/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, IProviderEndpoint provider, string associationType, string sessionType)
{
Requires.NotNull(securityRequirements, "securityRequirements");
Requires.NotNull(provider, "provider");
Requires.NotNullOrEmpty(associationType, "associationType");
Requires.NotNull(sessionType, "sessionType");
bool unencryptedAllowed = provider.Uri.IsTransportSecure();
if (unencryptedAllowed)
{
var associateRequest = new AssociateUnencryptedRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
return(associateRequest);
}
else
{
if (OpenIdUtilities.IsDiffieHellmanPresent)
{
var associateRequest = new AssociateDiffieHellmanRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return(associateRequest);
}
else
{
return(null);
}
}
}
/// <summary>
/// Analyzes an incoming request message payload to discover what kind of
/// message is embedded in it and returns the type, or null if no match is found.
/// </summary>
/// <param name="recipient">The intended or actual recipient of the request message.</param>
/// <param name="fields">The name/value pairs that make up the message payload.</param>
/// <returns>
/// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can
/// deserialize to. Null if the request isn't recognized as a valid protocol message.
/// </returns>
public IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary<string, string> fields)
{
ErrorUtilities.VerifyArgumentNotNull(recipient, "recipient");
ErrorUtilities.VerifyArgumentNotNull(fields, "fields");
RequestBase message = null;
// Discern the OpenID version of the message.
Protocol protocol = Protocol.V11;
string ns;
if (fields.TryGetValue(Protocol.V20.openid.ns, out ns)) {
ErrorUtilities.VerifyProtocol(string.Equals(ns, Protocol.OpenId2Namespace, StringComparison.Ordinal), MessagingStrings.UnexpectedMessagePartValue, Protocol.V20.openid.ns, ns);
protocol = Protocol.V20;
}
string mode;
if (fields.TryGetValue(protocol.openid.mode, out mode)) {
if (string.Equals(mode, protocol.Args.Mode.associate)) {
if (fields.ContainsKey(protocol.openid.dh_consumer_public)) {
message = new AssociateDiffieHellmanRequest(protocol.Version, recipient.Location);
} else {
message = new AssociateUnencryptedRequest(protocol.Version, recipient.Location);
}
} else if (string.Equals(mode, protocol.Args.Mode.checkid_setup) ||
string.Equals(mode, protocol.Args.Mode.checkid_immediate)) {
AuthenticationRequestMode authMode = string.Equals(mode, protocol.Args.Mode.checkid_immediate) ? AuthenticationRequestMode.Immediate : AuthenticationRequestMode.Setup;
if (fields.ContainsKey(protocol.openid.identity)) {
message = new CheckIdRequest(protocol.Version, recipient.Location, authMode);
} else {
ErrorUtilities.VerifyProtocol(!fields.ContainsKey(protocol.openid.claimed_id), OpenIdStrings.IdentityAndClaimedIdentifierMustBeBothPresentOrAbsent);
message = new SignedResponseRequest(protocol.Version, recipient.Location, authMode);
}
} else if (string.Equals(mode, protocol.Args.Mode.cancel) ||
(string.Equals(mode, protocol.Args.Mode.setup_needed) && (protocol.Version.Major >= 2 || fields.ContainsKey(protocol.openid.user_setup_url)))) {
message = new NegativeAssertionResponse(protocol.Version, recipient.Location, mode);
} else if (string.Equals(mode, protocol.Args.Mode.id_res)) {
if (fields.ContainsKey(protocol.openid.identity)) {
message = new PositiveAssertionResponse(protocol.Version, recipient.Location);
} else {
ErrorUtilities.VerifyProtocol(!fields.ContainsKey(protocol.openid.claimed_id), OpenIdStrings.IdentityAndClaimedIdentifierMustBeBothPresentOrAbsent);
message = new IndirectSignedResponse(protocol.Version, recipient.Location);
}
} else if (string.Equals(mode, protocol.Args.Mode.check_authentication)) {
message = new CheckAuthenticationRequest(protocol.Version, recipient.Location);
} else if (string.Equals(mode, protocol.Args.Mode.error)) {
message = new IndirectErrorResponse(protocol.Version, recipient.Location);
} else {
ErrorUtilities.ThrowProtocol(MessagingStrings.UnexpectedMessagePartValue, protocol.openid.mode, mode);
}
}
if (message != null) {
message.SetAsIncoming();
}
return message;
}
public async Task AssociateDiffieHellmanOverHttps() {
Protocol protocol = Protocol.V20;
this.RegisterAutoProvider();
var rp = this.CreateRelyingParty();
// We have to formulate the associate request manually,
// since the DNOI RP won't voluntarily use DH on HTTPS.
var request = new AssociateDiffieHellmanRequest(protocol.Version, OPUri) {
AssociationType = protocol.Args.SignatureAlgorithm.HMAC_SHA256,
SessionType = protocol.Args.SessionType.DH_SHA256
};
request.InitializeRequest();
var response = await rp.Channel.RequestAsync<AssociateSuccessfulResponse>(request, CancellationToken.None);
Assert.IsNotNull(response);
Assert.AreEqual(request.AssociationType, response.AssociationType);
Assert.AreEqual(request.SessionType, response.SessionType);
}
public void AssociateDiffieHellmanOverHttps() {
Protocol protocol = Protocol.V20;
OpenIdCoordinator coordinator = new OpenIdCoordinator(
rp => {
// We have to formulate the associate request manually,
// since the DNOI RP won't voluntarily use DH on HTTPS.
AssociateDiffieHellmanRequest request = new AssociateDiffieHellmanRequest(protocol.Version, new Uri("https://Provider"));
request.AssociationType = protocol.Args.SignatureAlgorithm.HMAC_SHA256;
request.SessionType = protocol.Args.SessionType.DH_SHA256;
request.InitializeRequest();
var response = rp.Channel.Request<AssociateSuccessfulResponse>(request);
Assert.IsNotNull(response);
Assert.AreEqual(request.AssociationType, response.AssociationType);
Assert.AreEqual(request.SessionType, response.SessionType);
},
AutoProvider);
coordinator.Run();
}
/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, IProviderEndpoint provider, string associationType, string sessionType) {
Requires.NotNull(securityRequirements, "securityRequirements");
Requires.NotNull(provider, "provider");
Requires.NotNullOrEmpty(associationType, "associationType");
Requires.NotNull(sessionType, "sessionType");
bool unencryptedAllowed = provider.Uri.IsTransportSecure();
if (unencryptedAllowed) {
var associateRequest = new AssociateUnencryptedRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
return associateRequest;
} else {
if (OpenIdUtilities.IsDiffieHellmanPresent) {
var associateRequest = new AssociateDiffieHellmanRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return associateRequest;
} else {
return null;
}
}
}
/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, IProviderEndpoint provider, string associationType, string sessionType)
{
Contract.Requires <ArgumentNullException>(securityRequirements != null);
Contract.Requires <ArgumentNullException>(provider != null);
Contract.Requires <ArgumentException>(!String.IsNullOrEmpty(associationType));
Contract.Requires <ArgumentNullException>(sessionType != null);
bool unencryptedAllowed = provider.Uri.IsTransportSecure();
if (unencryptedAllowed)
{
var associateRequest = new AssociateUnencryptedRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
return(associateRequest);
}
else
{
var associateRequest = new AssociateDiffieHellmanRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return(associateRequest);
}
}
/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, ProviderEndpointDescription provider, string associationType, string sessionType)
{
ErrorUtilities.VerifyArgumentNotNull(securityRequirements, "securityRequirements");
ErrorUtilities.VerifyArgumentNotNull(provider, "provider");
ErrorUtilities.VerifyNonZeroLength(associationType, "associationType");
ErrorUtilities.VerifyArgumentNotNull(sessionType, "sessionType");
bool unencryptedAllowed = provider.Endpoint.IsTransportSecure();
if (unencryptedAllowed)
{
var associateRequest = new AssociateUnencryptedRequest(provider.ProtocolVersion, provider.Endpoint);
associateRequest.AssociationType = associationType;
return(associateRequest);
}
else
{
var associateRequest = new AssociateDiffieHellmanRequest(provider.ProtocolVersion, provider.Endpoint);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return(associateRequest);
}
}
public void PrepareMessageForSendingNonExtendableMessage()
{
IProtocolMessage request = new AssociateDiffieHellmanRequest(Protocol.Default.Version, OpenIdTestBase.OPUri);
Assert.IsNull(this.rpElement.ProcessOutgoingMessage(request));
}
/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, IProviderEndpoint provider, string associationType, string sessionType) {
Contract.Requires<ArgumentNullException>(securityRequirements != null);
Contract.Requires<ArgumentNullException>(provider != null);
Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(associationType));
Contract.Requires<ArgumentNullException>(sessionType != null);
bool unencryptedAllowed = provider.Uri.IsTransportSecure();
if (unencryptedAllowed) {
var associateRequest = new AssociateUnencryptedRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
return associateRequest;
} else {
var associateRequest = new AssociateDiffieHellmanRequest(provider.Version, provider.Uri);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return associateRequest;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="AssociateDiffieHellmanResponse"/> class.
/// </summary>
/// <param name="responseVersion">The OpenID version of the response message.</param>
/// <param name="originatingRequest">The originating request.</param>
internal AssociateDiffieHellmanResponse(Version responseVersion, AssociateDiffieHellmanRequest originatingRequest)
: base(responseVersion, originatingRequest) {
}
public async Task OPRejectsMismatchingAssociationAndSessionTypes() {
Protocol protocol = Protocol.V20;
this.RegisterAutoProvider();
var rp = this.CreateRelyingParty();
// We have to formulate the associate request manually,
// since the DNOI RP won't voluntarily mismatch the association and session types.
var request = new AssociateDiffieHellmanRequest(protocol.Version, OPUri);
request.AssociationType = protocol.Args.SignatureAlgorithm.HMAC_SHA256;
request.SessionType = protocol.Args.SessionType.DH_SHA1;
request.InitializeRequest();
var response = await rp.Channel.RequestAsync<AssociateUnsuccessfulResponse>(request, CancellationToken.None);
Assert.IsNotNull(response);
Assert.AreEqual(protocol.Args.SignatureAlgorithm.HMAC_SHA1, response.AssociationType);
Assert.AreEqual(protocol.Args.SessionType.DH_SHA1, response.SessionType);
}
/// <summary>
/// Creates an association request message that is appropriate for a given Provider.
/// </summary>
/// <param name="securityRequirements">The set of requirements the selected association type must comply to.</param>
/// <param name="provider">The provider to create an association with.</param>
/// <param name="associationType">Type of the association.</param>
/// <param name="sessionType">Type of the session.</param>
/// <returns>
/// The message to send to the Provider to request an association.
/// Null if no association could be created that meet the security requirements
/// and the provider OpenID version.
/// </returns>
internal static AssociateRequest Create(SecuritySettings securityRequirements, ProviderEndpointDescription provider, string associationType, string sessionType)
{
ErrorUtilities.VerifyArgumentNotNull(securityRequirements, "securityRequirements");
ErrorUtilities.VerifyArgumentNotNull(provider, "provider");
ErrorUtilities.VerifyNonZeroLength(associationType, "associationType");
ErrorUtilities.VerifyArgumentNotNull(sessionType, "sessionType");
bool unencryptedAllowed = provider.Endpoint.IsTransportSecure();
if (unencryptedAllowed) {
var associateRequest = new AssociateUnencryptedRequest(provider.ProtocolVersion, provider.Endpoint);
associateRequest.AssociationType = associationType;
return associateRequest;
} else {
var associateRequest = new AssociateDiffieHellmanRequest(provider.ProtocolVersion, provider.Endpoint);
associateRequest.AssociationType = associationType;
associateRequest.SessionType = sessionType;
associateRequest.InitializeRequest();
return associateRequest;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="AssociateDiffieHellmanRelyingPartyResponse"/> class.
/// </summary>
/// <param name="responseVersion">The OpenID version of the response message.</param>
/// <param name="originatingRequest">The originating request.</param>
internal AssociateDiffieHellmanRelyingPartyResponse(Version responseVersion, AssociateDiffieHellmanRequest originatingRequest)
: base(responseVersion, originatingRequest)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="AssociateDiffieHellmanProviderResponse"/> class.
/// </summary>
/// <param name="responseVersion">The OpenID version of the response message.</param>
/// <param name="originatingRequest">The originating request.</param>
internal AssociateDiffieHellmanProviderResponse(Version responseVersion, AssociateDiffieHellmanRequest originatingRequest)
: base(responseVersion, originatingRequest)
{
}
public void Setup() {
this.request = new AssociateDiffieHellmanRequest(Protocol.V20.Version, Recipient);
}
public async Task PrepareMessageForSendingNonExtendableMessage() {
IProtocolMessage request = new AssociateDiffieHellmanRequest(Protocol.Default.Version, OpenIdTestBase.OPUri);
Assert.IsNull(await this.rpElement.ProcessOutgoingMessageAsync(request, CancellationToken.None));
}