Merging in interoperability work for Blogger and other lesser OPs.

4 files changed, 35 insertions, 4 deletions

diff --git a/src/DotNetOpenAuth/Configuration/MessagingElement.cs b/src/DotNetOpenAuth/Configuration/MessagingElement.cs
index 9e957fe..b49cecf 100644
--- a/src/DotNetOpenAuth/Configuration/MessagingElement.cs
+++ b/src/DotNetOpenAuth/Configuration/MessagingElement.cs
@@ -32,6 +32,11 @@ namespace DotNetOpenAuth.Configuration {
 		private const string MaximumClockSkewConfigName = "clockSkew";
 
 		/// <summary>
+		/// The name of the attribute that controls whether messaging rules are strictly followed.
+		/// </summary>
+		private const string StrictConfigName = "strict";
+
+		/// <summary>
 		/// Gets the actual maximum message lifetime that a program should allow.
 		/// </summary>
 		/// <value>The sum of the <see cref="MaximumMessageLifetime"/> and 
@@ -83,6 +88,24 @@ namespace DotNetOpenAuth.Configuration {
 		}
 
 		/// <summary>
+		/// Gets or sets a value indicating whether messaging rules are strictly
+		/// adhered to.
+		/// </summary>
+		/// <value><c>true</c> by default.</value>
+		/// <remarks>
+		/// Strict will require that remote parties adhere strictly to the specifications,
+		/// even when a loose interpretation would not compromise security.
+		/// <c>true</c> is a good default because it shakes out interoperability bugs in remote services
+		/// so they can be identified and corrected.  But some web sites want things to Just Work
+		/// more than they want to file bugs against others, so <c>false</c> is the setting for them.
+		/// </remarks>
+		[ConfigurationProperty(StrictConfigName, DefaultValue = true)]
+		internal bool Strict {
+			get { return (bool) this[StrictConfigName]; }
+			set { this[StrictConfigName] = value; }
+		}
+
+		/// <summary>
 		/// Gets or sets the configuration for the <see cref="UntrustedWebRequestHandler"/> class.
 		/// </summary>
 		/// <value>The untrusted web request.</value>
diff --git a/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs b/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs
index a791e69..b876ec4 100644
--- a/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs
+++ b/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs
@@ -15,6 +15,7 @@ namespace DotNetOpenAuth.Messaging.Reflection {
 	using System.Net.Security;
 	using System.Reflection;
 	using System.Xml;
+	using DotNetOpenAuth.Configuration;
 	using DotNetOpenAuth.OpenId;
 
 	/// <summary>
@@ -208,7 +209,8 @@ namespace DotNetOpenAuth.Messaging.Reflection {
 			try {
 				if (this.IsConstantValue) {
 					string constantValue = this.GetValue(message);
-					if (!string.Equals(constantValue, value)) {
+					var caseSensitivity = DotNetOpenAuthSection.Configuration.Messaging.Strict ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase;
+					if (!string.Equals(constantValue, value, caseSensitivity)) {
 						throw new ArgumentException(string.Format(
 							CultureInfo.CurrentCulture,
 							MessagingStrings.UnexpectedMessagePartValueForConstant,
diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
index 61825e8..f1bb5ac 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
@@ -47,7 +47,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 			// really doesn't exist.  OpenID 2.0 section 11.4.2.2.
 			IndirectSignedResponse signedResponse = new IndirectSignedResponse(request, provider.Channel);
 			string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
-			if (invalidateHandle != null && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
+			if (!string.IsNullOrEmpty(invalidateHandle) && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
 				this.InvalidateHandle = invalidateHandle;
 			}
 		}
@@ -70,8 +70,10 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		/// <para>This two-step process for invalidating associations is necessary 
 		/// to prevent an attacker from invalidating an association at will by 
 		/// adding "invalidate_handle" parameters to an authentication response.</para>
+		/// <para>For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.</para>
 		/// </remarks>
-		[MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false)]
+		[MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")]
+		[MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")]
 		internal string InvalidateHandle { get; set; }
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
index 2f02974..fff4cf6 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs
@@ -207,7 +207,11 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		/// Gets or sets the association handle that the Provider wants the Relying Party to not use any more.
 		/// </summary>
 		/// <value>If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.</value>
-		[MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false)]
+		/// <remarks>
+		/// For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.
+		/// </remarks>
+		[MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")]
+		[MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")]
 		string ITamperResistantOpenIdMessage.InvalidateHandle { get; set; }
 
 		/// <summary>