1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
|
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.ComponentModel;
using System.Configuration;
using System.Diagnostics;
using System.Web;
using DotNetOpenId.Configuration;
namespace DotNetOpenId.RelyingParty {
/// <summary>
/// Provides the programmatic facilities to act as an OpenId consumer.
/// </summary>
/// <remarks>
/// For easier, ASP.NET designer drop-in support for adding OpenID login support,
/// see the <see cref="OpenIdLogin"/> or <see cref="OpenIdTextBox"/> controls.
/// </remarks>
/// <example>
/// <code language="ASP.NET">
///<h2>Login Page </h2>
///<asp:Label ID="Label1" runat="server" Text="OpenID Login" />
///<asp:TextBox ID="openIdBox" runat="server" />
///<asp:Button ID="loginButton" runat="server" Text="Login" OnClick="loginButton_Click" />
///<asp:CustomValidator runat="server" ID="openidValidator" ErrorMessage="Invalid OpenID Identifier"
/// ControlToValidate="openIdBox" EnableViewState="false" OnServerValidate="openidValidator_ServerValidate" />
///<br />
///<asp:Label ID="loginFailedLabel" runat="server" EnableViewState="False" Text="Login failed"
/// Visible="False" />
///<asp:Label ID="loginCanceledLabel" runat="server" EnableViewState="False" Text="Login canceled"
/// Visible="False" />
/// </code>
/// <code language="c#">
///protected void openidValidator_ServerValidate(object source, ServerValidateEventArgs args) {
/// // This catches common typos that result in an invalid OpenID Identifier.
/// args.IsValid = Identifier.IsValid(args.Value);
///}
///
///protected void loginButton_Click(object sender, EventArgs e) {
/// if (!Page.IsValid) return; // don't login if custom validation failed.
/// OpenIdRelyingParty openid = new OpenIdRelyingParty();
/// try {
/// IAuthenticationRequest request = openid.CreateRequest(openIdBox.Text);
/// // This is where you would add any OpenID extensions you wanted
/// // to include in the authentication request.
/// // request.AddExtension(someExtensionRequestInstance);
///
/// // Send your visitor to their Provider for authentication.
/// request.RedirectToProvider();
/// } catch (OpenIdException ex) {
/// // The user probably entered an Identifier that
/// // was not a valid OpenID endpoint.
/// openidValidator.Text = ex.Message;
/// openidValidator.IsValid = false;
/// }
///}
///
///protected void Page_Load(object sender, EventArgs e) {
/// openIdBox.Focus();
///
/// OpenIdRelyingParty openid = new OpenIdRelyingParty();
/// if (openid.Response != null) {
/// switch (openid.Response.Status) {
/// case AuthenticationStatus.Authenticated:
/// // This is where you would look for any OpenID extension responses included
/// // in the authentication assertion.
/// // var extension = openid.Response.GetExtension<SomeExtensionResponseType>();
///
/// // Use FormsAuthentication to tell ASP.NET that the user is now logged in,
/// // with the OpenID Claimed Identifier as their username.
/// FormsAuthentication.RedirectFromLoginPage(openid.Response.ClaimedIdentifier, false);
/// break;
/// case AuthenticationStatus.Canceled:
/// loginCanceledLabel.Visible = true;
/// break;
/// case AuthenticationStatus.Failed:
/// loginFailedLabel.Visible = true;
/// break;
/// // We don't need to handle SetupRequired because we're not setting
/// // IAuthenticationRequest.Mode to immediate mode.
/// //case AuthenticationStatus.SetupRequired:
/// // break;
/// }
/// }
///}
/// </code>
/// </example>
[DebuggerDisplay("isAuthenticationResponseReady: {isAuthenticationResponseReady}, stateless: {Store == null}")]
public class OpenIdRelyingParty {
internal IRelyingPartyApplicationStore Store;
Uri request;
IDictionary<string, string> query;
MessageEncoder encoder = new MessageEncoder();
internal IDirectMessageChannel DirectMessageChannel = new DirectMessageHttpChannel();
internal static Uri DefaultRequestUrl { get { return Util.GetRequestUrlFromContext(); } }
internal static NameValueCollection DefaultQuery { get { return Util.GetQueryOrFormFromContextNVC(); } }
/// <summary>
/// Constructs an OpenId consumer that uses the current HttpContext request
/// and uses the HttpApplication dictionary as its association store.
/// </summary>
/// <remarks>
/// This method requires a current ASP.NET HttpContext.
/// </remarks>
public OpenIdRelyingParty()
: this(Configuration.Store.CreateInstanceOfStore(HttpApplicationStore),
Util.GetRequestUrlFromContext(), Util.GetQueryOrFormFromContext()) { }
/// <summary>
/// Constructs an OpenId consumer that uses a given querystring and IAssociationStore.
/// </summary>
/// <param name="store">
/// The application-level store where associations with other OpenId providers can be
/// preserved for optimized authentication and information about nonces can be stored.
/// In a multi-server web farm environment, this store MUST be shared across
/// all servers. Optional: if null, the relying party will operate in stateless mode.
/// </param>
/// <param name="requestUrl">
/// Optional. The current incoming HTTP request that may contain an OpenId assertion.
/// If not included, any OpenId authentication assertions will not be processed.
/// </param>
/// <param name="query">
/// The name/value pairs that came in on the
/// QueryString of a GET request or in the entity of a POST request.
/// For example: (Request.HttpMethod == "GET" ? Request.QueryString : Request.Form).
/// This must be supplied if <paramref name="requestUrl"/> is supplied.
/// </param>
/// <remarks>
/// The IRelyingPartyApplicationStore must be shared across an entire web farm
/// because of the design of how nonces are stored/retrieved. Even if
/// a given visitor is guaranteed to have affinity toward one server,
/// replay attacks from another host may be directed at another server,
/// which must therefore share the nonce information in the application
/// state store in order to stop the intruder.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, NameValueCollection query) :
this(store, requestUrl, Util.NameValueCollectionToDictionary(query)) {
}
OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, IDictionary<string, string> query) {
// Initialize settings with defaults and config section
Settings = Configuration.SecuritySettings.CreateSecuritySettings();
Settings.RequireSslChanged += new EventHandler(Settings_RequireSslChanged);
this.Store = store;
if (store != null) {
store.ClearExpiredAssociations(); // every so often we should do this.
}
if (requestUrl != null) {
if (query == null) throw new ArgumentNullException("query");
this.request = requestUrl;
this.query = query;
}
}
/// <summary>
/// Creates an authentication request to verify that a user controls
/// some given Identifier.
/// </summary>
/// <param name="userSuppliedIdentifier">
/// The Identifier supplied by the user. This may be a URL, an XRI or i-name.
/// </param>
/// <param name="realm">
/// The shorest URL that describes this relying party web site's address.
/// For example, if your login page is found at https://www.example.com/login.aspx,
/// your realm would typically be https://www.example.com/.
/// </param>
/// <param name="returnToUrl">
/// The URL of the login page, or the page prepared to receive authentication
/// responses from the OpenID Provider.
/// </param>
/// <returns>
/// An authentication request object that describes the HTTP response to
/// send to the user agent to initiate the authentication.
/// </returns>
public IAuthenticationRequest CreateRequest(Identifier userSuppliedIdentifier, Realm realm, Uri returnToUrl) {
if (userSuppliedIdentifier == null) throw new ArgumentNullException("userSuppliedIdentifier");
if (realm == null) throw new ArgumentNullException("realm");
if (returnToUrl == null) throw new ArgumentNullException("returnToUrl");
// Normalize the portion of the return_to path that correlates to the realm for capitalization.
// (so that if a web app base path is /MyApp/, but the URL of this request happens to be
// /myapp/login.aspx, we bump up the return_to Url to use /MyApp/ so it matches the realm.
UriBuilder returnTo = new UriBuilder(returnToUrl);
if (returnTo.Path.StartsWith(realm.AbsolutePath, StringComparison.OrdinalIgnoreCase) &&
!returnTo.Path.StartsWith(realm.AbsolutePath, StringComparison.Ordinal)) {
returnTo.Path = realm.AbsolutePath + returnTo.Path.Substring(realm.AbsolutePath.Length);
}
return AuthenticationRequest.Create(userSuppliedIdentifier, this, realm, returnTo.Uri);
}
/// <summary>
/// Creates an authentication request to verify that a user controls
/// some given Identifier.
/// </summary>
/// <param name="userSuppliedIdentifier">
/// The Identifier supplied by the user. This may be a URL, an XRI or i-name.
/// </param>
/// <param name="realm">
/// The shorest URL that describes this relying party web site's address.
/// For example, if your login page is found at https://www.example.com/login.aspx,
/// your realm would typically be https://www.example.com/.
/// </param>
/// <returns>
/// An authentication request object that describes the HTTP response to
/// send to the user agent to initiate the authentication.
/// </returns>
/// <remarks>
/// This method requires an ASP.NET HttpContext.
/// </remarks>
public IAuthenticationRequest CreateRequest(Identifier userSuppliedIdentifier, Realm realm) {
if (HttpContext.Current == null) throw new InvalidOperationException(Strings.CurrentHttpContextRequired);
// Build the return_to URL
UriBuilder returnTo = new UriBuilder(Util.GetRequestUrlFromContext());
// Trim off any parameters with an "openid." prefix, and a few known others
// to avoid carrying state from a prior login attempt.
returnTo.Query = string.Empty;
NameValueCollection queryParams = Util.GetQueryFromContextNVC();
var returnToParams = new Dictionary<string, string>(queryParams.Count);
foreach (string key in queryParams) {
if (!ShouldParameterBeStrippedFromReturnToUrl(key)) {
returnToParams.Add(key, queryParams[key]);
}
}
UriUtil.AppendQueryArgs(returnTo, returnToParams);
return CreateRequest(userSuppliedIdentifier, realm, returnTo.Uri);
}
internal static bool ShouldParameterBeStrippedFromReturnToUrl(string parameterName) {
Protocol protocol = Protocol.Default;
return parameterName.StartsWith(protocol.openid.Prefix, StringComparison.OrdinalIgnoreCase)
|| parameterName == Token.TokenKey;
}
/// <summary>
/// Creates an authentication request to verify that a user controls
/// some given Identifier.
/// </summary>
/// <param name="userSuppliedIdentifier">
/// The Identifier supplied by the user. This may be a URL, an XRI or i-name.
/// </param>
/// <returns>
/// An authentication request object that describes the HTTP response to
/// send to the user agent to initiate the authentication.
/// </returns>
/// <remarks>
/// This method requires an ASP.NET HttpContext.
/// </remarks>
public IAuthenticationRequest CreateRequest(Identifier userSuppliedIdentifier) {
if (HttpContext.Current == null) throw new InvalidOperationException(Strings.CurrentHttpContextRequired);
// Build the realm URL
UriBuilder realmUrl = new UriBuilder(Util.GetRequestUrlFromContext());
realmUrl.Path = HttpContext.Current.Request.ApplicationPath;
realmUrl.Query = null;
realmUrl.Fragment = null;
// For RP discovery, the realm url MUST NOT redirect. To prevent this for
// virtual directory hosted apps, we need to make sure that the realm path ends
// in a slash (since our calculation above guarantees it doesn't end in a specific
// page like default.aspx).
if (!realmUrl.Path.EndsWith("/", StringComparison.Ordinal))
realmUrl.Path += "/";
return CreateRequest(userSuppliedIdentifier, new Realm(realmUrl.Uri));
}
/// <summary>
/// Gets whether an OpenId provider's response to a prior authentication challenge
/// is embedded in this web request.
/// </summary>
bool isAuthenticationResponseReady {
get {
if (query == null) return false;
Protocol protocol = Protocol.Detect(query);
if (!query.ContainsKey(protocol.openid.mode))
return false;
return true;
}
}
IAuthenticationResponse response;
/// <summary>
/// Gets the result of a user agent's visit to his OpenId provider in an
/// authentication attempt. Null if no response is available.
/// </summary>
[DebuggerBrowsable(DebuggerBrowsableState.Never)] // getter does lots of processing, so avoid debugger calling it.
public IAuthenticationResponse Response {
get {
if (response == null && isAuthenticationResponseReady) {
try {
response = AuthenticationResponse.Parse(query, this, request, true);
} catch (OpenIdException ex) {
response = new FailedAuthenticationResponse(ex);
}
}
return response;
}
}
/// <summary>
/// The message encoder to use.
/// </summary>
internal MessageEncoder Encoder { get { return encoder; } }
private Comparison<IXrdsProviderEndpoint> endpointOrder = DefaultEndpointOrder;
/// <summary>
/// Gets/sets the ordering routine that will determine which XRDS
/// Service element to try first
/// </summary>
/// <remarks>
/// This may never be null. To reset to default behavior this property
/// can be set to the value of <see cref="DefaultEndpointOrder"/>.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public Comparison<IXrdsProviderEndpoint> EndpointOrder {
get { return endpointOrder; }
set {
if (value == null) throw new ArgumentNullException("value");
endpointOrder = value;
}
}
/// <summary>
/// Gets an XRDS sorting routine that uses the XRDS Service/@Priority
/// attribute to determine order.
/// </summary>
/// <remarks>
/// Endpoints lacking any priority value are sorted to the end of the list.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public static Comparison<IXrdsProviderEndpoint> DefaultEndpointOrder {
get {
// Sort first by service type (OpenID 2.0, 1.1, 1.0),
// then by Service/@priority, then by Service/Uri/@priority
return (se1, se2) => {
int result = getEndpointPrecedenceOrderByServiceType(se1).CompareTo(getEndpointPrecedenceOrderByServiceType(se2));
if (result != 0) return result;
if (se1.ServicePriority.HasValue && se2.ServicePriority.HasValue) {
result = se1.ServicePriority.Value.CompareTo(se2.ServicePriority.Value);
if (result != 0) return result;
if (se1.UriPriority.HasValue && se2.UriPriority.HasValue) {
return se1.UriPriority.Value.CompareTo(se2.UriPriority.Value);
} else if (se1.UriPriority.HasValue) {
return -1;
} else if (se2.UriPriority.HasValue) {
return 1;
} else {
return 0;
}
} else {
if (se1.ServicePriority.HasValue) {
return -1;
} else if (se2.ServicePriority.HasValue) {
return 1;
} else {
// neither service defines a priority, so base ordering by uri priority.
if (se1.UriPriority.HasValue && se2.UriPriority.HasValue) {
return se1.UriPriority.Value.CompareTo(se2.UriPriority.Value);
} else if (se1.UriPriority.HasValue) {
return -1;
} else if (se2.UriPriority.HasValue) {
return 1;
} else {
return 0;
}
}
}
};
}
}
static double getEndpointPrecedenceOrderByServiceType(IXrdsProviderEndpoint endpoint) {
// The numbers returned from this method only need to compare against other numbers
// from this method, which makes them arbitrary but relational to only others here.
if (endpoint.IsTypeUriPresent(Protocol.v20.OPIdentifierServiceTypeURI)) {
return 0;
}
if (endpoint.IsTypeUriPresent(Protocol.v20.ClaimedIdentifierServiceTypeURI)) {
return 1;
}
if (endpoint.IsTypeUriPresent(Protocol.v11.ClaimedIdentifierServiceTypeURI)) {
return 2;
}
if (endpoint.IsTypeUriPresent(Protocol.v10.ClaimedIdentifierServiceTypeURI)) {
return 3;
}
return 10;
}
/// <summary>
/// Provides a way to optionally filter the providers that may be used in authenticating a user.
/// </summary>
/// <remarks>
/// If provided, the delegate should return true to accept an endpoint, and false to reject it.
/// If null, all identity providers will be accepted. This is the default.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public EndpointSelector EndpointFilter { get; set; }
const string associationStoreKey = "DotNetOpenId.RelyingParty.RelyingParty.AssociationStore";
/// <summary>
/// The standard state storage mechanism that uses ASP.NET's HttpApplication state dictionary
/// to store associations and nonces.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public static IRelyingPartyApplicationStore HttpApplicationStore {
get {
HttpContext context = HttpContext.Current;
if (context == null)
throw new InvalidOperationException(Strings.IAssociationStoreRequiredWhenNoHttpContextAvailable);
var store = (IRelyingPartyApplicationStore)context.Application[associationStoreKey];
if (store == null) {
context.Application.Lock();
try {
if ((store = (IRelyingPartyApplicationStore)context.Application[associationStoreKey]) == null) {
context.Application[associationStoreKey] = store = new ApplicationMemoryStore();
}
} finally {
context.Application.UnLock();
}
}
return store;
}
}
/// <summary>
/// Provides access to the adjustable security settings of this instance
/// of <see cref="OpenIdRelyingParty"/>.
/// </summary>
public RelyingPartySecuritySettings Settings { get; private set; }
void Settings_RequireSslChanged(object sender, EventArgs e) {
// reset response that may have been calculated to force
// reconsideration with new security policy.
response = null;
}
/// <summary>
/// Gets the relevant Configuration section for this OpenIdRelyingParty.
/// </summary>
internal static RelyingPartySection Configuration {
get { return RelyingPartySection.Configuration; }
}
}
/// <summary>
/// A delegate that decides whether a given OpenID Provider endpoint may be
/// considered for authenticating a user.
/// </summary>
/// <returns>
/// True if the endpoint should be considered.
/// False to remove it from the pool of acceptable providers.
/// </returns>
public delegate bool EndpointSelector(IXrdsProviderEndpoint endpoint);
}
|
