diff options
Diffstat (limited to 'src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty')
6 files changed, 0 insertions, 1151 deletions
diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/AuthenticationStatus.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/AuthenticationStatus.cs deleted file mode 100644 index d9e5d0a..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/AuthenticationStatus.cs +++ /dev/null @@ -1,43 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="AuthenticationStatus.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OpenId.RelyingParty { - /// <summary> - /// An enumeration of the possible results of an authentication attempt. - /// </summary> - public enum AuthenticationStatus { - /// <summary> - /// The authentication was canceled by the user agent while at the provider. - /// </summary> - Canceled, - - /// <summary> - /// The authentication failed because an error was detected in the OpenId communication. - /// </summary> - Failed, - - /// <summary> - /// <para>The Provider responded to a request for immediate authentication approval - /// with a message stating that additional user agent interaction is required - /// before authentication can be completed.</para> - /// <para>Casting the <see cref="IAuthenticationResponse"/> to a - /// <see cref="ISetupRequiredAuthenticationResponse"/> in this case can help - /// you retry the authentication using setup (non-immediate) mode.</para> - /// </summary> - SetupRequired, - - /// <summary> - /// Authentication is completed successfully. - /// </summary> - Authenticated, - - /// <summary> - /// The Provider sent a message that did not contain an identity assertion, - /// but may carry OpenID extensions. - /// </summary> - ExtensionsOnly, - } -} diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequest.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequest.cs deleted file mode 100644 index 65db0bd..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequest.cs +++ /dev/null @@ -1,186 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="IAuthenticationRequest.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OpenId.RelyingParty { - using System; - using System.Collections.Generic; - using System.Diagnostics.Contracts; - using System.Linq; - using System.Text; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OpenId.Messages; - - /// <summary> - /// Instances of this interface represent relying party authentication - /// requests that may be queried/modified in specific ways before being - /// routed to the OpenID Provider. - /// </summary> - [ContractClass(typeof(IAuthenticationRequestContract))] - public interface IAuthenticationRequest { - /// <summary> - /// Gets or sets the mode the Provider should use during authentication. - /// </summary> - AuthenticationRequestMode Mode { get; set; } - - /// <summary> - /// Gets the HTTP response the relying party should send to the user agent - /// to redirect it to the OpenID Provider to start the OpenID authentication process. - /// </summary> - OutgoingWebResponse RedirectingResponse { get; } - - /// <summary> - /// Gets the URL that the user agent will return to after authentication - /// completes or fails at the Provider. - /// </summary> - Uri ReturnToUrl { get; } - - /// <summary> - /// Gets the URL that identifies this consumer web application that - /// the Provider will display to the end user. - /// </summary> - Realm Realm { get; } - - /// <summary> - /// Gets the Claimed Identifier that the User Supplied Identifier - /// resolved to. Null if the user provided an OP Identifier - /// (directed identity). - /// </summary> - /// <remarks> - /// Null is returned if the user is using the directed identity feature - /// of OpenID 2.0 to make it nearly impossible for a relying party site - /// to improperly store the reserved OpenID URL used for directed identity - /// as a user's own Identifier. - /// However, to test for the Directed Identity feature, please test the - /// <see cref="IsDirectedIdentity"/> property rather than testing this - /// property for a null value. - /// </remarks> - Identifier ClaimedIdentifier { get; } - - /// <summary> - /// Gets a value indicating whether the authenticating user has chosen to let the Provider - /// determine and send the ClaimedIdentifier after authentication. - /// </summary> - bool IsDirectedIdentity { get; } - - /// <summary> - /// Gets or sets a value indicating whether this request only carries extensions - /// and is not a request to verify that the user controls some identifier. - /// </summary> - /// <value> - /// <c>true</c> if this request is merely a carrier of extensions and is not - /// about an OpenID identifier; otherwise, <c>false</c>. - /// </value> - /// <remarks> - /// <para>Although OpenID is first and primarily an authentication protocol, its extensions - /// can be interesting all by themselves. For instance, a relying party might want - /// to know that its user is over 21 years old, or perhaps a member of some organization. - /// OpenID extensions can provide this, without any need for asserting the identity of the user.</para> - /// <para>Constructing an OpenID request for only extensions can be done by calling - /// <see cref="OpenIdRelyingParty.CreateRequest(Identifier)"/> with any valid OpenID identifier - /// (claimed identifier or OP identifier). But once this property is set to <c>true</c>, - /// the claimed identifier value in the request is not included in the transmitted message.</para> - /// <para>It is anticipated that an RP would only issue these types of requests to OPs that - /// trusts to make assertions regarding the individual holding an account at that OP, so it - /// is not likely that the RP would allow the user to type in an arbitrary claimed identifier - /// without checking that it resolved to an OP endpoint the RP has on a trust whitelist.</para> - /// </remarks> - bool IsExtensionOnly { get; set; } - - /// <summary> - /// Gets information about the OpenId Provider, as advertised by the - /// OpenID discovery documents found at the <see cref="ClaimedIdentifier"/> - /// location. - /// </summary> - IProviderEndpoint Provider { get; } - - /// <summary> - /// Gets the discovery result leading to the formulation of this request. - /// </summary> - /// <value>The discovery result.</value> - IdentifierDiscoveryResult DiscoveryResult { get; } - - /// <summary> - /// Makes a dictionary of key/value pairs available when the authentication is completed. - /// </summary> - /// <param name="arguments">The arguments to add to the request's return_to URI. Values must not be null.</param> - /// <remarks> - /// <para>Note that these values are NOT protected against eavesdropping in transit. No - /// privacy-sensitive data should be stored using this method.</para> - /// <para>The values stored here can be retrieved using - /// <see cref="IAuthenticationResponse.GetCallbackArgument"/>, which will only return the value - /// if it can be verified as untampered with in transit.</para> - /// <para>Since the data set here is sent in the querystring of the request and some - /// servers place limits on the size of a request URL, this data should be kept relatively - /// small to ensure successful authentication. About 1.5KB is about all that should be stored.</para> - /// </remarks> - void AddCallbackArguments(IDictionary<string, string> arguments); - - /// <summary> - /// Makes a key/value pair available when the authentication is completed. - /// </summary> - /// <param name="key">The parameter name.</param> - /// <param name="value">The value of the argument. Must not be null.</param> - /// <remarks> - /// <para>Note that these values are NOT protected against eavesdropping in transit. No - /// privacy-sensitive data should be stored using this method.</para> - /// <para>The value stored here can be retrieved using - /// <see cref="IAuthenticationResponse.GetCallbackArgument"/>, which will only return the value - /// if it can be verified as untampered with in transit.</para> - /// <para>Since the data set here is sent in the querystring of the request and some - /// servers place limits on the size of a request URL, this data should be kept relatively - /// small to ensure successful authentication. About 1.5KB is about all that should be stored.</para> - /// </remarks> - void AddCallbackArguments(string key, string value); - - /// <summary> - /// Makes a key/value pair available when the authentication is completed. - /// </summary> - /// <param name="key">The parameter name.</param> - /// <param name="value">The value of the argument. Must not be null.</param> - /// <remarks> - /// <para>Note that these values are NOT protected against eavesdropping in transit. No - /// security-sensitive data should be stored using this method.</para> - /// <para>The value stored here can be retrieved using - /// <see cref="IAuthenticationResponse.GetCallbackArgument"/>.</para> - /// <para>Since the data set here is sent in the querystring of the request and some - /// servers place limits on the size of a request URL, this data should be kept relatively - /// small to ensure successful authentication. About 1.5KB is about all that should be stored.</para> - /// </remarks> - void SetCallbackArgument(string key, string value); - - /// <summary> - /// Makes a key/value pair available when the authentication is completed without - /// requiring a return_to signature to protect against tampering of the callback argument. - /// </summary> - /// <param name="key">The parameter name.</param> - /// <param name="value">The value of the argument. Must not be null.</param> - /// <remarks> - /// <para>Note that these values are NOT protected against eavesdropping or tampering in transit. No - /// security-sensitive data should be stored using this method. </para> - /// <para>The value stored here can be retrieved using - /// <see cref="IAuthenticationResponse.GetCallbackArgument"/>.</para> - /// <para>Since the data set here is sent in the querystring of the request and some - /// servers place limits on the size of a request URL, this data should be kept relatively - /// small to ensure successful authentication. About 1.5KB is about all that should be stored.</para> - /// </remarks> - void SetUntrustedCallbackArgument(string key, string value); - - /// <summary> - /// Adds an OpenID extension to the request directed at the OpenID provider. - /// </summary> - /// <param name="extension">The initialized extension to add to the request.</param> - void AddExtension(IOpenIdMessageExtension extension); - - /// <summary> - /// Redirects the user agent to the provider for authentication. - /// Execution of the current page terminates after this call. - /// </summary> - /// <remarks> - /// This method requires an ASP.NET HttpContext. - /// </remarks> - void RedirectToProvider(); - } -} diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequestContract.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequestContract.cs deleted file mode 100644 index cd36cc7..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationRequestContract.cs +++ /dev/null @@ -1,111 +0,0 @@ -// <auto-generated /> - -namespace DotNetOpenAuth.OpenId.RelyingParty { - using System; - using System.Collections.Generic; - using System.Diagnostics.Contracts; - using System.Linq; - using System.Text; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OpenId.Messages; - - [ContractClassFor(typeof(IAuthenticationRequest))] - internal abstract class IAuthenticationRequestContract : IAuthenticationRequest { - #region IAuthenticationRequest Members - - AuthenticationRequestMode IAuthenticationRequest.Mode { - get { - throw new NotImplementedException(); - } - - set { - throw new NotImplementedException(); - } - } - - OutgoingWebResponse IAuthenticationRequest.RedirectingResponse { - get { throw new NotImplementedException(); } - } - - Uri IAuthenticationRequest.ReturnToUrl { - get { throw new NotImplementedException(); } - } - - Realm IAuthenticationRequest.Realm { - get { - Contract.Ensures(Contract.Result<Realm>() != null); - throw new NotImplementedException(); - } - } - - Identifier IAuthenticationRequest.ClaimedIdentifier { - get { - throw new NotImplementedException(); - } - } - - bool IAuthenticationRequest.IsDirectedIdentity { - get { throw new NotImplementedException(); } - } - - bool IAuthenticationRequest.IsExtensionOnly { - get { - throw new NotImplementedException(); - } - - set { - throw new NotImplementedException(); - } - } - - IProviderEndpoint IAuthenticationRequest.Provider { - get { - Contract.Ensures(Contract.Result<IProviderEndpoint>() != null); - throw new NotImplementedException(); - } - } - - IdentifierDiscoveryResult IAuthenticationRequest.DiscoveryResult { - get { - Contract.Ensures(Contract.Result<IdentifierDiscoveryResult>() != null); - throw new NotImplementedException(); - } - } - - void IAuthenticationRequest.AddCallbackArguments(IDictionary<string, string> arguments) { - Contract.Requires<ArgumentNullException>(arguments != null); - Contract.Requires<ArgumentException>(arguments.Keys.All(k => !String.IsNullOrEmpty(k))); - Contract.Requires<ArgumentException>(arguments.Values.All(v => v != null)); - throw new NotImplementedException(); - } - - void IAuthenticationRequest.AddCallbackArguments(string key, string value) { - Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(key)); - Contract.Requires<ArgumentNullException>(value != null); - throw new NotImplementedException(); - } - - void IAuthenticationRequest.SetCallbackArgument(string key, string value) { - Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(key)); - Contract.Requires<ArgumentNullException>(value != null); - throw new NotImplementedException(); - } - - void IAuthenticationRequest.AddExtension(IOpenIdMessageExtension extension) { - Contract.Requires<ArgumentNullException>(extension != null); - throw new NotImplementedException(); - } - - void IAuthenticationRequest.RedirectToProvider() { - throw new NotImplementedException(); - } - - void IAuthenticationRequest.SetUntrustedCallbackArgument(string key, string value) { - Contract.Requires<ArgumentException>(!string.IsNullOrEmpty(key)); - Contract.Requires<ArgumentNullException>(value != null); - throw new NotImplementedException(); - } - - #endregion - } -} diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationResponse.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationResponse.cs deleted file mode 100644 index a24220f..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IAuthenticationResponse.cs +++ /dev/null @@ -1,532 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="IAuthenticationResponse.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OpenId.RelyingParty { - using System; - using System.Collections.Generic; - using System.Diagnostics.CodeAnalysis; - using System.Diagnostics.Contracts; - using System.Globalization; - using System.Text; - using System.Web; - using DotNetOpenAuth.OpenId.Extensions; - using DotNetOpenAuth.OpenId.Messages; - - /// <summary> - /// An instance of this interface represents an identity assertion - /// from an OpenID Provider. It may be in response to an authentication - /// request previously put to it by a Relying Party site or it may be an - /// unsolicited assertion. - /// </summary> - /// <remarks> - /// Relying party web sites should handle both solicited and unsolicited - /// assertions. This interface does not offer a way to discern between - /// solicited and unsolicited assertions as they should be treated equally. - /// </remarks> - [ContractClass(typeof(IAuthenticationResponseContract))] - public interface IAuthenticationResponse { - /// <summary> - /// Gets the Identifier that the end user claims to own. For use with user database storage and lookup. - /// May be null for some failed authentications (i.e. failed directed identity authentications). - /// </summary> - /// <remarks> - /// <para> - /// This is the secure identifier that should be used for database storage and lookup. - /// It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects - /// user identities against spoofing and other attacks. - /// </para> - /// <para> - /// For user-friendly identifiers to display, use the - /// <see cref="FriendlyIdentifierForDisplay"/> property. - /// </para> - /// </remarks> - Identifier ClaimedIdentifier { get; } - - /// <summary> - /// Gets a user-friendly OpenID Identifier for display purposes ONLY. - /// </summary> - /// <remarks> - /// <para> - /// This <i>should</i> be put through <see cref="HttpUtility.HtmlEncode(string)"/> before - /// sending to a browser to secure against javascript injection attacks. - /// </para> - /// <para> - /// This property retains some aspects of the user-supplied identifier that get lost - /// in the <see cref="ClaimedIdentifier"/>. For example, XRIs used as user-supplied - /// identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD). - /// For display purposes, such as text on a web page that says "You're logged in as ...", - /// this property serves to provide the =Arnott string, or whatever else is the most friendly - /// string close to what the user originally typed in. - /// </para> - /// <para> - /// If the user-supplied identifier is a URI, this property will be the URI after all - /// redirects, and with the protocol and fragment trimmed off. - /// If the user-supplied identifier is an XRI, this property will be the original XRI. - /// If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com), - /// this property will be the Claimed Identifier, with the protocol stripped if it is a URI. - /// </para> - /// <para> - /// It is <b>very</b> important that this property <i>never</i> be used for database storage - /// or lookup to avoid identity spoofing and other security risks. For database storage - /// and lookup please use the <see cref="ClaimedIdentifier"/> property. - /// </para> - /// </remarks> - string FriendlyIdentifierForDisplay { get; } - - /// <summary> - /// Gets the detailed success or failure status of the authentication attempt. - /// </summary> - AuthenticationStatus Status { get; } - - /// <summary> - /// Gets information about the OpenId Provider, as advertised by the - /// OpenID discovery documents found at the <see cref="ClaimedIdentifier"/> - /// location, if available. - /// </summary> - /// <value> - /// The Provider endpoint that issued the positive assertion; - /// or <c>null</c> if information about the Provider is unavailable. - /// </value> - IProviderEndpoint Provider { get; } - - /// <summary> - /// Gets the details regarding a failed authentication attempt, if available. - /// This will be set if and only if <see cref="Status"/> is <see cref="AuthenticationStatus.Failed"/>. - /// </summary> - Exception Exception { get; } - - /// <summary> - /// Gets a callback argument's value that was previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>. - /// </summary> - /// <param name="key">The name of the parameter whose value is sought.</param> - /// <returns> - /// The value of the argument, or null if the named parameter could not be found. - /// </returns> - /// <remarks> - /// Callback parameters are only available if they are complete and untampered with - /// since the original request message (as proven by a signature). - /// If the relying party is operating in stateless mode <c>null</c> is always - /// returned since the callback arguments could not be signed to protect against - /// tampering. - /// </remarks> - string GetCallbackArgument(string key); - - /// <summary> - /// Gets a callback argument's value that was previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>. - /// </summary> - /// <param name="key">The name of the parameter whose value is sought.</param> - /// <returns> - /// The value of the argument, or null if the named parameter could not be found. - /// </returns> - /// <remarks> - /// Callback parameters are only available even if the RP is in stateless mode, - /// or the callback parameters are otherwise unverifiable as untampered with. - /// Therefore, use this method only when the callback argument is not to be - /// used to make a security-sensitive decision. - /// </remarks> - string GetUntrustedCallbackArgument(string key); - - /// <summary> - /// Gets all the callback arguments that were previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/> or as a natural part - /// of the return_to URL. - /// </summary> - /// <returns>A name-value dictionary. Never null.</returns> - /// <remarks> - /// Callback parameters are only available if they are complete and untampered with - /// since the original request message (as proven by a signature). - /// If the relying party is operating in stateless mode an empty dictionary is always - /// returned since the callback arguments could not be signed to protect against - /// tampering. - /// </remarks> - [SuppressMessage("Microsoft.Design", "CA1024:UsePropertiesWhereAppropriate", Justification = "Historically an expensive operation.")] - IDictionary<string, string> GetCallbackArguments(); - - /// <summary> - /// Gets all the callback arguments that were previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/> or as a natural part - /// of the return_to URL. - /// </summary> - /// <returns>A name-value dictionary. Never null.</returns> - /// <remarks> - /// Callback parameters are only available even if the RP is in stateless mode, - /// or the callback parameters are otherwise unverifiable as untampered with. - /// Therefore, use this method only when the callback argument is not to be - /// used to make a security-sensitive decision. - /// </remarks> - [SuppressMessage("Microsoft.Design", "CA1024:UsePropertiesWhereAppropriate", Justification = "Historically an expensive operation.")] - IDictionary<string, string> GetUntrustedCallbackArguments(); - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response. - /// </summary> - /// <typeparam name="T">The type of extension to look for in the response message.</typeparam> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned only if the Provider signed them. - /// Relying parties that do not care if the values were modified in - /// transit should use the <see cref="GetUntrustedExtension<T>"/> method - /// in order to allow the Provider to not sign the extension. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - [SuppressMessage("Microsoft.Design", "CA1004:GenericMethodsShouldProvideTypeParameter", Justification = "No parameter at all is required. T is used for return type.")] - T GetExtension<T>() where T : IOpenIdMessageExtension; - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response. - /// </summary> - /// <param name="extensionType">Type of the extension to look for in the response.</param> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned only if the Provider signed them. - /// Relying parties that do not care if the values were modified in - /// transit should use the <see cref="GetUntrustedExtension"/> method - /// in order to allow the Provider to not sign the extension. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - IOpenIdMessageExtension GetExtension(Type extensionType); - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response, without - /// requiring it to be signed by the Provider. - /// </summary> - /// <typeparam name="T">The type of extension to look for in the response message.</typeparam> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned whether they are signed or not. - /// Use the <see cref="GetExtension<T>"/> method to retrieve - /// extension responses only if they are signed by the Provider to - /// protect against tampering. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - [SuppressMessage("Microsoft.Design", "CA1004:GenericMethodsShouldProvideTypeParameter", Justification = "No parameter at all is required. T is used for return type.")] - T GetUntrustedExtension<T>() where T : IOpenIdMessageExtension; - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response, without - /// requiring it to be signed by the Provider. - /// </summary> - /// <param name="extensionType">Type of the extension to look for in the response.</param> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned whether they are signed or not. - /// Use the <see cref="GetExtension"/> method to retrieve - /// extension responses only if they are signed by the Provider to - /// protect against tampering. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - IOpenIdMessageExtension GetUntrustedExtension(Type extensionType); - } - - /// <summary> - /// Code contract for the <see cref="IAuthenticationResponse"/> type. - /// </summary> - [ContractClassFor(typeof(IAuthenticationResponse))] - internal abstract class IAuthenticationResponseContract : IAuthenticationResponse { - /// <summary> - /// Initializes a new instance of the <see cref="IAuthenticationResponseContract"/> class. - /// </summary> - protected IAuthenticationResponseContract() { - } - - #region IAuthenticationResponse Members - - /// <summary> - /// Gets the Identifier that the end user claims to own. For use with user database storage and lookup. - /// May be null for some failed authentications (i.e. failed directed identity authentications). - /// </summary> - /// <value></value> - /// <remarks> - /// <para> - /// This is the secure identifier that should be used for database storage and lookup. - /// It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects - /// user identities against spoofing and other attacks. - /// </para> - /// <para> - /// For user-friendly identifiers to display, use the - /// <see cref="IAuthenticationResponse.FriendlyIdentifierForDisplay"/> property. - /// </para> - /// </remarks> - Identifier IAuthenticationResponse.ClaimedIdentifier { - get { throw new NotImplementedException(); } - } - - /// <summary> - /// Gets a user-friendly OpenID Identifier for display purposes ONLY. - /// </summary> - /// <value></value> - /// <remarks> - /// <para> - /// This <i>should</i> be put through <see cref="HttpUtility.HtmlEncode(string)"/> before - /// sending to a browser to secure against javascript injection attacks. - /// </para> - /// <para> - /// This property retains some aspects of the user-supplied identifier that get lost - /// in the <see cref="IAuthenticationResponse.ClaimedIdentifier"/>. For example, XRIs used as user-supplied - /// identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD). - /// For display purposes, such as text on a web page that says "You're logged in as ...", - /// this property serves to provide the =Arnott string, or whatever else is the most friendly - /// string close to what the user originally typed in. - /// </para> - /// <para> - /// If the user-supplied identifier is a URI, this property will be the URI after all - /// redirects, and with the protocol and fragment trimmed off. - /// If the user-supplied identifier is an XRI, this property will be the original XRI. - /// If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com), - /// this property will be the Claimed Identifier, with the protocol stripped if it is a URI. - /// </para> - /// <para> - /// It is <b>very</b> important that this property <i>never</i> be used for database storage - /// or lookup to avoid identity spoofing and other security risks. For database storage - /// and lookup please use the <see cref="IAuthenticationResponse.ClaimedIdentifier"/> property. - /// </para> - /// </remarks> - string IAuthenticationResponse.FriendlyIdentifierForDisplay { - get { throw new NotImplementedException(); } - } - - /// <summary> - /// Gets the detailed success or failure status of the authentication attempt. - /// </summary> - /// <value></value> - AuthenticationStatus IAuthenticationResponse.Status { - get { throw new NotImplementedException(); } - } - - /// <summary> - /// Gets information about the OpenId Provider, as advertised by the - /// OpenID discovery documents found at the <see cref="IAuthenticationResponse.ClaimedIdentifier"/> - /// location, if available. - /// </summary> - /// <value> - /// The Provider endpoint that issued the positive assertion; - /// or <c>null</c> if information about the Provider is unavailable. - /// </value> - IProviderEndpoint IAuthenticationResponse.Provider { - get { throw new NotImplementedException(); } - } - - /// <summary> - /// Gets the details regarding a failed authentication attempt, if available. - /// This will be set if and only if <see cref="IAuthenticationResponse.Status"/> is <see cref="AuthenticationStatus.Failed"/>. - /// </summary> - /// <value></value> - Exception IAuthenticationResponse.Exception { - get { throw new NotImplementedException(); } - } - - /// <summary> - /// Gets a callback argument's value that was previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>. - /// </summary> - /// <param name="key">The name of the parameter whose value is sought.</param> - /// <returns> - /// The value of the argument, or null if the named parameter could not be found. - /// </returns> - /// <remarks> - /// <para>This may return any argument on the querystring that came with the authentication response, - /// which may include parameters not explicitly added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>.</para> - /// <para>Note that these values are NOT protected against tampering in transit.</para> - /// </remarks> - string IAuthenticationResponse.GetCallbackArgument(string key) { - Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(key)); - throw new NotImplementedException(); - } - - /// <summary> - /// Gets all the callback arguments that were previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/> or as a natural part - /// of the return_to URL. - /// </summary> - /// <returns>A name-value dictionary. Never null.</returns> - /// <remarks> - /// <para>This MAY return any argument on the querystring that came with the authentication response, - /// which may include parameters not explicitly added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>.</para> - /// <para>Note that these values are NOT protected against tampering in transit.</para> - /// </remarks> - IDictionary<string, string> IAuthenticationResponse.GetCallbackArguments() { - throw new NotImplementedException(); - } - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response. - /// </summary> - /// <typeparam name="T">The type of extension to look for in the response message.</typeparam> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned only if the Provider signed them. - /// Relying parties that do not care if the values were modified in - /// transit should use the <see cref="IAuthenticationResponse.GetUntrustedExtension<T>"/> method - /// in order to allow the Provider to not sign the extension. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - T IAuthenticationResponse.GetExtension<T>() { - throw new NotImplementedException(); - } - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response. - /// </summary> - /// <param name="extensionType">Type of the extension to look for in the response.</param> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned only if the Provider signed them. - /// Relying parties that do not care if the values were modified in - /// transit should use the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> method - /// in order to allow the Provider to not sign the extension. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - IOpenIdMessageExtension IAuthenticationResponse.GetExtension(Type extensionType) { - Contract.Requires<ArgumentNullException>(extensionType != null); - Contract.Requires<ArgumentException>(typeof(IOpenIdMessageExtension).IsAssignableFrom(extensionType)); - ////ErrorUtilities.VerifyArgument(typeof(IOpenIdMessageExtension).IsAssignableFrom(extensionType), string.Format(CultureInfo.CurrentCulture, OpenIdStrings.TypeMustImplementX, typeof(IOpenIdMessageExtension).FullName)); - throw new NotImplementedException(); - } - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response, without - /// requiring it to be signed by the Provider. - /// </summary> - /// <typeparam name="T">The type of extension to look for in the response message.</typeparam> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned whether they are signed or not. - /// Use the <see cref="IAuthenticationResponse.GetExtension<T>"/> method to retrieve - /// extension responses only if they are signed by the Provider to - /// protect against tampering. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - T IAuthenticationResponse.GetUntrustedExtension<T>() { - throw new NotImplementedException(); - } - - /// <summary> - /// Tries to get an OpenID extension that may be present in the response, without - /// requiring it to be signed by the Provider. - /// </summary> - /// <param name="extensionType">Type of the extension to look for in the response.</param> - /// <returns> - /// The extension, if it is found. Null otherwise. - /// </returns> - /// <remarks> - /// <para>Extensions are returned whether they are signed or not. - /// Use the <see cref="IAuthenticationResponse.GetExtension"/> method to retrieve - /// extension responses only if they are signed by the Provider to - /// protect against tampering. </para> - /// <para>Unsigned extensions are completely unreliable and should be - /// used only to prefill user forms since the user or any other third - /// party may have tampered with the data carried by the extension.</para> - /// <para>Signed extensions are only reliable if the relying party - /// trusts the OpenID Provider that signed them. Signing does not mean - /// the relying party can trust the values -- it only means that the values - /// have not been tampered with since the Provider sent the message.</para> - /// </remarks> - IOpenIdMessageExtension IAuthenticationResponse.GetUntrustedExtension(Type extensionType) { - Contract.Requires<ArgumentNullException>(extensionType != null); - Contract.Requires<ArgumentException>(typeof(IOpenIdMessageExtension).IsAssignableFrom(extensionType)); - ////ErrorUtilities.VerifyArgument(typeof(IOpenIdMessageExtension).IsAssignableFrom(extensionType), string.Format(CultureInfo.CurrentCulture, OpenIdStrings.TypeMustImplementX, typeof(IOpenIdMessageExtension).FullName)); - throw new NotImplementedException(); - } - - /// <summary> - /// Gets a callback argument's value that was previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>. - /// </summary> - /// <param name="key">The name of the parameter whose value is sought.</param> - /// <returns> - /// The value of the argument, or null if the named parameter could not be found. - /// </returns> - /// <remarks> - /// Callback parameters are only available even if the RP is in stateless mode, - /// or the callback parameters are otherwise unverifiable as untampered with. - /// Therefore, use this method only when the callback argument is not to be - /// used to make a security-sensitive decision. - /// </remarks> - string IAuthenticationResponse.GetUntrustedCallbackArgument(string key) { - Contract.Requires<ArgumentException>(!string.IsNullOrEmpty(key)); - throw new NotImplementedException(); - } - - /// <summary> - /// Gets all the callback arguments that were previously added using - /// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/> or as a natural part - /// of the return_to URL. - /// </summary> - /// <returns>A name-value dictionary. Never null.</returns> - /// <remarks> - /// Callback parameters are only available even if the RP is in stateless mode, - /// or the callback parameters are otherwise unverifiable as untampered with. - /// Therefore, use this method only when the callback argument is not to be - /// used to make a security-sensitive decision. - /// </remarks> - IDictionary<string, string> IAuthenticationResponse.GetUntrustedCallbackArguments() { - Contract.Ensures(Contract.Result<IDictionary<string, string>>() != null); - throw new NotImplementedException(); - } - - #endregion - } -} diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IRelyingPartyBehavior.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IRelyingPartyBehavior.cs deleted file mode 100644 index 1bfa0db..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/IRelyingPartyBehavior.cs +++ /dev/null @@ -1,92 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="IRelyingPartyBehavior.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OpenId.RelyingParty { - using System; - using System.Diagnostics.Contracts; - - /// <summary> - /// Applies a custom security policy to certain OpenID security settings and behaviors. - /// </summary> - [ContractClass(typeof(IRelyingPartyBehaviorContract))] - public interface IRelyingPartyBehavior { - /// <summary> - /// Applies a well known set of security requirements to a default set of security settings. - /// </summary> - /// <param name="securitySettings">The security settings to enhance with the requirements of this profile.</param> - /// <remarks> - /// Care should be taken to never decrease security when applying a profile. - /// Profiles should only enhance security requirements to avoid being - /// incompatible with each other. - /// </remarks> - void ApplySecuritySettings(RelyingPartySecuritySettings securitySettings); - - /// <summary> - /// Called when an authentication request is about to be sent. - /// </summary> - /// <param name="request">The request.</param> - /// <remarks> - /// Implementations should be prepared to be called multiple times on the same outgoing message - /// without malfunctioning. - /// </remarks> - void OnOutgoingAuthenticationRequest(IAuthenticationRequest request); - - /// <summary> - /// Called when an incoming positive assertion is received. - /// </summary> - /// <param name="assertion">The positive assertion.</param> - void OnIncomingPositiveAssertion(IAuthenticationResponse assertion); - } - - /// <summary> - /// Contract class for the <see cref="IRelyingPartyBehavior"/> interface. - /// </summary> - [ContractClassFor(typeof(IRelyingPartyBehavior))] - internal abstract class IRelyingPartyBehaviorContract : IRelyingPartyBehavior { - /// <summary> - /// Prevents a default instance of the <see cref="IRelyingPartyBehaviorContract"/> class from being created. - /// </summary> - private IRelyingPartyBehaviorContract() { - } - - #region IRelyingPartyBehavior Members - - /// <summary> - /// Applies a well known set of security requirements to a default set of security settings. - /// </summary> - /// <param name="securitySettings">The security settings to enhance with the requirements of this profile.</param> - /// <remarks> - /// Care should be taken to never decrease security when applying a profile. - /// Profiles should only enhance security requirements to avoid being - /// incompatible with each other. - /// </remarks> - void IRelyingPartyBehavior.ApplySecuritySettings(RelyingPartySecuritySettings securitySettings) { - Contract.Requires<ArgumentNullException>(securitySettings != null); - } - - /// <summary> - /// Called when an authentication request is about to be sent. - /// </summary> - /// <param name="request">The request.</param> - /// <remarks> - /// Implementations should be prepared to be called multiple times on the same outgoing message - /// without malfunctioning. - /// </remarks> - void IRelyingPartyBehavior.OnOutgoingAuthenticationRequest(IAuthenticationRequest request) { - Contract.Requires<ArgumentNullException>(request != null); - } - - /// <summary> - /// Called when an incoming positive assertion is received. - /// </summary> - /// <param name="assertion">The positive assertion.</param> - void IRelyingPartyBehavior.OnIncomingPositiveAssertion(IAuthenticationResponse assertion) { - Contract.Requires<ArgumentNullException>(assertion != null); - } - - #endregion - } -} diff --git a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/RelyingPartySecuritySettings.cs b/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/RelyingPartySecuritySettings.cs deleted file mode 100644 index fc6d4c7..0000000 --- a/src/DotNetOpenAuth.OpenId.RelyingParty/OpenId/RelyingParty/RelyingPartySecuritySettings.cs +++ /dev/null @@ -1,187 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="RelyingPartySecuritySettings.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OpenId.RelyingParty { - using System; - using System.Collections.Generic; - using System.Collections.ObjectModel; - using System.Diagnostics.CodeAnalysis; - using System.Diagnostics.Contracts; - using System.Linq; - using DotNetOpenAuth.Messaging; - - /// <summary> - /// Security settings that are applicable to relying parties. - /// </summary> - public sealed class RelyingPartySecuritySettings : SecuritySettings { - /// <summary> - /// The default value for the <see cref="ProtectDownlevelReplayAttacks"/> property. - /// </summary> - internal const bool ProtectDownlevelReplayAttacksDefault = true; - - /// <summary> - /// Initializes a new instance of the <see cref="RelyingPartySecuritySettings"/> class. - /// </summary> - internal RelyingPartySecuritySettings() - : base(false) { - this.PrivateSecretMaximumAge = TimeSpan.FromDays(7); - this.ProtectDownlevelReplayAttacks = ProtectDownlevelReplayAttacksDefault; - this.AllowApproximateIdentifierDiscovery = true; - this.TrustedProviderEndpoints = new HashSet<Uri>(); - } - - /// <summary> - /// Gets or sets a value indicating whether the entire pipeline from Identifier discovery to - /// Provider redirect is guaranteed to be encrypted using HTTPS for authentication to succeed. - /// </summary> - /// <remarks> - /// <para>Setting this property to true is appropriate for RPs with highly sensitive - /// personal information behind the authentication (money management, health records, etc.)</para> - /// <para>When set to true, some behavioral changes and additional restrictions are placed:</para> - /// <list> - /// <item>User-supplied identifiers lacking a scheme are prepended with - /// HTTPS:// rather than the standard HTTP:// automatically.</item> - /// <item>User-supplied identifiers are not allowed to use HTTP for the scheme.</item> - /// <item>All redirects during discovery on the user-supplied identifier must be HTTPS.</item> - /// <item>Any XRDS file found by discovery on the User-supplied identifier must be protected using HTTPS.</item> - /// <item>Only Provider endpoints found at HTTPS URLs will be considered.</item> - /// <item>If the discovered identifier is an OP Identifier (directed identity), the - /// Claimed Identifier eventually asserted by the Provider must be an HTTPS identifier.</item> - /// <item>In the case of an unsolicited assertion, the asserted Identifier, discovery on it and - /// the asserting provider endpoint must all be secured by HTTPS.</item> - /// </list> - /// <para>Although the first redirect from this relying party to the Provider is required - /// to use HTTPS, any additional redirects within the Provider cannot be protected and MAY - /// revert the user's connection to HTTP, based on individual Provider implementation. - /// There is nothing that the RP can do to detect or prevent this.</para> - /// <para> - /// A <see cref="ProtocolException"/> is thrown during discovery or authentication when a secure pipeline cannot be established. - /// </para> - /// </remarks> - public bool RequireSsl { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether only OP Identifiers will be discoverable - /// when creating authentication requests. - /// </summary> - public bool RequireDirectedIdentity { get; set; } - - /// <summary> - /// Gets or sets the oldest version of OpenID the remote party is allowed to implement. - /// </summary> - /// <value>Defaults to <see cref="ProtocolVersion.V10"/></value> - public ProtocolVersion MinimumRequiredOpenIdVersion { get; set; } - - /// <summary> - /// Gets or sets the maximum allowable age of the secret a Relying Party - /// uses to its return_to URLs and nonces with 1.0 Providers. - /// </summary> - /// <value>The default value is 7 days.</value> - public TimeSpan PrivateSecretMaximumAge { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether all unsolicited assertions should be ignored. - /// </summary> - /// <value>The default value is <c>false</c>.</value> - public bool RejectUnsolicitedAssertions { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether delegating identifiers are refused for authentication. - /// </summary> - /// <value>The default value is <c>false</c>.</value> - /// <remarks> - /// When set to <c>true</c>, login attempts that start at the RP or arrive via unsolicited - /// assertions will be rejected if discovery on the identifier shows that OpenID delegation - /// is used for the identifier. This is useful for an RP that should only accept identifiers - /// directly issued by the Provider that is sending the assertion. - /// </remarks> - public bool RejectDelegatingIdentifiers { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored. - /// </summary> - /// <value>The default value is <c>false</c>.</value> - /// <remarks> - /// When set to true, the <see cref="IAuthenticationResponse.GetUntrustedExtension"/> methods - /// will not return any extension that was not signed by the Provider. - /// </remarks> - public bool IgnoreUnsignedExtensions { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether authentication requests will only be - /// sent to Providers with whom we can create a shared association. - /// </summary> - /// <value> - /// <c>true</c> to immediately fail authentication if an association with the Provider cannot be established; otherwise, <c>false</c>. - /// The default value is <c>false</c>. - /// </value> - public bool RequireAssociation { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether identifiers that are both OP Identifiers and Claimed Identifiers - /// should ever be recognized as claimed identifiers. - /// </summary> - /// <value> - /// The default value is <c>false</c>, per the OpenID 2.0 spec. - /// </value> - /// <remarks> - /// OpenID 2.0 sections 7.3.2.2 and 11.2 specify that OP Identifiers never be recognized as Claimed Identifiers. - /// However, for some scenarios it may be desirable for an RP to override this behavior and allow this. - /// The security ramifications of setting this property to <c>true</c> have not been fully explored and - /// therefore this setting should only be changed with caution. - /// </remarks> - public bool AllowDualPurposeIdentifiers { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether certain Claimed Identifiers that exploit - /// features that .NET does not have the ability to send exact HTTP requests for will - /// still be allowed by using an approximate HTTP request. - /// </summary> - /// <value> - /// The default value is <c>true</c>. - /// </value> - public bool AllowApproximateIdentifierDiscovery { get; set; } - - /// <summary> - /// Gets the set of trusted OpenID Provider Endpoint URIs. - /// </summary> - public HashSet<Uri> TrustedProviderEndpoints { get; private set; } - - /// <summary> - /// Gets or sets a value indicating whether any login attempt coming from an OpenID Provider Endpoint that is not on this - /// whitelist of trusted OP Endpoints will be rejected. If the trusted providers list is empty and this value - /// is true, all assertions are rejected. - /// </summary> - /// <value>Default is <c>false</c>.</value> - public bool RejectAssertionsFromUntrustedProviders { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether special measures are taken to - /// protect users from replay attacks when those users' identities are hosted - /// by OpenID 1.x Providers. - /// </summary> - /// <value>The default value is <c>true</c>.</value> - /// <remarks> - /// <para>Nonces for protection against replay attacks were not mandated - /// by OpenID 1.x, which leaves users open to replay attacks.</para> - /// <para>This feature works by adding a signed nonce to the authentication request. - /// This might increase the request size beyond what some OpenID 1.1 Providers - /// (such as Blogger) are capable of handling.</para> - /// </remarks> - internal bool ProtectDownlevelReplayAttacks { get; set; } - - /// <summary> - /// Filters out any disallowed endpoints. - /// </summary> - /// <param name="endpoints">The endpoints discovered on an Identifier.</param> - /// <returns>A sequence of endpoints that satisfy all security requirements.</returns> - internal IEnumerable<IdentifierDiscoveryResult> FilterEndpoints(IEnumerable<IdentifierDiscoveryResult> endpoints) { - return endpoints - .Where(se => !this.RejectDelegatingIdentifiers || se.ClaimedIdentifier == se.ProviderLocalIdentifier) - .Where(se => !this.RequireDirectedIdentity || se.ClaimedIdentifier == se.Protocol.ClaimedIdentifierForOPIdentifier); - } - } -} |