/// <summary> /// Analyzes an incoming request message payload to discover what kind of /// message is embedded in it and returns the type, or null if no match is found. /// </summary> /// <param name="recipient">The intended or actual recipient of the request message.</param> /// <param name="fields">The name/value pairs that make up the message payload.</param> /// <returns> /// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can /// deserialize to. Null if the request isn't recognized as a valid protocol message. /// </returns> public IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary <string, string> fields) { RequestBase message = null; // Discern the OpenID version of the message. Protocol protocol = Protocol.V11; string ns; if (fields.TryGetValue(Protocol.V20.openid.ns, out ns)) { ErrorUtilities.VerifyProtocol(string.Equals(ns, Protocol.OpenId2Namespace, StringComparison.Ordinal), MessagingStrings.UnexpectedMessagePartValue, Protocol.V20.openid.ns, ns); protocol = Protocol.V20; } string mode; if (fields.TryGetValue(protocol.openid.mode, out mode)) { if (string.Equals(mode, protocol.Args.Mode.associate)) { if (fields.ContainsKey(protocol.openid.dh_consumer_public)) { message = new AssociateDiffieHellmanProviderRequest(protocol.Version, recipient.Location); } else { message = new AssociateUnencryptedProviderRequest(protocol.Version, recipient.Location); } } else if (string.Equals(mode, protocol.Args.Mode.checkid_setup) || string.Equals(mode, protocol.Args.Mode.checkid_immediate)) { AuthenticationRequestMode authMode = string.Equals(mode, protocol.Args.Mode.checkid_immediate) ? AuthenticationRequestMode.Immediate : AuthenticationRequestMode.Setup; if (fields.ContainsKey(protocol.openid.identity)) { message = new CheckIdRequest(protocol.Version, recipient.Location, authMode); } else { ErrorUtilities.VerifyProtocol(!fields.ContainsKey(protocol.openid.claimed_id), OpenIdStrings.IdentityAndClaimedIdentifierMustBeBothPresentOrAbsent); message = new SignedResponseRequest(protocol.Version, recipient.Location, authMode); } } else if (string.Equals(mode, protocol.Args.Mode.check_authentication)) { message = new CheckAuthenticationRequest(protocol.Version, recipient.Location); } else { ErrorUtilities.ThrowProtocol(MessagingStrings.UnexpectedMessagePartValue, protocol.openid.mode, mode); } } if (message != null) { message.SetAsIncoming(); } return(message); }
void parameterizedProgrammaticOPIdentifierTest(Identifier opIdentifier, ProtocolVersion version, Identifier claimedUrl, AuthenticationRequestMode requestMode, AuthenticationStatus expectedResult, bool provideStore) { var rp = TestSupport.CreateRelyingParty(provideStore ? TestSupport.RelyingPartyStore : null, null, null); var returnTo = TestSupport.GetFullUrl(TestSupport.ConsumerPage); var realm = new Realm(TestSupport.GetFullUrl(TestSupport.ConsumerPage).AbsoluteUri); var request = rp.CreateRequest(opIdentifier, realm, returnTo); request.Mode = requestMode; var rpResponse = TestSupport.CreateRelyingPartyResponseThroughProvider(request, opReq => { opReq.IsAuthenticated = expectedResult == AuthenticationStatus.Authenticated; if (opReq.IsAuthenticated.Value) { opReq.ClaimedIdentifier = claimedUrl; } }); Assert.AreEqual(expectedResult, rpResponse.Status); if (rpResponse.Status == AuthenticationStatus.Authenticated) { Assert.AreEqual(claimedUrl, rpResponse.ClaimedIdentifier); } else if (rpResponse.Status == AuthenticationStatus.SetupRequired) { Assert.IsNull(rpResponse.ClaimedIdentifier); Assert.IsNull(rpResponse.FriendlyIdentifierForDisplay); Assert.IsNull(rpResponse.Exception); Assert.IsInstanceOfType(typeof(ISetupRequiredAuthenticationResponse), rpResponse); Assert.AreEqual(opIdentifier.ToString(), ((ISetupRequiredAuthenticationResponse)rpResponse).ClaimedOrProviderIdentifier.ToString()); } }
void parameterizedOPIdentifierTest(TestSupport.Scenarios scenario, AuthenticationRequestMode requestMode, AuthenticationStatus expectedResult) { ProtocolVersion version = ProtocolVersion.V20; // only this version supports directed identity UriIdentifier claimedIdentifier = TestSupport.GetDirectedIdentityUrl(TestSupport.Scenarios.ApproveOnSetup, version); Identifier opIdentifier = TestSupport.GetMockOPIdentifier(TestSupport.Scenarios.ApproveOnSetup, claimedIdentifier); parameterizedProgrammaticOPIdentifierTest(opIdentifier, version, claimedIdentifier, requestMode, expectedResult, true); parameterizedProgrammaticOPIdentifierTest(opIdentifier, version, claimedIdentifier, requestMode, expectedResult, false); }
void parameterizedTest(TestSupport.Scenarios scenario, ProtocolVersion version, AuthenticationRequestMode requestMode, AuthenticationStatus expectedResult) { Identifier claimedId = TestSupport.GetMockIdentifier(scenario, version); parameterizedProgrammaticTest(scenario, version, claimedId, requestMode, expectedResult, true); parameterizedProgrammaticTest(scenario, version, claimedId, requestMode, expectedResult, false); }
/// <summary> /// Gets the value of the openid.mode parameter based on the protocol version and immediate flag. /// </summary> /// <param name="version">The OpenID version to use.</param> /// <param name="mode"> /// <see cref="AuthenticationRequestMode.Immediate"/> for asynchronous javascript clients; /// <see cref="AuthenticationRequestMode.Setup"/> to allow the Provider to interact with the user in order to complete authentication. /// </param> /// <returns>checkid_immediate or checkid_setup</returns> private static string GetMode(Version version, AuthenticationRequestMode mode) { Contract.Requires <ArgumentNullException>(version != null); Protocol protocol = Protocol.Lookup(version); return(mode == AuthenticationRequestMode.Immediate ? protocol.Args.Mode.checkid_immediate : protocol.Args.Mode.checkid_setup); }
/// <summary> /// Gets the value of the openid.mode parameter based on the protocol version and immediate flag. /// </summary> /// <param name="version">The OpenID version to use.</param> /// <param name="mode"> /// <see cref="AuthenticationRequestMode.Immediate"/> for asynchronous javascript clients; /// <see cref="AuthenticationRequestMode.Setup"/> to allow the Provider to interact with the user in order to complete authentication. /// </param> /// <returns>checkid_immediate or checkid_setup</returns> private static string GetMode(Version version, AuthenticationRequestMode mode) { Requires.NotNull(version, "version"); Protocol protocol = Protocol.Lookup(version); return(mode == AuthenticationRequestMode.Immediate ? protocol.Args.Mode.checkid_immediate : protocol.Args.Mode.checkid_setup); }
void parameterizedProgrammaticTest(TestSupport.Scenarios scenario, ProtocolVersion version, Identifier claimedUrl, AuthenticationRequestMode requestMode, AuthenticationStatus expectedResult, bool provideStore) { var request = TestSupport.CreateRelyingPartyRequest(!provideStore, scenario, version); request.Mode = requestMode; var rpResponse = TestSupport.CreateRelyingPartyResponseThroughProvider(request, opReq => opReq.IsAuthenticated = expectedResult == AuthenticationStatus.Authenticated); Assert.AreEqual(expectedResult, rpResponse.Status); Assert.AreEqual(claimedUrl, rpResponse.ClaimedIdentifier); }
public void ExtensionOnlyChannelLevel() { Protocol protocol = Protocol.V20; AuthenticationRequestMode mode = AuthenticationRequestMode.Setup; var coordinator = new OpenIdCoordinator( rp => { var request = new SignedResponseRequest(protocol.Version, OPUri, mode); rp.Channel.Respond(request); }, op => { var request = op.Channel.ReadFromRequest <SignedResponseRequest>(); Assert.IsNotInstanceOf <CheckIdRequest>(request); }); coordinator.Run(); }
/// <summary> /// Analyzes an incoming request message payload to discover what kind of /// message is embedded in it and returns the type, or null if no match is found. /// </summary> /// <param name="recipient">The intended or actual recipient of the request message.</param> /// <param name="fields">The name/value pairs that make up the message payload.</param> /// <returns> /// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can /// deserialize to. Null if the request isn't recognized as a valid protocol message. /// </returns> public IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary <string, string> fields) { ErrorUtilities.VerifyArgumentNotNull(recipient, "recipient"); ErrorUtilities.VerifyArgumentNotNull(fields, "fields"); RequestBase message = null; // Discern the OpenID version of the message. Protocol protocol = Protocol.V11; string ns; if (fields.TryGetValue(Protocol.V20.openid.ns, out ns)) { ErrorUtilities.VerifyProtocol(string.Equals(ns, Protocol.OpenId2Namespace, StringComparison.Ordinal), MessagingStrings.UnexpectedMessagePartValue, Protocol.V20.openid.ns, ns); protocol = Protocol.V20; } string mode; if (fields.TryGetValue(protocol.openid.mode, out mode)) { if (string.Equals(mode, protocol.Args.Mode.associate)) { if (fields.ContainsKey(protocol.openid.dh_consumer_public)) { message = new AssociateDiffieHellmanRequest(protocol.Version, recipient.Location); } else { message = new AssociateUnencryptedRequest(protocol.Version, recipient.Location); } } else if (string.Equals(mode, protocol.Args.Mode.checkid_setup) || string.Equals(mode, protocol.Args.Mode.checkid_immediate)) { AuthenticationRequestMode authMode = string.Equals(mode, protocol.Args.Mode.checkid_immediate) ? AuthenticationRequestMode.Immediate : AuthenticationRequestMode.Setup; if (fields.ContainsKey(protocol.openid.identity)) { message = new CheckIdRequest(protocol.Version, recipient.Location, authMode); } else { message = new SignedResponseRequest(protocol.Version, recipient.Location, authMode); } } else if (string.Equals(mode, protocol.Args.Mode.cancel) || (string.Equals(mode, protocol.Args.Mode.setup_needed) && (protocol.Version.Major >= 2 || fields.ContainsKey(protocol.openid.user_setup_url)))) { message = new NegativeAssertionResponse(protocol.Version, recipient.Location, mode); } else if (string.Equals(mode, protocol.Args.Mode.id_res)) { if (fields.ContainsKey(protocol.openid.identity)) { message = new PositiveAssertionResponse(protocol.Version, recipient.Location); } else { message = new IndirectSignedResponse(protocol.Version, recipient.Location); } } else if (string.Equals(mode, protocol.Args.Mode.check_authentication)) { message = new CheckAuthenticationRequest(protocol.Version, recipient.Location); } else if (string.Equals(mode, protocol.Args.Mode.error)) { message = new IndirectErrorResponse(protocol.Version, recipient.Location); } else { ErrorUtilities.ThrowProtocol(MessagingStrings.UnexpectedMessagePartValue, protocol.openid.mode, mode); } } if (message != null) { message.SetAsIncoming(); } return(message); }
/// <summary> /// Initializes a new instance of the <see cref="SignedResponseRequest"/> class. /// </summary> /// <param name="version">The OpenID version to use.</param> /// <param name="providerEndpoint">The Provider endpoint that receives this message.</param> /// <param name="mode"> /// <see cref="AuthenticationRequestMode.Immediate"/> for asynchronous javascript clients; /// <see cref="AuthenticationRequestMode.Setup"/> to allow the Provider to interact with the user in order to complete authentication. /// </param> internal SignedResponseRequest(Version version, Uri providerEndpoint, AuthenticationRequestMode mode) : base(version, providerEndpoint, GetMode(version, mode), DotNetOpenAuth.Messaging.MessageTransport.Indirect) { }
/// <summary> /// Gets the value of the openid.mode parameter based on the protocol version and immediate flag. /// </summary> /// <param name="version">The OpenID version to use.</param> /// <param name="mode"> /// <see cref="AuthenticationRequestMode.Immediate"/> for asynchronous javascript clients; /// <see cref="AuthenticationRequestMode.Setup"/> to allow the Provider to interact with the user in order to complete authentication. /// </param> /// <returns>checkid_immediate or checkid_setup</returns> private static string GetMode(Version version, AuthenticationRequestMode mode) { Requires.NotNull(version, "version"); Protocol protocol = Protocol.Lookup(version); return mode == AuthenticationRequestMode.Immediate ? protocol.Args.Mode.checkid_immediate : protocol.Args.Mode.checkid_setup; }
/// <summary> /// Initializes a new instance of the <see cref="CheckIdRequest"/> class. /// </summary> /// <param name="version">The OpenID version to use.</param> /// <param name="providerEndpoint">The Provider endpoint that receives this message.</param> /// <param name="mode"> /// <see cref="AuthenticationRequestMode.Immediate"/> for asynchronous javascript clients; /// <see cref="AuthenticationRequestMode.Setup"/> to allow the Provider to interact with the user in order to complete authentication. /// </param> internal CheckIdRequest(Version version, Uri providerEndpoint, AuthenticationRequestMode mode) : base(version, providerEndpoint, mode) { }
void parameterizedWebClientTest(Identifier identityUrl, AuthenticationRequestMode requestMode, AuthenticationStatus expectedResult) { Uri redirectToProviderUrl; HttpWebRequest rpRequest = (HttpWebRequest)WebRequest.Create(TestSupport.GetFullUrl(TestSupport.ConsumerPage)); NameValueCollection query = new NameValueCollection(); using (HttpWebResponse response = (HttpWebResponse)rpRequest.GetResponse()) { using (StreamReader sr = new StreamReader(response.GetResponseStream())) { Regex regex = new Regex(@"\<input\b.*\bname=""(\w+)"".*\bvalue=""([^""]+)""", RegexOptions.IgnoreCase); while (!sr.EndOfStream) { string line = sr.ReadLine(); Match m = regex.Match(line); if (m.Success) { query[m.Groups[1].Value] = m.Groups[2].Value; } } } } query["OpenIdTextBox1$wrappedTextBox"] = identityUrl; rpRequest = (HttpWebRequest)WebRequest.Create(TestSupport.GetFullUrl(TestSupport.ConsumerPage)); rpRequest.Method = "POST"; rpRequest.AllowAutoRedirect = false; string queryString = UriUtil.CreateQueryString(query); rpRequest.ContentLength = queryString.Length; rpRequest.ContentType = "application/x-www-form-urlencoded"; using (StreamWriter sw = new StreamWriter(rpRequest.GetRequestStream())) { sw.Write(queryString); } using (HttpWebResponse response = (HttpWebResponse)rpRequest.GetResponse()) { using (StreamReader sr = new StreamReader(response.GetResponseStream())) { string doc = sr.ReadToEnd(); Debug.WriteLine(doc); } redirectToProviderUrl = new Uri(response.Headers[HttpResponseHeader.Location]); } HttpWebRequest providerRequest = (HttpWebRequest)WebRequest.Create(redirectToProviderUrl); providerRequest.AllowAutoRedirect = false; Uri redirectUrl; try { using (HttpWebResponse providerResponse = (HttpWebResponse)providerRequest.GetResponse()) { Assert.AreEqual(HttpStatusCode.Redirect, providerResponse.StatusCode); redirectUrl = new Uri(providerResponse.Headers[HttpResponseHeader.Location]); } } catch (WebException ex) { TestSupport.Logger.Error("WebException", ex); if (ex.Response != null) { using (StreamReader sr = new StreamReader(ex.Response.GetResponseStream())) { TestSupport.Logger.ErrorFormat("Response stream follows: {0}", sr.ReadToEnd()); } } throw; } rpRequest = (HttpWebRequest)WebRequest.Create(redirectUrl); rpRequest.AllowAutoRedirect = false; using (HttpWebResponse response = (HttpWebResponse)rpRequest.GetResponse()) { Assert.AreEqual(HttpStatusCode.Redirect, response.StatusCode); // redirect on login } // Try replay attack if (expectedResult == AuthenticationStatus.Authenticated) { // This simulates a network sniffing user who caught the // authenticating query en route to either the user agent or // the consumer, and tries the same query to the consumer in an // attempt to spoof the identity of the authenticating user. rpRequest = (HttpWebRequest)WebRequest.Create(redirectUrl); rpRequest.AllowAutoRedirect = false; using (HttpWebResponse response = (HttpWebResponse)rpRequest.GetResponse()) { Assert.AreEqual(HttpStatusCode.OK, response.StatusCode); // error message } } }