diff options
3 files changed, 10 insertions, 4 deletions
diff --git a/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs b/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs index ae54c3a..3524f41 100644 --- a/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs +++ b/src/DotNetOpenAuth/Messaging/Reflection/MessagePart.cs @@ -189,7 +189,7 @@ namespace DotNetOpenAuth.Messaging.Reflection { try { if (this.IsConstantValue) { string constantValue = this.GetValue(message); - if (!string.Equals(constantValue, value)) { + if (!string.Equals(constantValue, value, StringComparison.OrdinalIgnoreCase)) { throw new ArgumentException(string.Format( CultureInfo.CurrentCulture, MessagingStrings.UnexpectedMessagePartValueForConstant, diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs index 61825e8..f1bb5ac 100644 --- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs +++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs @@ -47,7 +47,7 @@ namespace DotNetOpenAuth.OpenId.Messages { // really doesn't exist. OpenID 2.0 section 11.4.2.2. IndirectSignedResponse signedResponse = new IndirectSignedResponse(request, provider.Channel); string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle; - if (invalidateHandle != null && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) { + if (!string.IsNullOrEmpty(invalidateHandle) && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) { this.InvalidateHandle = invalidateHandle; } } @@ -70,8 +70,10 @@ namespace DotNetOpenAuth.OpenId.Messages { /// <para>This two-step process for invalidating associations is necessary /// to prevent an attacker from invalidating an association at will by /// adding "invalidate_handle" parameters to an authentication response.</para> + /// <para>For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.</para> /// </remarks> - [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false)] + [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")] + [MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")] internal string InvalidateHandle { get; set; } } } diff --git a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs index 2f02974..fff4cf6 100644 --- a/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs +++ b/src/DotNetOpenAuth/OpenId/Messages/IndirectSignedResponse.cs @@ -207,7 +207,11 @@ namespace DotNetOpenAuth.OpenId.Messages { /// Gets or sets the association handle that the Provider wants the Relying Party to not use any more. /// </summary> /// <value>If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.</value> - [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false)] + /// <remarks> + /// For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger. + /// </remarks> + [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = true, MaxVersion = "1.1")] + [MessagePart("openid.invalidate_handle", IsRequired = false, AllowEmpty = false, MinVersion = "2.0")] string ITamperResistantOpenIdMessage.InvalidateHandle { get; set; } /// <summary> |