7 files changed, 94 insertions, 64 deletions

diff --git a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
index d70401a..bd0fdbf 100644
--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -7,6 +7,7 @@ namespace OpenIdProviderMvc.Controllers {
 	using System.Web.Mvc.Ajax;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId;
+	using DotNetOpenAuth.OpenId.Behaviors;
 	using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;
 	using DotNetOpenAuth.OpenId.Provider;
 	using OpenIdProviderMvc.Code;
@@ -14,8 +15,6 @@ namespace OpenIdProviderMvc.Controllers {
 	public class OpenIdController : Controller {
 		internal static OpenIdProvider OpenIdProvider = new OpenIdProvider();
 
-		private static AnonymousIdentifierProvider anonProvider = new AnonymousIdentifierProvider();
-
 		internal static IAuthenticationRequest PendingAuthenticationRequest {
 			get { return ProviderEndpoint.PendingAuthenticationRequest; }
 			set { ProviderEndpoint.PendingAuthenticationRequest = value; }
@@ -30,7 +29,7 @@ namespace OpenIdProviderMvc.Controllers {
 					PendingAuthenticationRequest = authRequest;
 					if (authRequest.IsReturnUrlDiscoverable(OpenIdProvider) == RelyingPartyDiscoveryResult.Success &&
 						User.Identity.IsAuthenticated &&
-						(authRequest.IsDirectedIdentity || Models.User.GetClaimedIdentifierForUser(User.Identity.Name) == authRequest.LocalIdentifier)) {
+						(authRequest.IsDirectedIdentity || this.UserControlsIdentifier(authRequest))) {
 						return this.SendAssertion();
 					} else {
 						return RedirectToAction("LogOn", "Account", new { returnUrl = Url.Action("SendAssertion") });
@@ -50,58 +49,42 @@ namespace OpenIdProviderMvc.Controllers {
 		[Authorize]
 		public ActionResult SendAssertion() {
 			IAuthenticationRequest authReq = PendingAuthenticationRequest;
-			PendingAuthenticationRequest = null;
+			PendingAuthenticationRequest = null; // clear session static so we don't do this again
 			if (authReq == null) {
-				throw new InvalidOperationException();
+				throw new InvalidOperationException("There's no pending authentication request!");
 			}
 
-			Identifier localIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
-			if (this.IsPpidRequested(authReq)) {
-				if (!authReq.IsDirectedIdentity) {
-					throw new InvalidOperationException("Directed identity is the only supported scenario for anonymous identifiers.");
-				}
-
-				var anonymousIdentifier = anonProvider.GetIdentifier(localIdentifier, authReq.Realm);
-				authReq.ClaimedIdentifier = anonymousIdentifier;
-				authReq.LocalIdentifier = anonymousIdentifier;
-				authReq.IsAuthenticated = true;
-			} else {
-				if (authReq.IsDirectedIdentity) {
-					authReq.LocalIdentifier = localIdentifier;
-					authReq.ClaimedIdentifier = localIdentifier;
-					authReq.IsAuthenticated = true;
-				} else {
-					if (authReq.LocalIdentifier == localIdentifier) {
-						authReq.IsAuthenticated = true;
-						if (!authReq.IsDelegatedIdentifier) {
-							authReq.ClaimedIdentifier = authReq.LocalIdentifier;
-						}
-					} else {
-						authReq.IsAuthenticated = false;
-					}
-				}
-
-				// TODO: Respond to AX/sreg extension requests here.
-				// We don't want to add these extension responses for anonymous identifiers
-				// because they could leak information about the user's identity.
+			if (authReq.IsDirectedIdentity) {
+				authReq.LocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			}
+			if (!authReq.IsDelegatedIdentifier) {
+				authReq.ClaimedIdentifier = authReq.LocalIdentifier;
 			}
 
+			// Respond to AX/sreg extension requests.
+			//// Real web sites would have code here
+
+			authReq.IsAuthenticated = this.UserControlsIdentifier(authReq);
 			return OpenIdProvider.PrepareResponse(authReq).AsActionResult();
 		}
 
-		private bool IsPpidRequested(IAuthenticationRequest authRequest) {
-			if (authRequest == null) {
-				throw new ArgumentNullException("authRequest");
+		/// <summary>
+		/// Checks whether the logged in user controls the OP local identifier in the given authentication request.
+		/// </summary>
+		/// <param name="authReq">The authentication request.</param>
+		/// <returns><c>true</c> if the user controls the identifier; <c>false</c> otherwise.</returns>
+		private bool UserControlsIdentifier(IAuthenticationRequest authReq) {
+			if (authReq == null) {
+				throw new ArgumentNullException("authReq");
 			}
 
-			var pape = authRequest.GetExtension<PolicyRequest>();
-			if (pape != null) {
-				if (pape.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
-					return true;
-				}
+			if (User == null || User.Identity == null) {
+				return false;
 			}
 
-			return false;
+			Uri userLocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			return authReq.LocalIdentifier == userLocalIdentifier ||
+				authReq.LocalIdentifier == PpidGeneration.PpidIdentifierProvider.GetIdentifier(userLocalIdentifier, authReq.Realm);
 		}
 	}
 }
diff --git a/src/DotNetOpenAuth/DotNetOpenAuth.csproj b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
index 7da3a47..4b0a843 100644
--- a/src/DotNetOpenAuth/DotNetOpenAuth.csproj
+++ b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
@@ -397,7 +397,7 @@
     <Compile Include="OpenId\Provider\HostProcessedRequest.cs" />
     <Compile Include="OpenId\Provider\IAnonymousRequest.cs" />
     <Compile Include="OpenId\Provider\IAuthenticationRequest.cs" />
-    <Compile Include="OpenId\Provider\IDirectedIdentityCustomIdentifier.cs" />
+    <Compile Include="OpenId\Provider\IDirectedIdentityIdentifierProvider.cs" />
     <Compile Include="OpenId\Provider\IHostProcessedRequest.cs" />
     <Compile Include="OpenId\Provider\IdentityEndpoint.cs" />
     <Compile Include="OpenId\Provider\IdentityEndpointNormalizationEventArgs.cs" />
diff --git a/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs b/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
index 3d2836e..befc138 100644
--- a/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
+++ b/src/DotNetOpenAuth/OpenId/Behaviors/PpidGeneration.cs
@@ -20,7 +20,7 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 	/// the <see cref="AuthenticationPolicies.PrivatePersonalIdentifier"/> authentication policy.</para>
 	/// <para>The static member <see cref="PpidGeneration.PpidIdentifierProvider"/> MUST
 	/// be set prior to any PPID requests come in.  Typically this should be set in the
-	/// <see cref="HttpApplication.Start"/> event handler in the global.asax.cs file.</para>
+	/// <c>Application_Start</c> method in the global.asax.cs file.</para>
 	/// </remarks>
 	[Serializable]
 	public sealed class PpidGeneration : IProviderBehavior {
@@ -57,13 +57,11 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 		/// from handling it; <c>false</c> to allow other behaviors to process this request.
 		/// </returns>
 		bool IProviderBehavior.OnOutgoingResponse(IAuthenticationRequest request) {
-						ErrorUtilities.VerifyArgumentNotNull(request, "request");
-
-			bool result = false;
+			ErrorUtilities.VerifyArgumentNotNull(request, "request");
 
 			// Nothing to do for negative assertions.
 			if (!request.IsAuthenticated.Value) {
-				return result;
+				return false;
 			}
 
 			var requestInternal = (Provider.AuthenticationRequest)request;
@@ -72,26 +70,33 @@ namespace DotNetOpenAuth.OpenId.Behaviors {
 			// Only apply our special policies if the RP requested it.
 			var papeRequest = request.GetExtension<PolicyRequest>();
 			if (papeRequest != null) {
-				var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
-				if (papeResponse == null) {
-					request.AddResponseExtension(papeResponse = new PolicyResponse());
-				}
-
 				if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
 					ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);
 
+					if (PpidIdentifierProvider == null) {
+						Logger.OpenId.Error(BehaviorStrings.PpidProviderNotGiven);
+						return false;
+					}
+
 					// Mask the user's identity with a PPID.
-					ErrorUtilities.VerifyHost(PpidIdentifierProvider != null, BehaviorStrings.PpidProviderNotGiven);
-					Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
-					requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
+					if (PpidIdentifierProvider.IsUserLocalIdentifier(request.LocalIdentifier)) {
+						Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
+						requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
+					}
 
 					// Indicate that the RP is receiving a PPID claimed_id
+					var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
+					if (papeResponse == null) {
+						request.AddResponseExtension(papeResponse = new PolicyResponse());
+					}
+
 					if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
 						papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
 					}
 				}
 			}
-			return result;
+
+			return false;
 		}
 
 		#endregion
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index 5d9903f..27dacfd 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -70,6 +70,15 @@ namespace DotNetOpenAuth.OpenId {
         }
         
         /// <summary>
+        ///   Looks up a localized string similar to This is already a PPID Identifier..
+        /// </summary>
+        internal static string ArgumentIsPpidIdentifier {
+            get {
+                return ResourceManager.GetString("ArgumentIsPpidIdentifier", resourceCulture);
+            }
+        }
+        
+        /// <summary>
         ///   Looks up a localized string similar to The requested association type &apos;{0}&apos; with session type &apos;{1}&apos; is unrecognized or not supported by this Provider due to security requirements..
         /// </summary>
         internal static string AssociationOrSessionTypeUnrecognizedOrNotSupported {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index c9df6b3..bca813b 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -331,4 +331,7 @@ Discovered endpoint info:
   <data name="PropertyValueNotSupported" xml:space="preserve">
     <value>This property value is not supported by this control.</value>
   </data>
+  <data name="ArgumentIsPpidIdentifier" xml:space="preserve">
+    <value>This is already a PPID Identifier.</value>
+  </data>
 </root>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityCustomIdentifier.cs b/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityIdentifierProvider.cs
index 63f9cdf..de24f74 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityCustomIdentifier.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/IDirectedIdentityIdentifierProvider.cs
@@ -1,5 +1,5 @@
 //-----------------------------------------------------------------------
-// <copyright file="IDirectedIdentityCustomIdentifier.cs" company="Andrew Arnott">
+// <copyright file="IDirectedIdentityIdentifierProvider.cs" company="Andrew Arnott">
 //     Copyright (c) Andrew Arnott. All rights reserved.
 // </copyright>
 //-----------------------------------------------------------------------
@@ -29,6 +29,15 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		/// openid.claimed_id and openid.local_id parameters.  Must not be null.
 		/// </returns>
 		Uri GetIdentifier(Identifier localIdentifier, Realm relyingPartyRealm);
+
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		bool IsUserLocalIdentifier(Identifier identifier);
 	}
 
 	/// <summary>
@@ -55,6 +64,19 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			throw new NotImplementedException();
 		}
 
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		public bool IsUserLocalIdentifier(Identifier identifier) {
+			Contract.Requires(identifier != null);
+
+			throw new NotImplementedException();
+		}
+
 		#endregion
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs b/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
index 43b258c..64d2908 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/PrivatePersonalIdentifierProviderBase.cs
@@ -122,11 +122,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		public Uri GetIdentifier(Identifier localIdentifier, Realm relyingPartyRealm) {
 			ErrorUtilities.VerifyArgumentNotNull(localIdentifier, "localIdentifier");
 			ErrorUtilities.VerifyArgumentNotNull(relyingPartyRealm, "relyingPartyRealm");
-
-			if (localIdentifier.ToString().StartsWith(this.BaseIdentifier.AbsoluteUri, StringComparison.Ordinal)) {
-				Logger.OpenId.Warn("Trying to generate a PPID from a PPID.  Returning original PPID.");
-				return new Uri(localIdentifier);
-			}
+			ErrorUtilities.VerifyArgumentNamed(this.IsUserLocalIdentifier(localIdentifier), "localIdentifier", OpenIdStrings.ArgumentIsPpidIdentifier);
 
 			byte[] salt = this.GetHashSaltForLocalIdentifier(localIdentifier);
 			string valueToHash = localIdentifier + "#";
@@ -158,6 +154,18 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			return anonymousIdentifier;
 		}
 
+		/// <summary>
+		/// Determines whether a given identifier is the primary (non-PPID) local identifier for some user.
+		/// </summary>
+		/// <param name="identifier">The identifier in question.</param>
+		/// <returns>
+		/// 	<c>true</c> if the given identifier is the valid, unique identifier for some uesr (and NOT a PPID); otherwise, <c>false</c>.
+		/// </returns>
+		public virtual bool IsUserLocalIdentifier(Identifier identifier)
+		{
+			return !identifier.ToString().StartsWith(this.BaseIdentifier.AbsoluteUri, StringComparison.Ordinal);
+		}
+
 		#endregion
 
 		/// <summary>