1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
|
namespace DotNetOpenId.RelyingParty {
using System;
using System.Collections;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Web;
using System.Globalization;
using System.Diagnostics;
using DotNetOpenId.Extensions;
/// <summary>
/// An enumeration of the possible results of an authentication attempt.
/// </summary>
public enum AuthenticationStatus {
/// <summary>
/// The authentication was canceled by the user agent while at the provider.
/// </summary>
Canceled,
/// <summary>
/// The authentication failed because an error was detected in the OpenId communication.
/// </summary>
Failed,
/// <summary>
/// <para>The Provider responded to a request for immediate authentication approval
/// with a message stating that additional user agent interaction is required
/// before authentication can be completed.</para>
/// <para>Casting the <see cref="IAuthenticationResponse"/> to a
/// <see cref="ISetupRequiredAuthenticationResponse"/> in this case can help
/// you retry the authentication using setup (non-immediate) mode.</para>
/// </summary>
SetupRequired,
/// <summary>
/// Authentication is completed successfully.
/// </summary>
Authenticated,
}
[DebuggerDisplay("Status: {Status}, ClaimedIdentifier: {ClaimedIdentifier}")]
class AuthenticationResponse : IAuthenticationResponse, ISetupRequiredAuthenticationResponse {
internal AuthenticationResponse(AuthenticationStatus status, ServiceEndpoint provider, IDictionary<string, string> query) {
if (provider == null) throw new ArgumentNullException("provider");
if (query == null) throw new ArgumentNullException("query");
if (status == AuthenticationStatus.Authenticated) {
Logger.InfoFormat("Verified positive authentication assertion for: {0}", provider.ClaimedIdentifier);
} else {
Logger.InfoFormat("Negative authentication assertion received: {0}", status);
}
// TODO: verify signature on callback args
CallbackArguments = cleanQueryForCallbackArguments(query);
Status = status;
Provider = provider;
signedArguments = new Dictionary<string, string>();
string signed;
if (query.TryGetValue(Provider.Protocol.openid.signed, out signed)) {
foreach (string fieldNoPrefix in signed.Split(',')) {
string fieldWithPrefix = Provider.Protocol.openid.Prefix + fieldNoPrefix;
string val;
if (!query.TryGetValue(fieldWithPrefix, out val)) val = string.Empty;
signedArguments[fieldWithPrefix] = val;
}
}
// Only read extensions from signed argument list.
IncomingExtensions = ExtensionArgumentsManager.CreateIncomingExtensions(signedArguments);
}
internal IDictionary<string, string> CallbackArguments;
public IDictionary<string, string> GetCallbackArguments() {
// Return a copy so that the caller cannot change the contents.
return new Dictionary<string, string>(CallbackArguments);
}
/// <summary>
/// Gets a callback argument's value that was previously added using
/// <see cref="IAuthenticationRequest.AddCallbackArguments(string, string)"/>.
/// </summary>
/// <returns>The value of the argument, or null if the named parameter could not be found.</returns>
public string GetCallbackArgument(string key) {
if (String.IsNullOrEmpty(key)) throw new ArgumentNullException("key");
string value;
if (CallbackArguments.TryGetValue(key, out value)) {
return value;
}
return null;
}
/// <summary>
/// The detailed success or failure status of the authentication attempt.
/// </summary>
public AuthenticationStatus Status { get; private set; }
/// <summary>
/// Details regarding a failed authentication attempt, if available.
/// This will only be set if <see cref="Status"/> is <see cref="AuthenticationStatus.Failed"/>,
/// but may sometimes by null in this case as well.
/// </summary>
public Exception Exception { get { return null; } }
/// <summary>
/// An Identifier that the end user claims to own.
/// </summary>
public Identifier ClaimedIdentifier {
get {
if (Provider.ClaimedIdentifier == Provider.Protocol.ClaimedIdentifierForOPIdentifier) {
return null; // no claimed identifier -- failed directed identity authentication
}
return Provider.ClaimedIdentifier;
}
}
/// <summary>
/// Gets a user-friendly OpenID Identifier for display purposes ONLY.
/// </summary>
/// <remarks>
/// See <see cref="IAuthenticationResponse.FriendlyIdentifierForDisplay"/>.
/// </remarks>
public string FriendlyIdentifierForDisplay {
[DebuggerStepThrough]
get { return Provider.FriendlyIdentifierForDisplay; }
}
/// <summary>
/// The discovered endpoint information.
/// </summary>
internal ServiceEndpoint Provider { get; private set; }
/// <summary>
/// The arguments returned from the OP that were signed.
/// </summary>
IDictionary<string, string> signedArguments;
/// <summary>
/// Gets the set of arguments that the Provider included as extensions.
/// </summary>
public ExtensionArgumentsManager IncomingExtensions { get; private set; }
internal Uri ReturnTo {
get { return new Uri(Util.GetRequiredArg(signedArguments, Provider.Protocol.openid.return_to)); }
}
internal string GetExtensionClientScript(Type extensionType) {
if (extensionType == null) throw new ArgumentNullException("extensionType");
if (!typeof(DotNetOpenId.Extensions.IClientScriptExtensionResponse).IsAssignableFrom(extensionType))
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
Strings.TypeMustImplementX, typeof(IClientScriptExtensionResponse).FullName),
"extensionType");
var extension = (IClientScriptExtensionResponse)Activator.CreateInstance(extensionType);
return GetExtensionClientScript(extension);
}
internal string GetExtensionClientScript(IClientScriptExtensionResponse extension) {
var fields = IncomingExtensions.GetExtensionArguments(extension.TypeUri);
if (fields != null) {
// The extension was found using the preferred TypeUri.
return extension.InitializeJavaScriptData(fields, this, extension.TypeUri);
} else {
// The extension may still be found using secondary TypeUris.
if (extension.AdditionalSupportedTypeUris != null) {
foreach (string typeUri in extension.AdditionalSupportedTypeUris) {
fields = IncomingExtensions.GetExtensionArguments(typeUri);
if (fields != null) {
// We found one of the older ones.
return extension.InitializeJavaScriptData(fields, this, typeUri);
}
}
}
}
return null;
}
bool getExtension(IExtensionResponse extension) {
var fields = IncomingExtensions.GetExtensionArguments(extension.TypeUri);
if (fields != null) {
// The extension was found using the preferred TypeUri.
return extension.Deserialize(fields, this, extension.TypeUri);
} else {
// The extension may still be found using secondary TypeUris.
if (extension.AdditionalSupportedTypeUris != null) {
foreach (string typeUri in extension.AdditionalSupportedTypeUris) {
fields = IncomingExtensions.GetExtensionArguments(typeUri);
if (fields != null) {
// We found one of the older ones.
return extension.Deserialize(fields, this, typeUri);
}
}
}
}
return false;
}
/// <summary>
/// Tries to get an OpenID extension that may be present in the response.
/// </summary>
/// <typeparam name="T">The extension to retrieve.</typeparam>
/// <returns>The extension, if it is found. Null otherwise.</returns>
public T GetExtension<T>() where T : IExtensionResponse, new() {
T extension = new T();
return getExtension(extension) ? extension : default(T);
}
public IExtensionResponse GetExtension(Type extensionType) {
if (extensionType == null) throw new ArgumentNullException("extensionType");
if (!typeof(DotNetOpenId.Extensions.IExtensionResponse).IsAssignableFrom(extensionType))
throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
Strings.TypeMustImplementX, typeof(IExtensionResponse).FullName),
"extensionType");
var extension = (IExtensionResponse)Activator.CreateInstance(extensionType);
return getExtension(extension) ? extension : null;
}
internal static AuthenticationResponse Parse(IDictionary<string, string> query,
OpenIdRelyingParty relyingParty, Uri requestUrl, bool verifySignature) {
if (query == null) throw new ArgumentNullException("query");
if (requestUrl == null) throw new ArgumentNullException("requestUrl");
Logger.DebugFormat("OpenID authentication response received:{0}{1}", Environment.NewLine, Util.ToString(query));
ServiceEndpoint tokenEndpoint = null;
// The query parameter may be the POST query or the GET query,
// but the token parameter will always be in the GET query because
// it was added to the return_to parameter list.
IDictionary<string, string> requestUrlQuery = Util.NameValueCollectionToDictionary(
HttpUtility.ParseQueryString(requestUrl.Query));
string token = Util.GetOptionalArg(requestUrlQuery, Token.TokenKey);
if (token != null) {
token = FixDoublyUriDecodedToken(token);
tokenEndpoint = Token.Deserialize(token, relyingParty.Store).Endpoint;
}
Protocol protocol = Protocol.Detect(query);
string mode = Util.GetRequiredArg(query, protocol.openid.mode);
if (mode.Equals(protocol.Args.Mode.cancel, StringComparison.Ordinal)) {
return new AuthenticationResponse(AuthenticationStatus.Canceled, tokenEndpoint, query);
} else if (mode.Equals(protocol.Args.Mode.setup_needed, StringComparison.Ordinal)) {
return new AuthenticationResponse(AuthenticationStatus.SetupRequired, tokenEndpoint, query);
} else if (mode.Equals(protocol.Args.Mode.error, StringComparison.Ordinal)) {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
"The provider returned an error: {0}", query[protocol.openid.error]));
} else if (mode.Equals(protocol.Args.Mode.id_res, StringComparison.Ordinal)) {
// We allow unsolicited assertions (that won't have our own token on it)
// only for OpenID 2.0 providers.
ServiceEndpoint responseEndpoint = null;
if (protocol.Version.Major < 2) {
if (tokenEndpoint == null)
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.MissingInternalQueryParameter, Token.TokenKey));
} else {
// 2.0 OPs provide enough information to assemble the entire endpoint info,
// except perhaps for the original user supplied identifier, which if available
// allows us to display a friendly XRI.
Identifier friendlyIdentifier = tokenEndpoint != null ? tokenEndpoint.UserSuppliedIdentifier : null;
responseEndpoint = ServiceEndpoint.ParseFromAuthResponse(query, friendlyIdentifier);
// If this is a solicited assertion, we'll have a token with endpoint data too,
// which we can use to more quickly confirm the validity of the claimed
// endpoint info.
}
// At this point, we are guaranteed to have tokenEndpoint ?? responseEndpoint
// set to endpoint data (one or the other or both).
// tokenEndpoint is known good data, whereas responseEndpoint must still be
// verified.
// For the error-handling and cancellation cases, the info does not have to
// be verified, so we'll use whichever one is available.
return parseIdResResponse(query, tokenEndpoint, responseEndpoint, relyingParty, requestUrl, verifySignature);
} else {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.InvalidOpenIdQueryParameterValue,
protocol.openid.mode, mode), query);
}
}
/// <summary>
/// Corrects any URI decoding the Provider may have inappropriately done
/// to our return_to URL, resulting in an otherwise corrupted base64 token.
/// </summary>
/// <param name="token">The token, which MAY have been corrupted by an extra URI decode.</param>
/// <returns>The token; corrected if corruption had occurred.</returns>
/// <remarks>
/// AOL may have incorrectly URI-decoded the token for us in the return_to,
/// resulting in a token URI-decoded twice by the time we see it, and no
/// longer being a valid base64 string.
/// It turns out that the only symbols from base64 that is also encoded
/// in URI encoding rules are the + and / characters.
/// AOL decodes the %2b sequence to the + character
/// and the %2f sequence to the / character (it shouldn't decode at all).
/// When we do our own URI decoding, the + character becomes a space (corrupting base64)
/// but the / character remains a /, so no further corruption happens to this character.
/// So to correct this we just need to change any spaces we find in the token
/// back to + characters.
/// </remarks>
private static string FixDoublyUriDecodedToken(string token) {
if (token == null) throw new ArgumentNullException("token");
if (token.Contains(" ")) {
Logger.Error("Deserializing a corrupted token. The OpenID Provider may have inappropriately decoded the return_to URL before sending it back to us.");
token = token.Replace(' ', '+'); // Undo any extra decoding the Provider did
}
return token;
}
static AuthenticationResponse parseIdResResponse(IDictionary<string, string> query,
ServiceEndpoint tokenEndpoint, ServiceEndpoint responseEndpoint,
OpenIdRelyingParty relyingParty, Uri requestUrl, bool verifyMessageSignature) {
// Use responseEndpoint if it is available so we get the
// Claimed Identifer correct in the AuthenticationResponse.
ServiceEndpoint unverifiedEndpoint = responseEndpoint ?? tokenEndpoint;
if (unverifiedEndpoint.Protocol.Version.Major < 2) {
string user_setup_url = Util.GetOptionalArg(query, unverifiedEndpoint.Protocol.openid.user_setup_url);
if (user_setup_url != null) {
return new AuthenticationResponse(AuthenticationStatus.SetupRequired, unverifiedEndpoint, query);
}
}
verifyReturnTo(query, unverifiedEndpoint, requestUrl);
verifyDiscoveredInfoMatchesAssertedInfo(relyingParty, query, tokenEndpoint, responseEndpoint);
if (verifyMessageSignature) {
verifyNonceUnused(query, unverifiedEndpoint, relyingParty.Store);
verifySignature(relyingParty, query, unverifiedEndpoint);
}
return new AuthenticationResponse(AuthenticationStatus.Authenticated, unverifiedEndpoint, query);
}
/// <summary>
/// Verifies that the openid.return_to field matches the URL of the actual HTTP request.
/// </summary>
/// <remarks>
/// From OpenId Authentication 2.0 section 11.1:
/// To verify that the "openid.return_to" URL matches the URL that is processing this assertion:
/// * The URL scheme, authority, and path MUST be the same between the two URLs.
/// * Any query parameters that are present in the "openid.return_to" URL MUST
/// also be present with the same values in the URL of the HTTP request the RP received.
/// </remarks>
static void verifyReturnTo(IDictionary<string, string> query, ServiceEndpoint endpoint, Uri requestUrl) {
Debug.Assert(query != null);
Debug.Assert(endpoint != null);
Debug.Assert(requestUrl != null);
Logger.Debug("Verifying return_to...");
Uri return_to = new Uri(Util.GetRequiredArg(query, endpoint.Protocol.openid.return_to));
if (return_to.Scheme != requestUrl.Scheme ||
return_to.Authority != requestUrl.Authority ||
return_to.AbsolutePath != requestUrl.AbsolutePath)
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.ReturnToParamDoesNotMatchRequestUrl, endpoint.Protocol.openid.return_to,
return_to, requestUrl));
NameValueCollection returnToArgs = HttpUtility.ParseQueryString(return_to.Query);
NameValueCollection requestArgs = HttpUtility.ParseQueryString(requestUrl.Query);
foreach (string paramName in returnToArgs) {
if (requestArgs[paramName] != returnToArgs[paramName])
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.ReturnToParamDoesNotMatchRequestUrl, endpoint.Protocol.openid.return_to,
return_to, requestUrl));
}
}
/// <remarks>
/// This is documented in OpenId Authentication 2.0 section 11.2.
/// </remarks>
static void verifyDiscoveredInfoMatchesAssertedInfo(OpenIdRelyingParty relyingParty,
IDictionary<string, string> query,
ServiceEndpoint tokenEndpoint, ServiceEndpoint responseEndpoint) {
Logger.Debug("Verifying assertion matches identifier discovery results...");
// Verify that the actual version of the OP endpoint matches discovery.
Protocol actualProtocol = Protocol.Detect(query);
Protocol discoveredProtocol = (tokenEndpoint ?? responseEndpoint).Protocol;
if (!actualProtocol.Equals(discoveredProtocol)) {
// Allow an exception so that v1.1 and v1.0 can be seen as identical for this
// verification. v1.0 has no spec, and v1.1 and v1.0 cannot be clearly distinguished
// from the protocol, so detecting their differences is meaningless, and throwing here
// would just break thing unnecessarily.
if (!(actualProtocol.Version.Major == 1 && discoveredProtocol.Version.Major == 1)) {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.OpenIdDiscoveredAndActualVersionMismatch,
actualProtocol.Version, discoveredProtocol.Version));
}
}
if ((tokenEndpoint ?? responseEndpoint).Protocol.Version.Major < 2) {
Debug.Assert(tokenEndpoint != null, "Our OpenID 1.x implementation requires an RP token. And this should have been verified by our caller.");
// For 1.x OPs, we only need to verify that the OP Local Identifier
// hasn't changed since we made the request.
if (tokenEndpoint.ProviderLocalIdentifier !=
((Identifier)Util.GetRequiredArg(query, tokenEndpoint.Protocol.openid.identity))) {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.TamperingDetected, tokenEndpoint.Protocol.openid.identity,
tokenEndpoint.ProviderLocalIdentifier,
Util.GetRequiredArg(query, tokenEndpoint.Protocol.openid.identity)));
}
} else {
// In 2.0, we definitely have a responseEndpoint, but may not have a
// tokenEndpoint. If we don't have a tokenEndpoint, or it doesn't match the assertion,
// or if the user gave us an OP Identifier originally, then we need to perform discovery on
// the responseEndpoint.ClaimedIdentifier to verify the OP has authority
// to speak for it.
if (tokenEndpoint == null || // no token included (unsolicited assertion)
tokenEndpoint != responseEndpoint || // the OP is asserting something different than we asked for
tokenEndpoint.ClaimedIdentifier == ((Identifier)tokenEndpoint.Protocol.ClaimedIdentifierForOPIdentifier)) { // or directed identity is in effect
Identifier claimedIdentifier = Util.GetRequiredArg(query, responseEndpoint.Protocol.openid.claimed_id);
// Require SSL where appropriate. This will filter out insecure identifiers,
// redirects and provider endpoints automatically. If we find a match after all that
// filtering with the responseEndpoint, then the unsolicited assertion is secure.
if (relyingParty.Settings.RequireSsl && !claimedIdentifier.TryRequireSsl(out claimedIdentifier)) {
throw new OpenIdException(Strings.InsecureWebRequestWithSslRequired, query);
}
Logger.InfoFormat("Provider asserted an identifier that requires (re)discovery to confirm.");
List<ServiceEndpoint> discoveredEndpoints = new List<ServiceEndpoint>(claimedIdentifier.Discover());
// Make sure the response endpoint matches one of the discovered endpoints.
if (!discoveredEndpoints.Contains(responseEndpoint)) {
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.IssuedAssertionFailsIdentifierDiscovery,
responseEndpoint, Util.ToString(discoveredEndpoints)));
}
}
}
}
static void verifyNonceUnused(IDictionary<string, string> query, ServiceEndpoint endpoint, IRelyingPartyApplicationStore store) {
if (endpoint.Protocol.Version.Major < 2) return; // nothing to validate
if (store == null) return; // we'll pass verifying the nonce responsibility to the OP
Logger.Debug("Verifying nonce is unused...");
var nonce = new Nonce(Util.GetRequiredArg(query, endpoint.Protocol.openid.response_nonce), true);
nonce.Consume(store);
}
static void verifySignature(OpenIdRelyingParty relyingParty, IDictionary<string, string> query, ServiceEndpoint endpoint) {
string signed = Util.GetRequiredArg(query, endpoint.Protocol.openid.signed);
string[] signedFields = signed.Split(',');
// Check that all fields that are required to be signed are indeed signed
if (endpoint.Protocol.Version.Major >= 2) {
verifyFieldsAreSigned(signedFields,
endpoint.Protocol.openidnp.op_endpoint,
endpoint.Protocol.openidnp.return_to,
endpoint.Protocol.openidnp.response_nonce,
endpoint.Protocol.openidnp.assoc_handle);
if (query.ContainsKey(endpoint.Protocol.openid.claimed_id))
verifyFieldsAreSigned(signedFields,
endpoint.Protocol.openidnp.claimed_id,
endpoint.Protocol.openidnp.identity);
} else {
verifyFieldsAreSigned(signedFields,
endpoint.Protocol.openidnp.identity,
endpoint.Protocol.openidnp.return_to);
}
// Now actually validate the signature itself.
string assoc_handle = Util.GetRequiredArg(query, endpoint.Protocol.openid.assoc_handle);
Association assoc = relyingParty.Store != null ? relyingParty.Store.GetAssociation(endpoint.ProviderEndpoint, assoc_handle) : null;
if (assoc == null) {
// It's not an association we know about. Dumb mode is our
// only possible path for recovery.
Logger.Debug("Passing signature back to Provider for verification (no association available)...");
verifySignatureByProvider(relyingParty, query, endpoint);
} else {
if (assoc.IsExpired)
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
"Association with {0} expired", endpoint.ProviderEndpoint), endpoint.ClaimedIdentifier);
Logger.Debug("Verifying signature by association...");
verifySignatureByAssociation(query, endpoint.Protocol, signedFields, assoc);
}
}
/// <summary>
/// Checks that fields that must be signed are in fact signed.
/// </summary>
static void verifyFieldsAreSigned(string[] fieldsThatAreSigned, params string[] fieldsThatShouldBeSigned) {
Debug.Assert(fieldsThatAreSigned != null);
Debug.Assert(fieldsThatShouldBeSigned != null);
foreach (string field in fieldsThatShouldBeSigned) {
if (Array.IndexOf(fieldsThatAreSigned, field) < 0)
throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
Strings.FieldMustBeSigned, field));
}
}
/// <summary>
/// Verifies that a query is signed and that the signed fields have not been tampered with.
/// </summary>
/// <exception cref="OpenIdException">Thrown when the signature is missing or the query has been tampered with.</exception>
static void verifySignatureByAssociation(IDictionary<string, string> query, Protocol protocol, string[] signedFields, Association assoc) {
string sig = Util.GetRequiredArg(query, protocol.openid.sig);
string v_sig = Convert.ToBase64String(assoc.Sign(query, signedFields, protocol.openid.Prefix));
if (v_sig != sig)
throw new OpenIdException(Strings.InvalidSignature);
}
/// <summary>
/// Performs a dumb-mode authentication verification by making an extra
/// request to the provider after the user agent was redirected back
/// to the consumer site with an authenticated status.
/// </summary>
/// <returns>Whether the authentication is valid.</returns>
static void verifySignatureByProvider(OpenIdRelyingParty relyingParty, IDictionary<string, string> query, ServiceEndpoint provider) {
var request = CheckAuthRequest.Create(relyingParty, provider, query);
if (request.Response.InvalidatedAssociationHandle != null && relyingParty.Store != null)
relyingParty.Store.RemoveAssociation(provider.ProviderEndpoint, request.Response.InvalidatedAssociationHandle);
if (!request.Response.IsAuthenticationValid)
throw new OpenIdException(Strings.InvalidSignature);
}
static IDictionary<string, string> cleanQueryForCallbackArguments(IDictionary<string, string> query) {
var dictionary = new Dictionary<string, string>();
foreach (var pair in query) {
// Disallow lookup of any openid parameters.
if (pair.Key.StartsWith("openid.", StringComparison.OrdinalIgnoreCase)) {
continue;
}
dictionary.Add(pair.Key, pair.Value);
}
return dictionary;
}
#region ISetupRequiredAuthenticationResponse Members
/// <summary>
/// The <see cref="Identifier"/> to pass to <see cref="OpenIdRelyingParty.CreateRequest(Identifier)"/>
/// in a subsequent authentication attempt.
/// </summary>
/// <remarks>
/// When directed identity is used, this will be the Provider Identifier given by the user.
/// Otherwise it will be the Claimed Identifier derived from the user-supplied identifier.
/// </remarks>
public Identifier ClaimedOrProviderIdentifier {
get {
if (Status != AuthenticationStatus.SetupRequired) {
throw new InvalidOperationException(Strings.OperationOnlyValidForSetupRequiredState);
}
return ClaimedIdentifier ?? Provider.UserSuppliedIdentifier;
}
}
#endregion
}
}
|
