessageProtections protectionsApplied, CancellationToken cancellationToken) {
 			// If we're on the Provider, then the RP sent us a check_auth with a signature
 			// we don't have an association for.  (It may have expired, or it may be a faulty RP).
 			var tcs = new TaskCompletionSource<MessageProtections>();
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AnonymousRequest.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AnonymousRequest.cs
index 9d73d9a..23d1e3c 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AnonymousRequest.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AnonymousRequest.cs
@@ -7,6 +7,8 @@
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
 	using System.Diagnostics.CodeAnalysis;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
 	using Validation;
@@ -77,14 +79,12 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// <summary>
 		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
 		/// </summary>
-		protected override IProtocolMessage ResponseMessage {
-			get {
+		protected override async Task<IProtocolMessage> GetResponseMessageAsync(CancellationToken cancellationToken) {
 				if (this.IsApproved.HasValue) {
-					return this.IsApproved.Value ? (IProtocolMessage)this.positiveResponse : this.NegativeResponse;
+					return this.IsApproved.Value ? (IProtocolMessage)this.positiveResponse : (await this.GetNegativeResponseAsync());
 				} else {
 					return null;
 				}
-			}
 		}
 
 		#endregion
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AuthenticationRequest.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AuthenticationRequest.cs
index 0167580..a13cba1 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AuthenticationRequest.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AuthenticationRequest.cs
@@ -6,6 +6,8 @@
 
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
 	using Validation;
@@ -177,13 +179,11 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// <summary>
 		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
 		/// </summary>
-		protected override IProtocolMessage ResponseMessage {
-			get {
-				if (this.IsAuthenticated.HasValue) {
-					return this.IsAuthenticated.Value ? (IProtocolMessage)this.positiveResponse : this.NegativeResponse;
-				} else {
-					return null;
-				}
+		protected override async Task<IProtocolMessage> GetResponseMessageAsync(CancellationToken cancellationToken) {
+			if (this.IsAuthenticated.HasValue) {
+				return this.IsAuthenticated.Value ? (IProtocolMessage)this.positiveResponse : (await this.GetNegativeResponseAsync());
+			} else {
+				return null;
 			}
 		}
 
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AutoResponsiveRequest.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AutoResponsiveRequest.cs
index 91bb6f3..d9ed053 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AutoResponsiveRequest.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/AutoResponsiveRequest.cs
@@ -9,6 +9,8 @@ namespace DotNetOpenAuth.OpenId.Provider {
 	using System.Collections.Generic;
 	using System.Linq;
 	using System.Text;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
 	using Validation;
@@ -64,15 +66,15 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// <summary>
 		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
 		/// </summary>
-		internal IProtocolMessage ResponseMessageTestHook {
-			get { return this.ResponseMessage; }
+		internal Task<IProtocolMessage> GetResponseMessageAsyncTestHook() {
+			return this.GetResponseMessageAsync(CancellationToken.None);
 		}
 
 		/// <summary>
 		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
 		/// </summary>
-		protected override IProtocolMessage ResponseMessage {
-			get { return this.response; }
+		protected override Task<IProtocolMessage> GetResponseMessageAsync(CancellationToken cancellationToken) {
+			return Task.FromResult(this.response);
 		}
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/AXFetchAsSregTransform.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/AXFetchAsSregTransform.cs
index d5f3f4e..34f7cd0 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/AXFetchAsSregTransform.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/AXFetchAsSregTransform.cs
@@ -10,6 +10,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 	using System.Diagnostics.CodeAnalysis;
 	using System.Linq;
 	using System.Text;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Behaviors;
 	using DotNetOpenAuth.OpenId.Extensions;
@@ -77,8 +79,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 		/// 	<c>true</c> if this behavior owns this request and wants to stop other behaviors
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
-		bool IProviderBehavior.OnOutgoingResponse(Provider.IAuthenticationRequest request) {
-			request.ConvertSregToMatchRequest();
+		async Task<bool> IProviderBehavior.OnOutgoingResponseAsync(Provider.IAuthenticationRequest request, CancellationToken cancellationToken) {
+			await request.ConvertSregToMatchRequestAsync(cancellationToken);
 			return false;
 		}
 
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/GsaIcamProfile.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/GsaIcamProfile.cs
index e12ca39..3b43391 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/GsaIcamProfile.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/GsaIcamProfile.cs
@@ -8,6 +8,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 	using System;
 	using System.Diagnostics.CodeAnalysis;
 	using System.Linq;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Behaviors;
@@ -107,7 +109,7 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 		/// 	<c>true</c> if this behavior owns this request and wants to stop other behaviors
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
-		bool IProviderBehavior.OnOutgoingResponse(Provider.IAuthenticationRequest request) {
+		async Task<bool> IProviderBehavior.OnOutgoingResponseAsync(Provider.IAuthenticationRequest request, CancellationToken cancellationToken) {
 			bool result = false;
 
 			// Nothing to do for negative assertions.
@@ -116,7 +118,7 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 			}
 
 			var requestInternal = (Provider.AuthenticationRequest)request;
-			var responseMessage = (IProtocolMessageWithExtensions)requestInternal.Response;
+			var responseMessage = (IProtocolMessageWithExtensions)await requestInternal.GetResponseAsync(cancellationToken);
 
 			// Only apply our special policies if the RP requested it.
 			var papeRequest = request.GetExtension<PolicyRequest>();
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/PpidGeneration.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/PpidGeneration.cs
index c8bdd93..34b6735 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/PpidGeneration.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Behaviors/PpidGeneration.cs
@@ -8,6 +8,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 	using System;
 	using System.Diagnostics.CodeAnalysis;
 	using System.Linq;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Behaviors;
 	using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;
@@ -73,14 +75,14 @@ namespace DotNetOpenAuth.OpenId.Provider.Behaviors {
 		/// 	<c>true</c> if this behavior owns this request and wants to stop other behaviors
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
-		bool IProviderBehavior.OnOutgoingResponse(IAuthenticationRequest request) {
+		async Task<bool> IProviderBehavior.OnOutgoingResponseAsync(IAuthenticationRequest request, CancellationToken cancellationToken) {
 			// Nothing to do for negative assertions.
 			if (!request.IsAuthenticated.Value) {
 				return false;
 			}
 
 			var requestInternal = (Provider.AuthenticationRequest)request;
-			var responseMessage = (IProtocolMessageWithExtensions)requestInternal.Response;
+			var responseMessage = (IProtocolMessageWithExtensions)await requestInternal.GetResponseAsync(cancellationToken);
 
 			// Only apply our special policies if the RP requested it.
 			var papeRequest = request.GetExtension<PolicyRequest>();
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/ExtensionsInteropHelper.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/ExtensionsInteropHelper.cs
index d4332d2..26225b3 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/ExtensionsInteropHelper.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/ExtensionsInteropHelper.cs
@@ -9,6 +9,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Extensions {
 	using System.Collections.Generic;
 	using System.Diagnostics.CodeAnalysis;
 	using System.Linq;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Extensions;
 	using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
@@ -78,9 +80,9 @@ namespace DotNetOpenAuth.OpenId.Provider.Extensions {
 		/// If the original attribute request came in as AX, the Simple Registration extension is converted
 		/// to an AX response and then the Simple Registration extension is removed from the response.
 		/// </remarks>
-		internal static void ConvertSregToMatchRequest(this Provider.IHostProcessedRequest request) {
+		internal static async Task ConvertSregToMatchRequestAsync(this Provider.IHostProcessedRequest request, CancellationToken cancellationToken) {
 			var req = (Provider.HostProcessedRequest)request;
-			var response = req.Response as IProtocolMessageWithExtensions; // negative responses don't support extensions.
+			var response = (await req.GetResponseAsync(cancellationToken)) as IProtocolMessageWithExtensions; // negative responses don't support extensions.
 			var sregRequest = request.GetExtension<ClaimsRequest>();
 			if (sregRequest != null && response != null) {
 				if (sregRequest.Synthesized) {
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/UI/UIRequestTools.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/UI/UIRequestTools.cs
index 278ad6c..09d0b21 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/UI/UIRequestTools.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Extensions/UI/UIRequestTools.cs
@@ -10,6 +10,8 @@ namespace DotNetOpenAuth.OpenId.Provider.Extensions.UI {
 	using System.Diagnostics.CodeAnalysis;
 	using System.Globalization;
 	using System.Linq;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Extensions.UI;
 	using DotNetOpenAuth.OpenId.Messages;
@@ -51,13 +53,11 @@ namespace DotNetOpenAuth.OpenId.Provider.Extensions.UI {
 		/// &lt;/Service&gt;
 		/// </example>
 		/// </remarks>
-		public static IEnumerable<Uri> GetRelyingPartyIconUrls(Realm realm, IDirectWebRequestHandler webRequestHandler) {
+		public static async Task<IEnumerable<Uri>> GetRelyingPartyIconUrlsAsync(Realm realm, IHostFactories hostFactories, CancellationToken cancellationToken) {
 			Requires.NotNull(realm, "realm");
-			Requires.NotNull(webRequestHandler, "webRequestHandler");
-			ErrorUtilities.VerifyArgumentNotNull(realm, "realm");
-			ErrorUtilities.VerifyArgumentNotNull(webRequestHandler, "webRequestHandler");
+			Requires.NotNull(hostFactories, "hostFactories");
 
-			XrdsDocument xrds = realm.Discover(webRequestHandler, false);
+			XrdsDocument xrds = await realm.DiscoverAsync(hostFactories, false, cancellationToken);
 			if (xrds == null) {
 				return Enumerable.Empty<Uri>();
 			} else {
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/HostProcessedRequest.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/HostProcessedRequest.cs
index 9c5004c..85d111e 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/HostProcessedRequest.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/HostProcessedRequest.cs
@@ -10,6 +10,8 @@ namespace DotNetOpenAuth.OpenId.Provider {
 	using System.Linq;
 	using System.Net;
 	using System.Text;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
 	using Validation;
@@ -22,7 +24,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// <summary>
 		/// The negative assertion to send, if the host site chooses to send it.
 		/// </summary>
-		private readonly NegativeAssertionResponse negativeResponse;
+		private readonly Lazy<Task<NegativeAssertionResponse>> negativeResponse;
 
 		/// <summary>
 		/// A cache of the result from discovery of the Realm URL.
@@ -38,7 +40,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			: base(request, provider.SecuritySettings) {
 			Requires.NotNull(provider, "provider");
 
-			this.negativeResponse = new NegativeAssertionResponse(request, provider.Channel);
+			this.negativeResponse = new Lazy<Task<NegativeAssertionResponse>>(() => NegativeAssertionResponse.CreateAsync(request, CancellationToken.None, provider.Channel));
 			Reporting.RecordEventOccurrence(this, request.Realm);
 		}
 
@@ -85,13 +87,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
-		/// Gets the negative response.
-		/// </summary>
-		protected NegativeAssertionResponse NegativeResponse {
-			get { return this.negativeResponse; }
-		}
-
-		/// <summary>
 		/// Gets the original request message.
 		/// </summary>
 		/// <value>This may be null in the case of an unrecognizable message.</value>
@@ -105,7 +100,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Gets a value indicating whether verification of the return URL claimed by the Relying Party
 		/// succeeded.
 		/// </summary>
-		/// <param name="requestHandler">The request handler.</param>
+		/// <param name="hostFactories">The host factories.</param>
 		/// <returns>
 		/// Result of realm discovery.
 		/// </returns>
@@ -115,9 +110,9 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// property getter multiple times in one request is not a performance hit.
 		/// See OpenID Authentication 2.0 spec section 9.2.1.
 		/// </remarks>
-		public RelyingPartyDiscoveryResult IsReturnUrlDiscoverable(IDirectWebRequestHandler requestHandler) {
+		public async Task<RelyingPartyDiscoveryResult> IsReturnUrlDiscoverableAsync(IHostFactories hostFactories, CancellationToken cancellationToken) {
 			if (!this.realmDiscoveryResult.HasValue) {
-				this.realmDiscoveryResult = this.IsReturnUrlDiscoverableCore(requestHandler);
+				this.realmDiscoveryResult = await this.IsReturnUrlDiscoverableCoreAsync(hostFactories, cancellationToken);
 			}
 
 			return this.realmDiscoveryResult.Value;
@@ -127,13 +122,12 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Gets a value indicating whether verification of the return URL claimed by the Relying Party
 		/// succeeded.
 		/// </summary>
-		/// <param name="requestHandler">The request handler.</param>
+		/// <param name="hostFactories">The host factories.</param>
 		/// <returns>
 		/// Result of realm discovery.
 		/// </returns>
-		private RelyingPartyDiscoveryResult IsReturnUrlDiscoverableCore(IDirectWebRequestHandler requestHandler) {
-			Requires.NotNull(requestHandler, "requestHandler");
-
+		private async Task<RelyingPartyDiscoveryResult> IsReturnUrlDiscoverableCoreAsync(IHostFactories hostFactories, CancellationToken cancellationToken) {
+			Requires.NotNull(hostFactories, "hostFactories");
 			ErrorUtilities.VerifyInternal(this.Realm != null, "Realm should have been read or derived by now.");
 
 			try {
@@ -142,7 +136,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 					return RelyingPartyDiscoveryResult.NoServiceDocument;
 				}
 
-				var returnToEndpoints = this.Realm.DiscoverReturnToEndpoints(requestHandler, false);
+				var returnToEndpoints = await this.Realm.DiscoverReturnToEndpointsAsync(hostFactories, false, cancellationToken);
 				if (returnToEndpoints == null) {
 					return RelyingPartyDiscoveryResult.NoServiceDocument;
 				}
@@ -178,5 +172,12 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		#endregion
+
+		/// <summary>
+		/// Gets the negative response.
+		/// </summary>
+		protected Task<NegativeAssertionResponse> GetNegativeResponseAsync() {
+			return this.negativeResponse.Value;
+		}
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/OpenIdProvider.cs
index d96e5c9..2c8f2b6 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/OpenIdProvider.cs
@@ -12,7 +12,9 @@ namespace DotNetOpenAuth.OpenId.Provider {
 	using System.ComponentModel;
 	using System.Diagnostics.CodeAnalysis;
 	using System.Linq;
+	using System.Net.Http;
 	using System.Threading;
+	using System.Threading.Tasks;
 	using System.Web;
 	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.Messaging;
@@ -53,7 +55,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
 		/// </summary>
 		public OpenIdProvider()
-			: this(OpenIdElement.Configuration.Provider.ApplicationStore.CreateInstance(HttpApplicationStore)) {
+			: this(OpenIdElement.Configuration.Provider.ApplicationStore.CreateInstance(GetHttpApplicationStore(), null)) {
 		}
 
 		/// <summary>
@@ -76,7 +78,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 
 			this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
 			this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
-			foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false)) {
+			foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false, null)) {
 				this.behaviors.Add(behavior);
 			}
 
@@ -92,25 +94,25 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Gets the standard state storage mechanism that uses ASP.NET's
 		/// HttpApplication state dictionary to store associations and nonces.
 		/// </summary>
-		[EditorBrowsable(EditorBrowsableState.Advanced)]
-		public static IOpenIdApplicationStore HttpApplicationStore {
-			get {
-				RequiresEx.ValidState(HttpContext.Current != null && HttpContext.Current.Request != null, MessagingStrings.HttpContextRequired);
-				HttpContext context = HttpContext.Current;
-				var store = (IOpenIdApplicationStore)context.Application[ApplicationStoreKey];
-				if (store == null) {
-					context.Application.Lock();
-					try {
-						if ((store = (IOpenIdApplicationStore)context.Application[ApplicationStoreKey]) == null) {
-							context.Application[ApplicationStoreKey] = store = new StandardProviderApplicationStore();
-						}
-					} finally {
-						context.Application.UnLock();
+		public static IOpenIdApplicationStore GetHttpApplicationStore(HttpContextBase context = null) {
+			if (context == null) {
+				ErrorUtilities.VerifyOperation(HttpContext.Current != null, Strings.StoreRequiredWhenNoHttpContextAvailable, typeof(IOpenIdApplicationStore).Name);
+				context = new HttpContextWrapper(HttpContext.Current);
+			}
+
+			var store = (IOpenIdApplicationStore)context.Application[ApplicationStoreKey];
+			if (store == null) {
+				context.Application.Lock();
+				try {
+					if ((store = (IOpenIdApplicationStore)context.Application[ApplicationStoreKey]) == null) {
+						context.Application[ApplicationStoreKey] = store = new StandardProviderApplicationStore();
 					}
+				} finally {
+					context.Application.UnLock();
 				}
-
-				return store;
 			}
+
+			return store;
 		}
 
 		/// <summary>
@@ -170,11 +172,10 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		public ICryptoKeyStore CryptoKeyStore { get; private set; }
 
 		/// <summary>
-		/// Gets the web request handler to use for discovery and the part of
-		/// authentication where direct messages are sent to an untrusted remote party.
+		/// Gets the factory for various dependencies.
 		/// </summary>
-		IDirectWebRequestHandler IOpenIdHost.WebRequestHandler {
-			get { return this.Channel.WebRequestHandler; }
+		IHostFactories IOpenIdHost.HostFactories {
+			get { return this.Channel.HostFactories; }
 		}
 
 		/// <summary>
@@ -197,14 +198,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
-		/// Gets the web request handler to use for discovery and the part of
-		/// authentication where direct messages are sent to an untrusted remote party.
-		/// </summary>
-		internal IDirectWebRequestHandler WebRequestHandler {
-			get { return this.Channel.WebRequestHandler; }
-		}
-
-		/// <summary>
 		/// Gets the incoming OpenID request if there is one, or null if none was detected.
 		/// </summary>
 		/// <returns>The request that the hosting Provider should possibly process and then transmit the response for.</returns>
@@ -216,8 +209,8 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// </remarks>
 		/// <exception cref="InvalidOperationException">Thrown if <see cref="HttpContext.Current">HttpContext.Current</see> == <c>null</c>.</exception>
 		/// <exception cref="ProtocolException">Thrown if the incoming message is recognized but deviates from the protocol specification irrecoverably.</exception>
-		public IRequest GetRequest() {
-			return this.GetRequest(this.Channel.GetRequestFromContext());
+		public Task<IRequest> GetRequestAsync(CancellationToken cancellationToken) {
+			return this.GetRequestAsync(this.Channel.GetRequestFromContext(), cancellationToken);
 		}
 
 		/// <summary>
@@ -235,12 +228,12 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// </remarks>
 		/// <exception cref="ProtocolException">Thrown if the incoming message is recognized
 		/// but deviates from the protocol specification irrecoverably.</exception>
-		public IRequest GetRequest(HttpRequestBase httpRequestInfo) {
+		public async Task<IRequest> GetRequestAsync(HttpRequestBase httpRequestInfo, CancellationToken cancellationToken) {
 			Requires.NotNull(httpRequestInfo, "httpRequestInfo");
 			IDirectedProtocolMessage incomingMessage = null;
 
 			try {
-				incomingMessage = this.Channel.ReadFromRequest(httpRequestInfo);
+				incomingMessage = await this.Channel.ReadFromRequestAsync(httpRequestInfo, cancellationToken);
 				if (incomingMessage == null) {
 					// If the incoming request does not resemble an OpenID message at all,
 					// it's probably a user who just navigated to this URL, and we should
@@ -303,89 +296,20 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
-		/// Sends the response to a received request.
-		/// </summary>
-		/// <param name="request">The incoming OpenID request whose response is to be sent.</param>
-		/// <exception cref="ThreadAbortException">Thrown by ASP.NET in order to prevent additional data from the page being sent to the client and corrupting the response.</exception>
-		/// <remarks>
-		/// <para>Requires an HttpContext.Current context.  If one is not available, the caller should use
-		/// <see cref="PrepareResponse"/> instead and manually send the <see cref="OutgoingWebResponse"/> 
-		/// to the client.</para>
-		/// </remarks>
-		/// <exception cref="InvalidOperationException">Thrown if <see cref="IRequest.IsResponseReady"/> is <c>false</c>.</exception>
-		[SuppressMessage("Microsoft.Performance", "CA1800:DoNotCastUnnecessarily", Justification = "Code Contract requires that we cast early.")]
-		[EditorBrowsable(EditorBrowsableState.Never)]
-		public void SendResponse(IRequest request) {
-			RequiresEx.ValidState(HttpContext.Current != null, MessagingStrings.CurrentHttpContextRequired);
-			Requires.NotNull(request, "request");
-			Requires.That(request.IsResponseReady, "request", OpenIdStrings.ResponseNotReady);
-
-			this.ApplyBehaviorsToResponse(request);
-			Request requestInternal = (Request)request;
-			this.Channel.Send(requestInternal.Response);
-		}
-
-		/// <summary>
-		/// Sends the response to a received request.
-		/// </summary>
-		/// <param name="request">The incoming OpenID request whose response is to be sent.</param>
-		/// <remarks>
-		/// <para>Requires an HttpContext.Current context.  If one is not available, the caller should use
-		/// <see cref="PrepareResponse"/> instead and manually send the <see cref="OutgoingWebResponse"/> 
-		/// to the client.</para>
-		/// </remarks>
-		/// <exception cref="InvalidOperationException">Thrown if <see cref="IRequest.IsResponseReady"/> is <c>false</c>.</exception>
-		[SuppressMessage("Microsoft.Performance", "CA1800:DoNotCastUnnecessarily", Justification = "Code Contract requires that we cast early.")]
-		public void Respond(IRequest request) {
-			RequiresEx.ValidState(HttpContext.Current != null, MessagingStrings.CurrentHttpContextRequired);
-			Requires.NotNull(request, "request");
-			Requires.That(request.IsResponseReady, "request", OpenIdStrings.ResponseNotReady);
-
-			this.ApplyBehaviorsToResponse(request);
-			Request requestInternal = (Request)request;
-			this.Channel.Respond(requestInternal.Response);
-		}
-
-		/// <summary>
 		/// Gets the response to a received request.
 		/// </summary>
 		/// <param name="request">The request.</param>
 		/// <returns>The response that should be sent to the client.</returns>
 		/// <exception cref="InvalidOperationException">Thrown if <see cref="IRequest.IsResponseReady"/> is <c>false</c>.</exception>
 		[SuppressMessage("Microsoft.Performance", "CA1800:DoNotCastUnnecessarily", Justification = "Code Contract requires that we cast early.")]
-		public OutgoingWebResponse PrepareResponse(IRequest request) {
+		public async Task<HttpResponseMessage> PrepareResponseAsync(IRequest request, CancellationToken cancellationToken) {
 			Requires.NotNull(request, "request");
 			Requires.That(request.IsResponseReady, "request", OpenIdStrings.ResponseNotReady);
 
-			this.ApplyBehaviorsToResponse(request);
+			await this.ApplyBehaviorsToResponseAsync(request, cancellationToken);
 			Request requestInternal = (Request)request;
-			return this.Channel.PrepareResponse(requestInternal.Response);
-		}
-
-		/// <summary>
-		/// Sends an identity assertion on behalf of one of this Provider's
-		/// members in order to redirect the user agent to a relying party
-		/// web site and log him/her in immediately in one uninterrupted step.
-		/// </summary>
-		/// <param name="providerEndpoint">The absolute URL on the Provider site that receives OpenID messages.</param>
-		/// <param name="relyingPartyRealm">The URL of the Relying Party web site.
-		/// This will typically be the home page, but may be a longer URL if
-		/// that Relying Party considers the scope of its realm to be more specific.
-		/// The URL provided here must allow discovery of the Relying Party's
-		/// XRDS document that advertises its OpenID RP endpoint.</param>
-		/// <param name="claimedIdentifier">The Identifier you are asserting your member controls.</param>
-		/// <param name="localIdentifier">The Identifier you know your user by internally.  This will typically
-		/// be the same as <paramref name="claimedIdentifier"/>.</param>
-		/// <param name="extensions">The extensions.</param>
-		public void SendUnsolicitedAssertion(Uri providerEndpoint, Realm relyingPartyRealm, Identifier claimedIdentifier, Identifier localIdentifier, params IExtensionMessage[] extensions) {
-			RequiresEx.ValidState(HttpContext.Current != null, MessagingStrings.HttpContextRequired);
-			Requires.NotNull(providerEndpoint, "providerEndpoint");
-			Requires.That(providerEndpoint.IsAbsoluteUri, "providerEndpoint", OpenIdStrings.AbsoluteUriRequired);
-			Requires.NotNull(relyingPartyRealm, "relyingPartyRealm");
-			Requires.NotNull(claimedIdentifier, "claimedIdentifier");
-			Requires.NotNull(localIdentifier, "localIdentifier");
-
-			this.PrepareUnsolicitedAssertion(providerEndpoint, relyingPartyRealm, claimedIdentifier, localIdentifier, extensions).Send();
+			var response = await requestInternal.GetResponseAsync(cancellationToken);
+			return await this.Channel.PrepareResponseAsync(response, cancellationToken);
 		}
 
 		/// <summary>
@@ -407,13 +331,13 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// A <see cref="OutgoingWebResponse"/> object describing the HTTP response to send
 		/// the user agent to allow the redirect with assertion to happen.
 		/// </returns>
-		public OutgoingWebResponse PrepareUnsolicitedAssertion(Uri providerEndpoint, Realm relyingPartyRealm, Identifier claimedIdentifier, Identifier localIdentifier, params IExtensionMessage[] extensions) {
+		public async Task<HttpResponseMessage> PrepareUnsolicitedAssertionAsync(Uri providerEndpoint, Realm relyingPartyRealm, Identifier claimedIdentifier, Identifier localIdentifier, CancellationToken cancellationToken = default(CancellationToken), params IExtensionMessage[] extensions) {
 			Requires.NotNull(providerEndpoint, "providerEndpoint");
 			Requires.That(providerEndpoint.IsAbsoluteUri, "providerEndpoint", OpenIdStrings.AbsoluteUriRequired);
 			Requires.NotNull(relyingPartyRealm, "relyingPartyRealm");
 			Requires.NotNull(claimedIdentifier, "claimedIdentifier");
 			Requires.NotNull(localIdentifier, "localIdentifier");
-			RequiresEx.ValidState(this.Channel.WebRequestHandler != null);
+			RequiresEx.ValidState(this.Channel.HostFactories != null);
 
 			// Although the RP should do their due diligence to make sure that this OP
 			// is authorized to send an assertion for the given claimed identifier,
@@ -421,7 +345,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			// and make sure that it is tied to this OP and OP local identifier.
 			if (this.SecuritySettings.UnsolicitedAssertionVerification != ProviderSecuritySettings.UnsolicitedAssertionVerificationLevel.NeverVerify) {
 				var serviceEndpoint = IdentifierDiscoveryResult.CreateForClaimedIdentifier(claimedIdentifier, localIdentifier, new ProviderEndpointDescription(providerEndpoint, Protocol.Default.Version), null, null);
-				var discoveredEndpoints = this.discoveryServices.Discover(claimedIdentifier);
+				var discoveredEndpoints = await this.discoveryServices.DiscoverAsync(claimedIdentifier, cancellationToken);
 				if (!discoveredEndpoints.Contains(serviceEndpoint)) {
 					Logger.OpenId.WarnFormat(
 						"Failed to send unsolicited assertion for {0} because its discovered services did not include this endpoint: {1}{2}{1}Discovered endpoints: {1}{3}",
@@ -439,7 +363,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 
 			Logger.OpenId.InfoFormat("Preparing unsolicited assertion for {0}", claimedIdentifier);
 			RelyingPartyEndpointDescription returnToEndpoint = null;
-			var returnToEndpoints = relyingPartyRealm.DiscoverReturnToEndpoints(this.WebRequestHandler, true);
+			var returnToEndpoints = await relyingPartyRealm.DiscoverReturnToEndpointsAsync(this.Channel.HostFactories, true, cancellationToken);
 			if (returnToEndpoints != null) {
 				returnToEndpoint = returnToEndpoints.FirstOrDefault();
 			}
@@ -458,7 +382,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			}
 
 			Reporting.RecordEventOccurrence(this, "PrepareUnsolicitedAssertion");
-			return this.Channel.PrepareResponse(positiveAssertion);
+			return await this.Channel.PrepareResponseAsync(positiveAssertion, cancellationToken);
 		}
 
 		#region IDisposable Members
@@ -491,11 +415,11 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Applies all behaviors to the response message.
 		/// </summary>
 		/// <param name="request">The request.</param>
-		private void ApplyBehaviorsToResponse(IRequest request) {
+		private async Task ApplyBehaviorsToResponseAsync(IRequest request, CancellationToken cancellationToken) {
 			var authRequest = request as IAuthenticationRequest;
 			if (authRequest != null) {
 				foreach (var behavior in this.Behaviors) {
-					if (behavior.OnOutgoingResponse(authRequest)) {
+					if (await behavior.OnOutgoingResponseAsync(authRequest, cancellationToken)) {
 						// This behavior matched this request.
 						break;
 					}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Request.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Request.cs
index ceabab3..93f8107 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Request.cs
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Provider/Request.cs
@@ -6,12 +6,14 @@
 
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
-	using System.Collections.Generic;
-	using System.Linq;
-	using System.Text;
-	using DotNetOpenAuth.Messaging;
-	using DotNetOpenAuth.OpenId.Messages;
-	using Validation;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using DotNetOpenAuth.Messaging;
+using DotNetOpenAuth.OpenId.Messages;
+using Validation;
 
 	/// <summary>
 	/// Implements the <see cref="IRequest"/> interface for all incoming
@@ -95,27 +97,26 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// Gets the response to send to the user agent.
 		/// </summary>
 		/// <exception cref="InvalidOperationException">Thrown if <see cref="IsResponseReady"/> is <c>false</c>.</exception>
-		internal IProtocolMessage Response {
-			get {
-				RequiresEx.ValidState(this.IsResponseReady, OpenIdStrings.ResponseNotReady);
-
-				if (this.responseExtensions.Count > 0) {
-					var extensibleResponse = this.ResponseMessage as IProtocolMessageWithExtensions;
-					ErrorUtilities.VerifyOperation(extensibleResponse != null, MessagingStrings.MessageNotExtensible, this.ResponseMessage.GetType().Name);
-					foreach (var extension in this.responseExtensions) {
-						// It's possible that a prior call to this property
-						// has already added some/all of the extensions to the message.
-						// We don't have to worry about deleting old ones because
-						// this class provides no facility for removing extensions
-						// that are previously added.
-						if (!extensibleResponse.Extensions.Contains(extension)) {
-							extensibleResponse.Extensions.Add(extension);
-						}
+		internal async Task<IProtocolMessage> GetResponseAsync(CancellationToken cancellationToken) {
+			RequiresEx.ValidState(this.IsResponseReady, OpenIdStrings.ResponseNotReady);
+
+			if (this.responseExtensions.Count > 0) {
+				var responseMessage = await this.GetResponseMessageAsync(cancellationToken);
+				var extensibleResponse = responseMessage as IProtocolMessageWithExtensions;
+				ErrorUtilities.VerifyOperation(extensibleResponse != null, MessagingStrings.MessageNotExtensible, responseMessage.GetType().Name);
+				foreach (var extension in this.responseExtensions) {
+					// It's possible that a prior call to this property
+					// has already added some/all of the extensions to the message.
+					// We don't have to worry about deleting old ones because
+					// this class provides no facility for removing extensions
+					// that are previously added.
+					if (!extensibleResponse.Extensions.Contains(extension)) {
+						extensibleResponse.Extensions.Add(extension);
 					}
 				}
-
-				return this.ResponseMessage;
 			}
+
+			return await this.GetResponseMessageAsync(cancellationToken);
 		}
 
 		#endregion
@@ -129,11 +130,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
-		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
-		/// </summary>
-		protected abstract IProtocolMessage ResponseMessage { get; }
-
-		/// <summary>
 		/// Gets the protocol version used in the request.
 		/// </summary>
 		protected Protocol Protocol {
@@ -203,5 +199,10 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		#endregion
+
+		/// <summary>
+		/// Gets the response message, once <see cref="IsResponseReady"/> is <c>true</c>.
+		/// </summary>
+		protected abstract Task<IProtocolMessage> GetResponseMessageAsync(CancellationToken cancellationToken);
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId.Provider/packages.config b/src/DotNetOpenAuth.OpenId.Provider/packages.config
index 58890d8..1d93cf5 100644
--- a/src/DotNetOpenAuth.OpenId.Provider/packages.config
+++ b/src/DotNetOpenAuth.OpenId.Provider/packages.config
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
+  <package id="Microsoft.Net.Http" version="2.0.20710.0" targetFramework="net45" />
   <package id="Validation" version="2.0.1.12362" targetFramework="net45" />
 </packages>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/OpenIdRelyingParty.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/OpenIdRelyingParty.cs
index 1841f6a..54f7cce 100644
--- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/OpenIdRelyingParty.cs
+++ b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/OpenIdRelyingParty.cs
@@ -160,7 +160,6 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// Gets the standard state storage mechanism that uses ASP.NET's
 		/// HttpApplication state dictionary to store associations and nonces.
 		/// </summary>
-		[EditorBrowsable(EditorBrowsableState.Advanced)]
 		public static IOpenIdApplicationStore GetHttpApplicationStore(HttpContextBase context = null) {
 			if (context == null) {
 				ErrorUtilities.VerifyOperation(HttpContext.Current != null, Strings.StoreRequiredWhenNoHttpContextAvailable, typeof(IOpenIdApplicationStore).Name);
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
index 0b96f7a..8f7767b 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
@@ -7,6 +7,7 @@
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
 	using System.Net.Http;
+	using System.Threading;
 	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
@@ -55,6 +56,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		///   <para>Return URL verification is only attempted if this method is called.</para>
 		///   <para>See OpenID Authentication 2.0 spec section 9.2.1.</para>
 		/// </remarks>
-		Task<RelyingPartyDiscoveryResult> IsReturnUrlDiscoverableAsync(HttpMessageHandler webRequestHandler);
+		Task<RelyingPartyDiscoveryResult> IsReturnUrlDiscoverableAsync(IHostFactories hostFactories, CancellationToken cancellationToken);
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IProviderBehavior.cs b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IProviderBehavior.cs
index 57fe66b..fb12763 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IProviderBehavior.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IProviderBehavior.cs
@@ -6,6 +6,8 @@
 
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.OpenId.ChannelElements;
 	using Validation;
 
@@ -47,6 +49,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// <c>true</c> if this behavior owns this request and wants to stop other behaviors
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
-		bool OnOutgoingResponse(IAuthenticationRequest request);
+		Task<bool> OnOutgoingResponseAsync(IAuthenticationRequest request, CancellationToken cancellationToken);
 	}
 }