summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs12
-rw-r--r--src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs9
-rw-r--r--src/DotNetOpenAuth/OpenId/OpenIdStrings.resx5
-rw-r--r--src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs11
4 files changed, 35 insertions, 2 deletions
diff --git a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs
index 7a18c8e..c5257a6 100644
--- a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs
@@ -59,6 +59,18 @@ namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
Assert.AreEqual(AuthenticationStatus.Failed, authResponse.Status);
}
+ /// <summary>
+ /// Verifies that the RP rejects positive assertions with HTTP Claimed
+ /// Cdentifiers when RequireSsl is set to true.
+ /// </summary>
+ [TestMethod, ExpectedException(typeof(ProtocolException))]
+ public void InsecureIdentifiersRejectedWithRequireSsl() {
+ PositiveAssertionResponse assertion = this.GetPositiveAssertion();
+ var rp = CreateRelyingParty();
+ rp.SecuritySettings.RequireSsl = true;
+ var authResponse = new PositiveAuthenticationResponse(assertion, rp);
+ }
+
[TestMethod]
public void GetCallbackArguments() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index 3c4116a..4533f4d 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -470,6 +470,15 @@ namespace DotNetOpenAuth.OpenId {
}
/// <summary>
+ /// Looks up a localized string similar to Sorry. This site only accepts OpenIDs that are HTTPS-secured, but {0} is not a secure Identifier..
+ /// </summary>
+ internal static string RequireSslNotSatisfiedByAssertedClaimedId {
+ get {
+ return ResourceManager.GetString("RequireSslNotSatisfiedByAssertedClaimedId", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to The response is not ready. Use IsResponseReady to check whether a response is ready first..
/// </summary>
internal static string ResponseNotReady {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index 7356c10..5a84f32 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -301,4 +301,7 @@ Discovered endpoint info:
<data name="UnsupportedChannelConfiguration" xml:space="preserve">
<value>This feature is unavailable due to an unrecognized channel configuration.</value>
</data>
-</root> \ No newline at end of file
+ <data name="RequireSslNotSatisfiedByAssertedClaimedId" xml:space="preserve">
+ <value>Sorry. This site only accepts OpenIDs that are HTTPS-secured, but {0} is not a secure Identifier.</value>
+ </data>
+</root>
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs
index b62a7c8..a065bcd 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs
@@ -240,6 +240,15 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
private void VerifyDiscoveryMatchesAssertion() {
Logger.OpenId.Debug("Verifying assertion matches identifier discovery results...");
+ // Ensure that we abide by the RP's rules regarding RequireSsl for this discovery step.
+ Identifier claimedId = this.Response.ClaimedIdentifier;
+ if (this.relyingParty.SecuritySettings.RequireSsl) {
+ if (!claimedId.TryRequireSsl(out claimedId)) {
+ Logger.OpenId.ErrorFormat("This site is configured to accept only SSL-protected OpenIDs, but {0} was asserted and must be rejected.", this.Response.ClaimedIdentifier);
+ ErrorUtilities.ThrowProtocol(OpenIdStrings.RequireSslNotSatisfiedByAssertedClaimedId, this.Response.ClaimedIdentifier);
+ }
+ }
+
// While it LOOKS like we're performing discovery over HTTP again
// Yadis.IdentifierDiscoveryCachePolicy is set to HttpRequestCacheLevel.CacheIfAvailable
// which means that the .NET runtime is caching our discoveries for us. This turns out
@@ -249,7 +258,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
// is signed by the RP before it's considered reliable. In 1.x stateless mode, this RP
// doesn't (and can't) sign its own return_to URL, so its cached discovery information
// is merely a hint that must be verified by performing discovery again here.
- var discoveryResults = this.response.ClaimedIdentifier.Discover(this.relyingParty.WebRequestHandler);
+ var discoveryResults = claimedId.Discover(this.relyingParty.WebRequestHandler);
ErrorUtilities.VerifyProtocol(discoveryResults.Contains(this.endpoint), OpenIdStrings.IssuedAssertionFailsIdentifierDiscovery, this.endpoint, discoveryResults.ToStringDeferred(true));
}
}
generated by cgit v1.1 at 2025-05-22 14:10:47 +0000