1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
namespace MvcRelyingParty.Controllers {
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Web.UI;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;
using RelyingPartyLogic;
using DotNetOpenAuth.OpenId;
[HandleError]
public class AccountController : Controller {
internal static OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
// This constructor is used by the MVC framework to instantiate the controller using
// the default forms authentication and membership providers.
public AccountController()
: this(null) {
}
// This constructor is not used by the MVC framework but is instead provided for ease
// of unit testing this type. See the comments at the end of this file for more
// information.
public AccountController(IFormsAuthentication formsAuth) {
FormsAuth = formsAuth ?? new FormsAuthenticationService();
}
public IFormsAuthentication FormsAuth { get; private set; }
public Realm Realm {
get {
UriBuilder builder = new UriBuilder(Request.Url);
builder.Path = Request.ApplicationPath;
return builder.Uri;
}
}
public Uri ReturnTo {
get { return new Uri(Request.Url, Url.Action("LogOnReturnTo")); }
}
public ActionResult LogOn() {
return View();
}
[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
public ActionResult LogOn(string openid_identifier, bool rememberMe, string returnUrl) {
try {
var request = relyingParty.CreateRequest(openid_identifier, this.Realm, this.ReturnTo);
request.SetUntrustedCallbackArgument("rememberMe", rememberMe ? "1" : "0");
// This might be signed so the OP can't send the user to a dangerous URL.
// Of course, if that itself was a danger then the site is vulnerable to XSRF attacks anyway.
if (!string.IsNullOrEmpty(returnUrl)) {
request.SetUntrustedCallbackArgument("returnUrl", returnUrl);
}
// Ask for the user's email, not because we necessarily need it to do our work,
// but so we can display something meaningful to the user as their "username"
// when they log in with a PPID from Google, for example.
request.AddExtension(new ClaimsRequest {
Email = DemandLevel.Require,
FullName = DemandLevel.Request,
});
return request.RedirectingResponse.AsActionResult();
} catch (ProtocolException ex) {
ModelState.AddModelError("OpenID", ex.Message);
return View();
}
}
[AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
public ActionResult LogOnReturnTo() {
var response = relyingParty.GetResponse();
if (response != null) {
switch (response.Status) {
case AuthenticationStatus.Authenticated:
bool rememberMe = response.GetUntrustedCallbackArgument("rememberMe") == "1";
FormsAuth.SignIn(response.ClaimedIdentifier, rememberMe);
string returnUrl = response.GetCallbackArgument("returnUrl");
if (!String.IsNullOrEmpty(returnUrl)) {
return Redirect(returnUrl);
} else {
return RedirectToAction("Index", "Home");
}
break;
case AuthenticationStatus.Canceled:
ModelState.AddModelError("OpenID", "It looks like you canceled login at your OpenID Provider.");
break;
case AuthenticationStatus.Failed:
ModelState.AddModelError("OpenID", response.Exception.Message);
break;
}
}
return View("LogOn");
}
public ActionResult LogOff() {
FormsAuth.SignOut();
return RedirectToAction("Index", "Home");
}
}
// The FormsAuthentication type is sealed and contains static members, so it is difficult to
// unit test code that calls its members. The interface and helper class below demonstrate
// how to create an abstract wrapper around such a type in order to make the AccountController
// code unit testable.
public interface IFormsAuthentication {
void SignIn(string claimedIdentifier, bool createPersistentCookie);
void SignOut();
}
public class FormsAuthenticationService : IFormsAuthentication {
public void SignIn(string claimedIdentifier, bool createPersistentCookie) {
FormsAuthentication.SetAuthCookie(claimedIdentifier, createPersistentCookie);
}
public void SignOut() {
FormsAuthentication.SignOut();
}
}
}
|
