3 files changed, 229 insertions, 173 deletions
diff --git a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
index 0fa8a9a..a322f7d 100644
--- a/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
+++ b/projecttemplates/MvcRelyingParty/Controllers/AccountController.cs
@@ -3,6 +3,7 @@
 	using System.Collections.Generic;
 	using System.Globalization;
 	using System.Linq;
+	using System.Net;
 	using System.Security.Principal;
 	using System.Web;
 	using System.Web.Mvc;
@@ -19,139 +20,6 @@
 
 	[HandleError]
 	public class AccountController : Controller {
-		/// <summary>
-		/// Initializes a new instance of the <see cref="AccountController"/> class.
-		/// </summary>
-		/// <remarks>
-		/// This constructor is used by the MVC framework to instantiate the controller using
-		/// the default forms authentication and OpenID services.
-		/// </remarks>
-		public AccountController()
-			: this(null, null) {
-		}
-
-		/// <summary>
-		/// Initializes a new instance of the <see cref="AccountController"/> class.
-		/// </summary>
-		/// <param name="formsAuth">The forms auth.</param>
-		/// <param name="relyingParty">The relying party.</param>
-		/// <remarks>
-		/// This constructor is not used by the MVC framework but is instead provided for ease
-		/// of unit testing this type. 
-		/// </remarks>
-		public AccountController(IFormsAuthentication formsAuth, IOpenIdRelyingParty relyingParty) {
-			this.FormsAuth = formsAuth ?? new FormsAuthenticationService();
-			this.RelyingParty = relyingParty ?? new OpenIdRelyingPartyService();
-		}
-
-		/// <summary>
-		/// Gets the forms authentication module to use.
-		/// </summary>
-		public IFormsAuthentication FormsAuth { get; private set; }
-
-		/// <summary>
-		/// Gets the OpenID relying party to use for logging users in.
-		/// </summary>
-		public IOpenIdRelyingParty RelyingParty { get; private set; }
-
-		/// <summary>
-		/// Prepares a web page to help the user supply his login information.
-		/// </summary>
-		/// <returns>The action result.</returns>
-		public ActionResult LogOn() {
-			return View();
-		}
-
-		/// <summary>
-		/// Accepts the login information provided by the user and redirects
-		/// the user to their Provider to complete authentication.
-		/// </summary>
-		/// <param name="openid_identifier">The user-supplied identifier.</param>
-		/// <param name="rememberMe">Whether the user wants a persistent cookie.</param>
-		/// <param name="returnUrl">The URL to direct the user to after successfully authenticating.</param>
-		/// <returns>The action result.</returns>
-		[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
-		public ActionResult LogOn(string openid_identifier, bool rememberMe, string returnUrl) {
-			Identifier userSuppliedIdentifier;
-			if (Identifier.TryParse(openid_identifier, out userSuppliedIdentifier)) {
-				try {
-					var request = this.RelyingParty.CreateRequest(openid_identifier, Realm.AutoDetect, Url.ActionFull("LogOnReturnTo"));
-					request.SetUntrustedCallbackArgument("rememberMe", rememberMe ? "1" : "0");
-
-					// This might be signed so the OP can't send the user to a dangerous URL.
-					// Of course, if that itself was a danger then the site is vulnerable to XSRF attacks anyway.
-					if (!string.IsNullOrEmpty(returnUrl)) {
-						request.SetUntrustedCallbackArgument("returnUrl", returnUrl);
-					}
-
-					// Ask for the user's email, not because we necessarily need it to do our work,
-					// but so we can display something meaningful to the user as their "username"
-					// when they log in with a PPID from Google, for example.
-					request.AddExtension(new ClaimsRequest {
-						Email = DemandLevel.Require,
-						FullName = DemandLevel.Request,
-						PolicyUrl = Url.ActionFull("PrivacyPolicy", "Home"),
-					});
-
-					return request.RedirectingResponse.AsActionResult();
-				} catch (ProtocolException ex) {
-					ModelState.AddModelError("OpenID", ex.Message);
-				}
-			} else {
-				ModelState.AddModelError("openid_identifier", "This doesn't look like a valid OpenID.");
-			}
-
-			return View();
-		}
-
-		/// <summary>
-		/// Handles the positive assertion that comes from Providers.
-		/// </summary>
-		/// <returns>The action result.</returns>
-		/// <remarks>
-		/// This method instructs ASP.NET MVC to <i>not</i> validate input
-		/// because some OpenID positive assertions messages otherwise look like
-		/// hack attempts and result in errors when validation is turned on.
-		/// </remarks>
-		[AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post), ValidateInput(false)]
-		public ActionResult LogOnReturnTo() {
-			var response = this.RelyingParty.GetResponse();
-			if (response != null) {
-				switch (response.Status) {
-					case AuthenticationStatus.Authenticated:
-						var token = RelyingPartyLogic.User.ProcessUserLogin(response);
-						bool rememberMe = response.GetUntrustedCallbackArgument("rememberMe") == "1";
-						this.FormsAuth.SignIn(token.ClaimedIdentifier, rememberMe);
-						string returnUrl = response.GetUntrustedCallbackArgument("returnUrl");
-						if (!String.IsNullOrEmpty(returnUrl)) {
-							return Redirect(returnUrl);
-						} else {
-							return RedirectToAction("Index", "Home");
-						}
-					case AuthenticationStatus.Canceled:
-						ModelState.AddModelError("OpenID", "It looks like you canceled login at your OpenID Provider.");
-						break;
-					case AuthenticationStatus.Failed:
-						ModelState.AddModelError("OpenID", response.Exception.Message);
-						break;
-				}
-			}
-
-			// If we're to this point, login didn't complete successfully.
-			// Show the LogOn view again to show the user any errors and
-			// give another chance to complete login.
-			return View("LogOn");
-		}
-
-		/// <summary>
-		/// Logs the user out of the site and redirects the browser to our home page.
-		/// </summary>
-		/// <returns>The action result.</returns>
-		public ActionResult LogOff() {
-			this.FormsAuth.SignOut();
-			return RedirectToAction("Index", "Home");
-		}
-
 		[Authorize]
 		public ActionResult Edit() {
 			return View(GetAccountInfoModel());
@@ -243,47 +111,10 @@
 			return PartialView("AuthorizedApps", GetAccountInfoModel());
 		}
 
-		[Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
-		public ActionResult AddAuthenticationTokenReturnTo(string openid_identifier) {
-			var response = this.RelyingParty.GetResponse();
-			if (response != null) {
-				switch (response.Status) {
-					case AuthenticationStatus.Authenticated:
-						Database.LoggedInUser.AuthenticationTokens.Add(new AuthenticationToken {
-							ClaimedIdentifier = response.ClaimedIdentifier,
-							FriendlyIdentifier = response.FriendlyIdentifierForDisplay,
-						});
-						Database.DataContext.SaveChanges();
-						break;
-					default:
-						break;
-				}
-			}
-
-			return RedirectToAction("Edit");
-		}
-
-		[Authorize, AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
-		public ActionResult AddAuthenticationToken(string openid_identifier) {
-			Identifier userSuppliedIdentifier;
-			if (Identifier.TryParse(openid_identifier, out userSuppliedIdentifier)) {
-				try {
-					var request = this.RelyingParty.CreateRequest(userSuppliedIdentifier, Realm.AutoDetect, Url.ActionFull("AddAuthenticationTokenReturnTo"));
-					return request.RedirectingResponse.AsActionResult();
-				} catch (ProtocolException ex) {
-					ModelState.AddModelError("openid_identifier", ex);
-				}
-			} else {
-				ModelState.AddModelError("openid_identifier", "This doesn't look like a valid OpenID.");
-			}
-
-			return View("Edit", GetAccountInfoModel());
-		}
-
 		private static AccountInfoModel GetAccountInfoModel() {
 			var authorizedApps = from token in Database.DataContext.IssuedTokens.OfType<IssuedAccessToken>()
-			                     where token.User.UserId == Database.LoggedInUser.UserId
-			                     select new AccountInfoModel.AuthorizedApp { AppName = token.Consumer.Name, Token = token.Token };
+								 where token.User.UserId == Database.LoggedInUser.UserId
+								 select new AccountInfoModel.AuthorizedApp { AppName = token.Consumer.Name, Token = token.Token };
 			Database.LoggedInUser.AuthenticationTokens.Load();
 			var model = new AccountInfoModel {
 				FirstName = Database.LoggedInUser.FirstName,
diff --git a/projecttemplates/MvcRelyingParty/Controllers/AuthController.cs b/projecttemplates/MvcRelyingParty/Controllers/AuthController.cs
new file mode 100644
index 0000000..be5e4b1
--- /dev/null
+++ b/projecttemplates/MvcRelyingParty/Controllers/AuthController.cs
@@ -0,0 +1,225 @@
+//-----------------------------------------------------------------------
+// <copyright file="AuthController.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace MvcRelyingParty.Controllers {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Net;
+	using System.Web;
+	using System.Web.Mvc;
+	using DotNetOpenAuth.Messaging;
+	using DotNetOpenAuth.OpenId;
+	using DotNetOpenAuth.OpenId.RelyingParty;
+	using RelyingPartyLogic;
+
+	public class AuthController : Controller {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AuthController"/> class.
+		/// </summary>
+		/// <remarks>
+		/// This constructor is used by the MVC framework to instantiate the controller using
+		/// the default forms authentication and OpenID services.
+		/// </remarks>
+		public AuthController()
+			: this(null, null) {
+		}
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AuthController"/> class.
+		/// </summary>
+		/// <param name="formsAuth">The forms auth.</param>
+		/// <param name="relyingParty">The relying party.</param>
+		/// <remarks>
+		/// This constructor is not used by the MVC framework but is instead provided for ease
+		/// of unit testing this type. 
+		/// </remarks>
+		public AuthController(IFormsAuthentication formsAuth, IOpenIdRelyingParty relyingParty) {
+			this.FormsAuth = formsAuth ?? new FormsAuthenticationService();
+			this.RelyingParty = relyingParty ?? new OpenIdRelyingPartyService();
+		}
+
+		/// <summary>
+		/// Gets the forms authentication module to use.
+		/// </summary>
+		public IFormsAuthentication FormsAuth { get; private set; }
+
+		/// <summary>
+		/// Gets the OpenID relying party to use for logging users in.
+		/// </summary>
+		public IOpenIdRelyingParty RelyingParty { get; private set; }
+
+		private Uri PrivacyPolicyUrl {
+			get {
+				return Url.ActionFull("PrivacyPolicy", "Home");
+			}
+		}
+
+		/// <summary>
+		/// Performs discovery on a given identifier.
+		/// </summary>
+		/// <param name="identifier">The identifier on which to perform discovery.</param>
+		/// <returns>The JSON result of discovery.</returns>
+		public ActionResult Discover(string identifier) {
+			if (!this.Request.IsAjaxRequest()) {
+				throw new InvalidOperationException();
+			}
+
+			return this.RelyingParty.AjaxDiscovery(
+				identifier,
+				Realm.AutoDetect,
+				Url.ActionFull("PopUpReturnTo"),
+				this.PrivacyPolicyUrl);
+		}
+
+		/// <summary>
+		/// Prepares a web page to help the user supply his login information.
+		/// </summary>
+		/// <returns>The action result.</returns>
+		public ActionResult LogOn() {
+			this.PreloadDiscoveryResults();
+			return View();
+		}
+
+		/// <summary>
+		/// Prepares a web page to help the user supply his login information.
+		/// </summary>
+		/// <returns>The action result.</returns>
+		public ActionResult LogOnPopUp() {
+			this.PreloadDiscoveryResults();
+			return View();
+		}
+
+		/// <summary>
+		/// Handles the positive assertion that comes from Providers to Javascript running in the browser.
+		/// </summary>
+		/// <returns>The action result.</returns>
+		/// <remarks>
+		/// This method instructs ASP.NET MVC to <i>not</i> validate input
+		/// because some OpenID positive assertions messages otherwise look like
+		/// hack attempts and result in errors when validation is turned on.
+		/// </remarks>
+		[AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post), ValidateInput(false)]
+		public ActionResult PopUpReturnTo() {
+			return this.RelyingParty.ProcessAjaxOpenIdResponse();
+		}
+
+		/// <summary>
+		/// Handles the positive assertion that comes from Providers.
+		/// </summary>
+		/// <param name="openid_openidAuthData">The positive assertion obtained via AJAX.</param>
+		/// <returns>The action result.</returns>
+		/// <remarks>
+		/// This method instructs ASP.NET MVC to <i>not</i> validate input
+		/// because some OpenID positive assertions messages otherwise look like
+		/// hack attempts and result in errors when validation is turned on.
+		/// </remarks>
+		[AcceptVerbs(HttpVerbs.Post), ValidateInput(false)]
+		public ActionResult LogOnPostAssertion(string openid_openidAuthData) {
+			IAuthenticationResponse response;
+			if (!string.IsNullOrEmpty(openid_openidAuthData)) {
+				var auth = new Uri(openid_openidAuthData);
+				var headers = new WebHeaderCollection();
+				foreach (string header in Request.Headers) {
+					headers[header] = Request.Headers[header];
+				}
+
+				// Always say it's a GET since the payload is all in the URL, even the large ones.
+				HttpRequestInfo clientResponseInfo = new HttpRequestInfo("GET", auth, auth.PathAndQuery, headers, null);
+				response = this.RelyingParty.GetResponse(clientResponseInfo);
+			} else {
+				response = this.RelyingParty.GetResponse();
+			}
+			if (response != null) {
+				switch (response.Status) {
+					case AuthenticationStatus.Authenticated:
+						var token = RelyingPartyLogic.User.ProcessUserLogin(response);
+						this.FormsAuth.SignIn(token.ClaimedIdentifier, false);
+						string returnUrl = Request.Form["returnUrl"];
+						if (!String.IsNullOrEmpty(returnUrl)) {
+							return Redirect(returnUrl);
+						} else {
+							return RedirectToAction("Index", "Home");
+						}
+					case AuthenticationStatus.Canceled:
+						ModelState.AddModelError("OpenID", "It looks like you canceled login at your OpenID Provider.");
+						break;
+					case AuthenticationStatus.Failed:
+						ModelState.AddModelError("OpenID", response.Exception.Message);
+						break;
+				}
+			}
+
+			// If we're to this point, login didn't complete successfully.
+			// Show the LogOn view again to show the user any errors and
+			// give another chance to complete login.
+			return View("LogOn");
+		}
+
+		[Authorize, AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken, ValidateInput(false)]
+		public ActionResult AddAuthenticationToken(string openid_openidAuthData) {
+			IAuthenticationResponse response;
+			if (!string.IsNullOrEmpty(openid_openidAuthData)) {
+				var auth = new Uri(openid_openidAuthData);
+				var headers = new WebHeaderCollection();
+				foreach (string header in Request.Headers) {
+					headers[header] = Request.Headers[header];
+				}
+
+				// Always say it's a GET since the payload is all in the URL, even the large ones.
+				HttpRequestInfo clientResponseInfo = new HttpRequestInfo("GET", auth, auth.PathAndQuery, headers, null);
+				response = this.RelyingParty.GetResponse(clientResponseInfo);
+			} else {
+				response = this.RelyingParty.GetResponse();
+			}
+			if (response != null) {
+				switch (response.Status) {
+					case AuthenticationStatus.Authenticated:
+						string identifierString = response.ClaimedIdentifier;
+						var existing = Database.DataContext.AuthenticationTokens.Include("User").FirstOrDefault(token => token.ClaimedIdentifier == identifierString);
+						if (existing == null) {
+							Database.LoggedInUser.AuthenticationTokens.Add(new AuthenticationToken {
+								ClaimedIdentifier = response.ClaimedIdentifier,
+								FriendlyIdentifier = response.FriendlyIdentifierForDisplay,
+							});
+							Database.DataContext.SaveChanges();
+						} else {
+							if (existing.User != Database.LoggedInUser) {
+								// The supplied token is already bound to a different user account.
+								// TODO: communicate the problem to the user.
+							}
+						}
+						break;
+					default:
+						break;
+				}
+			}
+
+			return RedirectToAction("Edit", "Account");
+		}
+
+		/// <summary>
+		/// Logs the user out of the site and redirects the browser to our home page.
+		/// </summary>
+		/// <returns>The action result.</returns>
+		public ActionResult LogOff() {
+			this.FormsAuth.SignOut();
+			return RedirectToAction("Index", "Home");
+		}
+
+		/// <summary>
+		/// Preloads discovery results for the OP buttons we display on the selector in the ViewData.
+		/// </summary>
+		private void PreloadDiscoveryResults() {
+			this.ViewData["PreloadedDiscoveryResults"] = this.RelyingParty.PreloadDiscoveryResults(
+				Realm.AutoDetect,
+				Url.ActionFull("PopUpReturnTo"),
+				this.PrivacyPolicyUrl,
+				"https://me.yahoo.com/",
+				"https://www.google.com/accounts/o8/id");
+		}
+	}
+}
diff --git a/projecttemplates/MvcRelyingParty/Controllers/HomeController.cs b/projecttemplates/MvcRelyingParty/Controllers/HomeController.cs
index 7182862..0bf7ab3 100644
--- a/projecttemplates/MvcRelyingParty/Controllers/HomeController.cs
+++ b/projecttemplates/MvcRelyingParty/Controllers/HomeController.cs
@@ -8,7 +8,7 @@
 	[HandleError]
 	public class HomeController : Controller {
 		public ActionResult Index() {
-			ViewData["Message"] = "Welcome to ASP.NET MVC!";
+			ViewData["Message"] = "Welcome to ASP.NET MVC with OpenID RP + OAuth SP support!";
 
 			return View();
 		}