authorAndrew Arnott <andrewarnott@gmail.com>2010-03-22 16:01:19 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2010-03-22 16:01:19 -0700
commit7564e90eefb61300f211d5d4fd2c3c9cf776ac34 (patch)
treebdc4b2b2bbcf202ea135175cd5deb91578e9b7f8 /src
parentb44eff9447fc1335c077b47d55f2e5db1439fcfc (diff)
This allows RPs to allow poor OPs to include empty openid.invalidate_handle arguments.
Blogger issues positive assertions to stateless RPs with empty openid.invalidate_handle parameters.
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs6
-rw-r--r--src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs6
2 files changed, 9 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
index 61825e8..f1bb5ac 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
@@ -47,7 +47,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
// really doesn't exist. OpenID 2.0 section 11.4.2.2.
IndirectSignedResponse signedResponse = new IndirectSignedResponse(request, provider.Channel);
string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
- if (invalidateHandle != null && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
+ if (!string.IsNullOrEmpty(invalidateHandle) && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
this.InvalidateHandle = invalidateHandle;
}
}
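Review bot: The visible part of the comment above this check still cites only OpenID 2.0 section 11.4.2.2 and does not say why an empty handle is now skipped, so the `!string.IsNullOrEmpty(invalidateHandle)` guard reads like a stylistic choice. A line such as `// An empty invalidate_handle (tolerated from 1.x senders) is treated as absent: no association lookup, nothing echoed back.` directly above the `if` would keep a later cleanup from tightening it back to a null check. The enclosing member and the start of that comment are outside the hunk.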
@@ -70,8 +70,10 @@ namespace DotNetOpenAuth.OpenId.Messages {
/// <para>This two-step process for invalidating associations is necessary
/// to prevent an attacker from invalidating an association at will by
/// adding "invalidate_handle" parameters to an authentication response.</para>
+ /// <para>For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.</para>
/// </remarks>
- [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false)]
+ [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")]
+ [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")]
internal string InvalidateHandle { get; set; }
}
}
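Review bot: With `AllowEmpty = true` on the `MaxVersion = "1.1"` part, `InvalidateHandle` can now hold an empty string instead of null, yet the only reader this commit updates is the `string.IsNullOrEmpty` check in the first hunk. The same attribute pair is added to `ITamperResistantOpenIdMessage.InvalidateHandle` in IndirectSignedResponse.cs, so the concern applies there too. Any relying-party code that tests these properties with `!= null` alone would treat the empty value as a real handle and attempt to invalidate an association with it. Those readers are not visible in this diff and should be audited to use the same `!string.IsNullOrEmpty(...)` guard. A test that feeds a 1.1 message with an empty `invalidate_handle`, and a 2.0 message that must still be rejected, would pin both halves of the version split.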
diff --git a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
index 2f02974..fff4cf6 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
@@ -207,7 +207,11 @@ namespace DotNetOpenAuth.OpenId.Messages {
/// Gets or sets the association handle that the Provider wants the Relying Party to not use any more.
/// </summary>
/// <value>If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.</value>
- [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false)]
+ /// <remarks>
+ /// For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.
+ /// </remarks>
+ [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")]
+ [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")]
string ITamperResistantOpenIdMessage.InvalidateHandle { get; set; }
/// <summary>