public void InsecureIdentifiersRejectedWithRequireSsl()
{
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
rp.SecuritySettings.RequireSsl = true;
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
}
public void SpoofedClaimedIdDetectionSolicited() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
assertion.ProviderEndpoint = new Uri("http://rogueOP");
var rp = CreateRelyingParty();
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
Assert.AreEqual(AuthenticationStatus.Failed, authResponse.Status);
}
/// <summary>
/// Initializes a new instance of the <see cref="PositiveAuthenticationResponse"/> class
/// after verifying that discovery on the identifier matches the asserted data.
/// </summary>
/// <param name="response">The response.</param>
/// <param name="relyingParty">The relying party.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>The newly initialized instance.</returns>
internal static async Task <PositiveAuthenticationResponse> CreateAsync(
PositiveAssertionResponse response, OpenIdRelyingParty relyingParty, CancellationToken cancellationToken)
{
var result = new PositiveAuthenticationResponse(response, relyingParty);
await result.VerifyDiscoveryMatchesAssertionAsync(relyingParty, cancellationToken);
return(result);
}
public void Valid() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
Assert.IsNull(authResponse.Exception);
Assert.AreEqual((string)assertion.ClaimedIdentifier, (string)authResponse.ClaimedIdentifier);
Assert.AreEqual(authResponse.Endpoint.FriendlyIdentifierForDisplay, authResponse.FriendlyIdentifierForDisplay);
Assert.AreSame(extension, authResponse.GetUntrustedExtension(typeof(ClaimsResponse)));
Assert.AreSame(extension, authResponse.GetUntrustedExtension<ClaimsResponse>());
Assert.IsNull(authResponse.GetCallbackArgument("a"));
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
}
/// <summary>
/// Gets an authentication response from a Provider.
/// </summary>
/// <param name="httpRequestInfo">The HTTP request that may be carrying an authentication response from the Provider.</param>
/// <returns>The processed authentication response if there is any; <c>null</c> otherwise.</returns>
public IAuthenticationResponse GetResponse(HttpRequestInfo httpRequestInfo)
{
Contract.Requires <ArgumentNullException>(httpRequestInfo != null);
try {
var message = this.Channel.ReadFromRequest(httpRequestInfo);
PositiveAssertionResponse positiveAssertion;
NegativeAssertionResponse negativeAssertion;
IndirectSignedResponse positiveExtensionOnly;
if ((positiveAssertion = message as PositiveAssertionResponse) != null)
{
if (this.EndpointFilter != null)
{
// We need to make sure that this assertion is coming from an endpoint
// that the host deems acceptable.
var providerEndpoint = new SimpleXrdsProviderEndpoint(positiveAssertion);
ErrorUtilities.VerifyProtocol(
this.EndpointFilter(providerEndpoint),
OpenIdStrings.PositiveAssertionFromNonWhitelistedProvider,
providerEndpoint.Uri);
}
var response = new PositiveAuthenticationResponse(positiveAssertion, this);
foreach (var behavior in this.Behaviors)
{
behavior.OnIncomingPositiveAssertion(response);
}
return(response);
}
else if ((positiveExtensionOnly = message as IndirectSignedResponse) != null)
{
return(new PositiveAnonymousResponse(positiveExtensionOnly));
}
else if ((negativeAssertion = message as NegativeAssertionResponse) != null)
{
return(new NegativeAuthenticationResponse(negativeAssertion));
}
else if (message != null)
{
Logger.OpenId.WarnFormat("Received unexpected message type {0} when expecting an assertion message.", message.GetType().Name);
}
return(null);
} catch (ProtocolException ex) {
return(new FailedAuthenticationResponse(ex));
}
}
/// <summary>
/// Gets an authentication response from a Provider.
/// </summary>
/// <param name="request">The request.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The processed authentication response if there is any; <c>null</c> otherwise.
/// </returns>
/// <remarks>
/// Requires an <see cref="HttpContext.Current">HttpContext.Current</see> context.
/// </remarks>
public async Task <IAuthenticationResponse> GetResponseAsync_ccp(IProtocolMessage msg, CancellationToken cancellationToken = default(CancellationToken))
{
try
{
var message = await this.Channel.ReadFromRequestAsync_ccp(msg, cancellationToken);
PositiveAssertionResponse positiveAssertion;
NegativeAssertionResponse negativeAssertion;
IndirectSignedResponse positiveExtensionOnly;
if ((positiveAssertion = message as PositiveAssertionResponse) != null)
{
// We need to make sure that this assertion is coming from an endpoint
// that the host deems acceptable.
var providerEndpoint = new SimpleXrdsProviderEndpoint(positiveAssertion);
ErrorUtilities.VerifyProtocol(
this.FilterEndpoint(providerEndpoint),
OpenIdStrings.PositiveAssertionFromNonQualifiedProvider,
providerEndpoint.Uri);
var response = await PositiveAuthenticationResponse.CreateAsync_ccp(positiveAssertion, this, cancellationToken);
foreach (var behavior in this.Behaviors)
{
behavior.OnIncomingPositiveAssertion(response);
}
var sreg = ExtensionsInteropHelper.UnifyExtensionsAsSreg(response, true);
Debug.Assert(sreg.Email != null, "No email field!");
return(response);
}
else if ((positiveExtensionOnly = message as IndirectSignedResponse) != null)
{
return(new PositiveAnonymousResponse(positiveExtensionOnly));
}
else if ((negativeAssertion = message as NegativeAssertionResponse) != null)
{
return(new NegativeAuthenticationResponse(negativeAssertion));
}
return(null);
}
catch (ProtocolException ex)
{
return(new FailedAuthenticationResponse(ex));
}
}
/// <summary>
/// Gets an authentication response from a Provider.
/// </summary>
/// <param name="request">The HTTP request that may be carrying an authentication response from the Provider.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The processed authentication response if there is any; <c>null</c> otherwise.
/// </returns>
public async Task <IAuthenticationResponse> GetResponseAsync(HttpRequestMessage request, CancellationToken cancellationToken = default(CancellationToken))
{
Requires.NotNull(request, "httpRequestInfo");
try {
var message = await this.Channel.ReadFromRequestAsync(request, cancellationToken);
PositiveAssertionResponse positiveAssertion;
NegativeAssertionResponse negativeAssertion;
IndirectSignedResponse positiveExtensionOnly;
if ((positiveAssertion = message as PositiveAssertionResponse) != null)
{
// We need to make sure that this assertion is coming from an endpoint
// that the host deems acceptable.
var providerEndpoint = new SimpleXrdsProviderEndpoint(positiveAssertion);
ErrorUtilities.VerifyProtocol(
this.FilterEndpoint(providerEndpoint),
OpenIdStrings.PositiveAssertionFromNonQualifiedProvider,
providerEndpoint.Uri);
var response = await PositiveAuthenticationResponse.CreateAsync(positiveAssertion, this, cancellationToken);
foreach (var behavior in this.Behaviors)
{
behavior.OnIncomingPositiveAssertion(response);
}
return(response);
}
else if ((positiveExtensionOnly = message as IndirectSignedResponse) != null)
{
return(new PositiveAnonymousResponse(positiveExtensionOnly));
}
else if ((negativeAssertion = message as NegativeAssertionResponse) != null)
{
return(new NegativeAuthenticationResponse(negativeAssertion));
}
else if (message != null)
{
Logger.OpenId.WarnFormat("Received unexpected message type {0} when expecting an assertion message.", message.GetType().Name);
}
return(null);
} catch (ProtocolException ex) {
return(new FailedAuthenticationResponse(ex));
}
}
public void GetCallbackArguments()
{
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
UriBuilder returnToBuilder = new UriBuilder(assertion.ReturnTo);
returnToBuilder.AppendQueryArgs(new Dictionary<string, string> { { "a", "b" } });
assertion.ReturnTo = returnToBuilder.Uri;
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
// First pretend that the return_to args were signed.
assertion.ReturnToParametersSignatureValidated = true;
Assert.AreEqual(1, authResponse.GetCallbackArguments().Count);
Assert.IsTrue(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.AreEqual("b", authResponse.GetCallbackArgument("a"));
// Now simulate them NOT being signed.
assertion.ReturnToParametersSignatureValidated = false;
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
Assert.IsFalse(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.IsNull(authResponse.GetCallbackArgument("a"));
}
public void ProblematicClaimedId() {
var providerEndpoint = new ProviderEndpointDescription(OpenIdTestBase.OPUri, Protocol.Default.Version);
string claimed_id = BaseMockUri + "a./b.";
var se = IdentifierDiscoveryResult.CreateForClaimedIdentifier(claimed_id, claimed_id, providerEndpoint, null, null);
UriIdentifier identityUri = (UriIdentifier)se.ClaimedIdentifier;
var mockId = new MockIdentifier(identityUri, this.MockResponder, new IdentifierDiscoveryResult[] { se });
var positiveAssertion = this.GetPositiveAssertion();
positiveAssertion.ClaimedIdentifier = mockId;
positiveAssertion.LocalIdentifier = mockId;
var rp = CreateRelyingParty();
var authResponse = new PositiveAuthenticationResponse(positiveAssertion, rp);
Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
Assert.AreEqual(claimed_id, authResponse.ClaimedIdentifier.ToString());
}
/// <summary>
/// Gets an authentication response from a Provider.
/// </summary>
/// <param name="httpRequestInfo">The HTTP request that may be carrying an authentication response from the Provider.</param>
/// <returns>The processed authentication response if there is any; <c>null</c> otherwise.</returns>
public IAuthenticationResponse GetResponse(HttpRequestInfo httpRequestInfo) {
Contract.Requires<ArgumentNullException>(httpRequestInfo != null);
try {
var message = this.Channel.ReadFromRequest(httpRequestInfo);
PositiveAssertionResponse positiveAssertion;
NegativeAssertionResponse negativeAssertion;
IndirectSignedResponse positiveExtensionOnly;
if ((positiveAssertion = message as PositiveAssertionResponse) != null) {
if (this.EndpointFilter != null) {
// We need to make sure that this assertion is coming from an endpoint
// that the host deems acceptable.
var providerEndpoint = new SimpleXrdsProviderEndpoint(positiveAssertion);
ErrorUtilities.VerifyProtocol(
this.EndpointFilter(providerEndpoint),
OpenIdStrings.PositiveAssertionFromNonWhitelistedProvider,
providerEndpoint.Uri);
}
var response = new PositiveAuthenticationResponse(positiveAssertion, this);
foreach (var behavior in this.Behaviors) {
behavior.OnIncomingPositiveAssertion(response);
}
return response;
} else if ((positiveExtensionOnly = message as IndirectSignedResponse) != null) {
return new PositiveAnonymousResponse(positiveExtensionOnly);
} else if ((negativeAssertion = message as NegativeAssertionResponse) != null) {
return new NegativeAuthenticationResponse(negativeAssertion);
} else if (message != null) {
Logger.OpenId.WarnFormat("Received unexpected message type {0} when expecting an assertion message.", message.GetType().Name);
}
return null;
} catch (ProtocolException ex) {
return new FailedAuthenticationResponse(ex);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="PositiveAuthenticationResponse"/> class
/// after verifying that discovery on the identifier matches the asserted data.
/// </summary>
/// <param name="response">The response.</param>
/// <param name="relyingParty">The relying party.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>The newly initialized instance.</returns>
internal static async Task<PositiveAuthenticationResponse> CreateAsync(
PositiveAssertionResponse response, OpenIdRelyingParty relyingParty, CancellationToken cancellationToken) {
var result = new PositiveAuthenticationResponse(response, relyingParty);
await result.VerifyDiscoveryMatchesAssertionAsync(relyingParty, cancellationToken);
return result;
}