1 files changed, 26 insertions, 43 deletions

diff --git a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
index d70401a..bd0fdbf 100644
--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -7,6 +7,7 @@ namespace OpenIdProviderMvc.Controllers {
 	using System.Web.Mvc.Ajax;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId;
+	using DotNetOpenAuth.OpenId.Behaviors;
 	using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;
 	using DotNetOpenAuth.OpenId.Provider;
 	using OpenIdProviderMvc.Code;
@@ -14,8 +15,6 @@ namespace OpenIdProviderMvc.Controllers {
 	public class OpenIdController : Controller {
 		internal static OpenIdProvider OpenIdProvider = new OpenIdProvider();
 
-		private static AnonymousIdentifierProvider anonProvider = new AnonymousIdentifierProvider();
-
 		internal static IAuthenticationRequest PendingAuthenticationRequest {
 			get { return ProviderEndpoint.PendingAuthenticationRequest; }
 			set { ProviderEndpoint.PendingAuthenticationRequest = value; }
@@ -30,7 +29,7 @@ namespace OpenIdProviderMvc.Controllers {
 					PendingAuthenticationRequest = authRequest;
 					if (authRequest.IsReturnUrlDiscoverable(OpenIdProvider) == RelyingPartyDiscoveryResult.Success &&
 						User.Identity.IsAuthenticated &&
-						(authRequest.IsDirectedIdentity || Models.User.GetClaimedIdentifierForUser(User.Identity.Name) == authRequest.LocalIdentifier)) {
+						(authRequest.IsDirectedIdentity || this.UserControlsIdentifier(authRequest))) {
 						return this.SendAssertion();
 					} else {
 						return RedirectToAction("LogOn", "Account", new { returnUrl = Url.Action("SendAssertion") });
@@ -50,58 +49,42 @@ namespace OpenIdProviderMvc.Controllers {
 		[Authorize]
 		public ActionResult SendAssertion() {
 			IAuthenticationRequest authReq = PendingAuthenticationRequest;
-			PendingAuthenticationRequest = null;
+			PendingAuthenticationRequest = null; // clear session static so we don't do this again
 			if (authReq == null) {
-				throw new InvalidOperationException();
+				throw new InvalidOperationException("There's no pending authentication request!");
 			}
 
-			Identifier localIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
-			if (this.IsPpidRequested(authReq)) {
-				if (!authReq.IsDirectedIdentity) {
-					throw new InvalidOperationException("Directed identity is the only supported scenario for anonymous identifiers.");
-				}
-
-				var anonymousIdentifier = anonProvider.GetIdentifier(localIdentifier, authReq.Realm);
-				authReq.ClaimedIdentifier = anonymousIdentifier;
-				authReq.LocalIdentifier = anonymousIdentifier;
-				authReq.IsAuthenticated = true;
-			} else {
-				if (authReq.IsDirectedIdentity) {
-					authReq.LocalIdentifier = localIdentifier;
-					authReq.ClaimedIdentifier = localIdentifier;
-					authReq.IsAuthenticated = true;
-				} else {
-					if (authReq.LocalIdentifier == localIdentifier) {
-						authReq.IsAuthenticated = true;
-						if (!authReq.IsDelegatedIdentifier) {
-							authReq.ClaimedIdentifier = authReq.LocalIdentifier;
-						}
-					} else {
-						authReq.IsAuthenticated = false;
-					}
-				}
-
-				// TODO: Respond to AX/sreg extension requests here.
-				// We don't want to add these extension responses for anonymous identifiers
-				// because they could leak information about the user's identity.
+			if (authReq.IsDirectedIdentity) {
+				authReq.LocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			}
+			if (!authReq.IsDelegatedIdentifier) {
+				authReq.ClaimedIdentifier = authReq.LocalIdentifier;
 			}
 
+			// Respond to AX/sreg extension requests.
+			//// Real web sites would have code here
+
+			authReq.IsAuthenticated = this.UserControlsIdentifier(authReq);
 			return OpenIdProvider.PrepareResponse(authReq).AsActionResult();
 		}
 
-		private bool IsPpidRequested(IAuthenticationRequest authRequest) {
-			if (authRequest == null) {
-				throw new ArgumentNullException("authRequest");
+		/// <summary>
+		/// Checks whether the logged in user controls the OP local identifier in the given authentication request.
+		/// </summary>
+		/// <param name="authReq">The authentication request.</param>
+		/// <returns><c>true</c> if the user controls the identifier; <c>false</c> otherwise.</returns>
+		private bool UserControlsIdentifier(IAuthenticationRequest authReq) {
+			if (authReq == null) {
+				throw new ArgumentNullException("authReq");
 			}
 
-			var pape = authRequest.GetExtension<PolicyRequest>();
-			if (pape != null) {
-				if (pape.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
-					return true;
-				}
+			if (User == null || User.Identity == null) {
+				return false;
 			}
 
-			return false;
+			Uri userLocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			return authReq.LocalIdentifier == userLocalIdentifier ||
+				authReq.LocalIdentifier == PpidGeneration.PpidIdentifierProvider.GetIdentifier(userLocalIdentifier, authReq.Realm);
 		}
 	}
 }