Diffstat (limited to 'src')
3 files changed, 35 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
index d19c7aa..5fda0b7 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
@@ -127,12 +127,18 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 // We did not recognize the association the provider used to sign the message.
 // Ask the provider to check the signature then.
- var checkSignatureRequest = new CheckAuthenticationRequest((IndirectSignedResponse)signedMessage);
+ var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
+ var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse);
 var checkSignatureResponse = this.Channel.Request<CheckAuthenticationResponse>(checkSignatureRequest);
 if (!checkSignatureResponse.IsValid) {
 Logger.Error("Provider reports signature verification failed.");
 throw new InvalidSignatureException(message);
 }
+ 
+ // If the OP confirms that a handle should be invalidated as well, do that.
+ if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) {
+ this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
+ }
 }
 return true;
diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
index d66d0a9..0e01231 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
@@ -10,6 +10,8 @@ namespace DotNetOpenAuth.OpenId.Messages {
 using System.Linq;
 using System.Text;
 using DotNetOpenAuth.Messaging;
+ using DotNetOpenAuth.OpenId.ChannelElements;
+ using DotNetOpenAuth.OpenId.Provider;
 /// <summary>
 /// The message sent from the Provider to the Relying Party to confirm/deny 
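Review bot: The new `if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle))` block removes whatever handle the OP names without checking that it is the handle this RP asked about, i.e. the `openid.invalidate_handle` value that `checkSignatureRequest` was built from; OpenID 2.0 section 11.4.2.2 only has the OP echo that value back, so any other value should be logged and ignored rather than acted on. The removal is already scoped to `indirectSignedResponse.ProviderEndpoint`, so a misbehaving OP can at most drop this RP's associations with itself, but an ordinal comparison against the handle sent in the request (presumably the unrecognized `assoc_handle`, whichever property `CheckAuthenticationRequest`'s constructor copies it from — confirm) closes that gap cheaply: `if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle) && string.Equals(checkSignatureResponse.InvalidateHandle, /* handle sent in checkSignatureRequest */, StringComparison.Ordinal))`. The ordering is right as written — the `InvalidSignatureException` thrown on the preceding lines means a handle is only removed when `is_valid` is true, as the spec requires — but that dependency deserves a comment such as `// Only honored after is_valid came back true (we threw above otherwise); OpenID 2.0 11.4.2.2.`. The enclosing method starts and ends outside the hunk.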
@@ -17,7 +19,8 @@ namespace DotNetOpenAuth.OpenId.Messages {
 /// </summary>
 internal class CheckAuthenticationResponse : DirectResponseBase {
 /// <summary>
- /// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class.
+ /// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class
+ /// for use by the Relying Party.
 /// </summary>
 /// <param name="request">The request that this message is responding to.</param>
 internal CheckAuthenticationResponse(CheckAuthenticationRequest request)
@@ -25,6 +28,29 @@ namespace DotNetOpenAuth.OpenId.Messages {
 }
 /// <summary>
+ /// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class
+ /// for use by the Provider.
+ /// </summary>
+ /// <param name="request">The request that this message is responding to.</param>
+ /// <param name="provider">The OpenID Provider that is preparing to send this response.</param>
+ internal CheckAuthenticationResponse(CheckAuthenticationRequest request, OpenIdProvider provider)
+ : base(request) {
+ ErrorUtilities.VerifyArgumentNotNull(provider, "provider");
+ 
+ // The channel's binding elements have already set the request's IsValid property
+ // appropriately. We just copy it into the response message.
+ this.IsValid = request.IsValid;
+ 
+ // Confirm the RP should invalidate the association handle only if the association
+ // really doesn't exist. OpenID 2.0 section 11.4.2.2.
+ IndirectSignedResponse signedResponse = new IndirectSignedResponse(request);
+ string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
+ if (provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
+ this.InvalidateHandle = invalidateHandle;
+ }
+ }
+ 
+ /// <summary>
 /// Gets or sets a value indicating whether the signature of the verification request is valid.
 /// </summary>
 [MessagePart("is_valid", IsRequired = true)] 
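Review bot: `invalidateHandle` on the `string invalidateHandle = ...` line is whatever the RP put in `openid.invalidate_handle`, which is optional, so it can be null or empty here and is still handed to `provider.AssociationStore.GetAssociation(...)`; depending on the store implementation (this codebase guards arguments with `ErrorUtilities.VerifyArgumentNotNull`, as the line above shows), that is either a pointless lookup that then assigns null to `InvalidateHandle` or an exception that turns a legitimate check_authentication into an error. Guard the lookup: `if (!string.IsNullOrEmpty(invalidateHandle) && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {`. The value arrives in an unauthenticated direct request, so the store is queried with an attacker-chosen string — fine for an in-memory store, but a database-backed one must treat it as data — and the lookup only consults `AssociationRelyingPartyType.Smart`, which is presumably the only kind an RP could have been issued (worth confirming before relying on it). The spec also only has the OP send `invalidate_handle` alongside `is_valid:true`, so the assignment could additionally be conditioned on `this.IsValid` so that rejected requests do not reveal which handles exist in the store.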
diff --git a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
index 1a4ac61..cea2c9e 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
@@ -124,7 +124,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 var checkAuthMessage = incomingMessage as CheckAuthenticationRequest;
 if (checkAuthMessage != null) {
- return new AutoResponsiveRequest(this, incomingMessage, new CheckAuthenticationResponse(checkAuthMessage));
+ return new AutoResponsiveRequest(this, incomingMessage, new CheckAuthenticationResponse(checkAuthMessage, this));
 }
 var associateMessage = incomingMessage as AssociateRequest; |