Diffstat (limited to 'samples/OpenIdProviderMvc/Controllers')
3 files changed, 68 insertions, 78 deletions
diff --git a/samples/OpenIdProviderMvc/Controllers/HomeController.cs b/samples/OpenIdProviderMvc/Controllers/HomeController.cs
index 346e838..fb03ce2 100644
--- a/samples/OpenIdProviderMvc/Controllers/HomeController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/HomeController.cs
@@ -9,6 +9,7 @@ public class HomeController : Controller {
 
 		public ActionResult Index() {
 			if (Request.AcceptTypes.Contains("application/xrds+xml")) {
+				ViewData["OPIdentifier"] = true;
 				return View("Xrds");
 			}
 
@@ -21,10 +22,7 @@
 		}
 
 		public ActionResult Xrds() {
-			return View();
-		}
-
-		public ActionResult PpidXrds() {
+			ViewData["OPIdentifier"] = true;
 			return View();
 		}
 	}
diff --git a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
index e353268..bd0fdbf 100644
--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -5,9 +5,10 @@ namespace OpenIdProviderMvc.Controllers {
 	using System.Web;
 	using System.Web.Mvc;
 	using System.Web.Mvc.Ajax;
-	using DotNetOpenAuth.ApplicationBlock.Provider;
 	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OpenId;
+	using DotNetOpenAuth.OpenId.Behaviors;
+	using DotNetOpenAuth.OpenId.Extensions.ProviderAuthenticationPolicy;
 	using DotNetOpenAuth.OpenId.Provider;
 	using OpenIdProviderMvc.Code;
 
@@ -20,67 +21,18 @@ namespace OpenIdProviderMvc.Controllers {
 		}
 
 		[ValidateInput(false)]
-		public ActionResult PpidProvider() {
-			return this.DoProvider(true);
-		}
-
-		[ValidateInput(false)]
 		public ActionResult Provider() {
-			return this.DoProvider(false);
-		}
-
-		[Authorize]
-		public ActionResult SendAssertion(bool pseudonymous) {
-			IAuthenticationRequest authReq = PendingAuthenticationRequest;
-			PendingAuthenticationRequest = null;
-			if (authReq == null) {
-				throw new InvalidOperationException();
-			}
-
-			Identifier localIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
-
-			if (pseudonymous) {
-				if (!authReq.IsDirectedIdentity) {
-					throw new InvalidOperationException("Directed identity is the only supported scenario for anonymous identifiers.");
-				}
-
-				var anonProvider = new AnonymousIdentifierProvider();
-				authReq.ScrubPersonallyIdentifiableInformation(localIdentifier, anonProvider, true);
-				authReq.IsAuthenticated = true;
-			} else {
-				if (authReq.IsDirectedIdentity) {
-					authReq.LocalIdentifier = localIdentifier;
-					authReq.ClaimedIdentifier = localIdentifier;
-					authReq.IsAuthenticated = true;
-				} else {
-					if (authReq.LocalIdentifier == localIdentifier) {
-						authReq.IsAuthenticated = true;
-						if (!authReq.IsDelegatedIdentifier) {
-							authReq.ClaimedIdentifier = authReq.LocalIdentifier;
-						}
-					} else {
-						authReq.IsAuthenticated = false;
-					}
-				}
-
-				// TODO: Respond to AX/sreg extension requests here.
-				// We don't want to add these extension responses for anonymous identifiers
-				// because they could leak information about the user's identity.
-			}
-
-			return OpenIdProvider.PrepareResponse(authReq).AsActionResult();
-		}
-
-		private ActionResult DoProvider(bool pseudonymous) {
 			IRequest request = OpenIdProvider.GetRequest();
 			if (request != null) {
 				var authRequest = request as IAuthenticationRequest;
 				if (authRequest != null) {
 					PendingAuthenticationRequest = authRequest;
-					if (User.Identity.IsAuthenticated && (authRequest.IsDirectedIdentity || Models.User.GetClaimedIdentifierForUser(User.Identity.Name) == authRequest.LocalIdentifier)) {
-						return this.SendAssertion(pseudonymous);
+					if (authRequest.IsReturnUrlDiscoverable(OpenIdProvider) == RelyingPartyDiscoveryResult.Success &&
+						User.Identity.IsAuthenticated &&
+						(authRequest.IsDirectedIdentity || this.UserControlsIdentifier(authRequest))) {
+						return this.SendAssertion();
 					} else {
-						return RedirectToAction("LogOn", "Account", new { returnUrl = Url.Action("SendAssertion", new { pseudonymous = pseudonymous }) });
+						return RedirectToAction("LogOn", "Account", new { returnUrl = Url.Action("SendAssertion") });
 					}
 				}
 
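Review bot: A failed return_to discovery is not rejected by the new condition in Provider(): when `IsReturnUrlDiscoverable` returns anything other than `RelyingPartyDiscoveryResult.Success` the `&&` chain is false, control drops into the `else` branch and the user is sent to LogOn with SendAssertion as the returnUrl, and SendAssertion (added later in this commit) does not repeat the discovery check, so after login a positive assertion is still issued to a return_to that the realm does not vouch for. Test the discovery result on its own before `PendingAuthenticationRequest = authRequest;` and answer with a negative assertion instead of parking the request for a later SendAssertion, as sketched below. Provider()'s body continues past the end of the hunk.
```csharp
				if (authRequest != null) {
					// Do not proceed (now or after login) when the realm does not vouch for return_to.
					if (authRequest.IsReturnUrlDiscoverable(OpenIdProvider) != RelyingPartyDiscoveryResult.Success) {
						authRequest.IsAuthenticated = false;
						return OpenIdProvider.PrepareResponse(authRequest).AsActionResult();
					}

					PendingAuthenticationRequest = authRequest;
					if (User.Identity.IsAuthenticated &&
						(authRequest.IsDirectedIdentity || this.UserControlsIdentifier(authRequest))) {
						return this.SendAssertion();
					}
					// … unchanged: LogOn redirect …
```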
@@ -93,5 +45,46 @@ namespace OpenIdProviderMvc.Controllers {
 				return View();
 			}
 		}
+
+		[Authorize]
+		public ActionResult SendAssertion() {
+			IAuthenticationRequest authReq = PendingAuthenticationRequest;
+			PendingAuthenticationRequest = null; // clear session static so we don't do this again
+			if (authReq == null) {
+				throw new InvalidOperationException("There's no pending authentication request!");
+			}
+
+			if (authReq.IsDirectedIdentity) {
+				authReq.LocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			}
+			if (!authReq.IsDelegatedIdentifier) {
+				authReq.ClaimedIdentifier = authReq.LocalIdentifier;
+			}
+
+			// Respond to AX/sreg extension requests.
+			//// Real web sites would have code here
+
+			authReq.IsAuthenticated = this.UserControlsIdentifier(authReq);
+			return OpenIdProvider.PrepareResponse(authReq).AsActionResult();
+		}
+
+		/// <summary>
+		/// Checks whether the logged in user controls the OP local identifier in the given authentication request.
+		/// </summary>
+		/// <param name="authReq">The authentication request.</param>
+		/// <returns><c>true</c> if the user controls the identifier; <c>false</c> otherwise.</returns>
+		private bool UserControlsIdentifier(IAuthenticationRequest authReq) {
+			if (authReq == null) {
+				throw new ArgumentNullException("authReq");
+			}
+
+			if (User == null || User.Identity == null) {
+				return false;
+			}
+
+			Uri userLocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
+			return authReq.LocalIdentifier == userLocalIdentifier ||
+				authReq.LocalIdentifier == PpidGeneration.PpidIdentifierProvider.GetIdentifier(userLocalIdentifier, authReq.Realm);
+		}
 	}
 }
diff --git a/samples/OpenIdProviderMvc/Controllers/UserController.cs b/samples/OpenIdProviderMvc/Controllers/UserController.cs
index 8b3f944..5e0c21f 100644
--- a/samples/OpenIdProviderMvc/Controllers/UserController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/UserController.cs
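Review bot: The placeholder `//// Real web sites would have code here` in SendAssertion drops the caution the removed code carried about extension responses: when the identifier being asserted is the per-realm PPID (the second alternative in UserControlsIdentifier), answering an AX/sreg request with profile data would tie the pseudonym back to the account. Keep that in the comment, e.g. `// Respond to AX/sreg extension requests here, but only when authReq.LocalIdentifier is the user's real identifier; attaching profile data to a PPID assertion defeats its pseudonymity.` Separately, `PpidGeneration.PpidIdentifierProvider` is dereferenced without a null check in UserControlsIdentifier, so if no provider is configured (not visible in this diff) the comparison throws instead of returning false; either guard it or state the expectation in the method's summary.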
@@ -7,38 +7,37 @@ namespace OpenIdProviderMvc.Controllers {
 	using System.Web.Mvc.Ajax;
 
 	public class UserController : Controller {
-		public ActionResult PpidIdentity() {
-			if (Request.AcceptTypes.Contains("application/xrds+xml")) {
-				return View("PpidXrds");
-			}
-
-			return View();
-		}
-
-		public ActionResult Identity(string id) {
-			var redirect = this.RedirectIfNotNormalizedRequestUri();
-			if (redirect != null) {
-				return redirect;
+		/// <summary>
+		/// Identities the specified id.
+		/// </summary>
+		/// <param name="id">The username or anonymous identifier.</param>
+		/// <param name="anon">if set to <c>true</c> then <paramref name="id"/> represents an anonymous identifier rather than a username.</param>
+		/// <returns>The view to display.</returns>
+		public ActionResult Identity(string id, bool anon) {
+			if (!anon) {
+				var redirect = this.RedirectIfNotNormalizedRequestUri(id);
+				if (redirect != null) {
+					return redirect;
+				}
 			}
 
 			if (Request.AcceptTypes != null && Request.AcceptTypes.Contains("application/xrds+xml")) {
 				return View("Xrds");
 			}
 
-			this.ViewData["username"] = id;
-			return View();
-		}
+			if (!anon) {
+				this.ViewData["username"] = id;
+			}
 
-		public ActionResult Xrds(string id) {
 			return View();
 		}
 
-		public ActionResult PpidXrds() {
+		public ActionResult Xrds(string id) {
 			return View();
 		}
 
-		private ActionResult RedirectIfNotNormalizedRequestUri() {
-			Uri normalized = Models.User.GetNormalizedClaimedIdentifier(Request.Url);
+		private ActionResult RedirectIfNotNormalizedRequestUri(string user) {
+			Uri normalized = Models.User.GetClaimedIdentifierForUser(user);
 			if (Request.Url != normalized) {
 				return Redirect(normalized.AbsoluteUri);
 			}
|
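Review bot: The summary `/// Identities the specified id.` on Identity is a generator stub and does not describe the action; replace it with `/// Displays the identity page for a user or anonymous identifier, or the XRDS document when the client asks for application/xrds+xml.` The remarks should also record that with `anon` set the normalization redirect is skipped and `id` is never placed in ViewData, and that `anon` is a non-nullable bool, so a request that omits it fails model binding unless a route default supplies one (not visible in this diff). RedirectIfNotNormalizedRequestUri now builds the redirect target from the route-supplied `id` through GetClaimedIdentifierForUser instead of from Request.Url; that is only safe as an open-redirect matter if the helper composes the URI from a fixed base rather than echoing its argument, which is worth confirming and stating in a comment on the call.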