samples/OpenIdProviderMvc/Controllers/OpenIdController.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

namespace OpenIdProviderMvc.Controllers {
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Web;
	using System.Web.Mvc;
	using System.Web.Mvc.Ajax;
	using DotNetOpenAuth.Messaging;
	using DotNetOpenAuth.OpenId.Provider;
	using OpenIdProviderMvc.Code;
	using DotNetOpenAuth.ApplicationBlock.Provider;
	using DotNetOpenAuth.OpenId;

	public class OpenIdController : Controller {
		internal static OpenIdProvider OpenIdProvider = new OpenIdProvider();

		internal static IAuthenticationRequest PendingAuthenticationRequest {
			get { return ProviderEndpoint.PendingAuthenticationRequest; }
			set { ProviderEndpoint.PendingAuthenticationRequest = value; }
		}

		[ValidateInput(false)]
		public ActionResult PpidProvider() {
			return DoProvider(true);
		}

		[ValidateInput(false)]
		public ActionResult Provider() {
			return DoProvider(false);
		}

		[Authorize]
		public ActionResult SendAssertion(bool pseudonymous) {
			IAuthenticationRequest authReq = PendingAuthenticationRequest;
			PendingAuthenticationRequest = null;
			if (authReq == null) {
				throw new InvalidOperationException();
			}

			Identifier localIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);

			if (pseudonymous) {
				if (!authReq.IsDirectedIdentity) {
					throw new InvalidOperationException("Directed identity is the only supported scenario for anonymous identifiers.");
				}

				var anonProvider = new AnonymousIdentifierProvider();
				authReq.ScrubPersonallyIdentifiableInformation(localIdentifier, anonProvider, true);
				authReq.IsAuthenticated = true;
			} else {
				if (authReq.IsDirectedIdentity) {
					authReq.LocalIdentifier = localIdentifier;
					authReq.ClaimedIdentifier = localIdentifier;
					authReq.IsAuthenticated = true;
				} else {
					if (authReq.LocalIdentifier == localIdentifier) {
						authReq.IsAuthenticated = true;
						if (!authReq.IsDelegatedIdentifier) {
							authReq.ClaimedIdentifier = authReq.LocalIdentifier;
						}
					} else {
						authReq.IsAuthenticated = false;
					}
				}
	
				// TODO: Respond to AX/sreg extension requests here.
				// We don't want to add these extension responses for anonymous identifiers
				// because they could leak information about the user's identity.
			}

			return OpenIdProvider.PrepareResponse(authReq).AsActionResult();
		}

		private ActionResult DoProvider(bool pseudonymous) {
			IRequest request = OpenIdProvider.GetRequest();
			if (request != null) {
				var authRequest = request as IAuthenticationRequest;
				if (authRequest != null) {
					PendingAuthenticationRequest = authRequest;
					if (User.Identity.IsAuthenticated && (authRequest.IsDirectedIdentity || Models.User.GetClaimedIdentifierForUser(User.Identity.Name) == authRequest.LocalIdentifier)) {
						return this.SendAssertion(pseudonymous);
					} else {
						return RedirectToAction("LogOn", "Account", new { returnUrl = Url.Action("SendAssertion", new { pseudonymous = pseudonymous }) });
					}
				}

				if (request.IsResponseReady) {
					return OpenIdProvider.PrepareResponse(request).AsActionResult();
				} else {
					return RedirectToAction("LogOn", "Account");
				}
			} else {
				return View();
			}
		}
	}
}