Fixes build breaks in DNOA.OpenId.

23 files changed, 885 insertions, 202 deletions

diff --git a/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj b/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
index a71223a..e539ea1 100644
--- a/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
+++ b/src/DotNetOpenAuth.Core/DotNetOpenAuth.Core.csproj
@@ -20,6 +20,7 @@
   </PropertyGroup>
   <ItemGroup>
     <Compile Include="Assumes.cs" />
+    <Compile Include="IHostFactories.cs" />
     <Compile Include="Messaging\Base64WebEncoder.cs" />
     <Compile Include="Messaging\Bindings\AsymmetricCryptoKeyStoreWrapper.cs" />
     <Compile Include="Messaging\Bindings\CryptoKey.cs" />
diff --git a/src/DotNetOpenAuth.Core/IHostFactories.cs b/src/DotNetOpenAuth.Core/IHostFactories.cs
new file mode 100644
index 0000000..d171ed8
--- /dev/null
+++ b/src/DotNetOpenAuth.Core/IHostFactories.cs
@@ -0,0 +1,41 @@
+//-----------------------------------------------------------------------
+// <copyright file="IHostFactories.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Net.Http;
+	using System.Text;
+	using System.Threading.Tasks;
+
+	/// <summary>
+	/// Provides the host application or tests with the ability to create standard message handlers or stubs.
+	/// </summary>
+	public interface IHostFactories {
+		/// <summary>
+		/// Initializes a new instance of a concrete derivation of <see cref="HttpMessageHandler"/> 
+		/// to be used for outbound HTTP traffic.
+		/// </summary>
+		/// <returns>An instance of <see cref="HttpMessageHandler"/>.</returns>
+		/// <remarks>
+		/// An instance of <see cref="WebRequestHandler"/> is recommended where available;
+		/// otherwise an instance of <see cref="HttpClientHandler"/> is recommended.
+		/// </remarks>
+		HttpMessageHandler CreateHttpMessageHandler();
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="HttpClient"/> class
+		/// to be used for outbound HTTP traffic.
+		/// </summary>
+		/// <param name="handler">
+		/// The handler to pass to the <see cref="HttpClient"/> constructor.
+		/// May be null to use the default that would be provided by <see cref="CreateHttpMessageHandler"/>.
+		/// </param>
+		/// <returns>An instance of <see cref="HttpClient"/>.</returns>
+		HttpClient CreateHttpClient(HttpMessageHandler handler = null);
+	}
+}
diff --git a/src/DotNetOpenAuth.Core/Messaging/Channel.cs b/src/DotNetOpenAuth.Core/Messaging/Channel.cs
index ad094e0..bff44e7 100644
--- a/src/DotNetOpenAuth.Core/Messaging/Channel.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/Channel.cs
@@ -149,30 +149,19 @@ namespace DotNetOpenAuth.Messaging {
 		private int maximumIndirectMessageUrlLength = Configuration.DotNetOpenAuthSection.Messaging.MaximumIndirectMessageUrlLength;
 
 		/// <summary>
-		/// Initializes a new instance of the <see cref="Channel"/> class.
-		/// </summary>
-		/// <param name="messageTypeProvider">
-		/// A class prepared to analyze incoming messages and indicate what concrete
-		/// message types can deserialize from it.
-		/// </param>
-		/// <param name="bindingElements">
-		/// The binding elements to use in sending and receiving messages.
-		/// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.
-		/// </param>
-		/// <param name="messageHandler">The HTTP handler to use for outgoing HTTP requests.</param>
-		protected Channel(IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements, HttpMessageHandler messageHandler = null) {
+		/// Initializes a new instance of the <see cref="Channel" /> class.
+		/// </summary>
+		/// <param name="messageTypeProvider">A class prepared to analyze incoming messages and indicate what concrete
+		/// message types can deserialize from it.</param>
+		/// <param name="bindingElements">The binding elements to use in sending and receiving messages.
+		/// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.</param>
+		/// <param name="hostFactories">The host factories.</param>
+		protected Channel(IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements, IHostFactories hostFactories) {
 			Requires.NotNull(messageTypeProvider, "messageTypeProvider");
-
-			messageHandler = messageHandler ?? new WebRequestHandler();
-			var httpHandler = messageHandler as WebRequestHandler;
-			if (httpHandler != null) {
-				// TODO: provide this as a recommendation to derived Channel types, but without tampering with 
-				// the setting once it has been provided to this constructor.
-				httpHandler.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
-			}
+			Requires.NotNull(hostFactories, "hostFactories");
 
 			this.messageTypeProvider = messageTypeProvider;
-			this.WebRequestHandler = new HttpClient(messageHandler);
+			this.HostFactories = hostFactories;
 			this.XmlDictionaryReaderQuotas = DefaultUntrustedXmlDictionaryReaderQuotas;
 
 			this.outgoingBindingElements = new List<IChannelBindingElement>(ValidateAndPrepareBindingElements(bindingElements));
@@ -190,14 +179,9 @@ namespace DotNetOpenAuth.Messaging {
 		internal event EventHandler<ChannelEventArgs> Sending;
 
 		/// <summary>
-		/// Gets or sets an instance to a <see cref="HttpClient"/> that will be used when 
-		/// submitting HTTP requests and waiting for responses.
+		/// Gets the host factories instance to use.
 		/// </summary>
-		/// <remarks>
-		/// This defaults to a straightforward implementation, but can be set
-		/// to a mock object for testing purposes.
-		/// </remarks>
-		public HttpClient WebRequestHandler { get; set; }
+		public IHostFactories HostFactories { get; private set; }
 
 		/// <summary>
 		/// Gets or sets the maximum allowable size for a 301 Redirect response before we send
@@ -557,8 +541,8 @@ namespace DotNetOpenAuth.Messaging {
 		/// <param name="response">The response that is anticipated to contain an protocol message.</param>
 		/// <returns>The deserialized message parts, if found.  Null otherwise.</returns>
 		/// <exception cref="ProtocolException">Thrown when the response is not valid.</exception>
-		internal IDictionary<string, string> ReadFromResponseCoreTestHook(HttpResponseMessage response) {
-			return this.ReadFromResponseCore(response);
+		internal Task<IDictionary<string, string>> ReadFromResponseCoreAsyncTestHook(HttpResponseMessage response) {
+			return this.ReadFromResponseCoreAsync(response);
 		}
 
 		/// <remarks>
@@ -689,22 +673,24 @@ namespace DotNetOpenAuth.Messaging {
 			IDictionary<string, string> responseFields;
 			IDirectResponseProtocolMessage responseMessage;
 
-			using (HttpResponseMessage response = await this.WebRequestHandler.SendAsync(webRequest)) {
-				if (response.Content == null) {
-					return null;
-				}
+			using (var httpClient = this.HostFactories.CreateHttpClient()) {
+				using (HttpResponseMessage response = await httpClient.SendAsync(webRequest)) {
+					if (response.Content == null) {
+						return null;
+					}
 
-				responseFields = this.ReadFromResponseCore(response);
-				if (responseFields == null) {
-					return null;
-				}
+					responseFields = await this.ReadFromResponseCoreAsync(response);
+					if (responseFields == null) {
+						return null;
+					}
 
-				responseMessage = this.MessageFactory.GetNewResponseMessage(request, responseFields);
-				if (responseMessage == null) {
-					return null;
-				}
+					responseMessage = this.MessageFactory.GetNewResponseMessage(request, responseFields);
+					if (responseMessage == null) {
+						return null;
+					}
 
-				this.OnReceivingDirectResponse(response, responseMessage);
+					this.OnReceivingDirectResponse(response, responseMessage);
+				}
 			}
 
 			var messageAccessor = this.MessageDescriptions.GetAccessor(responseMessage);
@@ -713,6 +699,11 @@ namespace DotNetOpenAuth.Messaging {
 			return responseMessage;
 		}
 
+		protected virtual HttpMessageHandler WrapMessageHandler(HttpMessageHandler innerHandler) {
+			// No wrapping by default.
+			return innerHandler;
+		}
+
 		/// <summary>
 		/// Called when receiving a direct response message, before deserialization begins.
 		/// </summary>
@@ -898,7 +889,7 @@ namespace DotNetOpenAuth.Messaging {
 		/// <param name="response">The response that is anticipated to contain an protocol message.</param>
 		/// <returns>The deserialized message parts, if found.  Null otherwise.</returns>
 		/// <exception cref="ProtocolException">Thrown when the response is not valid.</exception>
-		protected abstract IDictionary<string, string> ReadFromResponseCore(HttpResponseMessage response);
+		protected abstract Task<IDictionary<string, string>> ReadFromResponseCoreAsync(HttpResponseMessage response);
 
 		/// <summary>
 		/// Prepares an HTTP request that carries a given message.
diff --git a/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs b/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
index 3da62e9..267b003 100644
--- a/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/MessagingUtilities.cs
@@ -378,6 +378,29 @@ namespace DotNetOpenAuth.Messaging {
 			return GetPublicFacingUrl(request, request.ServerVariables);
 		}
 
+		internal static void DisposeIfNotNull(this IDisposable disposable) {
+			if (disposable != null) {
+				disposable.Dispose();
+			}
+		}
+
+		internal static HttpRequestMessage Clone(this HttpRequestMessage original, Uri newRequestUri = null) {
+			Requires.NotNull(original, "original");
+
+			var clone = new HttpRequestMessage(original.Method, newRequestUri ?? original.RequestUri);
+			clone.Content = original.Content;
+			foreach (var header in original.Headers) {
+				clone.Headers.Add(header.Key, header.Value);
+			}
+
+			foreach (var property in original.Properties) {
+				clone.Properties[property.Key] = property.Value;
+			}
+
+			clone.Version = original.Version;
+			return clone;
+		}
+
 		/// <summary>
 		/// Gets the URL to the root of a web site, which may include a virtual directory path.
 		/// </summary>
diff --git a/src/DotNetOpenAuth.Core/Messaging/StandardMessageFactoryChannel.cs b/src/DotNetOpenAuth.Core/Messaging/StandardMessageFactoryChannel.cs
index 9cb80b0..be37dc4 100644
--- a/src/DotNetOpenAuth.Core/Messaging/StandardMessageFactoryChannel.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/StandardMessageFactoryChannel.cs
@@ -35,8 +35,8 @@ namespace DotNetOpenAuth.Messaging {
 		/// The binding elements to use in sending and receiving messages.
 		/// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.
 		/// </param>
-		protected StandardMessageFactoryChannel(ICollection<Type> messageTypes, ICollection<Version> versions, params IChannelBindingElement[] bindingElements)
-			: base(new StandardMessageFactory(), bindingElements) {
+		protected StandardMessageFactoryChannel(ICollection<Type> messageTypes, ICollection<Version> versions, IChannelBindingElement[] bindingElements, IHostFactories hostFactories)
+			: base(new StandardMessageFactory(), bindingElements, hostFactories) {
 			Requires.NotNull(messageTypes, "messageTypes");
 			Requires.NotNull(versions, "versions");
 
diff --git a/src/DotNetOpenAuth.OpenId/DefaultOpenIdHostFactories.cs b/src/DotNetOpenAuth.OpenId/DefaultOpenIdHostFactories.cs
new file mode 100644
index 0000000..18ad727
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId/DefaultOpenIdHostFactories.cs
@@ -0,0 +1,54 @@
+//-----------------------------------------------------------------------
+// <copyright file="DefaultHostFactories.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Net.Cache;
+	using System.Net.Http;
+	using System.Text;
+	using System.Threading.Tasks;
+
+	/// <summary>
+	/// Creates default instances of required dependencies.
+	/// </summary>
+	public class DefaultOpenIdHostFactories : IHostFactories {
+		/// <summary>
+		/// Initializes a new instance of a concrete derivation of <see cref="HttpMessageHandler" />
+		/// to be used for outbound HTTP traffic.
+		/// </summary>
+		/// <returns>An instance of <see cref="HttpMessageHandler"/>.</returns>
+		/// <remarks>
+		/// An instance of <see cref="WebRequestHandler" /> is recommended where available;
+		/// otherwise an instance of <see cref="HttpClientHandler" /> is recommended.
+		/// </remarks>
+		public virtual HttpMessageHandler CreateHttpMessageHandler() {
+			var handler = new UntrustedWebRequestHandler();
+			handler.CachePolicy = new RequestCachePolicy(RequestCacheLevel.NoCacheNoStore);
+			return handler;
+		}
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="HttpClient" /> class
+		/// to be used for outbound HTTP traffic.
+		/// </summary>
+		/// <param name="handler">The handler to pass to the <see cref="HttpClient" /> constructor.
+		/// May be null to use the default that would be provided by <see cref="CreateHttpMessageHandler" />.</param>
+		/// <returns>
+		/// An instance of <see cref="HttpClient" />.
+		/// </returns>
+		public HttpClient CreateHttpClient(HttpMessageHandler handler) {
+			handler = handler ?? this.CreateHttpMessageHandler();
+			var untrustedHandler = handler as UntrustedWebRequestHandler;
+			if (untrustedHandler != null) {
+				return untrustedHandler.CreateClient();
+			} else {
+				return new HttpClient(handler);
+			}
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId/DotNetOpenAuth.OpenId.csproj b/src/DotNetOpenAuth.OpenId/DotNetOpenAuth.OpenId.csproj
index e238d58..e785719 100644
--- a/src/DotNetOpenAuth.OpenId/DotNetOpenAuth.OpenId.csproj
+++ b/src/DotNetOpenAuth.OpenId/DotNetOpenAuth.OpenId.csproj
@@ -30,6 +30,7 @@
     <Compile Include="Configuration\OpenIdRelyingPartyElement.cs" />
     <Compile Include="Configuration\OpenIdRelyingPartySecuritySettingsElement.cs" />
     <Compile Include="Configuration\XriResolverElement.cs" />
+    <Compile Include="DefaultOpenIdHostFactories.cs" />
     <Compile Include="OpenIdXrdsHelperRelyingParty.cs" />
     <Compile Include="OpenId\Association.cs" />
     <Compile Include="OpenId\AuthenticationRequestMode.cs" />
@@ -141,6 +142,7 @@
     <Compile Include="OpenId\Protocol.cs" />
     <Compile Include="OpenId\IOpenIdApplicationStore.cs" />
     <Compile Include="OpenId\RelyingParty\RelyingPartySecuritySettings.cs" />
+    <Compile Include="OpenId\UntrustedWebRequestHandler.cs" />
     <Compile Include="OpenId\UriDiscoveryService.cs" />
     <Compile Include="OpenId\XriDiscoveryProxyService.cs" />
     <Compile Include="OpenId\SecuritySettings.cs" />
@@ -183,6 +185,8 @@
     </ProjectReference>
   </ItemGroup>
   <ItemGroup>
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Net.Http.WebRequest" />
     <Reference Include="Validation">
       <HintPath>..\packages\Validation.2.0.1.12362\lib\portable-windows8+net40+sl5+windowsphone8\Validation.dll</HintPath>
       <Private>True</Private>
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/KeyValueFormEncoding.cs b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/KeyValueFormEncoding.cs
index 6ad66c0..c74a636 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/KeyValueFormEncoding.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/KeyValueFormEncoding.cs
@@ -11,6 +11,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 	using System.Globalization;
 	using System.IO;
 	using System.Text;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using Validation;
 
@@ -131,12 +132,12 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="data">The stream of Key-Value Form encoded bytes.</param>
 		/// <returns>The deserialized dictionary.</returns>
 		/// <exception cref="FormatException">Thrown when the data is not in the expected format.</exception>
-		public IDictionary<string, string> GetDictionary(Stream data) {
+		public async Task<IDictionary<string, string>> GetDictionaryAsync(Stream data) {
 			using (StreamReader reader = new StreamReader(data, textEncoding)) {
 				var dict = new Dictionary<string, string>();
 				int line_num = 0;
 				string line;
-				while ((line = reader.ReadLine()) != null) {
+				while ((line = await reader.ReadLineAsync()) != null) {
 					line_num++;
 					if (this.ConformanceLevel == KeyValueFormConformanceLevel.Loose) {
 						line = line.Trim();
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
index 5a6b8bb..eb4ca65 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
@@ -7,12 +7,18 @@
 namespace DotNetOpenAuth.OpenId.ChannelElements {
 	using System;
 	using System.Collections.Generic;
+	using System.Diagnostics;
 	using System.Diagnostics.CodeAnalysis;
 	using System.Globalization;
 	using System.IO;
 	using System.Linq;
 	using System.Net;
+	using System.Net.Http;
+	using System.Net.Http.Headers;
 	using System.Text;
+	using System.Threading.Tasks;
+
+	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.Messaging.Bindings;
 	using DotNetOpenAuth.OpenId.Extensions;
@@ -45,8 +51,8 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="messageTypeProvider">A class prepared to analyze incoming messages and indicate what concrete
 		/// message types can deserialize from it.</param>
 		/// <param name="bindingElements">The binding elements to use in sending and receiving messages.</param>
-		protected OpenIdChannel(IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements)
-			: base(messageTypeProvider, bindingElements) {
+		protected OpenIdChannel(IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements, IHostFactories hostFactories)
+			: base(messageTypeProvider, bindingElements, hostFactories ?? new DefaultOpenIdHostFactories()) {
 			Requires.NotNull(messageTypeProvider, "messageTypeProvider");
 
 			// Customize the binding element order, since we play some tricks for higher
@@ -68,11 +74,6 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 			}
 
 			this.CustomizeBindingElementOrder(outgoingBindingElements, incomingBindingElements);
-
-			// Change out the standard web request handler to reflect the standard
-			// OpenID pattern that outgoing web requests are to unknown and untrusted
-			// servers on the Internet.
-			this.WebRequestHandler = new UntrustedWebRequestHandler();
 		}
 
 		/// <summary>
@@ -120,7 +121,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <returns>
 		/// The <see cref="HttpWebRequest"/> prepared to send the request.
 		/// </returns>
-		protected override HttpWebRequest CreateHttpRequest(IDirectedProtocolMessage request) {
+		protected override HttpRequestMessage CreateHttpRequest(IDirectedProtocolMessage request) {
 			return this.InitializeRequestAsPost(request);
 		}
 
@@ -132,9 +133,11 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// The deserialized message parts, if found.  Null otherwise.
 		/// </returns>
 		/// <exception cref="ProtocolException">Thrown when the response is not valid.</exception>
-		protected override IDictionary<string, string> ReadFromResponseCore(IncomingWebResponse response) {
+		protected override async Task<IDictionary<string, string>> ReadFromResponseCoreAsync(HttpResponseMessage response) {
 			try {
-				return this.keyValueForm.GetDictionary(response.ResponseStream);
+				using (var responseStream = await response.Content.ReadAsStreamAsync()) {
+					return await this.keyValueForm.GetDictionaryAsync(responseStream);
+				}
 			} catch (FormatException ex) {
 				throw ErrorUtilities.Wrap(ex, ex.Message);
 			}
@@ -145,7 +148,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// </summary>
 		/// <param name="response">The HTTP direct response.</param>
 		/// <param name="message">The newly instantiated message, prior to deserialization.</param>
-		protected override void OnReceivingDirectResponse(IncomingWebResponse response, IDirectResponseProtocolMessage message) {
+		protected override void OnReceivingDirectResponse(HttpResponseMessage response, IDirectResponseProtocolMessage message) {
 			base.OnReceivingDirectResponse(response, message);
 
 			// Verify that the expected HTTP status code was used for the message,
@@ -155,10 +158,10 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 				var httpDirectResponse = message as IHttpDirectResponse;
 				if (httpDirectResponse != null) {
 					ErrorUtilities.VerifyProtocol(
-						httpDirectResponse.HttpStatusCode == response.Status,
+						httpDirectResponse.HttpStatusCode == response.StatusCode,
 						MessagingStrings.UnexpectedHttpStatusCode,
 						(int)httpDirectResponse.HttpStatusCode,
-						(int)response.Status);
+						(int)response.StatusCode);
 				}
 			}
 		}
@@ -174,55 +177,58 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <remarks>
 		/// This method implements spec V1.0 section 5.3.
 		/// </remarks>
-		protected override OutgoingWebResponse PrepareDirectResponse(IProtocolMessage response) {
+		protected override HttpResponseMessage PrepareDirectResponse(IProtocolMessage response) {
 			var messageAccessor = this.MessageDescriptions.GetAccessor(response);
 			var fields = messageAccessor.Serialize();
 			byte[] keyValueEncoding = KeyValueFormEncoding.GetBytes(fields);
 
-			OutgoingWebResponse preparedResponse = new OutgoingWebResponse();
+			var preparedResponse = new HttpResponseMessage();
 			ApplyMessageTemplate(response, preparedResponse);
-			preparedResponse.Headers.Add(HttpResponseHeader.ContentType, KeyValueFormContentType);
-			preparedResponse.OriginalMessage = response;
-			preparedResponse.ResponseStream = new MemoryStream(keyValueEncoding);
+			var content = new StreamContent(new MemoryStream(keyValueEncoding));
+			content.Headers.ContentType = new MediaTypeHeaderValue(KeyValueFormContentType);
+			preparedResponse.Content = content;
 
 			IHttpDirectResponse httpMessage = response as IHttpDirectResponse;
 			if (httpMessage != null) {
-				preparedResponse.Status = httpMessage.HttpStatusCode;
+				preparedResponse.StatusCode = httpMessage.HttpStatusCode;
 			}
 
 			return preparedResponse;
 		}
 
-		/// <summary>
-		/// Gets the direct response of a direct HTTP request.
-		/// </summary>
-		/// <param name="webRequest">The web request.</param>
-		/// <returns>The response to the web request.</returns>
-		/// <exception cref="ProtocolException">Thrown on network or protocol errors.</exception>
-		protected override IncomingWebResponse GetDirectResponse(HttpWebRequest webRequest) {
-			IncomingWebResponse response = this.WebRequestHandler.GetResponse(webRequest, DirectWebRequestOptions.AcceptAllHttpResponses);
-
-			// Filter the responses to the allowable set of HTTP status codes.
-			if (response.Status != HttpStatusCode.OK && response.Status != HttpStatusCode.BadRequest) {
-				if (Logger.Channel.IsErrorEnabled) {
-					using (var reader = new StreamReader(response.ResponseStream)) {
+		protected override HttpMessageHandler WrapMessageHandler(HttpMessageHandler innerHandler) {
+			return new ErrorFilteringMessageHandler(base.WrapMessageHandler(innerHandler));
+		}
+
+		private class ErrorFilteringMessageHandler : DelegatingHandler {
+			internal ErrorFilteringMessageHandler(HttpMessageHandler innerHandler)
+				: base(innerHandler) {
+			}
+
+			protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) {
+				var response = await base.SendAsync(request, cancellationToken);
+
+				// Filter the responses to the allowable set of HTTP status codes.
+				if (response.StatusCode != HttpStatusCode.OK && response.StatusCode != HttpStatusCode.BadRequest) {
+					if (Logger.Channel.IsErrorEnabled) {
+						var content = await response.Content.ReadAsStringAsync();
 						Logger.Channel.ErrorFormat(
 							"Unexpected HTTP status code {0} {1} received in direct response:{2}{3}",
-							(int)response.Status,
-							response.Status,
+							(int)response.StatusCode,
+							response.StatusCode,
 							Environment.NewLine,
-							reader.ReadToEnd());
+							content);
 					}
-				}
 
-				// Call dispose before throwing since we're not including the response in the
-				// exception we're throwing.
-				response.Dispose();
+					// Call dispose before throwing since we're not including the response in the
+					// exception we're throwing.
+					response.Dispose();
 
-				ErrorUtilities.ThrowProtocol(OpenIdStrings.UnexpectedHttpStatusCode, (int)response.Status, response.Status);
-			}
+					ErrorUtilities.ThrowProtocol(OpenIdStrings.UnexpectedHttpStatusCode, (int)response.StatusCode, response.StatusCode);
+				}
 
-			return response;
+				return response;
+			}
 		}
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/IIdentifierDiscoveryService.cs b/src/DotNetOpenAuth.OpenId/OpenId/IIdentifierDiscoveryService.cs
index 20b8f1c..4d1450e 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/IIdentifierDiscoveryService.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/IIdentifierDiscoveryService.cs
@@ -10,7 +10,11 @@ namespace DotNetOpenAuth.OpenId {
 	using System.Diagnostics.CodeAnalysis;
 	using System.Diagnostics.Contracts;
 	using System.Linq;
+	using System.Net.Http;
+	using System.Runtime.CompilerServices;
 	using System.Text;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.RelyingParty;
 	using Validation;
@@ -23,13 +27,38 @@ namespace DotNetOpenAuth.OpenId {
 		/// Performs discovery on the specified identifier.
 		/// </summary>
 		/// <param name="identifier">The identifier to perform discovery on.</param>
-		/// <param name="requestHandler">The means to place outgoing HTTP requests.</param>
 		/// <param name="abortDiscoveryChain">if set to <c>true</c>, no further discovery services will be called for this identifier.</param>
 		/// <returns>
 		/// A sequence of service endpoints yielded by discovery.  Must not be null, but may be empty.
 		/// </returns>
 		[SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "2#", Justification = "By design")]
-		[Pure]
-		IEnumerable<IdentifierDiscoveryResult> Discover(Identifier identifier, IDirectWebRequestHandler requestHandler, out bool abortDiscoveryChain);
+		Task<IdentifierDiscoveryServiceResult> DiscoverAsync(Identifier identifier, CancellationToken cancellationToken);
+	}
+
+	/// <summary>
+	/// Describes the result of <see cref="IIdentifierDiscoveryService.DiscoverAsync"/>.
+	/// </summary>
+	public class IdentifierDiscoveryServiceResult {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="IdentifierDiscoveryServiceResult" /> class.
+		/// </summary>
+		/// <param name="results">The results.</param>
+		/// <param name="abortDiscoveryChain">if set to <c>true</c>, no further discovery services will be called for this identifier.</param>
+		public IdentifierDiscoveryServiceResult(IEnumerable<IdentifierDiscoveryResult> results, bool abortDiscoveryChain = false) {
+			Requires.NotNull(results, "results");
+
+			this.Results = results;
+			this.AbortDiscoveryChain = abortDiscoveryChain;
+		}
+
+		/// <summary>
+		/// Gets the results from this individual discovery service.
+		/// </summary>
+		public IEnumerable<IdentifierDiscoveryResult> Results { get; private set; }
+
+		/// <summary>
+		/// Gets a value indicating whether no further discovery services should be called for this identifier.
+		/// </summary>
+		public bool AbortDiscoveryChain { get; private set; }
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/IOpenIdHost.cs b/src/DotNetOpenAuth.OpenId/OpenId/IOpenIdHost.cs
index 419cc84..0c5bf80 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/IOpenIdHost.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/IOpenIdHost.cs
@@ -8,6 +8,7 @@ namespace DotNetOpenAuth.OpenId {
 	using System;
 	using System.Collections.Generic;
 	using System.Linq;
+	using System.Net.Http;
 	using System.Text;
 	using DotNetOpenAuth.Messaging;
 
@@ -23,6 +24,6 @@ namespace DotNetOpenAuth.OpenId {
 		/// <summary>
 		/// Gets the web request handler.
 		/// </summary>
-		IDirectWebRequestHandler WebRequestHandler { get; }
+		IHostFactories HostFactories { get; }
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/IdentifierDiscoveryServices.cs b/src/DotNetOpenAuth.OpenId/OpenId/IdentifierDiscoveryServices.cs
index 1b20d4e..4d55c5c 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/IdentifierDiscoveryServices.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/IdentifierDiscoveryServices.cs
@@ -7,6 +7,9 @@
 namespace DotNetOpenAuth.OpenId {
 	using System.Collections.Generic;
 	using System.Linq;
+	using System.Runtime.CompilerServices;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.Messaging;
 	using Validation;
@@ -48,15 +51,14 @@ namespace DotNetOpenAuth.OpenId {
 		/// </summary>
 		/// <param name="identifier">The identifier to discover services for.</param>
 		/// <returns>A non-null sequence of services discovered for the identifier.</returns>
-		public IEnumerable<IdentifierDiscoveryResult> Discover(Identifier identifier) {
+		public async Task<IEnumerable<IdentifierDiscoveryResult>> DiscoverAsync(Identifier identifier, CancellationToken cancellationToken) {
 			Requires.NotNull(identifier, "identifier");
 
 			IEnumerable<IdentifierDiscoveryResult> results = Enumerable.Empty<IdentifierDiscoveryResult>();
 			foreach (var discoverer in this.DiscoveryServices) {
-				bool abortDiscoveryChain;
-				var discoveryResults = discoverer.Discover(identifier, this.host.WebRequestHandler, out abortDiscoveryChain).CacheGeneratedResults();
-				results = results.Concat(discoveryResults);
-				if (abortDiscoveryChain) {
+				var discoveryResults = await discoverer.DiscoverAsync(identifier, cancellationToken);
+				results = results.Concat(discoveryResults.Results.CacheGeneratedResults());
+				if (discoveryResults.AbortDiscoveryChain) {
 					Logger.OpenId.InfoFormat("Further discovery on '{0}' was stopped by the {1} discovery service.", identifier, discoverer.GetType().Name);
 					break;
 				}
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Messages/NegativeAssertionResponse.cs b/src/DotNetOpenAuth.OpenId/OpenId/Messages/NegativeAssertionResponse.cs
index 9aac107..d67e9fe 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Messages/NegativeAssertionResponse.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Messages/NegativeAssertionResponse.cs
@@ -9,6 +9,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 	using System.Collections.Generic;
 	using System.Linq;
 	using System.Text;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using Validation;
 
@@ -123,7 +124,8 @@ namespace DotNetOpenAuth.OpenId.Messages {
 			setupRequest.ReturnTo = immediateRequest.ReturnTo;
 			setupRequest.Realm = immediateRequest.Realm;
 			setupRequest.AssociationHandle = immediateRequest.AssociationHandle;
-			return channel.PrepareResponse(setupRequest).GetDirectUriRequest(channel);
+			var response = channel.PrepareResponse(setupRequest);
+			return response.GetDirectUriRequest();
 		}
 
 		/// <summary>
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/OpenIdUtilities.cs b/src/DotNetOpenAuth.OpenId/OpenId/OpenIdUtilities.cs
index e04a633..f0ed946 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/OpenIdUtilities.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/OpenIdUtilities.cs
@@ -11,7 +11,11 @@ namespace DotNetOpenAuth.OpenId {
 	using System.Globalization;
 	using System.IO;
 	using System.Linq;
+	using System.Net;
+	using System.Net.Cache;
+	using System.Net.Http;
 	using System.Text.RegularExpressions;
+	using System.Threading.Tasks;
 	using System.Web;
 	using System.Web.UI;
 	using DotNetOpenAuth.Messaging;
@@ -180,6 +184,50 @@ namespace DotNetOpenAuth.OpenId {
 			return fullyQualifiedRealm;
 		}
 
+		internal static HttpClient CreateHttpClient(this IHostFactories hostFactories, bool requireSsl, RequestCachePolicy cachePolicy = null) {
+			Requires.NotNull(hostFactories, "hostFactories");
+
+			var handler = hostFactories.CreateHttpMessageHandler();
+			var webRequestHandler = handler as WebRequestHandler;
+			var untrustedHandler = handler as UntrustedWebRequestHandler;
+			if (webRequestHandler != null) {
+				if (cachePolicy != null) {
+					webRequestHandler.CachePolicy = cachePolicy;
+				}
+			} else if (untrustedHandler != null) {
+				if (cachePolicy != null) {
+					untrustedHandler.CachePolicy = cachePolicy;
+				}
+
+				untrustedHandler.IsSslRequired = requireSsl;
+			} else {
+				Logger.Http.DebugFormat("Unable to set cache policy on unsupported {0}.", handler.GetType().FullName);
+			}
+
+			return hostFactories.CreateHttpClient(handler);
+		}
+
+		internal static Uri GetDirectUriRequest(this HttpResponseMessage response) {
+			Requires.NotNull(response, "response");
+			Requires.Argument(
+				response.StatusCode == HttpStatusCode.Redirect || response.StatusCode == HttpStatusCode.RedirectKeepVerb
+				|| response.StatusCode == HttpStatusCode.RedirectMethod || response.StatusCode == HttpStatusCode.TemporaryRedirect,
+				"response",
+				"Redirecting response expected.");
+			Requires.Argument(response.Headers.Location != null, "response", "Redirect URL header expected.");
+			Requires.Argument(response.Content == null || response.Content is FormUrlEncodedContent, "response", "FormUrlEncodedContent expected");
+
+			var builder = new UriBuilder(response.Headers.Location);
+			if (response.Content != null) {
+				var content = response.Content.ReadAsStringAsync();
+				Assumes.True(content.IsCompleted); // cached in memory, so it should never complete asynchronously.
+				var formFields = HttpUtility.ParseQueryString(content.Result).ToDictionary();
+				MessagingUtilities.AppendQueryArgs(builder, formFields);
+			}
+
+			return builder.Uri;
+		}
+
 		/// <summary>
 		/// Gets the extension factories from the extension aggregator on an OpenID channel.
 		/// </summary>
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
index 4a464b9..0b96f7a 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Provider/IHostProcessedRequest.cs
@@ -6,6 +6,8 @@
 
 namespace DotNetOpenAuth.OpenId.Provider {
 	using System;
+	using System.Net.Http;
+	using System.Threading.Tasks;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
 	using Validation;
@@ -53,6 +55,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		///   <para>Return URL verification is only attempted if this method is called.</para>
 		///   <para>See OpenID Authentication 2.0 spec section 9.2.1.</para>
 		/// </remarks>
-		RelyingPartyDiscoveryResult IsReturnUrlDiscoverable(IDirectWebRequestHandler webRequestHandler);
+		Task<RelyingPartyDiscoveryResult> IsReturnUrlDiscoverableAsync(HttpMessageHandler webRequestHandler);
 	}
 }
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/Realm.cs b/src/DotNetOpenAuth.OpenId/OpenId/Realm.cs
index c1a959e..eaf8088 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/Realm.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/Realm.cs
@@ -12,7 +12,10 @@ namespace DotNetOpenAuth.OpenId {
 	using System.Diagnostics.Contracts;
 	using System.Globalization;
 	using System.Linq;
+	using System.Net.Http;
 	using System.Text.RegularExpressions;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using System.Web;
 	using System.Xml;
 	using DotNetOpenAuth.Messaging;
@@ -415,15 +418,16 @@ namespace DotNetOpenAuth.OpenId {
 		/// Searches for an XRDS document at the realm URL, and if found, searches
 		/// for a description of a relying party endpoints (OpenId login pages).
 		/// </summary>
-		/// <param name="requestHandler">The mechanism to use for sending HTTP requests.</param>
+		/// <param name="hostFactories">The host factories.</param>
 		/// <param name="allowRedirects">Whether redirects may be followed when discovering the Realm.
 		/// This may be true when creating an unsolicited assertion, but must be
 		/// false when performing return URL verification per 2.0 spec section 9.2.1.</param>
+		/// <param name="cancellationToken">The cancellation token.</param>
 		/// <returns>
 		/// The details of the endpoints if found; or <c>null</c> if no service document was discovered.
 		/// </returns>
-		internal virtual IEnumerable<RelyingPartyEndpointDescription> DiscoverReturnToEndpoints(IDirectWebRequestHandler requestHandler, bool allowRedirects) {
-			XrdsDocument xrds = this.Discover(requestHandler, allowRedirects);
+		internal virtual async Task<IEnumerable<RelyingPartyEndpointDescription>> DiscoverReturnToEndpointsAsync(IHostFactories hostFactories, bool allowRedirects, CancellationToken cancellationToken) {
+			XrdsDocument xrds = await this.DiscoverAsync(hostFactories, allowRedirects, cancellationToken);
 			if (xrds != null) {
 				return xrds.FindRelyingPartyReceivingEndpoints();
 			}
@@ -441,9 +445,9 @@ namespace DotNetOpenAuth.OpenId {
 		/// <returns>
 		/// The XRDS document if found; or <c>null</c> if no service document was discovered.
 		/// </returns>
-		internal virtual XrdsDocument Discover(IDirectWebRequestHandler requestHandler, bool allowRedirects) {
+		internal virtual async Task<XrdsDocument> DiscoverAsync(IHostFactories hostFactories, bool allowRedirects, CancellationToken cancellationToken) {
 			// Attempt YADIS discovery
-			DiscoveryResult yadisResult = Yadis.Discover(requestHandler, this.UriWithWildcardChangedToWww, false);
+			DiscoveryResult yadisResult = await Yadis.DiscoverAsync(hostFactories, this.UriWithWildcardChangedToWww, false, cancellationToken);
 			if (yadisResult != null) {
 				// Detect disallowed redirects, since realm discovery never allows them for security.
 				ErrorUtilities.VerifyProtocol(allowRedirects || yadisResult.NormalizedUri == yadisResult.RequestUri, OpenIdStrings.RealmCausedRedirectUponDiscovery, yadisResult.RequestUri);
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/RelyingParty/IAuthenticationRequest.cs b/src/DotNetOpenAuth.OpenId/OpenId/RelyingParty/IAuthenticationRequest.cs
index 886029c..35a92e1 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/RelyingParty/IAuthenticationRequest.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/RelyingParty/IAuthenticationRequest.cs
@@ -8,6 +8,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	using System;
 	using System.Collections.Generic;
 	using System.Linq;
+	using System.Net.Http;
 	using System.Text;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.Messages;
@@ -27,7 +28,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// Gets the HTTP response the relying party should send to the user agent 
 		/// to redirect it to the OpenID Provider to start the OpenID authentication process.
 		/// </summary>
-		OutgoingWebResponse RedirectingResponse { get; }
+		HttpResponseMessage RedirectingResponse { get; }
 
 		/// <summary>
 		/// Gets the URL that the user agent will return to after authentication
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/UntrustedWebRequestHandler.cs b/src/DotNetOpenAuth.OpenId/OpenId/UntrustedWebRequestHandler.cs
new file mode 100644
index 0000000..c61ac7f
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId/OpenId/UntrustedWebRequestHandler.cs
@@ -0,0 +1,405 @@
+//-----------------------------------------------------------------------
+// <copyright file="UntrustedWebRequestHandler.cs" company="Outercurve Foundation">
+//     Copyright (c) Outercurve Foundation. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId {
+	using System;
+	using System.Collections.Generic;
+	using System.Diagnostics;
+	using System.Diagnostics.CodeAnalysis;
+	using System.Diagnostics.Contracts;
+	using System.Globalization;
+	using System.IO;
+	using System.Net;
+	using System.Net.Cache;
+	using System.Net.Http;
+	using System.Text.RegularExpressions;
+	using System.Threading;
+	using System.Threading.Tasks;
+	using DotNetOpenAuth.Configuration;
+	using DotNetOpenAuth.Messaging;
+	using Validation;
+
+	/// <summary>
+	/// A paranoid HTTP get/post request engine.  It helps to protect against attacks from remote
+	/// server leaving dangling connections, sending too much data, causing requests against 
+	/// internal servers, etc.
+	/// </summary>
+	/// <remarks>
+	/// Protections include:
+	/// * Conservative maximum time to receive the complete response.
+	/// * Only HTTP and HTTPS schemes are permitted.
+	/// * Internal IP address ranges are not permitted: 127.*.*.*, 1::*
+	/// * Internal host names are not permitted (periods must be found in the host name)
+	/// If a particular host would be permitted but is in the blacklist, it is not allowed.
+	/// If a particular host would not be permitted but is in the whitelist, it is allowed.
+	/// </remarks>
+	public class UntrustedWebRequestHandler : HttpMessageHandler {
+		/// <summary>
+		/// The set of URI schemes allowed in untrusted web requests.
+		/// </summary>
+		private ICollection<string> allowableSchemes = new List<string> { "http", "https" };
+
+		/// <summary>
+		/// The collection of blacklisted hosts.
+		/// </summary>
+		private ICollection<string> blacklistHosts = new List<string>(Configuration.BlacklistHosts.KeysAsStrings);
+
+		/// <summary>
+		/// The collection of regular expressions used to identify additional blacklisted hosts.
+		/// </summary>
+		private ICollection<Regex> blacklistHostsRegex = new List<Regex>(Configuration.BlacklistHostsRegex.KeysAsRegexs);
+
+		/// <summary>
+		/// The collection of whitelisted hosts.
+		/// </summary>
+		private ICollection<string> whitelistHosts = new List<string>(Configuration.WhitelistHosts.KeysAsStrings);
+
+		/// <summary>
+		/// The collection of regular expressions used to identify additional whitelisted hosts.
+		/// </summary>
+		private ICollection<Regex> whitelistHostsRegex = new List<Regex>(Configuration.WhitelistHostsRegex.KeysAsRegexs);
+
+		/// <summary>
+		/// The maximum redirections to follow in the course of a single request.
+		/// </summary>
+		[DebuggerBrowsable(DebuggerBrowsableState.Never)]
+		private int maximumRedirections = Configuration.MaximumRedirections;
+
+		private readonly InternalWebRequestHandler innerHandler;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="UntrustedWebRequestHandler" /> class.
+		/// </summary>
+		/// <param name="innerHandler">
+		/// The inner handler. This handler will be modified to suit the purposes of this wrapping handler,
+		/// and should not be used independently of this wrapper after construction of this object.
+		/// </param>
+		public UntrustedWebRequestHandler(WebRequestHandler innerHandler = null) {
+			this.innerHandler = new InternalWebRequestHandler(innerHandler ?? new WebRequestHandler());
+
+			// If SSL is required throughout, we cannot allow auto redirects because
+			// it may include a pass through an unprotected HTTP request.
+			// We have to follow redirects manually.
+			// It also allows us to ignore HttpWebResponse.FinalUri since that can be affected by
+			// the Content-Location header and open security holes.
+			this.MaxAutomaticRedirections = Configuration.MaximumRedirections;
+			this.InnerWebRequestHandler.AllowAutoRedirect = false;
+
+			if (Debugger.IsAttached) {
+				// Since a debugger is attached, requests may be MUCH slower,
+				// so give ourselves huge timeouts.
+				this.InnerWebRequestHandler.ReadWriteTimeout = (int)TimeSpan.FromHours(1).TotalMilliseconds;
+			} else {
+				this.InnerWebRequestHandler.ReadWriteTimeout = (int)Configuration.ReadWriteTimeout.TotalMilliseconds;
+			}
+		}
+
+		protected WebRequestHandler InnerWebRequestHandler {
+			get { return (WebRequestHandler)this.innerHandler.InnerHandler; }
+		}
+
+		/// <summary>
+		/// Gets or sets a value indicating whether all requests must use SSL.
+		/// </summary>
+		/// <value>
+		/// <c>true</c> if SSL is required; otherwise, <c>false</c>.
+		/// </value>
+		public bool IsSslRequired { get; set; }
+
+		/// <summary>
+		/// Gets or sets the cache policy.
+		/// </summary>
+		public RequestCachePolicy CachePolicy {
+			get { return this.InnerWebRequestHandler.CachePolicy; }
+			set { this.InnerWebRequestHandler.CachePolicy = value; }
+		}
+
+		/// <summary>
+		/// Gets or sets the total number of redirections to allow on any one request.
+		/// Default is 10.
+		/// </summary>
+		public int MaxAutomaticRedirections {
+			get {
+				return this.maximumRedirections;
+			}
+
+			set {
+				Requires.Range(value >= 0, "value");
+				this.maximumRedirections = value;
+			}
+		}
+
+		/// <summary>
+		/// Gets or sets the time (in milliseconds) allowed to wait for single read or write operation to complete.
+		/// Default is 500 milliseconds.
+		/// </summary>
+		public int ReadWriteTimeout {
+			get { return this.InnerWebRequestHandler.ReadWriteTimeout; }
+			set { this.InnerWebRequestHandler.ReadWriteTimeout = value; }
+		}
+
+		/// <summary>
+		/// Gets a collection of host name literals that should be allowed even if they don't
+		/// pass standard security checks.
+		/// </summary>
+		[SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Whitelist",
+			Justification = "Spelling as intended.")]
+		public ICollection<string> WhitelistHosts {
+			get {
+				return this.whitelistHosts;
+			}
+		}
+
+		/// <summary>
+		/// Gets a collection of host name regular expressions that indicate hosts that should
+		/// be allowed even though they don't pass standard security checks.
+		/// </summary>
+		[SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Whitelist",
+			Justification = "Spelling as intended.")]
+		public ICollection<Regex> WhitelistHostsRegex {
+			get {
+				return this.whitelistHostsRegex;
+			}
+		}
+
+		/// <summary>
+		/// Gets a collection of host name literals that should be rejected even if they 
+		/// pass standard security checks.
+		/// </summary>
+		public ICollection<string> BlacklistHosts {
+			get {
+				return this.blacklistHosts;
+			}
+		}
+
+		/// <summary>
+		/// Gets a collection of host name regular expressions that indicate hosts that should
+		/// be rejected even if they pass standard security checks.
+		/// </summary>
+		public ICollection<Regex> BlacklistHostsRegex {
+			get {
+				return this.blacklistHostsRegex;
+			}
+		}
+
+		/// <summary>
+		/// Gets the configuration for this class that is specified in the host's .config file.
+		/// </summary>
+		private static UntrustedWebRequestElement Configuration {
+			get { return DotNetOpenAuthSection.Messaging.UntrustedWebRequest; }
+		}
+
+		public HttpClient CreateClient() {
+			var client = new HttpClient(this);
+			client.MaxResponseContentBufferSize = Configuration.MaximumBytesToRead;
+
+			if (Debugger.IsAttached) {
+				// Since a debugger is attached, requests may be MUCH slower,
+				// so give ourselves huge timeouts.
+				client.Timeout = TimeSpan.FromHours(1);
+			} else {
+				client.Timeout = Configuration.Timeout;
+			}
+
+			return client;
+		}
+
+		protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) {
+			this.EnsureAllowableRequestUri(request.RequestUri);
+
+			// Since we may require SSL for every redirect, we handle each redirect manually
+			// in order to detect and fail if any redirect sends us to an HTTP url.
+			// We COULD allow automatic redirect in the cases where HTTPS is not required,
+			// but our mock request infrastructure can't do redirects on its own either.
+			Uri originalRequestUri = request.RequestUri;
+			int i;
+			for (i = 0; i < this.MaxAutomaticRedirections; i++) {
+				this.EnsureAllowableRequestUri(request.RequestUri);
+				var response = await this.innerHandler.SendAsync(request, cancellationToken);
+				if (response.StatusCode == HttpStatusCode.MovedPermanently || response.StatusCode == HttpStatusCode.Redirect
+					|| response.StatusCode == HttpStatusCode.RedirectMethod || response.StatusCode == HttpStatusCode.RedirectKeepVerb) {
+					// We have no copy of the post entity stream to repeat on our manually
+					// cloned HttpWebRequest, so we have to bail.
+					ErrorUtilities.VerifyProtocol(request.Method != HttpMethod.Post, MessagingStrings.UntrustedRedirectsOnPOSTNotSupported);
+					Uri redirectUri = new Uri(request.RequestUri, response.Headers.Location);
+					request = request.Clone(redirectUri);
+				} else {
+					return response;
+				}
+			}
+
+			throw ErrorUtilities.ThrowProtocol(MessagingStrings.TooManyRedirects, originalRequestUri);
+		}
+
+		/// <summary>
+		/// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
+		/// </summary>
+		/// <param name="ip">The ip address to check.</param>
+		/// <returns>
+		/// 	<c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
+		/// </returns>
+		private static bool IsIPv6Loopback(IPAddress ip) {
+			Requires.NotNull(ip, "ip");
+			byte[] addressBytes = ip.GetAddressBytes();
+			for (int i = 0; i < addressBytes.Length - 1; i++) {
+				if (addressBytes[i] != 0) {
+					return false;
+				}
+			}
+			if (addressBytes[addressBytes.Length - 1] != 1) {
+				return false;
+			}
+			return true;
+		}
+
+		/// <summary>
+		/// Determines whether the given host name is in a host list or host name regex list.
+		/// </summary>
+		/// <param name="host">The host name.</param>
+		/// <param name="stringList">The list of host names.</param>
+		/// <param name="regexList">The list of regex patterns of host names.</param>
+		/// <returns>
+		/// 	<c>true</c> if the specified host falls within at least one of the given lists; otherwise, <c>false</c>.
+		/// </returns>
+		private static bool IsHostInList(string host, ICollection<string> stringList, ICollection<Regex> regexList) {
+			Requires.NotNullOrEmpty(host, "host");
+			Requires.NotNull(stringList, "stringList");
+			Requires.NotNull(regexList, "regexList");
+			foreach (string testHost in stringList) {
+				if (string.Equals(host, testHost, StringComparison.OrdinalIgnoreCase)) {
+					return true;
+				}
+			}
+			foreach (Regex regex in regexList) {
+				if (regex.IsMatch(host)) {
+					return true;
+				}
+			}
+			return false;
+		}
+
+		/// <summary>
+		/// Determines whether a given host is whitelisted.
+		/// </summary>
+		/// <param name="host">The host name to test.</param>
+		/// <returns>
+		/// 	<c>true</c> if the host is whitelisted; otherwise, <c>false</c>.
+		/// </returns>
+		private bool IsHostWhitelisted(string host) {
+			return IsHostInList(host, this.WhitelistHosts, this.WhitelistHostsRegex);
+		}
+
+		/// <summary>
+		/// Determines whether a given host is blacklisted.
+		/// </summary>
+		/// <param name="host">The host name to test.</param>
+		/// <returns>
+		/// 	<c>true</c> if the host is blacklisted; otherwise, <c>false</c>.
+		/// </returns>
+		private bool IsHostBlacklisted(string host) {
+			return IsHostInList(host, this.BlacklistHosts, this.BlacklistHostsRegex);
+		}
+
+		/// <summary>
+		/// Verify that the request qualifies under our security policies
+		/// </summary>
+		/// <param name="requestUri">The request URI.</param>
+		/// <param name="requireSsl">If set to <c>true</c>, only web requests that can be made entirely over SSL will succeed.</param>
+		/// <exception cref="ProtocolException">Thrown when the URI is disallowed for security reasons.</exception>
+		private void EnsureAllowableRequestUri(Uri requestUri) {
+			ErrorUtilities.VerifyProtocol(
+				this.IsUriAllowable(requestUri), MessagingStrings.UnsafeWebRequestDetected, requestUri);
+			ErrorUtilities.VerifyProtocol(
+				!this.IsSslRequired || string.Equals(requestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase),
+				MessagingStrings.InsecureWebRequestWithSslRequired,
+				requestUri);
+		}
+
+		/// <summary>
+		/// Determines whether a URI is allowed based on scheme and host name.
+		/// No requireSSL check is done here
+		/// </summary>
+		/// <param name="uri">The URI to test for whether it should be allowed.</param>
+		/// <returns>
+		/// 	<c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
+		/// </returns>
+		private bool IsUriAllowable(Uri uri) {
+			Requires.NotNull(uri, "uri");
+			if (!this.allowableSchemes.Contains(uri.Scheme)) {
+				Logger.Http.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
+				return false;
+			}
+
+			// Allow for whitelist or blacklist to override our detection.
+			Func<string, bool> failsUnlessWhitelisted = (string reason) => {
+				if (IsHostWhitelisted(uri.DnsSafeHost)) {
+					return true;
+				}
+				Logger.Http.WarnFormat("Rejecting URL {0} because {1}.", uri, reason);
+				return false;
+			};
+
+			// Try to interpret the hostname as an IP address so we can test for internal
+			// IP address ranges.  Note that IP addresses can appear in many forms 
+			// (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
+			// So we convert them to a canonical IPAddress instance, and test for all
+			// non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1
+			// Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
+			IPAddress hostIPAddress;
+			if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress)) {
+				byte[] addressBytes = hostIPAddress.GetAddressBytes();
+
+				// The host is actually an IP address.
+				switch (hostIPAddress.AddressFamily) {
+					case System.Net.Sockets.AddressFamily.InterNetwork:
+						if (addressBytes[0] == 127 || addressBytes[0] == 10) {
+							return failsUnlessWhitelisted("it is a loopback address.");
+						}
+						break;
+					case System.Net.Sockets.AddressFamily.InterNetworkV6:
+						if (IsIPv6Loopback(hostIPAddress)) {
+							return failsUnlessWhitelisted("it is a loopback address.");
+						}
+						break;
+					default:
+						return failsUnlessWhitelisted("it does not use an IPv4 or IPv6 address.");
+				}
+			} else {
+				// The host is given by name.  We require names to contain periods to
+				// help make sure it's not an internal address.
+				if (!uri.Host.Contains(".")) {
+					return failsUnlessWhitelisted("it does not contain a period in the host name.");
+				}
+			}
+			if (this.IsHostBlacklisted(uri.DnsSafeHost)) {
+				Logger.Http.WarnFormat("Rejected URL {0} because it is blacklisted.", uri);
+				return false;
+			}
+			return true;
+		}
+
+		/// <summary>
+		/// A <see cref="DelegatingHandler"/> derived type that makes its SendAsync method available internally.
+		/// </summary>
+		private class InternalWebRequestHandler : DelegatingHandler {
+			internal InternalWebRequestHandler(HttpMessageHandler innerHandler)
+				: base(innerHandler) {
+			}
+
+			/// <summary>
+			/// Creates an instance of  <see cref="T:System.Net.Http.HttpResponseMessage" /> based on the information provided in the <see cref="T:System.Net.Http.HttpRequestMessage" /> as an operation that will not block.
+			/// </summary>
+			/// <param name="request">The HTTP request message.</param>
+			/// <param name="cancellationToken">A cancellation token to cancel the operation.</param>
+			/// <returns>
+			/// Returns <see cref="T:System.Threading.Tasks.Task`1" />.The task object representing the asynchronous operation.
+			/// </returns>
+			protected internal new Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) {
+				return base.SendAsync(request, cancellationToken);
+			}
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/UriDiscoveryService.cs b/src/DotNetOpenAuth.OpenId/OpenId/UriDiscoveryService.cs
index c262ac9..25eebe6 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/UriDiscoveryService.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/UriDiscoveryService.cs
@@ -8,14 +8,19 @@ namespace DotNetOpenAuth.OpenId {
 	using System;
 	using System.Collections.Generic;
 	using System.Linq;
+	using System.Net.Http;
+	using System.Runtime.CompilerServices;
 	using System.Text;
 	using System.Text.RegularExpressions;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using System.Web.UI.HtmlControls;
 	using System.Xml;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId.RelyingParty;
 	using DotNetOpenAuth.Xrds;
 	using DotNetOpenAuth.Yadis;
+	using Validation;
 
 	/// <summary>
 	/// The discovery service for URI identifiers.
@@ -24,10 +29,14 @@ namespace DotNetOpenAuth.OpenId {
 		/// <summary>
 		/// Initializes a new instance of the <see cref="UriDiscoveryService"/> class.
 		/// </summary>
-		public UriDiscoveryService() {
+		public UriDiscoveryService(IHostFactories hostFactories) {
+			Requires.NotNull(hostFactories, "hostFactories");
+			this.HostFactories = hostFactories;
 		}
 
-		#region IDiscoveryService Members
+		public IHostFactories HostFactories { get; private set; }
+
+		#region IIdentifierDiscoveryService Members
 
 		/// <summary>
 		/// Performs discovery on the specified identifier.
@@ -38,17 +47,20 @@ namespace DotNetOpenAuth.OpenId {
 		/// <returns>
 		/// A sequence of service endpoints yielded by discovery.  Must not be null, but may be empty.
 		/// </returns>
-		public IEnumerable<IdentifierDiscoveryResult> Discover(Identifier identifier, IDirectWebRequestHandler requestHandler, out bool abortDiscoveryChain) {
-			abortDiscoveryChain = false;
+		public async Task<IdentifierDiscoveryServiceResult> DiscoverAsync(Identifier identifier, CancellationToken cancellationToken) {
+			Requires.NotNull(identifier, "identifier");
+			cancellationToken.ThrowIfCancellationRequested();
+
 			var uriIdentifier = identifier as UriIdentifier;
 			if (uriIdentifier == null) {
-				return Enumerable.Empty<IdentifierDiscoveryResult>();
+				return new IdentifierDiscoveryServiceResult(Enumerable.Empty<IdentifierDiscoveryResult>());
 			}
 
 			var endpoints = new List<IdentifierDiscoveryResult>();
 
 			// Attempt YADIS discovery
-			DiscoveryResult yadisResult = Yadis.Discover(requestHandler, uriIdentifier, identifier.IsDiscoverySecureEndToEnd);
+			DiscoveryResult yadisResult = await Yadis.DiscoverAsync(this.HostFactories, uriIdentifier, identifier.IsDiscoverySecureEndToEnd, cancellationToken);
+			cancellationToken.ThrowIfCancellationRequested();
 			if (yadisResult != null) {
 				if (yadisResult.IsXrds) {
 					try {
@@ -67,7 +79,7 @@ namespace DotNetOpenAuth.OpenId {
 
 				// Failing YADIS discovery of an XRDS document, we try HTML discovery.
 				if (endpoints.Count == 0) {
-					yadisResult.TryRevertToHtmlResponse();
+					await yadisResult.TryRevertToHtmlResponseAsync();
 					var htmlEndpoints = new List<IdentifierDiscoveryResult>(DiscoverFromHtml(yadisResult.NormalizedUri, uriIdentifier, yadisResult.ResponseText));
 					if (htmlEndpoints.Any()) {
 						Logger.Yadis.DebugFormat("Total services discovered in HTML: {0}", htmlEndpoints.Count);
@@ -83,7 +95,8 @@ namespace DotNetOpenAuth.OpenId {
 					Logger.Yadis.Debug("Skipping HTML discovery because XRDS contained service endpoints.");
 				}
 			}
-			return endpoints;
+
+			return new IdentifierDiscoveryServiceResult(endpoints);
 		}
 
 		#endregion
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs b/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
index a3e8345..0f9b746 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/XriDiscoveryProxyService.cs
@@ -10,7 +10,11 @@ namespace DotNetOpenAuth.OpenId {
 	using System.Diagnostics.CodeAnalysis;
 	using System.Globalization;
 	using System.Linq;
+	using System.Net.Http;
+	using System.Runtime.CompilerServices;
 	using System.Text;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using System.Xml;
 	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.Messaging;
@@ -39,28 +43,34 @@ namespace DotNetOpenAuth.OpenId {
 		/// <summary>
 		/// Initializes a new instance of the <see cref="XriDiscoveryProxyService"/> class.
 		/// </summary>
-		public XriDiscoveryProxyService() {
+		public XriDiscoveryProxyService(IHostFactories hostFactories) {
+			Requires.NotNull(hostFactories, "hostFactories");
+			this.HostFactories = hostFactories;
 		}
 
+		public IHostFactories HostFactories { get; private set; }
+
 		#region IDiscoveryService Members
 
 		/// <summary>
 		/// Performs discovery on the specified identifier.
 		/// </summary>
 		/// <param name="identifier">The identifier to perform discovery on.</param>
-		/// <param name="requestHandler">The means to place outgoing HTTP requests.</param>
-		/// <param name="abortDiscoveryChain">if set to <c>true</c>, no further discovery services will be called for this identifier.</param>
+		/// <param name="cancellationToken">The cancellation token.</param>
 		/// <returns>
 		/// A sequence of service endpoints yielded by discovery.  Must not be null, but may be empty.
 		/// </returns>
-		public IEnumerable<IdentifierDiscoveryResult> Discover(Identifier identifier, IDirectWebRequestHandler requestHandler, out bool abortDiscoveryChain) {
-			abortDiscoveryChain = false;
+		public async Task<IdentifierDiscoveryServiceResult> DiscoverAsync(Identifier identifier, CancellationToken cancellationToken) {
+			Requires.NotNull(identifier, "identifier");
+
 			var xriIdentifier = identifier as XriIdentifier;
 			if (xriIdentifier == null) {
-				return Enumerable.Empty<IdentifierDiscoveryResult>();
+				return new IdentifierDiscoveryServiceResult(Enumerable.Empty<IdentifierDiscoveryResult>());
 			}
 
-			return DownloadXrds(xriIdentifier, requestHandler).XrdElements.CreateServiceEndpoints(xriIdentifier);
+			var xrds = await DownloadXrdsAsync(xriIdentifier, this.HostFactories, cancellationToken);
+			var endpoints = xrds.XrdElements.CreateServiceEndpoints(xriIdentifier);
+			return new IdentifierDiscoveryServiceResult(endpoints);
 		}
 
 		#endregion
@@ -71,14 +81,19 @@ namespace DotNetOpenAuth.OpenId {
 		/// <param name="identifier">The identifier.</param>
 		/// <param name="requestHandler">The request handler.</param>
 		/// <returns>The XRDS document.</returns>
-		private static XrdsDocument DownloadXrds(XriIdentifier identifier, IDirectWebRequestHandler requestHandler) {
+		private static async Task<XrdsDocument> DownloadXrdsAsync(XriIdentifier identifier, IHostFactories hostFactories, CancellationToken cancellationToken) {
 			Requires.NotNull(identifier, "identifier");
-			Requires.NotNull(requestHandler, "requestHandler");
+			Requires.NotNull(hostFactories, "hostFactories");
+
 			XrdsDocument doc;
-			using (var xrdsResponse = Yadis.Request(requestHandler, GetXrdsUrl(identifier), identifier.IsDiscoverySecureEndToEnd)) {
+			using (var xrdsResponse = await Yadis.RequestAsync(GetXrdsUrl(identifier), identifier.IsDiscoverySecureEndToEnd, hostFactories, cancellationToken)) {
 				var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
-				doc = new XrdsDocument(XmlReader.Create(xrdsResponse.ResponseStream, readerSettings));
+				await xrdsResponse.Content.LoadIntoBufferAsync();
+				using (var xrdsStream = await xrdsResponse.Content.ReadAsStreamAsync()) {
+					doc = new XrdsDocument(XmlReader.Create(xrdsStream, readerSettings));
+				}
 			}
+
 			ErrorUtilities.VerifyProtocol(doc.IsXrdResolutionSuccessful, OpenIdStrings.XriResolutionFailed);
 			return doc;
 		}
diff --git a/src/DotNetOpenAuth.OpenId/Yadis/DiscoveryResult.cs b/src/DotNetOpenAuth.OpenId/Yadis/DiscoveryResult.cs
index 06c6fc7..64f7b66 100644
--- a/src/DotNetOpenAuth.OpenId/Yadis/DiscoveryResult.cs
+++ b/src/DotNetOpenAuth.OpenId/Yadis/DiscoveryResult.cs
@@ -7,10 +7,15 @@
 namespace DotNetOpenAuth.Yadis {
 	using System;
 	using System.IO;
+	using System.Net;
+	using System.Net.Http;
+	using System.Net.Http.Headers;
 	using System.Net.Mime;
+	using System.Threading.Tasks;
 	using System.Web.UI.HtmlControls;
 	using System.Xml;
 	using DotNetOpenAuth.Messaging;
+	using Validation;
 
 	/// <summary>
 	/// Contains the result of YADIS discovery.
@@ -20,7 +25,7 @@ namespace DotNetOpenAuth.Yadis {
 		/// The original web response, backed up here if the final web response is the preferred response to use
 		/// in case it turns out to not work out.
 		/// </summary>
-		private CachedDirectWebResponse htmlFallback;
+		private HttpResponseMessage htmlFallback;
 
 		/// <summary>
 		/// Initializes a new instance of the <see cref="DiscoveryResult"/> class.
@@ -28,22 +33,7 @@ namespace DotNetOpenAuth.Yadis {
 		/// <param name="requestUri">The user-supplied identifier.</param>
 		/// <param name="initialResponse">The initial response.</param>
 		/// <param name="finalResponse">The final response.</param>
-		public DiscoveryResult(Uri requestUri, CachedDirectWebResponse initialResponse, CachedDirectWebResponse finalResponse) {
-			this.RequestUri = requestUri;
-			this.NormalizedUri = initialResponse.FinalUri;
-			if (finalResponse == null || finalResponse.Status != System.Net.HttpStatusCode.OK) {
-				this.ApplyHtmlResponse(initialResponse);
-			} else {
-				this.ContentType = finalResponse.ContentType;
-				this.ResponseText = finalResponse.GetResponseString();
-				this.IsXrds = true;
-				if (initialResponse != finalResponse) {
-					this.YadisLocation = finalResponse.RequestUri;
-				}
-
-				// Back up the initial HTML response in case the XRDS is not useful.
-				this.htmlFallback = initialResponse;
-			}
+		private DiscoveryResult() {
 		}
 
 		/// <summary>
@@ -68,7 +58,7 @@ namespace DotNetOpenAuth.Yadis {
 		/// <summary>
 		/// Gets the Content-Type associated with the <see cref="ResponseText"/>.
 		/// </summary>
-		public ContentType ContentType { get; private set; }
+		public MediaTypeHeaderValue ContentType { get; private set; }
 
 		/// <summary>
 		/// Gets the text in the final response.
@@ -83,12 +73,35 @@ namespace DotNetOpenAuth.Yadis {
 		/// </summary>
 		public bool IsXrds { get; private set; }
 
+		internal static async Task<DiscoveryResult> CreateAsync(
+			Uri requestUri, HttpResponseMessage initialResponse, HttpResponseMessage finalResponse) {
+
+			var result = new DiscoveryResult();
+			result.RequestUri = requestUri;
+			result.NormalizedUri = initialResponse.RequestMessage.RequestUri;
+			if (finalResponse == null || finalResponse.StatusCode != HttpStatusCode.OK) {
+				await result.ApplyHtmlResponseAsync(initialResponse);
+			} else {
+				result.ContentType = finalResponse.Content.Headers.ContentType;
+				result.ResponseText = await finalResponse.Content.ReadAsStringAsync();
+				result.IsXrds = true;
+				if (initialResponse != finalResponse) {
+					result.YadisLocation = finalResponse.RequestMessage.RequestUri;
+				}
+
+				// Back up the initial HTML response in case the XRDS is not useful.
+				result.htmlFallback = initialResponse;
+			}
+
+			return result;
+		}
+
 		/// <summary>
 		/// Reverts to the HTML response after the XRDS response didn't work out.
 		/// </summary>
-		internal void TryRevertToHtmlResponse() {
+		internal async Task TryRevertToHtmlResponseAsync() {
 			if (this.htmlFallback != null) {
-				this.ApplyHtmlResponse(this.htmlFallback);
+				await this.ApplyHtmlResponseAsync(this.htmlFallback);
 				this.htmlFallback = null;
 			}
 		}
@@ -96,10 +109,12 @@ namespace DotNetOpenAuth.Yadis {
 		/// <summary>
 		/// Applies the HTML response to the object.
 		/// </summary>
-		/// <param name="initialResponse">The initial response.</param>
-		private void ApplyHtmlResponse(CachedDirectWebResponse initialResponse) {
-			this.ContentType = initialResponse.ContentType;
-			this.ResponseText = initialResponse.GetResponseString();
+		/// <param name="response">The initial response.</param>
+		private async Task ApplyHtmlResponseAsync(HttpResponseMessage response) {
+			Requires.NotNull(response, "response");
+
+			this.ContentType = response.Content.Headers.ContentType;
+			this.ResponseText = await response.Content.ReadAsStringAsync();
 			this.IsXrds = this.ContentType != null && this.ContentType.MediaType == ContentTypes.Xrds;
 		}
 	}
diff --git a/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs b/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
index 4a06ea7..f0d5402 100644
--- a/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
+++ b/src/DotNetOpenAuth.OpenId/Yadis/Yadis.cs
@@ -9,6 +9,10 @@ namespace DotNetOpenAuth.Yadis {
 	using System.IO;
 	using System.Net;
 	using System.Net.Cache;
+	using System.Net.Http;
+	using System.Net.Http.Headers;
+	using System.Threading;
+	using System.Threading.Tasks;
 	using System.Web.UI.HtmlControls;
 	using System.Xml;
 	using DotNetOpenAuth.Configuration;
@@ -17,6 +21,9 @@ namespace DotNetOpenAuth.Yadis {
 	using DotNetOpenAuth.Xrds;
 	using Validation;
 
+	using System.Linq;
+	using System.Collections.Generic;
+
 	/// <summary>
 	/// YADIS discovery manager.
 	/// </summary>
@@ -53,16 +60,21 @@ namespace DotNetOpenAuth.Yadis {
 		/// or if <paramref name="requireSsl"/> is true but part of discovery
 		/// is not protected by SSL.
 		/// </returns>
-		public static DiscoveryResult Discover(IDirectWebRequestHandler requestHandler, UriIdentifier uri, bool requireSsl) {
-			CachedDirectWebResponse response;
+		public static async Task<DiscoveryResult> DiscoverAsync(IHostFactories hostFactories, UriIdentifier uri, bool requireSsl, CancellationToken cancellationToken) {
+			Requires.NotNull(hostFactories, "hostFactories");
+			Requires.NotNull(uri, "uri");
+
+			HttpResponseMessage response;
 			try {
 				if (requireSsl && !string.Equals(uri.Uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)) {
 					Logger.Yadis.WarnFormat("Discovery on insecure identifier '{0}' aborted.", uri);
 					return null;
 				}
-				response = Request(requestHandler, uri, requireSsl, ContentTypes.Html, ContentTypes.XHtml, ContentTypes.Xrds).GetSnapshot(MaximumResultToScan);
-				if (response.Status != System.Net.HttpStatusCode.OK) {
-					Logger.Yadis.ErrorFormat("HTTP error {0} {1} while performing discovery on {2}.", (int)response.Status, response.Status, uri);
+
+				response = await RequestAsync(uri, requireSsl, hostFactories, cancellationToken, ContentTypes.Html, ContentTypes.XHtml, ContentTypes.Xrds);
+				await response.Content.LoadIntoBufferAsync();
+				if (response.StatusCode != System.Net.HttpStatusCode.OK) {
+					Logger.Yadis.ErrorFormat("HTTP error {0} {1} while performing discovery on {2}.", (int)response.StatusCode, response.StatusCode, uri);
 					return null;
 				}
 			} catch (ArgumentException ex) {
@@ -70,13 +82,18 @@ namespace DotNetOpenAuth.Yadis {
 				Logger.Yadis.WarnFormat("Unsafe OpenId URL detected ({0}).  Request aborted.  {1}", uri, ex);
 				return null;
 			}
-			CachedDirectWebResponse response2 = null;
-			if (IsXrdsDocument(response)) {
+			HttpResponseMessage response2 = null;
+			if (await IsXrdsDocumentAsync(response)) {
 				Logger.Yadis.Debug("An XRDS response was received from GET at user-supplied identifier.");
 				Reporting.RecordEventOccurrence("Yadis", "XRDS in initial response");
 				response2 = response;
 			} else {
-				string uriString = response.Headers.Get(HeaderName);
+				IEnumerable<string> uriStrings;
+				string uriString = null;
+				if (response.Headers.TryGetValues(HeaderName, out uriStrings)) {
+					uriString = uriStrings.FirstOrDefault();
+				}
+
 				Uri url = null;
 				if (uriString != null) {
 					if (Uri.TryCreate(uriString, UriKind.Absolute, out url)) {
@@ -84,8 +101,10 @@ namespace DotNetOpenAuth.Yadis {
 						Reporting.RecordEventOccurrence("Yadis", "XRDS referenced in HTTP header");
 					}
 				}
-				if (url == null && response.ContentType != null && (response.ContentType.MediaType == ContentTypes.Html || response.ContentType.MediaType == ContentTypes.XHtml)) {
-					url = FindYadisDocumentLocationInHtmlMetaTags(response.GetResponseString());
+
+				var contentType = response.Content.Headers.ContentType;
+				if (url == null && contentType != null && (contentType.MediaType == ContentTypes.Html || contentType.MediaType == ContentTypes.XHtml)) {
+					url = FindYadisDocumentLocationInHtmlMetaTags(await response.Content.ReadAsStringAsync());
 					if (url != null) {
 						Logger.Yadis.DebugFormat("{0} found in HTML Http-Equiv tag.  Preparing to pull XRDS from {1}", HeaderName, url);
 						Reporting.RecordEventOccurrence("Yadis", "XRDS referenced in HTML");
@@ -93,16 +112,17 @@ namespace DotNetOpenAuth.Yadis {
 				}
 				if (url != null) {
 					if (!requireSsl || string.Equals(url.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)) {
-						response2 = Request(requestHandler, url, requireSsl, ContentTypes.Xrds).GetSnapshot(MaximumResultToScan);
-						if (response2.Status != HttpStatusCode.OK) {
-							Logger.Yadis.ErrorFormat("HTTP error {0} {1} while performing discovery on {2}.", (int)response2.Status, response2.Status, uri);
+						response2 = await RequestAsync(url, requireSsl, hostFactories, cancellationToken, ContentTypes.Xrds);
+						if (response2.StatusCode != HttpStatusCode.OK) {
+							Logger.Yadis.ErrorFormat("HTTP error {0} {1} while performing discovery on {2}.", (int)response2.StatusCode, response2.StatusCode, uri);
 						}
 					} else {
 						Logger.Yadis.WarnFormat("XRDS document at insecure location '{0}'.  Aborting YADIS discovery.", url);
 					}
 				}
 			}
-			return new DiscoveryResult(uri, response, response2);
+
+			return await DiscoveryResult.CreateAsync(uri, response, response2);
 		}
 
 		/// <summary>
@@ -129,43 +149,46 @@ namespace DotNetOpenAuth.Yadis {
 		/// <summary>
 		/// Sends a YADIS HTTP request as part of identifier discovery.
 		/// </summary>
-		/// <param name="requestHandler">The request handler to use to actually submit the request.</param>
 		/// <param name="uri">The URI to GET.</param>
 		/// <param name="requireSsl">Whether only HTTPS URLs should ever be retrieved.</param>
+		/// <param name="hostFactories">The host factories.</param>
+		/// <param name="cancellationToken">The cancellation token.</param>
 		/// <param name="acceptTypes">The value of the Accept HTTP header to include in the request.</param>
-		/// <returns>The HTTP response retrieved from the request.</returns>
-		internal static IncomingWebResponse Request(IDirectWebRequestHandler requestHandler, Uri uri, bool requireSsl, params string[] acceptTypes) {
-			Requires.NotNull(requestHandler, "requestHandler");
+		/// <returns>
+		/// The HTTP response retrieved from the request.
+		/// </returns>
+		internal static async Task<HttpResponseMessage> RequestAsync(Uri uri, bool requireSsl, IHostFactories hostFactories, CancellationToken cancellationToken, params string[] acceptTypes) {
 			Requires.NotNull(uri, "uri");
+			Requires.NotNull(hostFactories, "hostFactories");
 
-			HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
-			request.CachePolicy = IdentifierDiscoveryCachePolicy;
-			if (acceptTypes != null) {
-				request.Accept = string.Join(",", acceptTypes);
-			}
-
-			DirectWebRequestOptions options = DirectWebRequestOptions.None;
-			if (requireSsl) {
-				options |= DirectWebRequestOptions.RequireSsl;
-			}
+			using (var httpClient = hostFactories.CreateHttpClient(requireSsl, IdentifierDiscoveryCachePolicy)) {
+				var request = new HttpRequestMessage(HttpMethod.Get, uri);
+				if (acceptTypes != null) {
+					request.Headers.Accept.AddRange(acceptTypes.Select(at => new MediaTypeWithQualityHeaderValue(at)));
+				}
 
-			try {
-				return requestHandler.GetResponse(request, options);
-			} catch (ProtocolException ex) {
-				var webException = ex.InnerException as WebException;
-				if (webException != null) {
-					var response = webException.Response as HttpWebResponse;
-					if (response != null && response.IsFromCache) {
+				HttpResponseMessage response = null;
+				try {
+					response = await httpClient.SendAsync(request, cancellationToken);
+					// http://stackoverflow.com/questions/14103154/how-to-determine-if-an-httpresponsemessage-was-fulfilled-from-cache-using-httpcl
+					if (!response.IsSuccessStatusCode && response.Headers.Age.HasValue && response.Headers.Age.Value > TimeSpan.Zero) {
 						// We don't want to report error responses from the cache, since the server may have fixed
 						// whatever was causing the problem.  So try again with cache disabled.
-						Logger.Messaging.Error("An HTTP error response was obtained from the cache.  Retrying with cache disabled.", ex);
+						Logger.Messaging.ErrorFormat("An HTTP {0} response was obtained from the cache.  Retrying with cache disabled.", response.StatusCode);
+						response.Dispose(); // discard the old one
+
 						var nonCachingRequest = request.Clone();
-						nonCachingRequest.CachePolicy = new HttpRequestCachePolicy(HttpRequestCacheLevel.Reload);
-						return requestHandler.GetResponse(nonCachingRequest, options);
+						using (var nonCachingHttpClient = hostFactories.CreateHttpClient(requireSsl, new RequestCachePolicy(RequestCacheLevel.Reload))) {
+							response = await nonCachingHttpClient.SendAsync(nonCachingRequest, cancellationToken);
+						}
 					}
-				}
 
-				throw;
+					response.EnsureSuccessStatusCode();
+					return response;
+				} catch {
+					response.DisposeIfNotNull();
+					throw;
+				}
 			}
 		}
 
@@ -176,25 +199,26 @@ namespace DotNetOpenAuth.Yadis {
 		/// <returns>
 		/// 	<c>true</c> if the response constains an XRDS document; otherwise, <c>false</c>.
 		/// </returns>
-		private static bool IsXrdsDocument(CachedDirectWebResponse response) {
-			if (response.ContentType == null) {
+		private static async Task<bool> IsXrdsDocumentAsync(HttpResponseMessage response) {
+			if (response.Content.Headers.ContentType == null) {
 				return false;
 			}
 
-			if (response.ContentType.MediaType == ContentTypes.Xrds) {
+			if (response.Content.Headers.ContentType.MediaType == ContentTypes.Xrds) {
 				return true;
 			}
 
-			if (response.ContentType.MediaType == ContentTypes.Xml) {
+			if (response.Content.Headers.ContentType.MediaType == ContentTypes.Xml) {
 				// This COULD be an XRDS document with an imprecise content-type.
-				response.ResponseStream.Seek(0, SeekOrigin.Begin);
-				var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
-				XmlReader reader = XmlReader.Create(response.ResponseStream, readerSettings);
-				while (reader.Read() && reader.NodeType != XmlNodeType.Element) {
-					// intentionally blank
-				}
-				if (reader.NamespaceURI == XrdsNode.XrdsNamespace && reader.Name == "XRDS") {
-					return true;
+				using (var responseStream = await response.Content.ReadAsStreamAsync()) {
+					var readerSettings = MessagingUtilities.CreateUntrustedXmlReaderSettings();
+					XmlReader reader = XmlReader.Create(responseStream, readerSettings);
+					while (await reader.ReadAsync() && reader.NodeType != XmlNodeType.Element) {
+						// intentionally blank
+					}
+					if (reader.NamespaceURI == XrdsNode.XrdsNamespace && reader.Name == "XRDS") {
+						return true;
+					}
 				}
 			}
 
diff --git a/src/DotNetOpenAuth.OpenId/packages.config b/src/DotNetOpenAuth.OpenId/packages.config
index 58890d8..1d93cf5 100644
--- a/src/DotNetOpenAuth.OpenId/packages.config
+++ b/src/DotNetOpenAuth.OpenId/packages.config
@@ -1,4 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
+  <package id="Microsoft.Net.Http" version="2.0.20710.0" targetFramework="net45" />
   <package id="Validation" version="2.0.1.12362" targetFramework="net45" />
 </packages>
\ No newline at end of file