DotNetOpenAuth.OpenId

Describes a collection of association type sub-elements in a .config file.

Initializes a new instance of the class.

Returns an enumerator that iterates through the collection.

A that can be used to iterate through the collection.

When overridden in a derived class, creates a new .

A new .

Gets the element key for a specified configuration element when overridden in a derived class.

The to return the key for. An that acts as the key for the specified .

Describes an association type and its maximum lifetime as an element in a .config file.

The name of the attribute that stores the association type.

The name of the attribute that stores the association's maximum lifetime.

Initializes a new instance of the class.

Gets or sets the protocol name of the association.

Gets or sets the maximum time a shared association should live.

The default value is 14 days.

The configuration element that can adjust how hostmeta discovery works.

The property name for enableCertificateValidationCache.

Initializes a new instance of the class.

Gets or sets a value indicating whether validated certificates should be cached and not validated again.

This helps to avoid unexplained 5-10 second delays in certificate validation for Google Apps for Domains that impact some servers.

Represents the <openid> element in the host's .config file.

The name of the section under which this library's settings must be found.

The name of the <relyingParty> sub-element.

The name of the <provider> sub-element.

The name of the <extensions> sub-element.

The name of the <xriResolver> sub-element.

The name of the @maxAuthenticationTime attribute.

The name of the @cacheDiscovery attribute.

Initializes a new instance of the class.

Gets the configuration section from the .config file.

Gets or sets the maximum time a user can take to complete authentication.

This time limit allows the library to decide how long to cache certain values necessary to complete authentication. The lower the time, the less demand on the server. But too short a time can frustrate the user.

Gets or sets a value indicating whether the results of Identifier discovery should be cached.

Use true to allow identifier discovery to immediately return cached results when available; otherwise, use false.to force fresh results every time at the cost of slightly slower logins. The default value is true. When enabled, caching is done according to HTTP standards.

Gets or sets the configuration specific for Relying Parties.

Gets or sets the configuration specific for Providers.

Gets or sets the registered OpenID extension factories.

Gets or sets the configuration for the XRI resolver.

The section in the .config file that allows customization of OpenID Provider behaviors.

The name of the <provider> sub-element.

The name of the security sub-element.

Gets the name of the <behaviors> sub-element.

The name of the custom store sub-element.

Initializes a new instance of the class.

Gets or sets the security settings.

Gets or sets the special behaviors to apply.

Gets or sets the type to use for storing application state.

Represents the .config file element that allows for setting the security policies of the Provider.

Gets the name of the @protectDownlevelReplayAttacks attribute.

Gets the name of the @minimumHashBitLength attribute.

Gets the name of the @maximumHashBitLength attribute.

The name of the associations collection sub-element.

The name of the @encodeAssociationSecretsInHandles attribute.

Gets the name of the @requireSsl attribute.

Gets the name of the @unsolicitedAssertionVerification attribute.

Initializes a new instance of the class.

Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.

The newly created security settings object.

Gets or sets a value indicating whether all discovery and authentication should require SSL security.

Gets or sets the minimum length of the hash that protects the protocol from hijackers.

Gets or sets the maximum length of the hash that protects the protocol from hijackers.

Gets or sets a value indicating whether the Provider should take special care to protect OpenID 1.x relying parties against replay attacks.

Gets or sets the level of verification a Provider performs on an identifier before sending an unsolicited assertion for it.

The default value is .

Gets or sets the configured lifetimes of the various association types.

Gets or sets a value indicating whether the Provider should ease the burden of storing associations by encoding their secrets (in signed, encrypted form) into the association handles themselves, storing only a few rotating, private symmetric keys in the Provider's store instead.

The section in the .config file that allows customization of OpenID Relying Party behaviors.

The name of the custom store sub-element.

The name of the <relyingParty> sub-element.

The name of the attribute that specifies whether dnoa.userSuppliedIdentifier is tacked onto the openid.return_to URL.

Gets the name of the security sub-element.

The name of the <behaviors> sub-element.

The name of the <discoveryServices> sub-element.

The name of the <hostMetaDiscovery> sub-element.

The built-in set of identifier discovery services.

Initializes a new instance of the class.

Gets or sets a value indicating whether "dnoa.userSuppliedIdentifier" is tacked onto the openid.return_to URL in order to preserve what the user typed into the OpenID box.

The default value is true.

Gets or sets the security settings.

Gets or sets the special behaviors to apply.

Gets or sets the type to use for storing application state.

Gets or sets the host meta discovery configuration element.

Gets or sets the services to use for discovering service endpoints for identifiers.

If no discovery services are defined in the (web) application's .config file, the default set of discovery services built into the library are used.

Represents the .config file element that allows for setting the security policies of the Relying Party.

Gets the name of the @minimumRequiredOpenIdVersion attribute.

Gets the name of the @minimumHashBitLength attribute.

Gets the name of the @maximumHashBitLength attribute.

Gets the name of the @requireSsl attribute.

Gets the name of the @requireDirectedIdentity attribute.

Gets the name of the @requireAssociation attribute.

Gets the name of the @rejectUnsolicitedAssertions attribute.

Gets the name of the @rejectDelegatedIdentifiers attribute.

Gets the name of the @ignoreUnsignedExtensions attribute.

Gets the name of the @allowDualPurposeIdentifiers attribute.

Gets the name of the @allowApproximateIdentifierDiscovery attribute.

Gets the name of the @protectDownlevelReplayAttacks attribute.

The name of the <trustedProviders> sub-element.

Initializes a new instance of the class.

Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.

The newly created security settings object.

Gets or sets a value indicating whether all discovery and authentication should require SSL security.

Gets or sets a value indicating whether only OP Identifiers will be discoverable when creating authentication requests.

Gets or sets a value indicating whether authentication requests will only be created where an association with the Provider can be established.

Gets or sets the minimum OpenID version a Provider is required to support in order for this library to interoperate with it.

Although the earliest versions of OpenID are supported, for security reasons it may be desirable to require the remote party to support a later version of OpenID.

Gets or sets the minimum length of the hash that protects the protocol from hijackers.

Gets or sets the maximum length of the hash that protects the protocol from hijackers.

Gets or sets a value indicating whether all unsolicited assertions should be ignored.

The default value is false.

Gets or sets a value indicating whether delegating identifiers are refused for authentication.

The default value is false. When set to true, login attempts that start at the RP or arrive via unsolicited assertions will be rejected if discovery on the identifier shows that OpenID delegation is used for the identifier. This is useful for an RP that should only accept identifiers directly issued by the Provider that is sending the assertion.

Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.

The default value is false. When set to true, the methods will not return any extension that was not signed by the Provider.

Gets or sets a value indicating whether identifiers that are both OP Identifiers and Claimed Identifiers should ever be recognized as claimed identifiers.

The default value is false, per the OpenID 2.0 spec.

Gets or sets a value indicating whether certain Claimed Identifiers that exploit features that .NET does not have the ability to send exact HTTP requests for will still be allowed by using an approximate HTTP request.

The default value is true.

Gets or sets a value indicating whether the Relying Party should take special care to protect users against replay attacks when interoperating with OpenID 1.1 Providers.

Gets or sets the set of trusted OpenID Provider Endpoints.

Represents the <xriResolver> element in the host's .config file.

Gets the name of the @enabled attribute.

The default value for .

The name of the <proxy> sub-element.

The default XRI proxy resolver to use.

Initializes a new instance of the class.

Gets or sets a value indicating whether this XRI resolution is enabled.

The default value is true.

Gets or sets the proxy to use for resolving XRIs.

The default value is "xri.net".

Adds OpenID-specific extension methods to the XrdsDocument class.

Creates the service endpoints described in this document, useful for requesting authentication of one of the OpenID Providers that result from it.

The XrdsDocument instance to use in this process. The claimed identifier that was used to discover this XRDS document. The user supplied identifier. A sequence of OpenID Providers that can assert ownership of the .

Creates the service endpoints described in this document, useful for requesting authentication of one of the OpenID Providers that result from it.

The XrdsDocument instance to use in this process. The user-supplied i-name that was used to discover this XRDS document. A sequence of OpenID Providers that can assert ownership of the canonical ID given in this document.

Generates OpenID Providers that can authenticate using directed identity.

The XrdsDocument instance to use in this process. The OP Identifier entered (and resolved) by the user. Essentially the user-supplied identifier. A sequence of the providers that can offer directed identity services.

Generates the OpenID Providers that are capable of asserting ownership of a particular URI claimed identifier.

The XrdsDocument instance to use in this process. The claimed identifier. The user supplied identifier. A sequence of the providers that can assert ownership of the given identifier.

Generates the OpenID Providers that are capable of asserting ownership of a particular XRI claimed identifier.

The XrdsDocument instance to use in this process. The i-name supplied by the user. A sequence of the providers that can assert ownership of the given identifier.

Enumerates the XRDS service elements that describe OpenID Providers offering directed identity assertions.

The XrdsDocument instance to use in this process. A sequence of service elements.

Returns the OpenID-compatible services described by a given XRDS document, in priority order.

The XrdsDocument instance to use in this process. A sequence of the services offered.

Stores a secret used in signing and verifying messages.

OpenID associations may be shared between Provider and Relying Party (smart associations), or be a way for a Provider to recall its own secret for later (dumb associations).

Initializes a new instance of the class.

The handle. The secret. How long the association will be useful. The UTC time of when this association was originally issued by the Provider.

Re-instantiates an previously persisted in a database or some other shared store.

The property of the previous instance. The UTC value of the property of the previous instance. The byte array returned by a call to on the previous instance. The newly dehydrated , which can be returned from a custom association store's IRelyingPartyAssociationStore.GetAssociation method.

Returns private data required to persist this in permanent storage (a shared database for example) for deserialization later.

An opaque byte array that must be stored and returned exactly as it is provided here. The byte array may vary in length depending on the specific type of , but in current versions are no larger than 256 bytes. Values of public properties on the base class are not included in this byte array, as they are useful for fast database lookup and are persisted separately.

Tests equality of two objects.

The to compare with the current . true if the specified is equal to the current ; otherwise, false.

Returns the hash code.

A hash code for the current .

The string to pass as the assoc_type value in the OpenID protocol.

The protocol version of the message that the assoc_type value will be included in. The value that should be used for the openid.assoc_type parameter.

Generates a signature from a given blob of data.

The data to sign. This data will not be changed (the signature is the return value). The calculated signature of the data.

Returns the specific hash algorithm used for message signing.

The hash algorithm used for message signing.

Gets a unique handle by which this may be stored or retrieved.

Gets the UTC time when this will expire.

Gets a value indicating whether this has already expired.

Gets the length (in bits) of the hash this association creates when signing.

Gets a value indicating whether this instance has useful life remaining.

true if this instance has useful life remaining; otherwise, false.

Gets or sets the UTC time that this was first created.

Gets the duration a secret key used for signing dumb client requests will be good for.

Gets the number of seconds until this expires. Never negative (counter runs to zero).

Gets the shared secret key between the consumer and provider.

Gets the lifetime the OpenID provider permits this .

Gets the minimum lifetime an association must still be good for in order for it to be used for a future authentication.

Associations that are not likely to last the duration of a user login are not worth using at all.

Gets the TimeSpan till this association expires.

Indicates the mode the Provider should use while authenticating the end user.

The Provider should use whatever credentials are immediately available to determine whether the end user owns the Identifier. If sufficient credentials (i.e. cookies) are not immediately available, the Provider should fail rather than prompt the user.

The Provider should determine whether the end user owns the Identifier, displaying a web page to the user to login etc., if necessary.

An Attribute Exchange and Simple Registration filter to make all incoming attribute requests look like Simple Registration requests, and to convert the response to the originally requested extension and format.

Initializes a new instance of the class.

Gets or sets the AX attribute type URI formats this transform is willing to work with.

A strongly-typed resource class, for looking up localized strings, etc.

Returns the cached ResourceManager instance used by this class.

Overrides the current thread's CurrentUICulture property for all resource lookups using this strongly typed resource class.

Looks up a localized string similar to The PAPE request has an incomplete set of authentication policies..

Looks up a localized string similar to A PAPE response is missing or is missing required policies..

Looks up a localized string similar to No personally identifiable information should be included in authentication responses when the PAPE authentication policy http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf is present..

Looks up a localized string similar to No personally identifiable information should be requested when the http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf PAPE policy is present..

Looks up a localized string similar to No PPID provider has been configured..

Looks up a localized string similar to Discovery on the Realm URL MUST be performed before sending a positive assertion..

Looks up a localized string similar to The Realm in an authentication request must be an HTTPS URL..

Implements the Identity, Credential, & Access Management (ICAM) OpenID 2.0 Profile for the General Services Administration (GSA).

Relying parties that include this profile are always held to the terms required by the profile, but Providers are only affected by the special behaviors of the profile when the RP specifically indicates that they want to use this profile.

Backing field for the static property.

Initializes a new instance of the class.

Gets or sets a value indicating whether PII is allowed to be requested or received via OpenID.

The default value is false.

Gets or sets a value indicating whether to ignore the SSL requirement (for testing purposes only).

Provides a mechanism for Relying Parties to work with OpenID 1.0 Providers without losing claimed_id and op_endpoint data, which OpenID 2.0 Providers are required to send back with positive assertions.

The "dnoa.op_endpoint" callback parameter that stores the Provider Endpoint URL to tack onto the return_to URI.

The "dnoa.claimed_id" callback parameter that stores the Claimed Identifier to tack onto the return_to URI.

Prepares a message for sending based on the rules of this channel binding element.

The message to prepare for sending. The protections (if any) that this binding element applied to the message. Null if this binding element did not even apply to this binding element. Implementations that provide message protection must honor the properties where applicable.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

The incoming message to process. The protections (if any) that this binding element applied to the message. Null if this binding element did not even apply to this binding element. Thrown when the binding element rules indicate that this message is invalid and should NOT be processed. Implementations that provide message protection must honor the properties where applicable.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the protection offered (if any) by this binding element.

Code contract for the class.

Signs and verifies authentication assertions.

Prepares a message for sending based on the rules of this channel binding element.

The message to prepare for sending. The protections (if any) that this binding element applied to the message. Null if this binding element did not even apply to this binding element.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

Verifies the signature by unrecognized handle.

The message. The signed message. The protections applied. The applied protections.

Calculates the signature for a given message.

The message to sign or verify. The association to use to sign the message. The calculated signature of the method.

Gets the association to use to sign or verify a message.

The message to sign or verify. The association to use to sign or verify the message.

Gets a specific association referenced in a given message's association handle.

The signed message whose association handle should be used to lookup the association to return. The referenced association; or null if such an association cannot be found. If the association handle set in the message does not match any valid association, the association handle property is cleared, and the property is set to the handle that could not be found.

Gets a private Provider association used for signing messages in "dumb" mode.

An existing or newly created association.

Ensures that all message parameters that must be signed are in fact included in the signature.

The signed message.

Gets the protection offered (if any) by this binding element.

Gets or sets the channel that this binding element belongs to.

Gets a value indicating whether this binding element is on a Provider channel.

Verifies the signature by unrecognized handle.

The message. The signed message. The protections applied. The applied protections.

Gets the association to use to sign or verify a message.

The message to sign or verify. The association to use to sign or verify the message.

Gets a specific association referenced in a given message's association handle.

The signed message whose association handle should be used to lookup the association to return. The referenced association; or null if such an association cannot be found.

The binding element that serializes/deserializes OpenID extensions to/from their carrying OpenID messages.

False if unsigned extensions should be dropped. Must always be true on Providers, since RPs never sign extensions.

Initializes a new instance of the class.

The extension factory. The security settings. Security setting for relying parties. Should be true for Providers.

Prepares a message for sending based on the rules of this channel binding element.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

Gets the extensions on a message.

The carrier of the extensions. If set to true only signed extensions will be available. A optional filter that takes an extension type URI and returns a value indicating whether that extension should be deserialized and returned in the sequence. May be null. A sequence of extensions in the message.

Gets the dictionary of message parts that should be deserialized into extensions.

The message. If set to true only signed extensions will be available. A dictionary of message parts, including only signed parts when appropriate.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the extension factory.

Gets the protection offered (if any) by this binding element.

OpenID extension factory class for creating extensions based on received Type URIs.

OpenID extension factories must be registered with the library. This can be done by adding a factory to OpenIdRelyingParty.ExtensionFactories or OpenIdProvider.ExtensionFactories, or by adding a snippet such as the following to your web.config file: <dotNetOpenAuth> <openid> <extensionFactories> <add type="DotNetOpenAuth.ApplicationBlock.CustomExtensions.Acme, DotNetOpenAuth.ApplicationBlock" /> </extensionFactories> </openid> </dotNetOpenAuth>

Creates a new instance of some extension based on the received extension parameters.

The type URI of the extension. The parameters associated specifically with this extension. The OpenID message carrying this extension. A value indicating whether this extension is being received at the OpenID Provider. An instance of if the factory recognizes the extension described in the input parameters; null otherwise. This factory method need only initialize properties in the instantiated extension object that are not bound using .

An interface that OAuth messages implement to support signing.

Gets or sets the association handle used to sign the message.

The handle for the association that was used to sign this assertion.

Gets or sets the association handle that the Provider wants the Relying Party to not use any more.

If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.

Gets or sets the signed parameter order.

Comma-separated list of signed fields. "op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce" This entry consists of the fields without the "openid." prefix that the signature covers. This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle", and if present in the response, "claimed_id" and "identity". Additional keys MAY be signed as part of the message. See Generating Signatures.

A Uri encoder that serializes using rather than the standard .

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

The string value carried by the transport. Guaranteed to never be null, although it may be empty. The deserialized form of the given string. Thrown when the string value given cannot be decoded into the required object type.

Indicates the level of strictness to require when decoding a Key-Value Form encoded dictionary.

Be as forgiving as possible to errors made while encoding.

Allow for certain errors in encoding attributable to ambiguities in the OpenID 1.1 spec's description of the encoding.

The strictest mode. The decoder requires the encoded dictionary to be in strict compliance with OpenID 2.0's description of the encoding.

Performs conversion to and from the Key-Value Form Encoding defined by OpenID Authentication 2.0 section 4.1.1. http://openid.net/specs/openid-authentication-2_0.html#anchor4

This class is thread safe and immutable.

The newline character sequence to use.

Characters that must not appear in parameter names.

Characters that must not appaer in parameter values.

The character encoding to use.

Initializes a new instance of the class.

How strictly an incoming Key-Value Form message will be held to the spec.

Encodes key/value pairs to Key-Value Form.

The dictionary of key/value pairs to convert to a byte stream. The UTF8 byte array. Enumerating a Dictionary<TKey, TValue> has undeterministic ordering. If ordering of the key=value pairs is important, a deterministic enumerator must be used.

Decodes bytes in Key-Value Form to key/value pairs.

The stream of Key-Value Form encoded bytes. The deserialized dictionary. Thrown when the data is not in the expected format.

Gets a value controlling how strictly an incoming Key-Value Form message will be held to the spec.

A channel that knows how to send and receive OpenID messages.

The HTTP Content-Type to use in Key-Value Form responses.

OpenID 2.0 section 5.1.2 says this SHOULD be text/plain. But this value does not prevent free hosters like GoDaddy from tacking on their ads to the end of the direct response, corrupting the data. So we deviate from the spec a bit here to improve the story for free Providers.

The encoder that understands how to read and write Key-Value Form.

Initializes a new instance of the class.

A class prepared to analyze incoming messages and indicate what concrete message types can deserialize from it. The binding elements to use in sending and receiving messages.

Verifies the integrity and applicability of an incoming message.

The message just received. Thrown when the message is somehow invalid, except for check_authentication messages. This can be due to tampering, replay attack or expiration, among other things.

Prepares an HTTP request that carries a given message.

The message to send. The prepared to send the request.

Gets the protocol message that may be in the given HTTP response.

The response that is anticipated to contain an protocol message. The deserialized message parts, if found. Null otherwise. Thrown when the response is not valid.

Called when receiving a direct response message, before deserialization begins.

The HTTP direct response. The newly instantiated message, prior to deserialization.

Queues a message for sending in the response stream where the fields are sent in the response stream in querystring style.

The message to send as a response. The pending user agent redirect based message to be sent as an HttpResponse. This method implements spec V1.0 section 5.3.

Gets the direct response of a direct HTTP request.

The web request. The response to the web request. Thrown on network or protocol errors.

This binding element signs a Relying Party's openid.return_to parameter so that upon return, it can verify that it hasn't been tampered with.

Since Providers can send unsolicited assertions, not all openid.return_to values will be signed. But those that are signed will be validated, and any invalid or missing signatures will cause this library to not trust the parameters in the return_to URL. In the messaging stack, this binding element looks like an ordinary transform-type of binding element rather than a protection element, due to its required order in the channel stack and that it doesn't sign anything except a particular message part.

The name of the callback parameter we'll tack onto the return_to value to store our signature on the return_to parameter.

The name of the callback parameter we'll tack onto the return_to value to store the handle of the association we use to sign the return_to parameter.

The URI to use for private associations at this RP.

The key store used to generate the private signature on the return_to parameter.

Initializes a new instance of the class.

The crypto key store.

Prepares a message for sending based on the rules of this channel binding element.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

Gets the return to signature.

The return to. The crypto key. The generated signature. Only the parameters in the return_to URI are signed, rather than the base URI itself, in order that OPs that might change the return_to's implicit port :80 part or other minor changes do not invalidate the signature.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the protection offered (if any) by this binding element.

No message protection is reported because this binding element does not protect the entire message -- only a part.

Spoofs security checks on incoming OpenID messages.

Prepares a message for sending based on the rules of this channel binding element.

Performs any transformation on an incoming message that may be necessary and/or validates an incoming message based on the rules of this channel binding element.

Gets or sets the channel that this binding element belongs to.

This property is set by the channel when it is first constructed.

Gets the protection commonly offered (if any) by this binding element.

This value is used to assist in sorting binding elements in the channel stack.

Code contract for the class.

Prevents a default instance of the class from being created.

The string to pass as the assoc_type value in the OpenID protocol.

The protocol version of the message that the assoc_type value will be included in. The value that should be used for the openid.assoc_type parameter.

Returns the specific hash algorithm used for message signing.

The hash algorithm used for message signing.

Gets the length (in bits) of the hash this association creates when signing.

Manages a fast, two-way mapping between type URIs and their aliases.

The format of auto-generated aliases.

Tracks extension Type URIs and aliases assigned to them.

Tracks extension aliases and Type URIs assigned to them.

Gets an alias assigned for a given Type URI. A new alias is assigned if necessary.

The type URI. The alias assigned to this type URI. Never null.

Sets an alias and the value that will be returned by .

The alias. The type URI.

Takes a sequence of type URIs and assigns aliases for all of them.

The type URIs to create aliases for. An optional dictionary of URI/alias pairs that suggest preferred aliases to use if available for certain type URIs.

Sets up aliases for any Type URIs in a dictionary that do not yet have aliases defined, and where the given preferred alias is still available.

A dictionary of type URI keys and alias values.

Gets the Type Uri encoded by a given alias.

The alias. The Type URI. Thrown if the given alias does not have a matching TypeURI.

Gets the Type Uri encoded by a given alias.

The alias. The Type URI for the given alias, or null if none for that alias exist.

Returns a value indicating whether an alias has already been assigned to a type URI.

The alias in question. True if the alias has already been assigned. False otherwise.

Determines whether a given TypeURI has an associated alias assigned to it.

The type URI. true if the given type URI already has an alias assigned; false otherwise.

Assigns a new alias to a given Type URI.

The type URI to assign a new alias to. The newly generated alias.

Gets the aliases that have been set.

An individual attribute to be requested of the OpenID Provider using the Attribute Exchange extension.

Backing field for the property.

Initializes a new instance of the class with = false, = 1.

The unique TypeURI for that describes the attribute being sought.

Initializes a new instance of the class with = 1.

The unique TypeURI for that describes the attribute being sought. A value indicating whether the Relying Party considers this attribute to be required for registration.

Initializes a new instance of the class.

The unique TypeURI for that describes the attribute being sought. A value indicating whether the Relying Party considers this attribute to be required for registration. The maximum number of values for this attribute the Relying Party is prepared to receive.

Used by a Provider to create a response to a request for an attribute's value(s) using a given array of strings.

The values for the requested attribute. The newly created object that should be added to the object.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Gets or sets the URI uniquely identifying the attribute being requested.

Gets or sets a value indicating whether the relying party considers this a required field. Note that even if set to true, the Provider may not provide the value.

Gets or sets the maximum number of values for this attribute the Relying Party wishes to receive from the OpenID Provider. A value of int.MaxValue is considered infinity.

An individual attribute's value(s) as supplied by an OpenID Provider in response to a prior request by an OpenID Relying Party as part of a fetch request, or by a relying party as part of a store request.

Initializes a new instance of the class.

The TypeURI that uniquely identifies the attribute. The values for the attribute.

Initializes a new instance of the class.

This is internal because web sites should be using the method to instantiate.

Initializes a new instance of the class.

The TypeURI of the attribute whose values are being provided.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Gets the URI uniquely identifying the attribute whose value is being supplied.

Gets the values supplied by the Provider.

The various Type URI formats an AX attribute may use by various remote parties.

No attribute format.

AX attributes should use the Type URI format starting with http://axschema.org/.

AX attributes should use the Type URI format starting with http://schema.openid.net/.

AX attributes should use the Type URI format starting with http://openid.net/schema/.

All known schemas.

The most common schemas.

Helper methods shared by multiple messages in the Attribute Exchange extension.

Adds a request for an attribute considering it 'required'.

The attribute request collection. The type URI of the required attribute.

Adds a request for an attribute without considering it 'required'.

The attribute request collection. The type URI of the requested attribute.

Adds a given attribute with one or more values to the request for storage. Applicable to Relying Parties only.

The collection of to add to. The type URI of the attribute. The attribute values.

Serializes a set of attribute values to a dictionary of fields to send in the message.

The dictionary to fill with serialized attributes. The attributes.

Deserializes attribute values from an incoming set of message data.

The data coming in with the message. The attribute values found in the message.

Reads through the attributes included in the response to discover the alias-TypeURI relationships.

The data included in the extension message. The alias manager that provides lookup between aliases and type URIs.

Attribute Exchange constants

The TypeURI by which the AX extension is recognized in OpenID messages and in XRDS documents.

The Attribute Exchange Fetch message, request leg.

A handy base class for built-in extensions.

The contract any OpenID extension for DotNetOpenAuth must implement.

Classes that implement this interface should be marked as [] to allow serializing state servers to cache messages, particularly responses.

Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.

Gets the additional TypeURIs that are supported by this extension, in preferred order. May be empty if none other than is supported, but should not be null.

Useful for reading in messages with an older version of an extension. The value in the property is always checked before trying this list. If you do support multiple versions of an extension using this method, consider adding a CreateResponse method to your request extension class so that the response can have the context it needs to remain compatible given the version of the extension in the request message. The for an example.

Gets or sets a value indicating whether this extension was signed by the sender.

true if this instance is signed by the sender; otherwise, false.

Backing store for the property.

Initializes a new instance of the class.

The version of the extension. The type URI to use in the OpenID message. The additional supported type URIs by which this extension might be recognized. May be null.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Some messages have required fields, or combinations of fields that must relate to each other in specialized ways. After deserializing a message, this method checks the state of the message to see if it conforms to the protocol. Note that this property should not check signatures or perform any state checks outside this scope of this particular message. Thrown if the message is invalid.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.

Gets the additional TypeURIs that are supported by this extension, in preferred order. May be empty if none other than is supported, but should not be null.

Gets or sets a value indicating whether this extension was signed by the OpenID Provider.

true if this instance is signed by the provider; otherwise, false.

Gets the version of the protocol or extension this message is prepared to implement.

Gets the extra, non-standard Protocol parameters included in the message.

Implementations of this interface should ensure that this property never returns null.

Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.

Gets or sets a value indicating whether this extension was signed by the OpenID Provider.

true if this instance is signed by the provider; otherwise, false.

Gets the additional TypeURIs that are supported by this extension, in preferred order. May be empty if none other than is supported, but should not be null.

Gets the extra, non-standard Protocol parameters included in the message.

Implementations of this interface should ensure that this property never returns null.

The value for the 'mode' parameter.

The factory method that may be used in deserialization of this message.

Characters that may not appear in an attribute alias list.

Characters that may not appear in an attribute Type URI alias.

The collection of requested attributes.

Initializes a new instance of the class.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Splits a list of aliases by their commas.

The comma-delimited list of aliases. May be null or empty. The list of aliases. Never null, but may be empty.

Gets a collection of the attributes whose values are requested by the Relying Party.

A collection where the keys are the attribute type URIs, and the value is all the attribute request details.

Gets or sets the URL that the OpenID Provider may re-post the fetch response message to at some time after the initial response has been sent, using an OpenID Authentication Positive Assertion to inform the relying party of updates to the requested fields.

Gets or sets a list of aliases for optional attributes.

A comma-delimited list of aliases.

Gets or sets a list of aliases for required attributes.

A comma-delimited list of aliases.

The Attribute Exchange Fetch message, response leg.

The value of the 'mode' parameter.

The factory method that may be used in deserialization of this message.

The collection of provided attributes. This field will never be null.

Initializes a new instance of the class.

Gets the first attribute value provided for a given attribute Type URI.

The type URI of the attribute. Usually a constant from . The first value provided for the attribute, or null if the attribute is missing or no values were provided. This is meant as a helper method for the common case of just wanting one attribute value. For greater flexibility or to retrieve more than just the first value for an attribute, use the collection directly.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Gets a sequence of the attributes whose values are provided by the OpenID Provider.

Gets a value indicating whether the OpenID Provider intends to honor the request for updates.

Gets or sets the URL the OpenID Provider will post updates to. Must be set if the Provider supports and will use this feature.

Gets a value indicating whether this extension is signed by the Provider.

true if this instance is signed by the Provider; otherwise, false.

The Attribute Exchange Store message, request leg.

The value of the 'mode' parameter.

The factory method that may be used in deserialization of this message.

The collection of provided attribute values. This field will never be null.

Initializes a new instance of the class.

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Gets the collection of all the attributes that are included in the store request.

The Attribute Exchange Store message, response leg.

The value of the mode parameter used to express a successful store operation.

The value of the mode parameter used to express a store operation failure.

The factory method that may be used in deserialization of this message.

Initializes a new instance of the class to represent a successful store operation.

Initializes a new instance of the class to represent a failed store operation.

The reason for failure.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Gets or sets a value indicating whether the storage request succeeded.

Defaults to true.

Gets or sets the reason for the failure, if applicable.

Gets a value indicating whether this extension is signed by the Provider.

true if this instance is signed by the Provider; otherwise, false.

Gets or sets the mode argument.

One of 'store_response_success' or 'store_response_failure'.

Attribute types defined at http://www.axschema.org/types/.

If you don't see what you need here, check that URL to see if any have been added. You can use new ones directly without adding them to this class, and can even make up your own if you expect the other end to understand what you make up.

Inherent attributes about a personality such as gender and bio.

Gender, either "M" or "F"

"M", "F"

Biography (text)

"I am the very model of a modern Major General."

Preferences such as language and timezone.

Preferred language, as per RFC4646

"en-US"

Home time zone information (as specified in zoneinfo)

"America/Pacific"

The names a person goes by.

Subject's alias or "screen" name

"Johnny5"

Full name of subject

"John Doe"

Honorific prefix for the subject's name

"Mr.", "Mrs.", "Dr."

First or given name of subject

"John"

Last name or surname of subject

"Smith"

Middle name(s) of subject

"Robert"

Suffix of subject's name

"III", "Jr."

Business affiliation.

Company name (employer)

"Springfield Power"

Employee title

"Engineer"

Information about a person's birthdate.

Date of birth.

"1979-01-01"

Year of birth (four digits)

"1979"

Month of birth (1-12)

"05"

Day of birth

"31"

Various ways to contact a person.

Internet SMTP email address as per RFC2822

"jsmith@isp.example.com"

Various types of phone numbers.

Main phone number (preferred)

+1-800-555-1234

Home phone number

+1-800-555-1234

Business phone number

+1-800-555-1234

Cellular (or mobile) phone number

+1-800-555-1234

Fax number

+1-800-555-1234

The many fields that make up an address.

Home postal address: street number, name and apartment number

"#42 135 East 1st Street"

"Box 67"

Home city name

"Vancouver"

Home state or province name

"BC"

Home country code in ISO.3166.1988 (alpha 2) format

"CA"

Home postal code; region specific format

"V5A 4B2"

The many fields that make up an address.

Business postal address: street number, name and apartment number

"#42 135 East 1st Street"

"Box 67"

Business city name

"Vancouver"

Business state or province name

"BC"

Business country code in ISO.3166.1988 (alpha 2) format

"CA"

Business postal code; region specific format

"V5A 4B2"

Various handles for instant message clients.

AOL instant messaging service handle

"jsmith421234"

ICQ instant messaging service handle

"1234567"

MSN instant messaging service handle

"jsmith42@hotmail.com"

Yahoo! instant messaging service handle

"jsmith421234"

Jabber instant messaging service handle

"jsmith@jabber.example.com"

Skype instant messaging service handle

"jsmith42"

Various web addresses connected with this personality.

Web site URL

"http://example.com/~jsmith/"

Blog home page URL

"http://example.com/jsmith_blog/"

LinkedIn URL

"http://www.linkedin.com/pub/1/234/56"

Amazon URL

"http://www.amazon.com/gp/pdp/profile/A24DLKJ825"

Flickr URL

"http://flickr.com/photos/jsmith42/"

del.icio.us URL

"http://del.icio.us/jsmith42"

Audio and images of this personality.

Spoken name (web URL)

"http://example.com/~jsmith/john_smith.wav"

Audio greeting (web URL)

"http://example.com/~jsmith/i_greet_you.wav"

Video greeting (web URL)

"http://example.com/~jsmith/i_greet_you.mov"

Images of this personality.

Image (web URL); unspecified dimension

"http://example.com/~jsmith/image.jpg"

Image (web URL) with equal width and height

"http://example.com/~jsmith/image.jpg"

Image (web URL) 4:3 aspect ratio - landscape

"http://example.com/~jsmith/image.jpg"

Image (web URL) 4:3 aspect ratio - landscape

"http://example.com/~jsmith/image.jpg"

Image (web URL); favicon format as per FAVICON-W3C. The format for the image must be 16x16 pixels or 32x32 pixels, using either 8-bit or 24-bit colors. The format of the image must be one of PNG (a W3C standard), GIF, or ICO.

"http://example.com/~jsmith/image.jpg"

Manages the processing and construction of OpenID extensions parts.

This contains a set of aliases that we must be willing to implicitly match to namespaces for backward compatibility with other OpenID libraries.

The version of OpenID that the message is using.

Whether extensions are being read or written.

The alias manager that will track Type URI to alias mappings.

A complex dictionary where the key is the Type URI of the extension, and the value is another dictionary of the name/value args of the extension.

Prevents a default instance of the class from being created.

Creates a instance to process incoming extensions.

The parameters in the OpenID message. The newly created instance of .

Creates a instance to prepare outgoing extensions.

The protocol version used for the outgoing message. The newly created instance of .

Adds query parameters for OpenID extensions to the request directed at the OpenID provider.

The extension type URI. The arguments for this extension to add to the message.

Gets the actual arguments to add to a querystring or other response, where type URI, alias, and actual key/values are all defined.

true if the generated parameter names should include the 'openid.' prefix. This should be true for all but direct response messages. A dictionary of key=value pairs to add to the message to carry the extension.

Gets the fields carried by a given OpenId extension.

The type URI of the extension whose fields are being queried for. The fields included in the given extension, or null if the extension is not present.

Gets whether any arguments for a given extension are present.

The extension Type URI in question. true if this extension is present; false otherwise.

Gets the type URIs of all discovered extensions in the message.

A sequence of the type URIs.

Gets a value indicating whether the extensions are being read (as opposed to written).

An interface that OpenID extensions can implement to allow authentication response messages with included extensions to be processed by Javascript on the user agent.

Reads the extension information on an authentication response from the provider.

The incoming OpenID response carrying the extension. A Javascript snippet that when executed on the user agent returns an object with the information deserialized from the extension response. This method is called before the signature on the assertion response has been verified. Therefore all information in these fields should be assumed unreliable and potentially falsified.

An extension to include with an authentication request in order to also obtain authorization to access user data at the combined OpenID Provider and Service Provider.

When requesting OpenID Authentication via the protocol mode "checkid_setup" or "checkid_immediate", this extension can be used to request that the end user authorize an OAuth access token at the same time as an OpenID authentication. This is done by sending the following parameters as part of the OpenID request. (Note that the use of "oauth" as part of the parameter names here and in subsequent sections is just an example. See Section 5 for details.) See section 8.

The factory method that may be used in deserialization of this message.

Initializes a new instance of the class.

Gets or sets the consumer key agreed upon between the Consumer and Service Provider.

Gets or sets a string that encodes, in a way possibly specific to the Combined Provider, one or more scopes for the OAuth token expected in the authentication response.

The OAuth response that a Provider may include with a positive OpenID identity assertion with an approved request token.

The factory method that may be used in deserialization of this message.

Initializes a new instance of the class.

Gets or sets the user-approved request token.

The request token.

Gets or sets a string that encodes, in a way possibly specific to the Combined Provider, one or more scopes that the returned request token is valid for. This will typically indicate a subset of the scopes requested in Section 8.

Constants used in the OpenID OAuth extension.

The TypeURI for the OpenID OAuth extension.

The name of the parameter that carries the request token in the response.

The OAuth response that a Provider should include with a positive OpenID identity assertion when OAuth authorization was declined.

The factory method that may be used in deserialization of this message.

Initializes a new instance of the class.

An OpenID extension factory that only delegates extension instantiation requests to other factories.

The list of factories this factory delegates to.

Initializes a new instance of the class.

Creates a new instance of some extension based on the received extension parameters.

Loads the default factory and additional ones given by the configuration.

A new instance of .

Gets the extension factories that this aggregating factory delegates to.

A list of factories. May be empty, but never null.

Encodes/decodes the Simple Registration Gender type to its string representation.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

An OpenID extension factory that supports registration so that third-party extensions can add themselves to this library's supported extension list.

A collection of the registered OpenID extensions.

Initializes a new instance of the class.

Creates a new instance of some extension based on the received extension parameters.

Registers a new extension delegate.

The factory method that can create the extension.

A delegate that individual extensions may register with this factory.

Well-known authentication policies defined in the PAPE extension spec or by a recognized standards body.

This is a class of constants rather than a flags enum because policies may be freely defined and used by anyone, just by using a new Uri.

An authentication mechanism where the End User does not provide a shared secret to a party potentially under the control of the Relying Party. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider).

An authentication mechanism where the End User authenticates to the OpenID Provider by providing over one authentication factor. Common authentication factors are something you know, something you have, and something you are. An example would be authentication using a password and a software token or digital certificate.

An authentication mechanism where the End User authenticates to the OpenID Provider by providing over one authentication factor where at least one of the factors is a physical factor such as a hardware device or biometric. Common authentication factors are something you know, something you have, and something you are. This policy also implies the Multi-Factor Authentication policy (http://schemas.openid.net/pape/policies/2007/06/multi-factor) and both policies MAY BE specified in conjunction without conflict. An example would be authentication using a password and a hardware token.

Indicates that the Provider MUST use a pair-wise pseudonym for the user that is persistent and unique across the requesting realm as the openid.claimed_id and openid.identity (see Section 4.2).

Indicates that the OP MUST only respond with a positive assertion if the requirements demonstrated by the OP to obtain certification by a Federally adopted Trust Framework Provider have been met.

Notwithstanding the RP may request this authentication policy, the RP MUST still verify that this policy appears in the positive assertion response rather than assume the OP recognized and complied with the request.

Indicates that the OP MUST not include any OpenID Attribute Exchange or Simple Registration information regarding the user in the assertion.

Used in a PAPE response to indicate that no PAPE authentication policies could be satisfied.

Used internally by the PAPE extension, so that users don't have to know about it.

OpenID Provider Authentication Policy extension constants.

The namespace used by this extension in messages.

The namespace alias to use for OpenID 1.x interop, where aliases are not defined in the message.

The string to prepend on an Auth Level Type alias definition.

Well-known assurance level Type URIs.

The Type URI of the NIST assurance level.

A mapping between the PAPE TypeURI and the alias to use if possible for backward compatibility reasons.

Parameters to be included with PAPE requests.

Optional. If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP SHOULD authenticate the End User for this request.

Integer value greater than or equal to zero in seconds. The OP should realize that not adhering to the request for re-authentication most likely means that the End User will not be allowed access to the services provided by the RP. If this parameter is absent in the request, the OP should authenticate the user at its own discretion.

Zero or more authentication policy URIs that the OP SHOULD conform to when authenticating the user. If multiple policies are requested, the OP SHOULD satisfy as many as it can.

Space separated list of authentication policy URIs. If no policies are requested, the RP may be interested in other information such as the authentication age.

The space separated list of the name spaces of the custom Assurance Level that RP requests, in the order of its preference.

An encoder/decoder design for DateTimes that must conform to the PAPE spec.

The timestamp MUST be formatted as specified in section 5.6 of [RFC3339] (Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps,” .), with the following restrictions: * All times must be in the UTC timezone, indicated with a "Z". * No fractional seconds are allowed For example: 2005-05-15T17:11:51Z

An array of the date/time formats allowed by the PAPE extension.

TODO: This array of formats is not yet a complete list.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

Descriptions for NIST-defined levels of assurance that a credential has not been compromised and therefore the extent to which an authentication assertion can be trusted.

One using this enum should review the following publication for details before asserting or interpreting what these levels signify, notwithstanding the brief summaries attached to each level in DotNetOpenAuth documentation. http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf See PAPE spec Appendix A.1.2 (NIST Assurance Levels) for high-level example classifications of authentication methods within the defined levels.

Not an assurance level defined by NIST, but rather SHOULD be used to signify that the OP recognizes the parameter and the End User authentication did not meet the requirements of Level 1.

See this document for a thorough description: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

Utility methods for use by the PAPE extension.

Looks at the incoming fields and figures out what the aliases and name spaces for auth level types are.

The incoming message data in which to discover TypeURIs and aliases. The initialized with the given data.

Concatenates a sequence of strings using a space as a separator.

The elements to concatenate together.. The concatenated string of elements. Thrown if any element in the sequence includes a space.

The PAPE request part of an OpenID Authentication request message.

The factory method that may be used in deserialization of this message.

The transport field for the RP's preferred authentication policies.

This field is written to/read from during custom serialization.

Initializes a new instance of the class.

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Serializes the policies as a single string per the PAPE spec..

The policies to include in the list. The concatenated string of the given policies.

Serializes the auth levels to a list of aliases.

The preferred auth level types. The alias manager. A space-delimited list of aliases.

Gets or sets the maximum acceptable time since the End User has actively authenticated to the OP in a manner fitting the requested policies, beyond which the Provider SHOULD authenticate the End User for this request.

The OP should realize that not adhering to the request for re-authentication most likely means that the End User will not be allowed access to the services provided by the RP. If this parameter is absent in the request, the OP should authenticate the user at its own discretion.

Gets the list of authentication policy URIs that the OP SHOULD conform to when authenticating the user. If multiple policies are requested, the OP SHOULD satisfy as many as it can.

List of authentication policy URIs obtainable from the class or from a custom list. If no policies are requested, the RP may be interested in other information such as the authentication age.

Gets the namespaces of the custom Assurance Level the Relying Party requests, in the order of its preference.

The PAPE response part of an OpenID Authentication response message.

The first part of a parameter name that gives the custom string value for the assurance level. The second part of the parameter name is the alias for that assurance level.

The factory method that may be used in deserialization of this message.

One or more authentication policy URIs that the OP conformed to when authenticating the End User.

Space separated list of authentication policy URIs. If no policies were met though the OP wishes to convey other information in the response, this parameter MUST be included with the value of "none".

Backing field for the property.

Initializes a new instance of the class.

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Serializes the applied policies for transmission from the Provider to the Relying Party.

The applied policies. A space-delimited list of applied policies.

Gets a list of authentication policy URIs that the OP conformed to when authenticating the End User.

Gets or sets the most recent timestamp when the End User has actively authenticated to the OP in a manner fitting the asserted policies.

If the RP's request included the "openid.pape.max_auth_age" parameter then the OP MUST include "openid.pape.auth_time" in its response. If "openid.pape.max_auth_age" was not requested, the OP MAY choose to include "openid.pape.auth_time" in its response.

Gets or sets the Assurance Level as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic Authentication Guideline,” April 2006.) [NIST_SP800‑63] corresponding to the authentication method and policies employed by the OP when authenticating the End User.

See PAPE spec Appendix A.1.2 (NIST Assurance Levels) for high-level example classifications of authentication methods within the defined levels.

Gets a dictionary where keys are the authentication level type URIs and the values are the per authentication level defined custom value.

A very common key is and values for this key are available in .

Gets a value indicating whether this extension is signed by the Provider.

true if this instance is signed by the Provider; otherwise, false.

Carries the request/require/none demand state of the simple registration fields.

The factory method that may be used in deserialization of this message.

The type URI that this particular (deserialized) extension was read in using, allowing a response to alter be crafted using the same type URI.

Initializes a new instance of the class.

Initializes a new instance of the class by deserializing from a message.

The type URI this extension was recognized by in the OpenID message.

Tests equality between two structs.

One instance to compare. Another instance to compare. The result of the operator.

Tests inequality between two structs.

One instance to compare. Another instance to compare. The result of the operator.

Tests equality between two structs.

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Renders the requested information as a string.

A that represents the current .

Prepares a Simple Registration response extension that is compatible with the version of Simple Registration used in the request message.

The newly created instance.

Sets the profile request properties according to a list of field names that might have been passed in the OpenId query dictionary.

The list of field names that should receive a given . These field names should match the OpenId specification for field names, omitting the 'openid.sreg' prefix. The none/request/require state of the listed fields.

Assembles the profile parameter names that have a given .

The demand level (request, require, none). An array of the profile parameter names that meet the criteria.

Gets or sets the URL the consumer site provides for the authenticating user to review for how his claims will be used by the consumer web site.

Gets or sets the level of interest a relying party has in the nickname of the user.

Gets or sets the level of interest a relying party has in the email of the user.

Gets or sets the level of interest a relying party has in the full name of the user.

Gets or sets the level of interest a relying party has in the birthdate of the user.

Gets or sets the level of interest a relying party has in the gender of the user.

Gets or sets the level of interest a relying party has in the postal code of the user.

Gets or sets the level of interest a relying party has in the Country of the user.

Gets or sets the level of interest a relying party has in the language of the user.

Gets or sets the level of interest a relying party has in the time zone of the user.

Gets or sets a value indicating whether this instance is synthesized from an AX request at the Provider.

Gets or sets the value of the sreg.required parameter.

A comma-delimited list of sreg fields.

Gets or sets the value of the sreg.optional parameter.

A comma-delimited list of sreg fields.

A struct storing Simple Registration field values describing an authenticating user.

The factory method that may be used in deserialization of this message.

The allowed format for birthdates.

Storage for the raw string birthdate value.

Backing field for the property.

Initializes a new instance of the class using the most common, and spec prescribed type URI.

Initializes a new instance of the class.

The type URI that must be used to identify this extension in the response message. This value should be the same one the relying party used to send the extension request. Commonly used type URIs supported by relying parties are defined in the class.

Tests equality of two objects.

One instance to compare. Another instance to compare. The result of the operator.

Tests inequality of two objects.

One instance to compare. Another instance to compare. The result of the operator.

Tests equality of two objects.

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Reads the extension information on an authentication response from the provider.

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Translates an empty string value to null, or passes through non-empty values.

The value to consider changing to null. Either null or a non-empty string.

Gets or sets the nickname the user goes by.

Gets or sets the user's email address.

Gets or sets the full name of a user as a single string.

Gets or sets the user's birthdate.

Gets or sets the raw birth date string given by the extension.

A string in the format yyyy-MM-dd.

Gets or sets the gender of the user.

Gets or sets the zip code / postal code of the user.

Gets or sets the country of the user.

Gets or sets the primary/preferred language of the user.

Gets or sets the user's timezone.

Gets a combination of the user's full name and email address.

Gets or sets a combination o the language and country of the user.

Gets a value indicating whether this extension is signed by the Provider.

true if this instance is signed by the Provider; otherwise, false.

Simple Registration constants

Additional type URIs that this extension is sometimes known by remote parties.

Commonly used type URIs to represent the Simple Registration extension.

The URI "http://openid.net/extensions/sreg/1.1".

This is the type URI prescribed by the Simple Registration 1.1 spec. http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3

The URI "http://openid.net/sreg/1.0"

The URI "http://openid.net/sreg/1.1"

Specifies what level of interest a relying party has in obtaining the value of a given field offered by the Simple Registration extension.

The relying party has no interest in obtaining this field.

The relying party would like the value of this field, but wants the Provider to display the field to the user as optionally provided.

The relying party considers this a required field as part of authentication. The Provider and/or user agent MAY still choose to not provide the value of the field however, according to the Simple Registration extension specification.

Indicates the gender of a user.

The user is male.

The user is female.

Constants used to support the UI extension.

The type URI associated with this extension.

The Type URI that appears in an XRDS document when the OP supports popups through the UI extension.

The Type URI that appears in an XRDS document when the OP supports the RP specifying the user's preferred language through the UI extension.

The Type URI that appears in the XRDS document when the OP supports the RP specifying the icon for the OP to display during authentication through the UI extension.

Valid values for the mode parameter of the OpenID User Interface extension.

Indicates that the Provider's authentication page appears in a popup window.

The constant "popup". The RP SHOULD create the popup to be 450 pixels wide and 500 pixels tall. The popup MUST have the address bar displayed, and MUST be in a standalone browser window. The contents of the popup MUST NOT be framed by the RP. The RP SHOULD open the popup centered above the main browser window, and SHOULD dim the contents of the parent window while the popup is active. The RP SHOULD ensure that the user is not surprised by the appearance of the popup, and understands how to interact with it. To keep the user popup user experience consistent, it is RECOMMENDED that the OP does not resize the popup window unless the OP requires additional space to show special features that are not usually displayed as part of the default popup user experience. The OP MAY close the popup without returning a response to the RP. Closing the popup without sending a response should be interpreted as a negative assertion. The response to an authentication request in a popup is unchanged from [OpenID 2.0] (OpenID 2.0 Workgroup, “OpenID 2.0,” .). Relying Parties detecting that the popup was closed without receiving an authentication response SHOULD interpret the close event to be a negative assertion.

OpenID User Interface extension 1.0 request message.

Implements the extension described by: http://wiki.openid.net/f/openid_ui_extension_draft01.html This extension only applies to checkid_setup requests, since checkid_immediate requests display no UI to the user. For rules about how the popup window should be displayed, please see the documentation of . An RP may determine whether an arbitrary OP supports this extension (and thereby determine whether to use a standard full window redirect or a popup) via the method.

The factory method that may be used in deserialization of this message.

Additional type URIs that this extension is sometimes known by remote parties.

Backing store for .

Initializes a new instance of the class.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Called when the message is about to be transmitted, before it passes through the channel binding elements.

Called when the message has been received, after it passes through the channel binding elements.

Gets or sets the list of user's preferred languages, sorted in decreasing preferred order.

The default is the of the thread that created this instance. The user's preferred languages as a [BCP 47] language priority list, represented as a comma-separated list of BCP 47 basic language ranges in descending priority order. For instance, the value "fr-CA,fr-FR,en-CA" represents the preference for French spoken in Canada, French spoken in France, followed by English spoken in Canada.

Gets or sets the style of UI that the RP is hosting the OP's authentication page in.

Some value from the class. Defaults to .

Gets or sets a value indicating whether the Relying Party has an icon it would like the Provider to display to the user while asking them whether they would like to log in.

true if the Provider should display an icon; otherwise, false. By default, the Provider displays the relying party's favicon.ico.

Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.

Gets the additional TypeURIs that are supported by this extension, in preferred order. May be empty if none other than is supported, but should not be null.

Gets or sets a value indicating whether this extension was signed by the sender.

true if this instance is signed by the sender; otherwise, false.

Gets the version of the protocol or extension this message is prepared to implement.

The value 1.0. Implementations of this interface should ensure that this property never returns null.

Gets the extra, non-standard Protocol parameters included in the message.

Implementations of this interface should ensure that this property never returns null.

Constants used in implementing support for the UI extension.

The required width of the popup window the relying party creates for the provider.

The required height of the popup window the relying party creates for the provider.

An Identifier is either a "http" or "https" URI, or an XRI.

Initializes a new instance of the class.

The original string before any normalization. Whether the derived class is prepared to guarantee end-to-end discovery and initial redirect for authentication is performed using SSL.

Converts the string representation of an Identifier to its strong type.

The identifier. The particular Identifier instance to represent the value given.

Converts a given Uri to a strongly-typed Identifier.

The identifier to convert. The result of the conversion.

Converts an Identifier to its string representation.

The identifier to convert to a string. The result of the conversion.

Parses an identifier string and automatically determines whether it is an XRI or URI.

Either a URI or XRI identifier. An instance for the given value.

Parses an identifier string and automatically determines whether it is an XRI or URI.

Either a URI or XRI identifier. if set to true this Identifier will serialize exactly as given rather than in its normalized form. An instance for the given value.

Attempts to parse a string for an OpenId Identifier.

The string to be parsed. The parsed Identifier form. True if the operation was successful. False if the string was not a valid OpenId Identifier.

Checks the validity of a given string representation of some Identifier.

The identifier. true if the specified identifier is valid; otherwise, false.

Tests equality between two s.

The first Identifier. The second Identifier. true if the two instances should be considered equal; false otherwise.

Tests inequality between two s.

The first Identifier. The second Identifier. true if the two instances should be considered unequal; false if they are equal.

Tests equality between two s.

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Gets the hash code for an for storage in a hashtable.

A hash code for the current .

Reparses the specified identifier in order to be assured that the concrete type that implements the identifier is one of the well-known ones.

The identifier. Either or .

Returns an that has no URI fragment. Quietly returns the original if it is not a or no fragment exists.

A new instance if there was a fragment to remove, otherwise this same instance..

Converts a given identifier to its secure equivalent. UriIdentifiers originally created with an implied HTTP scheme change to HTTPS. Discovery is made to require SSL for the entire resolution process.

The newly created secure identifier. If the conversion fails, retains this identifiers identity, but will never discover any endpoints. True if the secure conversion was successful. False if the Identifier was originally created with an explicit HTTP scheme.

Gets the original string that was normalized to create this Identifier.

Gets the Identifier in the form in which it should be serialized.

For Identifiers that were originally deserialized, this is the exact same string that was deserialized. For Identifiers instantiated in some other way, this is the normalized form of the string used to instantiate the identifier.

Gets or sets a value indicating whether instances are considered equal based solely on their string reprsentations.

This property serves as a test hook, so that MockIdentifier instances can be considered "equal" to UriIdentifier instances.

Gets a value indicating whether this Identifier will ensure SSL is used throughout the discovery phase and initial redirect of authentication.

If this is false, a value of true may be obtained by calling .

Gets a value indicating whether this instance was initialized from deserializing a message.

This is interesting because when an Identifier comes from the network, we can't normalize it and then expect signatures to still verify. But if the Identifier is initialized locally, we can and should normalize it before serializing it.

Provides conversions to and from strings for messages that include members of this type.

Encodes the specified value as the original value that was formerly decoded.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

Code Contract for the class.

Prevents a default instance of the IdentifierContract class from being created.

Returns an that has no URI fragment. Quietly returns the original if it is not a or no fragment exists.

A new instance if there was a fragment to remove, otherwise this same instance..

A set of methods designed to assist in improving interop across different OpenID implementations and their extensions.

The gender decoder to translate AX genders to Sreg.

Splits the AX attribute format flags into individual values for processing.

The formats to split up into individual flags. A sequence of individual flags.

Transforms an AX attribute type URI from the axschema.org format into a given format.

The ax schema org format type URI. The target format. Only one flag should be set. The AX attribute type URI in the target format.

Detects the AX attribute type URI format from a given sample.

The type URIs to scan for recognized formats. The first AX type URI format recognized in the list.

Adds an attribute fetch request if it is not already present in the AX request.

The AX request to add the attribute request to. The format of the attribute's Type URI to use. The attribute in axschema.org format. The demand level.

Gets the gender decoder to translate AX genders to Sreg.

Represents a single OP endpoint from discovery on some OpenID Identifier.

Information published about an OpenId Provider by the OpenId discovery documents found at a user's Claimed Identifier.

Because information provided by this interface is suppplied by a user's individually published documents, it may be incomplete or inaccurate.

Checks whether the OpenId Identifier claims support for a given extension.

The extension whose support is being queried. True if support for the extension is advertised. False otherwise. Note that a true or false return value is no guarantee of a Provider's support for or lack of support for an extension. The return value is determined by how the authenticating user filled out his/her XRDS document only. The only way to be sure of support for a given extension is to include the extension in the request and see if a response comes back for that extension.

Checks whether the OpenId Identifier claims support for a given extension.

Gets the detected version of OpenID implemented by the Provider.

Gets the URL that the OpenID Provider receives authentication requests at.

This value MUST be an absolute HTTP or HTTPS URL.

Backing field for the property.

Initializes a new instance of the class.

The provider endpoint. The Claimed Identifier. The User-supplied Identifier. The Provider Local Identifier. The service priority. The URI priority.

Implements the operator ==.

The first service endpoint. The second service endpoint. The result of the operator.

Implements the operator !=.

The first service endpoint. The second service endpoint. The result of the operator.

Determines whether the specified is equal to the current .

The to compare with the current . true if the specified is equal to the current ; otherwise, false. The parameter is null.

Serves as a hash function for a particular type.

A hash code for the current .

Returns a that represents the current .

A that represents the current .

Checks whether the OpenId Identifier claims support for a given extension.

Determines whether a given extension is supported by this endpoint.

An instance of the extension to check support for. true if the extension is supported by this endpoint; otherwise, false.

Creates a instance to represent some OP Identifier.

The provider identifier (actually the user-supplied identifier). The provider endpoint. The service priority. The URI priority. The created instance

Creates a instance to represent some Claimed Identifier.

The claimed identifier. The provider local identifier. The provider endpoint. The service priority. The URI priority. The created instance

Creates a instance to represent some Claimed Identifier.

The claimed identifier. The user supplied identifier. The provider local identifier. The provider endpoint. The service priority. The URI priority. The created instance

Determines whether a given type URI is present on the specified provider endpoint.

The type URI. true if the type URI is present on the specified provider endpoint; otherwise, false.

Sets the Capabilities property (this method is a test hook.)

The value. The publicize.exe tool should work for the unit tests, but for some reason it fails on the build server.

Gets the priority rating for a given type of endpoint, allowing a priority sorting of endpoints.

The endpoint to prioritize. An arbitary integer, which may be used for sorting against other returned values from this method.

Gets the detected version of OpenID implemented by the Provider.

Gets the Identifier that was presented by the end user to the Relying Party, or selected by the user at the OpenID Provider. During the initiation phase of the protocol, an end user may enter either their own Identifier or an OP Identifier. If an OP Identifier is used, the OP may then assist the end user in selecting an Identifier to share with the Relying Party.

Gets the Identifier that the end user claims to control.

Gets an alternate Identifier for an end user that is local to a particular OP and thus not necessarily under the end user's control.

Gets a more user-friendly (but NON-secure!) string to display to the user as his identifier.

A human-readable, abbreviated (but not secure) identifier the user MAY recognize as his own.

Gets the provider endpoint.

Gets the @priority given in the XRDS document for this specific OP endpoint.

Gets the @priority given in the XRDS document for this service (which may consist of several endpoints).

Gets the collection of service type URIs found in the XRDS document describing this Provider.

Should never be null, but may be empty.

Gets the URL that the OpenID Provider receives authentication requests at.

This value MUST be an absolute HTTP or HTTPS URL.

Gets an XRDS sorting routine that uses the XRDS Service/@Priority attribute to determine order.

Endpoints lacking any priority value are sorted to the end of the list.

Gets the protocol used by the OpenID Provider.

A module that provides discovery services for OpenID identifiers.

Performs discovery on the specified identifier.

The identifier to perform discovery on. The means to place outgoing HTTP requests. if set to true, no further discovery services will be called for this identifier. A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.

Code contract for the interface.

Prevents a default instance of the class from being created.

Performs discovery on the specified identifier.

A service that can perform discovery on OpenID identifiers.

The RP or OP that is hosting these services.

Backing field for the property.

Initializes a new instance of the class.

The RP or OP that creates this instance.

Performs discovery on the specified identifier.

The identifier to discover services for. A non-null sequence of services discovered for the identifier.

Gets the list of services that can perform discovery on identifiers given.

An interface implemented by both providers and relying parties.

Gets the security settings.

Gets the web request handler.

Code contract for the type.

Prevents a default instance of the class from being created.

Checks whether the OpenId Identifier claims support for a given extension.

Gets the detected version of OpenID implemented by the Provider.

Gets the URL that the OpenID Provider receives authentication requests at.

Instances of this interface represent incoming authentication requests. This interface provides the details of the request and allows setting the response.

Interface exposing incoming messages to the OpenID Provider that require interaction with the host site.

Represents an incoming OpenId authentication request.

Requests may be infrastructural to OpenID and allow auto-responses, or they may be authentication requests where the Provider site has to make decisions based on its own user database and policies.

Adds an extension to the response to send to the relying party.

The extension to add to the response message.

Removes any response extensions previously added using .

This should be called before sending a negative response back to the relying party if extensions were already added, since negative responses cannot carry extensions.

Gets an extension sent from the relying party.

The type of the extension. An instance of the extension initialized with values passed in with the request.

Gets an extension sent from the relying party.

The type of the extension. An instance of the extension initialized with values passed in with the request.

Gets a value indicating whether the response is ready to be sent to the user agent.

This property returns false if there are properties that must be set on this request instance before the response can be sent.

Gets or sets the security settings that apply to this request.

Defaults to the OpenIdProvider.SecuritySettings on the OpenIdProvider.

Attempts to perform relying party discovery of the return URL claimed by the Relying Party.

The web request handler. The details of how successful the relying party discovery was. Return URL verification is only attempted if this method is called. See OpenID Authentication 2.0 spec section 9.2.1.

Gets the version of OpenID being used by the relying party that sent the request.

Gets the URL the consumer site claims to use as its 'base' address.

Gets a value indicating whether the consumer demands an immediate response. If false, the consumer is willing to wait for the identity provider to authenticate the user.

Gets or sets the provider endpoint claimed in the positive assertion.

The default value is the URL that the request came in on from the relying party. This value MUST match the value for the OP Endpoint in the discovery results for the claimed identifier being asserted in a positive response.

Adds an optional fragment (#fragment) portion to the ClaimedIdentifier. Useful for identifier recycling.

Should not include the # prefix character as that will be added internally. May be null or the empty string to clear a previously set fragment. Unlike the property, which can only be set if using directed identity, this method can be called on any URI claimed identifier. Because XRI claimed identifiers (the canonical IDs) are never recycled, this method shouldnot be called for XRIs. Thrown when this method is called on an XRI, or on a directed identity request before the property is set.

Gets a value indicating whether the Provider should help the user select a Claimed Identifier to send back to the relying party.

Gets a value indicating whether the requesting Relying Party is using a delegated URL.

When delegated identifiers are used, the should not be changed at the Provider during authentication. Delegation is only detectable on requests originating from OpenID 2.0 relying parties. A relying party implementing only OpenID 1.x may use delegation and this property will return false anyway.

Gets or sets the Local Identifier to this OpenID Provider of the user attempting to authenticate. Check to see if this value is valid.

This may or may not be the same as the Claimed Identifier that the user agent originally supplied to the relying party. The Claimed Identifier endpoint may be delegating authentication to this provider using this provider's local id, which is what this property contains. Use this identifier when looking up this user in the provider's user account list.

Gets or sets the identifier that the user agent is claiming at the relying party site. Check to see if this value is valid.

This property can only be set if is false, to prevent breaking URL delegation. This will not be the same as this provider's local identifier for the user if the user has set up his/her own identity page that points to this provider for authentication. The provider may use this identifier for displaying to the user when asking for the user's permission to authenticate to the relying party. Thrown from the setter if is true.

Gets or sets a value indicating whether the provider has determined that the belongs to the currently logged in user and wishes to share this information with the consumer.

Code contract class for the type.

Initializes a new instance of the class.

Adds an optional fragment (#fragment) portion to the ClaimedIdentifier. Useful for identifier recycling.

Attempts to perform relying party discovery of the return URL claimed by the Relying Party.

The web request handler to use for the RP discovery request. The details of how successful the relying party discovery was. Return URL verification is only attempted if this method is called. See OpenID Authentication 2.0 spec section 9.2.1.