public void Sign(EncodableResponse response) {
Association assoc;
string assoc_handle = response.PreferredAssociationHandle;
if (!string.IsNullOrEmpty(assoc_handle)) {
assoc = GetAssociation(assoc_handle, AssociationRelyingPartyType.Smart);
if (assoc == null) {
Logger.WarnFormat("No associaton found with assoc_handle {0}. Setting invalidate_handle and creating new Association.", assoc_handle);
response.Fields[response.Protocol.openidnp.invalidate_handle] = assoc_handle;
assoc = CreateAssociation(AssociationRelyingPartyType.Dumb, null);
}
} else {
assoc = this.CreateAssociation(AssociationRelyingPartyType.Dumb, null);
Logger.Debug("No assoc_handle supplied. Creating new association.");
}
response.Fields[response.Protocol.openidnp.assoc_handle] = assoc.Handle;
response.Signed.Add(response.Protocol.openidnp.assoc_handle);
response.Fields[response.Protocol.openidnp.signed] = String.Join(",", response.Signed.ToArray());
response.Fields[response.Protocol.openidnp.sig] =
Convert.ToBase64String(assoc.Sign(response.Fields, response.Signed, string.Empty));
}
public void Sign(EncodableResponse response)
{
Association assoc;
string assoc_handle = response.PreferredAssociationHandle;
if (!string.IsNullOrEmpty(assoc_handle))
{
assoc = GetAssociation(assoc_handle, AssociationRelyingPartyType.Smart);
if (assoc == null)
{
Logger.WarnFormat("No associaton found with assoc_handle {0}. Setting invalidate_handle and creating new Association.", assoc_handle);
response.Fields[response.Protocol.openidnp.invalidate_handle] = assoc_handle;
assoc = CreateAssociation(AssociationRelyingPartyType.Dumb, null);
}
}
else
{
assoc = this.CreateAssociation(AssociationRelyingPartyType.Dumb, null);
Logger.Debug("No assoc_handle supplied. Creating new association.");
}
response.Fields[response.Protocol.openidnp.assoc_handle] = assoc.Handle;
response.Signed.Add(response.Protocol.openidnp.assoc_handle);
response.Fields[response.Protocol.openidnp.signed] = String.Join(",", response.Signed.ToArray());
response.Fields[response.Protocol.openidnp.sig] =
Convert.ToBase64String(assoc.Sign(response.Fields, response.Signed, string.Empty));
}
/// <summary>
/// Respond to this request.
/// </summary>
internal EncodableResponse Answer()
{
EncodableResponse response = EncodableResponse.PrepareDirectMessage(Protocol);
bool validSignature = Provider.Signatory.Verify(AssociationHandle, signature, signedFields, signedKeyOrder);
response.Fields[Protocol.openidnp.is_valid] = validSignature ?
Protocol.Args.IsValid.True : Protocol.Args.IsValid.False;
// By invalidating our dumb association, we make it impossible to
// verify the same authentication again, making a response_nonce check
// to protect against replay attacks unnecessary.
Provider.Signatory.Invalidate(AssociationHandle, AssociationRelyingPartyType.Dumb);
// The RP may be asking for confirmation that an association should
// be invalidated. If so, double-check and send a reply in our response.
string invalidate_handle = Util.GetOptionalArg(Query, Protocol.openid.invalidate_handle);
if (invalidate_handle != null)
{
Association assoc = Provider.Signatory.GetAssociation(invalidate_handle, AssociationRelyingPartyType.Smart);
if (assoc == null)
{
Logger.Warn("No matching association found. Returning invalidate_handle. ");
response.Fields[Protocol.openidnp.invalidate_handle] = invalidate_handle;
}
}
return(response);
}
public static EncodableResponse CreateAssertion(CheckIdRequest request)
{
if (request == null)
{
throw new ArgumentNullException("request");
}
if (!request.IsAuthenticated.HasValue)
{
throw new InvalidOperationException();
}
EncodableResponse response = EncodableResponse.PrepareIndirectMessage(
request.Protocol, request.ReturnTo, request.AssociationHandle);
if (request.IsAuthenticated.Value)
{
AssertionMessage.CreatePositiveAssertion(response, request.Provider,
request.LocalIdentifier, request.ClaimedIdentifier);
Logger.InfoFormat("Created positive assertion for {0}.", request.ClaimedIdentifier);
}
else
{
AssertionMessage.CreateNegativeAssertion(response, request);
Logger.InfoFormat("Created negative assertion for {0}.", request.ClaimedIdentifier);
}
return(response);
}
public static void CreatePositiveAssertion(EncodableResponse message,
OpenIdProvider provider, Identifier localIdentifier, Identifier claimedIdentifier)
{
if (message == null)
{
throw new ArgumentNullException("message");
}
Protocol protocol = message.Protocol;
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.id_res;
message.Fields[protocol.openidnp.identity] = localIdentifier;
// We use OriginalString for the return_to to help protect against interop
// problems with RPs that require an explicit port, or who knows what else.
message.Fields[protocol.openidnp.return_to] = message.RedirectUrl.OriginalString;
message.Signed.AddRange(new[] {
protocol.openidnp.return_to,
protocol.openidnp.identity,
});
if (protocol.Version.Major >= 2)
{
message.Fields[protocol.openidnp.claimed_id] = claimedIdentifier;
message.Fields[protocol.openidnp.op_endpoint] = provider.Endpoint.AbsoluteUri;
message.Fields[protocol.openidnp.response_nonce] = new Nonce().Code;
message.Signed.AddRange(new[] {
protocol.openidnp.claimed_id,
protocol.openidnp.op_endpoint,
protocol.openidnp.response_nonce,
});
}
Debug.Assert(!message.Signed.Contains(protocol.openidnp.mode), "openid.mode must not be signed because it changes in check_authentication requests.");
// The assoc_handle, signed, sig and invalidate_handle fields are added
// as appropriate by the Signatory.Sign method.
}
public static void CreateNegativeAssertion(EncodableResponse message, CheckIdRequest request)
{
if (message == null)
{
throw new ArgumentNullException("message");
}
if (request == null)
{
throw new ArgumentNullException("request");
}
Protocol protocol = message.Protocol;
if (request.Immediate)
{
if (protocol.Version.Major >= 2)
{
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.setup_needed;
}
else
{
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.id_res;
message.Fields[protocol.openidnp.user_setup_url] = request.SetupUrl.AbsoluteUri;
}
}
else
{
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.cancel;
}
}
/// <summary>
/// Creates a message that can be sent to a user agent to redirect them to a
/// relying party web site complete with authentication information to
/// automatically log them into that web site.
/// </summary>
public static IResponse CreateUnsolicitedAssertion(OpenIdProvider provider,
Realm relyingParty, Identifier claimedIdentifier, Identifier localIdentifier)
{
if (relyingParty == null)
{
throw new ArgumentNullException("relyingParty");
}
if (claimedIdentifier == null)
{
throw new ArgumentNullException("claimedIdentifier");
}
if (localIdentifier == null)
{
throw new ArgumentNullException("localIdentifier");
}
var discoveredEndpoints = new List <RelyingPartyReceivingEndpoint>(relyingParty.Discover(true));
if (discoveredEndpoints.Count == 0)
{
throw new OpenIdException(
string.Format(CultureInfo.CurrentCulture, Strings.NoRelyingPartyEndpointDiscovered,
relyingParty.NoWildcardUri));
}
var selectedEndpoint = discoveredEndpoints[0];
EncodableResponse message = EncodableResponse.PrepareIndirectMessage(
selectedEndpoint.Protocol, selectedEndpoint.RelyingPartyEndpoint, null);
CreatePositiveAssertion(message, provider, localIdentifier, claimedIdentifier);
return(provider.Encoder.Encode(message));
}
public static void CreatePositiveAssertion(EncodableResponse message,
OpenIdProvider provider, Identifier localIdentifier, Identifier claimedIdentifier)
{
if (message == null) throw new ArgumentNullException("message");
Protocol protocol = message.Protocol;
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.id_res;
message.Fields[protocol.openidnp.identity] = localIdentifier;
// We use OriginalString for the return_to to help protect against interop
// problems with RPs that require an explicit port, or who knows what else.
message.Fields[protocol.openidnp.return_to] = message.RedirectUrl.OriginalString;
message.Signed.AddRange(new[]{
protocol.openidnp.return_to,
protocol.openidnp.identity,
});
if (protocol.Version.Major >= 2) {
message.Fields[protocol.openidnp.claimed_id] = claimedIdentifier;
message.Fields[protocol.openidnp.op_endpoint] = provider.Endpoint.AbsoluteUri;
message.Fields[protocol.openidnp.response_nonce] = new Nonce().Code;
message.Signed.AddRange(new[]{
protocol.openidnp.claimed_id,
protocol.openidnp.op_endpoint,
protocol.openidnp.response_nonce,
});
}
Debug.Assert(!message.Signed.Contains(protocol.openidnp.mode), "openid.mode must not be signed because it changes in check_authentication requests.");
// The assoc_handle, signed, sig and invalidate_handle fields are added
// as appropriate by the Signatory.Sign method.
}
public static EncodableResponse PrepareIndirectMessage(Protocol protocol, Uri baseRedirectUrl, string preferredAssociationHandle)
{
EncodableResponse response = new EncodableResponse(protocol, baseRedirectUrl, preferredAssociationHandle);
if (protocol.QueryDeclaredNamespaceVersion != null)
{
response.Fields.Add(protocol.openidnp.ns, protocol.QueryDeclaredNamespaceVersion);
}
return(response);
}
public static EncodableResponse PrepareDirectMessage(Protocol protocol)
{
EncodableResponse response = new EncodableResponse(protocol);
if (protocol.QueryDeclaredNamespaceVersion != null)
{
response.Fields.Add(protocol.openidnp.ns, protocol.QueryDeclaredNamespaceVersion);
}
return(response);
}
public static void CreateNegativeAssertion(EncodableResponse message, CheckIdRequest request)
{
if (message == null) throw new ArgumentNullException("message");
if (request == null) throw new ArgumentNullException("request");
Protocol protocol = message.Protocol;
if (request.Immediate) {
if (protocol.Version.Major >= 2) {
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.setup_needed;
} else {
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.id_res;
message.Fields[protocol.openidnp.user_setup_url] = request.SetupUrl.AbsoluteUri;
}
} else {
message.Fields[protocol.openidnp.mode] = protocol.Args.Mode.cancel;
}
}
public EncodableResponse Answer()
{
Association assoc = Provider.Signatory.CreateAssociation(AssociationRelyingPartyType.Smart, Provider);
EncodableResponse response = EncodableResponse.PrepareDirectMessage(Protocol);
response.Fields[Protocol.openidnp.expires_in] = assoc.SecondsTillExpiration.ToString(CultureInfo.InvariantCulture);
response.Fields[Protocol.openidnp.assoc_type] = assoc.GetAssociationType(Protocol);
response.Fields[Protocol.openidnp.assoc_handle] = assoc.Handle;
response.Fields[Protocol.openidnp.session_type] = session.SessionType;
IDictionary <string, string> nvc = session.Answer(assoc.SecretKey);
foreach (var pair in nvc)
{
response.Fields[pair.Key] = nvc[pair.Key];
}
Logger.InfoFormat("Association {0} created.", assoc.Handle);
return(response);
}
public static EncodableResponse PrepareDirectMessage(Protocol protocol)
{
EncodableResponse response = new EncodableResponse(protocol);
if (protocol.QueryDeclaredNamespaceVersion != null)
response.Fields.Add(protocol.openidnp.ns, protocol.QueryDeclaredNamespaceVersion);
return response;
}
public static EncodableResponse PrepareIndirectMessage(Protocol protocol, Uri baseRedirectUrl, string preferredAssociationHandle)
{
EncodableResponse response = new EncodableResponse(protocol, baseRedirectUrl, preferredAssociationHandle);
if (protocol.QueryDeclaredNamespaceVersion != null)
response.Fields.Add(protocol.openidnp.ns, protocol.QueryDeclaredNamespaceVersion);
return response;
}
