DotNetOpenAuth.OpenId.RelyingParty

The COM interface describing the DotNetOpenAuth functionality available to COM client OpenID relying parties.

Creates an authentication request to verify that a user controls some given Identifier.

The Identifier supplied by the user. This may be a URL, an XRI or i-name. The shorest URL that describes this relying party web site's address. For example, if your login page is found at https://www.example.com/login.aspx, your realm would typically be https://www.example.com/. The URL of the login page, or the page prepared to receive authentication responses from the OpenID Provider. A comma-delimited list of simple registration fields to request as optional. A comma-delimited list of simple registration fields to request as required. An authentication request object that describes the HTTP response to send to the user agent to initiate the authentication. Thrown if no OpenID endpoint could be found.

Gets the result of a user agent's visit to his OpenId provider in an authentication attempt. Null if no response is available.

The incoming request URL . The form data that may have been included in the case of a POST request. The Provider's response to a previous authentication request, or null if no response is present.

An Attribute Exchange and Simple Registration filter to make all incoming attribute requests look like Simple Registration requests, and to convert the response to the originally requested extension and format.

Initializes a new instance of the class.

Applies a well known set of security requirements to a default set of security settings.

The security settings to enhance with the requirements of this profile. Care should be taken to never decrease security when applying a profile. Profiles should only enhance security requirements to avoid being incompatible with each other.

Called when an authentication request is about to be sent.

The request. Implementations should be prepared to be called multiple times on the same outgoing message without malfunctioning.

Called when an incoming positive assertion is received.

The positive assertion.

Implements the Identity, Credential, & Access Management (ICAM) OpenID 2.0 Profile for the General Services Administration (GSA).

Relying parties that include this profile are always held to the terms required by the profile, but Providers are only affected by the special behaviors of the profile when the RP specifically indicates that they want to use this profile.

Initializes a new instance of the class.

Applies a well known set of security requirements.

Called when an authentication request is about to be sent.

The request.

Called when an incoming positive assertion is received.

The positive assertion.

The OpenID binding element responsible for reading/writing OpenID extensions at the Relying Party.

The security settings that apply to this relying party, if it is a relying party.

Initializes a new instance of the class.

The extension factory. The security settings.

The messaging channel for OpenID relying parties.

Initializes a new instance of the class.

The association store to use. The nonce store to use. The security settings to apply.

Initializes a new instance of the class.

The association store to use. The nonce store to use. An object that knows how to distinguish the various OpenID message types for deserialization purposes. The security settings to apply. A value indicating whether the channel is set up with no functional security binding elements.

A value indicating whether the channel is set up with no functional security binding elements.

A new instance that will not perform verification on incoming messages or apply any security to outgoing messages. A value of true allows the relying party to preview incoming messages without invalidating nonces or checking signatures. Setting this to true poses a great security risk and is only present to support the OpenIdAjaxTextBox which needs to preview messages, and will validate them later.

Initializes the binding elements.

The crypto key store. The nonce store to use. The security settings to apply. Must be an instance of either or ProviderSecuritySettings. A value indicating whether the channel is set up with no functional security binding elements. An array of binding elements which may be used to construct the channel.

Message factory for OpenID Relying Parties.

Analyzes an incoming request message payload to discover what kind of message is embedded in it and returns the type, or null if no match is found.

The intended or actual recipient of the request message. The name/value pairs that make up the message payload. A newly instantiated -derived object that this message can deserialize to. Null if the request isn't recognized as a valid protocol message.

Analyzes an incoming request message payload to discover what kind of message is embedded in it and returns the type, or null if no match is found.

The message that was sent as a request that resulted in the response. The name/value pairs that make up the message payload. A newly instantiated -derived object that this message can deserialize to. Null if the request isn't recognized as a valid protocol message.

Helps ensure compliance to some properties in the .

The security settings that are active on the relying party.

Initializes a new instance of the class.

The security settings.

Prepares a message for sending based on the rules of this channel binding element.

The message to prepare for sending. The protections (if any) that this binding element applied to the message. Null if this binding element did not even apply to this binding element. Implementations that provide message protection must honor the properties where applicable.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

The incoming message to process. The protections (if any) that this binding element applied to the message. Null if this binding element did not even apply to this binding element. Thrown when the binding element rules indicate that this message is invalid and should NOT be processed. Implementations that provide message protection must honor the properties where applicable.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the protection commonly offered (if any) by this binding element.

This value is used to assist in sorting binding elements in the channel stack.

The signing binding element for OpenID Relying Parties.

The association store used by Relying Parties to look up the secrets needed for signing.

Initializes a new instance of the class.

The association store used to look up the secrets needed for signing. May be null for dumb Relying Parties.

Gets a specific association referenced in a given message's association handle.

The signed message whose association handle should be used to lookup the association to return. The referenced association; or null if such an association cannot be found.

Gets the association to use to sign or verify a message.

The message to sign or verify. The association to use to sign or verify the message.

Verifies the signature by unrecognized handle.

The message. The signed message. The protections applied. The applied protections.

This binding element adds a nonce to a Relying Party's outgoing authentication request when working against an OpenID 1.0 Provider in order to protect against replay attacks or on all authentication requests to distinguish solicited from unsolicited assertions.

This nonce goes beyond the OpenID 1.x spec, but adds to security. Since this library's Provider implementation also provides special nonce protection for 1.0 messages, this security feature overlaps with that one. This means that if an RP from this library were talking to an OP from this library, but the Identifier being authenticated advertised the OP as a 1.x OP, then both RP and OP might try to use a nonce for protecting the assertion. There's no problem with that--it will still all work out. And it would be a very rare combination of elements anyway. This binding element deactivates itself for OpenID 2.0 (or later) messages since they are automatically protected in the protocol by the Provider's openid.response_nonce parameter. The exception to this is when is set to true, which will not only add a request nonce to every outgoing authentication request but also require that it be present in positive assertions, effectively disabling unsolicited assertions. In the messaging stack, this binding element looks like an ordinary transform-type of binding element rather than a protection element, due to its required order in the channel stack and that it exists only on the RP side and only on some messages.

The context within which return_to nonces must be unique -- they all go into the same bucket.

The length of the generated nonce's random part.

The nonce store that will allow us to recall which nonces we've seen before.

The security settings at the RP.

Backing field for the property.

Initializes a new instance of the class.

The nonce store to use. The security settings of the RP.

Prepares a message for sending based on the rules of this channel binding element.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

Determines whether a request nonce should be applied the request or should be expected in the response.

The authentication request or the positive assertion response. true if the message exchanged with an OpenID 1.x provider or if unsolicited assertions should be rejected at the RP; otherwise false.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the protection offered (if any) by this binding element.

Gets the maximum message age from the standard expiration binding element.

A special DotNetOpenAuth-only nonce used by the RP when talking to 1.0 OPs in order to protect against replay attacks.

The random bits generated for the nonce.

Initializes a new instance of the class.

The creation date of the nonce. The random bits that help make the nonce unique.

Creates a new nonce.

The newly instantiated instance.

Deserializes a nonce from the return_to parameter.

The base64-encoded value of the nonce. The instantiated and initialized nonce.

Serializes the entire nonce for adding to the return_to URL.

The base64-encoded string representing the nonce.

Gets the creation date.

Gets the random part of the nonce as a base64 encoded string.

A set of methods designed to assist in improving interop across different OpenID implementations and their extensions.

Adds an Attribute Exchange (AX) extension to the authentication request that asks for the same attributes as the Simple Registration (sreg) extension that is already applied.

The authentication request. The attribute formats to use in the AX request. If discovery on the user-supplied identifier yields hints regarding which extensions and attribute formats the Provider supports, this method MAY ignore the argument and accomodate the Provider to minimize the size of the request. If the request does not carry an sreg extension, the method logs a warning but otherwise quietly returns doing nothing.

Looks for Simple Registration and Attribute Exchange (all known formats) response extensions and returns them as a Simple Registration extension.

The authentication response. if set to true unsigned extensions will be included in the search. The Simple Registration response if found, or a fabricated one based on the Attribute Exchange extension if found, or just an empty if there was no data. Never null.

Gets the attribute value if available.

The AX fetch response extension to look for the attribute value. The type URI of the attribute, using the axschema.org format of . The AX type URI formats to search. The first value of the attribute, if available.

Tries to find the exact format of AX attribute Type URI supported by the Provider.

The authentication request. The attribute formats the RP will try if this discovery fails. The AX format(s) to use based on the Provider's advertised AX support.

The discovery service to support host-meta based discovery, such as Google Apps for Domains.

The spec for this discovery mechanism can be found at: http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains and the XMLDSig spec referenced in that spec can be found at: http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile

Path to the well-known location of the host-meta document at a domain.

The URI template for discovery host-meta on domains hosted by Google Apps for Domains.

The pattern within a host-meta file to look for to obtain the URI to the XRDS document.

A set of certificate thumbprints that have been verified.

Initializes a new instance of the class.

Performs discovery on the specified identifier.

The identifier to perform discovery on. The means to place outgoing HTTP requests. if set to true, no further discovery services will be called for this identifier. A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.

Gets the XRD elements that have a given CanonicalID.

The XRDS document. The CanonicalID to match on. A sequence of XRD elements.

Gets the described-by services in XRD elements.

The XRDs to search. A sequence of services.

Gets the services for an identifier that are described by an external XRDS document.

The XRD elements to search for described-by services. The identifier under discovery. The request handler. The discovered services.

Validates the XML digital signature on an XRDS document.

The XRDS document whose signature should be validated. The identifier under discovery. The response. The host name on the certificate that should be used to verify the signature in the XRDS. Thrown if the XRDS document has an invalid or a missing signature.

Verifies the cert chain.

The certs. This must be in a method of its own because there is a LinkDemand on the method. By being in a method of its own, the caller of this method may catch a that is thrown if we're not running with full trust and execute an alternative plan. Thrown if the certificate chain is invalid or unverifiable.

Gets the XRDS HTTP response for a given identifier.

The identifier. The request handler. The location of the XRDS document to retrieve. A HTTP response carrying an XRDS document. Thrown if the XRDS document could not be obtained.

Verifies that a certificate chain is trusted.

The chain of certificates to verify.

Gets the XRDS HTTP response for a given identifier.

The identifier. The request handler. The host name on the certificate that should be used to verify the signature in the XRDS. A HTTP response carrying an XRDS document, or null if one could not be obtained. Thrown if the XRDS document could not be obtained.

Gets the location of the XRDS document that describes a given identifier.

The identifier under discovery. The request handler. The host name on the certificate that should be used to verify the signature in the XRDS. An absolute URI, or null if one could not be determined.

Gets the host-meta for a given identifier.

The identifier. The request handler. The host name on the certificate that should be used to verify the signature in the XRDS. The host-meta response, or null if no host-meta document could be obtained.

Gets the URIs authorized to host host-meta documents on behalf of a given domain.

The identifier. A sequence of URIs that MAY provide the host-meta for a given identifier.

Gets the set of URI templates to use to contact host-meta hosting proxies for domain discovery.

Gets or sets a value indicating whether to trust Google to host domains' host-meta documents.

This property is just a convenient mechanism for checking or changing the set of trusted host-meta proxies in the property.

A description of a web server that hosts host-meta documents.

Initializes a new instance of the class.

The proxy formatting string. The signing host formatting string.

Gets the absolute proxy URI.

The identifier being discovered. The an absolute URI.

Gets the signing host URI.

The identifier being discovered. A host name.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Gets the URL of the host-meta proxy.

The absolute proxy URL, which may include {0} to be replaced with the host of the identifier to be discovered.

Gets the formatting string to determine the expected host name on the certificate that is expected to be used to sign the XRDS document.

Either a string literal, or a formatting string where these placeholders may exist: {0} the host on the identifier discovery was originally performed on; {1} the host on this proxy.

The COM type used to provide details of an authentication result to a relying party COM client.

The response read in by the Relying Party.

Initializes a new instance of the class.

The response.

Gets an Identifier that the end user claims to own. For use with user database storage and lookup. May be null for some failed authentications (i.e. failed directed identity authentications).

This is the secure identifier that should be used for database storage and lookup. It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects user identities against spoofing and other attacks. For user-friendly identifiers to display, use the property.

Gets a user-friendly OpenID Identifier for display purposes ONLY.

This should be put through before sending to a browser to secure against javascript injection attacks. This property retains some aspects of the user-supplied identifier that get lost in the . For example, XRIs used as user-supplied identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD). For display purposes, such as text on a web page that says "You're logged in as ...", this property serves to provide the =Arnott string, or whatever else is the most friendly string close to what the user originally typed in. If the user-supplied identifier is a URI, this property will be the URI after all redirects, and with the protocol and fragment trimmed off. If the user-supplied identifier is an XRI, this property will be the original XRI. If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com), this property will be the Claimed Identifier, with the protocol stripped if it is a URI. It is very important that this property never be used for database storage or lookup to avoid identity spoofing and other security risks. For database storage and lookup please use the property.

Gets the provider endpoint that sent the assertion.

Gets a value indicating whether the authentication attempt succeeded.

Gets the Simple Registration response.

Gets details regarding a failed authentication attempt, if available.

A struct storing Simple Registration field values describing an authenticating user.

The Simple Registration claims response message that this shim wraps.

Initializes a new instance of the class.

The Simple Registration response to wrap.

Gets the nickname the user goes by.

Gets the user's email address.

Gets the full name of a user as a single string.

Gets the raw birth date string given by the extension.

A string in the format yyyy-MM-dd.

Gets the gender of the user.

Gets the zip code / postal code of the user.

Gets the country of the user.

Gets the primary/preferred language of the user.

Gets the user's timezone.

Implementation of , providing a subset of the functionality available to .NET clients.

The OpenIdRelyingParty instance to use for requests.

Initializes static members of the class.

Initializes a new instance of the class.

Creates an authentication request to verify that a user controls some given Identifier.

Gets the result of a user agent's visit to his OpenId provider in an authentication attempt. Null if no response is available.

The incoming request URL. The form data that may have been included in the case of a POST request. The Provider's response to a previous authentication request, or null if no response is present.

The successful Diffie-Hellman association response message.

Association response messages are described in OpenID 2.0 section 8.2. This type covers section 8.2.3.

A successful association response as it is received by the relying party.

Called to create the Association based on a request previously given by the Relying Party.

The prior request for an association. The created association.

Initializes a new instance of the class.

The OpenID version of the response message. The originating request.

Creates the association at relying party side after the association response has been received.

The original association request that was already sent and responded to. The newly created association. The resulting association is not added to the association store and must be done by the caller.

Utility methods for requesting associations from the relying party.

Creates an association request message that is appropriate for a given Provider.

The set of requirements the selected association type must comply to. The provider to create an association with. The message to send to the Provider to request an association. Null if no association could be created that meet the security requirements and the provider OpenID version.

Creates an association request message that is appropriate for a given Provider.

The set of requirements the selected association type must comply to. The provider to create an association with. Type of the association. Type of the session. The message to send to the Provider to request an association. Null if no association could be created that meet the security requirements and the provider OpenID version.

Code contract for the interface.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Thrown if the message is invalid.

Called to create the Association based on a request previously given by the Relying Party.

The prior request for an association. The created association.

Gets the level of protection this message requires.

Gets a value indicating whether this is a direct or indirect message.

Gets the version of the protocol or extension this message is prepared to implement.

Gets the extra, non-standard Protocol parameters included in the message.

A response to an unencrypted assocation request, as it is received by the relying party.

Initializes a new instance of the class.

The version. The request.

Called to create the Association based on a request previously given by the Relying Party.

The prior request for an association. The created association.

Wraps a standard so that it behaves as an association store.

Stores s for lookup by their handle, keeping associations separated by a given OP Endpoint.

Expired associations should be periodically cleared out of an association store. This should be done frequently enough to avoid a memory leak, but sparingly enough to not be a performance drain. Because this balance can vary by host, it is the responsibility of the host to initiate this cleaning.

Saves an for later recall.

The OP Endpoint with which the association is established. The association to store. If the new association conflicts (in OP endpoint and association handle) with an existing association, (which should never happen by the way) implementations may overwrite the previously saved association.

Gets the best association (the one with the longest remaining life) for a given key.

The OP Endpoint with which the association is established. The security requirements that the returned association must meet. The requested association, or null if no unexpired s exist for the given key. In the event that multiple associations exist for the given , it is important for the implementation for this method to use the to pick the best (highest grade or longest living as the host's policy may dictate) association that fits the security requirements. Associations that are returned that do not meet the security requirements will be ignored and a new association created.

Gets the association for a given key and handle.

The OP Endpoint with which the association is established. The handle of the specific association that must be recalled. The requested association, or null if no unexpired s exist for the given key and handle.

Removes a specified handle that may exist in the store.

The OP Endpoint with which the association is established. The handle of the specific association that must be deleted. Deprecated. The return value is insignificant. Previously: True if the association existed in this store previous to this call. No exception should be thrown if the association does not exist in the store before this call.

The underlying key store.

Initializes a new instance of the class.

The key store.

Saves an for later recall.

The OP Endpoint with which the association is established. The association to store.

Gets the best association (the one with the longest remaining life) for a given key.

Gets the association for a given key and handle.

Removes a specified handle that may exist in the store.

The OP Endpoint with which the association is established. The handle of the specific association that must be deleted. True if the association existed in this store previous to this call.

Constants used in implementing support for the UI extension.

Gets the window.open javascript snippet to use to open a popup window compliant with the UI extension.

The relying party. The authentication request to place in the window. The name to assign to the popup window. A string starting with 'window.open' and forming just that one method call.

Code Contract for the class.

Saves an for later recall.

The Uri (for relying parties) or Smart/Dumb (for providers). The association to store. TODO: what should implementations do on association handle conflict?

Gets the best association (the one with the longest remaining life) for a given key.

The Uri (for relying parties) or Smart/Dumb (for Providers). The security requirements that the returned association must meet. The requested association, or null if no unexpired s exist for the given key. In the event that multiple associations exist for the given , it is important for the implementation for this method to use the to pick the best (highest grade or longest living as the host's policy may dictate) association that fits the security requirements. Associations that are returned that do not meet the security requirements will be ignored and a new association created.

Gets the association for a given key and handle.

The Uri (for relying parties) or Smart/Dumb (for Providers). The handle of the specific association that must be recalled. The requested association, or null if no unexpired s exist for the given key and handle.

Removes a specified handle that may exist in the store.

The Uri (for relying parties) or Smart/Dumb (for Providers). The handle of the specific association that must be deleted. True if the association existed in this store previous to this call. No exception should be thrown if the association does not exist in the store before this call.

A dictionary of handle/Association pairs.

Each method is locked, even if it is only one line, so that they are thread safe against each other, particularly the ones that enumerate over the list, since they can break if the collection is changed by another thread during enumeration.

The lookup table where keys are the association handles and values are the associations themselves.

Initializes a new instance of the class.

Stores an in the collection.

The association to add to the collection.

Returns the with the given handle. Null if not found.

The handle to the required association. The desired association, or null if none with the given handle could be found.

Removes the with the given handle.

The handle to the required association. Whether an with the given handle was in the collection for removal.

Removes all expired associations from the collection.

Gets the s ordered in order of descending issue date (most recently issued comes first). An empty sequence if no valid associations exist.

This property is used by relying parties that are initiating authentication requests. It does not apply to Providers, which always need a specific association by handle.

Manages the establishment, storage and retrieval of associations at the relying party.

The storage to use for saving and retrieving associations. May be null.

Backing field for the property.

Initializes a new instance of the class.

The channel the relying party is using. The association store. May be null for dumb mode relying parties. The security settings.

Gets an association between this Relying Party and a given Provider if it already exists in the association store.

The provider to create an association with. The association if one exists and has useful life remaining. Otherwise null.

Gets an existing association with the specified Provider, or attempts to create a new association of one does not already exist.

The provider to get an association for. The existing or new association; null if none existed and one could not be created.

Creates a new association with a given Provider.

The provider to create an association with. The newly created association, or null if no association can be created with the given Provider given the current security settings. A new association is created and returned even if one already exists in the association store. Any new association is automatically added to the .

Creates a new association with a given Provider.

The provider to create an association with. The associate request. May be null, which will always result in a null return value.. The number of times to try the associate request again if the Provider suggests it. The newly created association, or null if no association can be created with the given Provider given the current security settings.

Gets or sets the channel to use for establishing associations.

The channel.

Gets or sets the security settings to apply in choosing association types to support.

Gets a value indicating whether this instance has an association store.

true if the relying party can act in 'smart' mode; false if the relying party must always act in 'dumb' mode.

Gets the storage to use for saving and retrieving associations. May be null.

Preferences regarding creation and use of an association between a relying party and provider for authentication.

Indicates that an association should be created for use in authentication if one has not already been established between the relying party and the selected provider.

Even with this value, if an association attempt fails or the relying party has no application store to recall associations, the authentication may proceed without an association.

Indicates that an association should be used for authentication only if it happens to already exist.

Indicates that an authentication attempt should NOT use an OpenID association between the relying party and the provider, even if an association was previously created.

Facilitates customization and creation and an authentication request that a Relying Party is preparing to send.

The name of the internal callback parameter to use to store the user-supplied identifier.

The relying party that created this request object.

How an association may or should be created or used in the formulation of the authentication request.

The extensions that have been added to this authentication request.

Arguments to add to the return_to part of the query string, so that these values come back to the consumer when the user agent returns.

A value indicating whether the return_to callback arguments must be signed.

This field defaults to false, but is set to true as soon as the first callback argument is added that indicates it must be signed. At which point, all arguments are signed even if individual ones did not need to be.

Initializes a new instance of the class.

The endpoint that describes the OpenID Identifier and Provider that will complete the authentication. The realm, or root URL, of the host web site. The base return_to URL that the Provider should return the user to to complete authentication. This should not include callback parameters as these should be added using the method. The relying party that created this instance.

Makes a dictionary of key/value pairs available when the authentication is completed.

The arguments to add to the request's return_to URI. Note that these values are NOT protected against eavesdropping in transit. No privacy-sensitive data should be stored using this method. The values stored here can be retrieved using , which will only return the value if it hasn't been tampered with in transit. Since the data set here is sent in the querystring of the request and some servers place limits on the size of a request URL, this data should be kept relatively small to ensure successful authentication. About 1.5KB is about all that should be stored.

Makes a key/value pair available when the authentication is completed.

The parameter name. The value of the argument. Note that these values are NOT protected against eavesdropping in transit. No privacy-sensitive data should be stored using this method. The value stored here can be retrieved using , which will only return the value if it hasn't been tampered with in transit. Since the data set here is sent in the querystring of the request and some servers place limits on the size of a request URL, this data should be kept relatively small to ensure successful authentication. About 1.5KB is about all that should be stored.

Makes a key/value pair available when the authentication is completed.

The parameter name. The value of the argument. Must not be null. Note that these values are NOT protected against tampering in transit. No security-sensitive data should be stored using this method. The value stored here can be retrieved using . Since the data set here is sent in the querystring of the request and some servers place limits on the size of a request URL, this data should be kept relatively small to ensure successful authentication. About 1.5KB is about all that should be stored.

Makes a key/value pair available when the authentication is completed without requiring a return_to signature to protect against tampering of the callback argument.

The parameter name. The value of the argument. Must not be null. Note that these values are NOT protected against eavesdropping or tampering in transit. No security-sensitive data should be stored using this method. The value stored here can be retrieved using . Since the data set here is sent in the querystring of the request and some servers place limits on the size of a request URL, this data should be kept relatively small to ensure successful authentication. About 1.5KB is about all that should be stored.

Adds an OpenID extension to the request directed at the OpenID provider.

The initialized extension to add to the request.

Redirects the user agent to the provider for authentication.

This method requires an ASP.NET HttpContext.

Performs identifier discovery, creates associations and generates authentication requests on-demand for as long as new ones can be generated based on the results of Identifier discovery.

The user supplied identifier. The relying party. The realm. The return_to base URL. if set to true, associations that do not exist between this Relying Party and the asserting Providers are created before the authentication request is created. A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier. Never null, but may be empty.

Creates an instance of FOR TESTING PURPOSES ONLY.

The discovery result. The realm. The return to. The relying party. The instantiated .

Creates the request message to send to the Provider, based on the properties in this instance.

The message to send to the Provider.

Performs deferred request generation for the method.

The user supplied identifier. The relying party. The realm. The return_to base URL. The discovered service endpoints on the Claimed Identifier. if set to true, associations that do not exist between this Relying Party and the asserting Providers are created before the authentication request is created. A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier. Never null, but may be empty. All data validation and cleansing steps must have ALREADY taken place before calling this method.

Returns a filtered and sorted list of the available OP endpoints for a discovered Identifier.

The endpoints. The relying party. A filtered and sorted list of endpoints; may be empty if the input was empty or the filter removed all endpoints.

Creates the request message to send to the Provider, based on the properties in this instance.

The message to send to the Provider.

Gets the association to use for this authentication request.

The association to use; null to use 'dumb mode'.

Gets or sets the mode the Provider should use during authentication.

Gets the HTTP response the relying party should send to the user agent to redirect it to the OpenID Provider to start the OpenID authentication process.

Gets the URL that the user agent will return to after authentication completes or fails at the Provider.

Gets the URL that identifies this consumer web application that the Provider will display to the end user.

Gets the Claimed Identifier that the User Supplied Identifier resolved to. Null if the user provided an OP Identifier (directed identity).

Null is returned if the user is using the directed identity feature of OpenID 2.0 to make it nearly impossible for a relying party site to improperly store the reserved OpenID URL used for directed identity as a user's own Identifier. However, to test for the Directed Identity feature, please test the property rather than testing this property for a null value.

Gets a value indicating whether the authenticating user has chosen to let the Provider determine and send the ClaimedIdentifier after authentication.

Gets or sets a value indicating whether this request only carries extensions and is not a request to verify that the user controls some identifier.

true if this request is merely a carrier of extensions and is not about an OpenID identifier; otherwise, false.

Gets information about the OpenId Provider, as advertised by the OpenId discovery documents found at the location.

Gets the discovery result leading to the formulation of this request.

The discovery result.

Gets or sets how an association may or should be created or used in the formulation of the authentication request.

Gets the extensions that have been added to the request.

Gets the list of extensions for this request.

An authentication request comparer that judges equality solely on the OP endpoint hostname.

The singleton instance of this comparer.

Prevents a default instance of the class from being created.

Determines whether the specified objects are equal.

The first object to compare. The second object to compare. true if the specified objects are equal; otherwise, false.

Returns a hash code for the specified object.

The for which a hash code is to be returned. A hash code for the specified object. The type of is a reference type and is null.

Gets the singleton instance of this comparer.

Wraps a negative assertion response in an instance for public consumption by the host web site.

An interface to expose useful properties and functionality for handling authentication responses that are returned from Immediate authentication requests that require a subsequent request to be made in non-immediate mode.

Gets the to pass to in a subsequent authentication attempt.

The negative assertion message that was received by the RP that was used to create this instance.

Initializes a new instance of the class.

The negative assertion response received by the Relying Party.

Gets a callback argument's value that was previously added using .

The name of the parameter whose value is sought. The value of the argument, or null if the named parameter could not be found. This may return any argument on the querystring that came with the authentication response, which may include parameters not explicitly added using . Note that these values are NOT protected against tampering in transit.

Gets a callback argument's value that was previously added using .

The name of the parameter whose value is sought. The value of the argument, or null if the named parameter could not be found. Callback parameters are only available even if the RP is in stateless mode, or the callback parameters are otherwise unverifiable as untampered with. Therefore, use this method only when the callback argument is not to be used to make a security-sensitive decision.

Gets all the callback arguments that were previously added using or as a natural part of the return_to URL.

A name-value dictionary. Never null. This MAY return any argument on the querystring that came with the authentication response, which may include parameters not explicitly added using . Note that these values are NOT protected against tampering in transit.

Gets all the callback arguments that were previously added using or as a natural part of the return_to URL.

A name-value dictionary. Never null. Callback parameters are only available even if the RP is in stateless mode, or the callback parameters are otherwise unverifiable as untampered with. Therefore, use this method only when the callback argument is not to be used to make a security-sensitive decision.

Tries to get an OpenID extension that may be present in the response.

The type of extension to look for in the response message. The extension, if it is found. Null otherwise. Extensions are returned only if the Provider signed them. Relying parties that do not care if the values were modified in transit should use the method in order to allow the Provider to not sign the extension. Unsigned extensions are completely unreliable and should be used only to prefill user forms since the user or any other third party may have tampered with the data carried by the extension. Signed extensions are only reliable if the relying party trusts the OpenID Provider that signed them. Signing does not mean the relying party can trust the values -- it only means that the values have not been tampered with since the Provider sent the message.

Tries to get an OpenID extension that may be present in the response.

Type of the extension to look for in the response. The extension, if it is found. Null otherwise. Extensions are returned only if the Provider signed them. Relying parties that do not care if the values were modified in transit should use the method in order to allow the Provider to not sign the extension. Unsigned extensions are completely unreliable and should be used only to prefill user forms since the user or any other third party may have tampered with the data carried by the extension. Signed extensions are only reliable if the relying party trusts the OpenID Provider that signed them. Signing does not mean the relying party can trust the values -- it only means that the values have not been tampered with since the Provider sent the message.

Tries to get an OpenID extension that may be present in the response, without requiring it to be signed by the Provider.

The type of extension to look for in the response message. The extension, if it is found. Null otherwise. Extensions are returned whether they are signed or not. Use the method to retrieve extension responses only if they are signed by the Provider to protect against tampering. Unsigned extensions are completely unreliable and should be used only to prefill user forms since the user or any other third party may have tampered with the data carried by the extension. Signed extensions are only reliable if the relying party trusts the OpenID Provider that signed them. Signing does not mean the relying party can trust the values -- it only means that the values have not been tampered with since the Provider sent the message.

Tries to get an OpenID extension that may be present in the response.

Type of the extension to look for in the response. The extension, if it is found. Null otherwise. Extensions are returned whether they are signed or not. Use the method to retrieve extension responses only if they are signed by the Provider to protect against tampering. Unsigned extensions are completely unreliable and should be used only to prefill user forms since the user or any other third party may have tampered with the data carried by the extension. Signed extensions are only reliable if the relying party trusts the OpenID Provider that signed them. Signing does not mean the relying party can trust the values -- it only means that the values have not been tampered with since the Provider sent the message.

Gets the Identifier that the end user claims to own. For use with user database storage and lookup. May be null for some failed authentications (i.e. failed directed identity authentications).

Gets a user-friendly OpenID Identifier for display purposes ONLY.

Gets the detailed success or failure status of the authentication attempt.

Gets information about the OpenId Provider, as advertised by the OpenID discovery documents found at the location.

The Provider endpoint that issued the positive assertion; or null if information about the Provider is unavailable.

Gets the details regarding a failed authentication attempt, if available. This will be set if and only if is .

Gets the to pass to in a subsequent authentication attempt.

Wraps an extension-only response from the OP in an instance for public consumption by the host web site.

Backin field for the property.

Information about the OP endpoint that issued this assertion.

Initializes a new instance of the class.

The response message.

Gets a callback argument's value that was previously added using .

The name of the parameter whose value is sought. The value of the argument, or null if the named parameter could not be found. Callback parameters are only available if they are complete and untampered with since the original request message (as proven by a signature). If the relying party is operating in stateless mode null is always returned since the callback arguments could not be signed to protect against tampering.

Gets a callback argument's value that was previously added using .

Gets all the callback arguments that were previously added using or as a natural part of the return_to URL.

A name-value dictionary. Never null. Callback parameters are only available if they are complete and untampered with since the original request message (as proven by a signature). If the relying party is operating in stateless mode an empty dictionary is always returned since the callback arguments could not be signed to protect against tampering.