DotNetOpenAuth.OpenId
Describes a collection of association type sub-elements in a .config file.
Initializes a new instance of the class.
Returns an enumerator that iterates through the collection.
A that can be used to iterate through the collection.
When overridden in a derived class, creates a new .
A new .
Gets the element key for a specified configuration element when overridden in a derived class.
The to return the key for.
An that acts as the key for the specified .
Describes an association type and its maximum lifetime as an element
in a .config file.
The name of the attribute that stores the association type.
The name of the attribute that stores the association's maximum lifetime.
Initializes a new instance of the class.
Gets or sets the protocol name of the association.
Gets or sets the maximum time a shared association should live.
The default value is 14 days.
The configuration element that can adjust how hostmeta discovery works.
The property name for enableCertificateValidationCache.
Initializes a new instance of the class.
Gets or sets a value indicating whether validated certificates should be cached and not validated again.
This helps to avoid unexplained 5-10 second delays in certificate validation for Google Apps for Domains that impact some servers.
Represents the <openid> element in the host's .config file.
The name of the section under which this library's settings must be found.
The name of the <relyingParty> sub-element.
The name of the <provider> sub-element.
The name of the <extensions> sub-element.
The name of the <xriResolver> sub-element.
The name of the @maxAuthenticationTime attribute.
The name of the @cacheDiscovery attribute.
Initializes a new instance of the class.
Gets the configuration section from the .config file.
Gets or sets the maximum time a user can take to complete authentication.
This time limit allows the library to decide how long to cache certain values
necessary to complete authentication. The lower the time, the less demand on
the server. But too short a time can frustrate the user.
Gets or sets a value indicating whether the results of Identifier discovery
should be cached.
Use true to allow identifier discovery to immediately return cached results when available;
otherwise, use false.to force fresh results every time at the cost of slightly slower logins.
The default value is true.
When enabled, caching is done according to HTTP standards.
Gets or sets the configuration specific for Relying Parties.
Gets or sets the configuration specific for Providers.
Gets or sets the registered OpenID extension factories.
Gets or sets the configuration for the XRI resolver.
The section in the .config file that allows customization of OpenID Provider behaviors.
The name of the <provider> sub-element.
The name of the security sub-element.
Gets the name of the <behaviors> sub-element.
The name of the custom store sub-element.
Initializes a new instance of the class.
Gets or sets the security settings.
Gets or sets the special behaviors to apply.
Gets or sets the type to use for storing application state.
Represents the .config file element that allows for setting the security policies of the Provider.
Gets the name of the @protectDownlevelReplayAttacks attribute.
Gets the name of the @minimumHashBitLength attribute.
Gets the name of the @maximumHashBitLength attribute.
The name of the associations collection sub-element.
The name of the @encodeAssociationSecretsInHandles attribute.
Gets the name of the @requireSsl attribute.
Gets the name of the @unsolicitedAssertionVerification attribute.
Initializes a new instance of the class.
Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
The newly created security settings object.
Gets or sets a value indicating whether all discovery and authentication should require SSL security.
Gets or sets the minimum length of the hash that protects the protocol from hijackers.
Gets or sets the maximum length of the hash that protects the protocol from hijackers.
Gets or sets a value indicating whether the Provider should take special care
to protect OpenID 1.x relying parties against replay attacks.
Gets or sets the level of verification a Provider performs on an identifier before
sending an unsolicited assertion for it.
The default value is .
Gets or sets the configured lifetimes of the various association types.
Gets or sets a value indicating whether the Provider should ease the burden of storing associations
by encoding their secrets (in signed, encrypted form) into the association handles themselves, storing only
a few rotating, private symmetric keys in the Provider's store instead.
The section in the .config file that allows customization of OpenID Relying Party behaviors.
The name of the custom store sub-element.
The name of the <relyingParty> sub-element.
The name of the attribute that specifies whether dnoa.userSuppliedIdentifier is tacked onto the openid.return_to URL.
Gets the name of the security sub-element.
The name of the <behaviors> sub-element.
The name of the <discoveryServices> sub-element.
The name of the <hostMetaDiscovery> sub-element.
The built-in set of identifier discovery services.
Initializes a new instance of the class.
Gets or sets a value indicating whether "dnoa.userSuppliedIdentifier" is tacked onto the openid.return_to URL in order to preserve what the user typed into the OpenID box.
The default value is true.
Gets or sets the security settings.
Gets or sets the special behaviors to apply.
Gets or sets the type to use for storing application state.
Gets or sets the host meta discovery configuration element.
Gets or sets the services to use for discovering service endpoints for identifiers.
If no discovery services are defined in the (web) application's .config file,
the default set of discovery services built into the library are used.
Represents the .config file element that allows for setting the security policies of the Relying Party.
Gets the name of the @minimumRequiredOpenIdVersion attribute.
Gets the name of the @minimumHashBitLength attribute.
Gets the name of the @maximumHashBitLength attribute.
Gets the name of the @requireSsl attribute.
Gets the name of the @requireDirectedIdentity attribute.
Gets the name of the @requireAssociation attribute.
Gets the name of the @rejectUnsolicitedAssertions attribute.
Gets the name of the @rejectDelegatedIdentifiers attribute.
Gets the name of the @ignoreUnsignedExtensions attribute.
Gets the name of the @allowDualPurposeIdentifiers attribute.
Gets the name of the @allowApproximateIdentifierDiscovery attribute.
Gets the name of the @protectDownlevelReplayAttacks attribute.
The name of the <trustedProviders> sub-element.
Initializes a new instance of the class.
Initializes a programmatically manipulatable bag of these security settings with the settings from the config file.
The newly created security settings object.
Gets or sets a value indicating whether all discovery and authentication should require SSL security.
Gets or sets a value indicating whether only OP Identifiers will be discoverable
when creating authentication requests.
Gets or sets a value indicating whether authentication requests
will only be created where an association with the Provider can be established.
Gets or sets the minimum OpenID version a Provider is required to support in order for this library to interoperate with it.
Although the earliest versions of OpenID are supported, for security reasons it may be desirable to require the
remote party to support a later version of OpenID.
Gets or sets the minimum length of the hash that protects the protocol from hijackers.
Gets or sets the maximum length of the hash that protects the protocol from hijackers.
Gets or sets a value indicating whether all unsolicited assertions should be ignored.
The default value is false.
Gets or sets a value indicating whether delegating identifiers are refused for authentication.
The default value is false.
When set to true, login attempts that start at the RP or arrive via unsolicited
assertions will be rejected if discovery on the identifier shows that OpenID delegation
is used for the identifier. This is useful for an RP that should only accept identifiers
directly issued by the Provider that is sending the assertion.
Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.
The default value is false.
When set to true, the methods
will not return any extension that was not signed by the Provider.
Gets or sets a value indicating whether identifiers that are both OP Identifiers and Claimed Identifiers
should ever be recognized as claimed identifiers.
The default value is false, per the OpenID 2.0 spec.
Gets or sets a value indicating whether certain Claimed Identifiers that exploit
features that .NET does not have the ability to send exact HTTP requests for will
still be allowed by using an approximate HTTP request.
The default value is true.
Gets or sets a value indicating whether the Relying Party should take special care
to protect users against replay attacks when interoperating with OpenID 1.1 Providers.
Gets or sets the set of trusted OpenID Provider Endpoints.
Represents the <xriResolver> element in the host's .config file.
Gets the name of the @enabled attribute.
The default value for .
The name of the <proxy> sub-element.
The default XRI proxy resolver to use.
Initializes a new instance of the class.
Gets or sets a value indicating whether this XRI resolution is enabled.
The default value is true.
Gets or sets the proxy to use for resolving XRIs.
The default value is "xri.net".
Adds OpenID-specific extension methods to the XrdsDocument class.
Creates the service endpoints described in this document, useful for requesting
authentication of one of the OpenID Providers that result from it.
The XrdsDocument instance to use in this process.
The claimed identifier that was used to discover this XRDS document.
The user supplied identifier.
A sequence of OpenID Providers that can assert ownership of the .
Creates the service endpoints described in this document, useful for requesting
authentication of one of the OpenID Providers that result from it.
The XrdsDocument instance to use in this process.
The user-supplied i-name that was used to discover this XRDS document.
A sequence of OpenID Providers that can assert ownership of the canonical ID given in this document.
Generates OpenID Providers that can authenticate using directed identity.
The XrdsDocument instance to use in this process.
The OP Identifier entered (and resolved) by the user. Essentially the user-supplied identifier.
A sequence of the providers that can offer directed identity services.
Generates the OpenID Providers that are capable of asserting ownership
of a particular URI claimed identifier.
The XrdsDocument instance to use in this process.
The claimed identifier.
The user supplied identifier.
A sequence of the providers that can assert ownership of the given identifier.
Generates the OpenID Providers that are capable of asserting ownership
of a particular XRI claimed identifier.
The XrdsDocument instance to use in this process.
The i-name supplied by the user.
A sequence of the providers that can assert ownership of the given identifier.
Enumerates the XRDS service elements that describe OpenID Providers offering directed identity assertions.
The XrdsDocument instance to use in this process.
A sequence of service elements.
Returns the OpenID-compatible services described by a given XRDS document,
in priority order.
The XrdsDocument instance to use in this process.
A sequence of the services offered.
Stores a secret used in signing and verifying messages.
OpenID associations may be shared between Provider and Relying Party (smart
associations), or be a way for a Provider to recall its own secret for later
(dumb associations).
Initializes a new instance of the class.
The handle.
The secret.
How long the association will be useful.
The UTC time of when this association was originally issued by the Provider.
Re-instantiates an previously persisted in a database or some
other shared store.
The property of the previous instance.
The UTC value of the property of the previous instance.
The byte array returned by a call to on the previous
instance.
The newly dehydrated , which can be returned
from a custom association store's
IRelyingPartyAssociationStore.GetAssociation method.
Returns private data required to persist this in
permanent storage (a shared database for example) for deserialization later.
An opaque byte array that must be stored and returned exactly as it is provided here.
The byte array may vary in length depending on the specific type of ,
but in current versions are no larger than 256 bytes.
Values of public properties on the base class are not included
in this byte array, as they are useful for fast database lookup and are persisted separately.
Tests equality of two objects.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
Returns the hash code.
A hash code for the current .
The string to pass as the assoc_type value in the OpenID protocol.
The protocol version of the message that the assoc_type value will be included in.
The value that should be used for the openid.assoc_type parameter.
Generates a signature from a given blob of data.
The data to sign. This data will not be changed (the signature is the return value).
The calculated signature of the data.
Returns the specific hash algorithm used for message signing.
The hash algorithm used for message signing.
Gets a unique handle by which this may be stored or retrieved.
Gets the UTC time when this will expire.
Gets a value indicating whether this has already expired.
Gets the length (in bits) of the hash this association creates when signing.
Gets a value indicating whether this instance has useful life remaining.
true if this instance has useful life remaining; otherwise, false.
Gets or sets the UTC time that this was first created.
Gets the duration a secret key used for signing dumb client requests will be good for.
Gets the number of seconds until this expires.
Never negative (counter runs to zero).
Gets the shared secret key between the consumer and provider.
Gets the lifetime the OpenID provider permits this .
Gets the minimum lifetime an association must still be good for in order for it to be used for a future authentication.
Associations that are not likely to last the duration of a user login are not worth using at all.
Gets the TimeSpan till this association expires.
Indicates the mode the Provider should use while authenticating the end user.
The Provider should use whatever credentials are immediately available
to determine whether the end user owns the Identifier. If sufficient
credentials (i.e. cookies) are not immediately available, the Provider
should fail rather than prompt the user.
The Provider should determine whether the end user owns the Identifier,
displaying a web page to the user to login etc., if necessary.
An Attribute Exchange and Simple Registration filter to make all incoming attribute
requests look like Simple Registration requests, and to convert the response
to the originally requested extension and format.
Initializes a new instance of the class.
Gets or sets the AX attribute type URI formats this transform is willing to work with.
A strongly-typed resource class, for looking up localized strings, etc.
Returns the cached ResourceManager instance used by this class.
Overrides the current thread's CurrentUICulture property for all
resource lookups using this strongly typed resource class.
Looks up a localized string similar to The PAPE request has an incomplete set of authentication policies..
Looks up a localized string similar to A PAPE response is missing or is missing required policies..
Looks up a localized string similar to No personally identifiable information should be included in authentication responses when the PAPE authentication policy http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf is present..
Looks up a localized string similar to No personally identifiable information should be requested when the http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf PAPE policy is present..
Looks up a localized string similar to No PPID provider has been configured..
Looks up a localized string similar to Discovery on the Realm URL MUST be performed before sending a positive assertion..
Looks up a localized string similar to The Realm in an authentication request must be an HTTPS URL..
Implements the Identity, Credential, & Access Management (ICAM) OpenID 2.0 Profile
for the General Services Administration (GSA).
Relying parties that include this profile are always held to the terms required by the profile,
but Providers are only affected by the special behaviors of the profile when the RP specifically
indicates that they want to use this profile.
Backing field for the static property.
Initializes a new instance of the class.
Gets or sets a value indicating whether PII is allowed to be requested or received via OpenID.
The default value is false.
Gets or sets a value indicating whether to ignore the SSL requirement (for testing purposes only).
Provides a mechanism for Relying Parties to work with OpenID 1.0 Providers
without losing claimed_id and op_endpoint data, which OpenID 2.0 Providers
are required to send back with positive assertions.
The "dnoa.op_endpoint" callback parameter that stores the Provider Endpoint URL
to tack onto the return_to URI.
The "dnoa.claimed_id" callback parameter that stores the Claimed Identifier
to tack onto the return_to URI.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the protection offered (if any) by this binding element.
Code contract for the class.
Signs and verifies authentication assertions.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Verifies the signature by unrecognized handle.
The message.
The signed message.
The protections applied.
The applied protections.
Calculates the signature for a given message.
The message to sign or verify.
The association to use to sign the message.
The calculated signature of the method.
Gets the association to use to sign or verify a message.
The message to sign or verify.
The association to use to sign or verify the message.
Gets a specific association referenced in a given message's association handle.
The signed message whose association handle should be used to lookup the association to return.
The referenced association; or null if such an association cannot be found.
If the association handle set in the message does not match any valid association,
the association handle property is cleared, and the
property is set to the
handle that could not be found.
Gets a private Provider association used for signing messages in "dumb" mode.
An existing or newly created association.
Ensures that all message parameters that must be signed are in fact included
in the signature.
The signed message.
Gets the protection offered (if any) by this binding element.
Gets or sets the channel that this binding element belongs to.
Gets a value indicating whether this binding element is on a Provider channel.
Verifies the signature by unrecognized handle.
The message.
The signed message.
The protections applied.
The applied protections.
Gets the association to use to sign or verify a message.
The message to sign or verify.
The association to use to sign or verify the message.
Gets a specific association referenced in a given message's association handle.
The signed message whose association handle should be used to lookup the association to return.
The referenced association; or null if such an association cannot be found.
The binding element that serializes/deserializes OpenID extensions to/from
their carrying OpenID messages.
False if unsigned extensions should be dropped. Must always be true on Providers, since RPs never sign extensions.
Initializes a new instance of the class.
The extension factory.
The security settings.
Security setting for relying parties. Should be true for Providers.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Gets the extensions on a message.
The carrier of the extensions.
If set to true only signed extensions will be available.
A optional filter that takes an extension type URI and
returns a value indicating whether that extension should be deserialized and
returned in the sequence. May be null.
A sequence of extensions in the message.
Gets the dictionary of message parts that should be deserialized into extensions.
The message.
If set to true only signed extensions will be available.
A dictionary of message parts, including only signed parts when appropriate.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the extension factory.
Gets the protection offered (if any) by this binding element.
OpenID extension factory class for creating extensions based on received Type URIs.
OpenID extension factories must be registered with the library. This can be
done by adding a factory to OpenIdRelyingParty.ExtensionFactories
or OpenIdProvider.ExtensionFactories, or by adding a snippet
such as the following to your web.config file:
<dotNetOpenAuth>
<openid>
<extensionFactories>
<add type="DotNetOpenAuth.ApplicationBlock.CustomExtensions.Acme, DotNetOpenAuth.ApplicationBlock" />
</extensionFactories>
</openid>
</dotNetOpenAuth>
Creates a new instance of some extension based on the received extension parameters.
The type URI of the extension.
The parameters associated specifically with this extension.
The OpenID message carrying this extension.
A value indicating whether this extension is being received at the OpenID Provider.
An instance of if the factory recognizes
the extension described in the input parameters; null otherwise.
This factory method need only initialize properties in the instantiated extension object
that are not bound using .
An interface that OAuth messages implement to support signing.
Gets or sets the association handle used to sign the message.
The handle for the association that was used to sign this assertion.
Gets or sets the association handle that the Provider wants the Relying Party to not use any more.
If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.
Gets or sets the signed parameter order.
Comma-separated list of signed fields.
"op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce"
This entry consists of the fields without the "openid." prefix that the signature covers.
This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle",
and if present in the response, "claimed_id" and "identity".
Additional keys MAY be signed as part of the message. See Generating Signatures.
A Uri encoder that serializes using
rather than the standard .
Encodes the specified value.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Decodes the specified value.
The string value carried by the transport. Guaranteed to never be null, although it may be empty.
The deserialized form of the given string.
Thrown when the string value given cannot be decoded into the required object type.
Indicates the level of strictness to require when decoding a
Key-Value Form encoded dictionary.
Be as forgiving as possible to errors made while encoding.
Allow for certain errors in encoding attributable to ambiguities
in the OpenID 1.1 spec's description of the encoding.
The strictest mode. The decoder requires the encoded dictionary
to be in strict compliance with OpenID 2.0's description of
the encoding.
Performs conversion to and from the Key-Value Form Encoding defined by
OpenID Authentication 2.0 section 4.1.1.
http://openid.net/specs/openid-authentication-2_0.html#anchor4
This class is thread safe and immutable.
The newline character sequence to use.
Characters that must not appear in parameter names.
Characters that must not appaer in parameter values.
The character encoding to use.
Initializes a new instance of the class.
Initializes a new instance of the class.
How strictly an incoming Key-Value Form message will be held to the spec.
Encodes key/value pairs to Key-Value Form.
The dictionary of key/value pairs to convert to a byte stream.
The UTF8 byte array.
Enumerating a Dictionary<TKey, TValue> has undeterministic ordering.
If ordering of the key=value pairs is important, a deterministic enumerator must
be used.
Decodes bytes in Key-Value Form to key/value pairs.
The stream of Key-Value Form encoded bytes.
The deserialized dictionary.
Thrown when the data is not in the expected format.
Gets a value controlling how strictly an incoming Key-Value Form message will be held to the spec.
A channel that knows how to send and receive OpenID messages.
The HTTP Content-Type to use in Key-Value Form responses.
OpenID 2.0 section 5.1.2 says this SHOULD be text/plain. But this value
does not prevent free hosters like GoDaddy from tacking on their ads
to the end of the direct response, corrupting the data. So we deviate
from the spec a bit here to improve the story for free Providers.
The encoder that understands how to read and write Key-Value Form.
Initializes a new instance of the class.
A class prepared to analyze incoming messages and indicate what concrete
message types can deserialize from it.
The binding elements to use in sending and receiving messages.
Verifies the integrity and applicability of an incoming message.
The message just received.
Thrown when the message is somehow invalid, except for check_authentication messages.
This can be due to tampering, replay attack or expiration, among other things.
Prepares an HTTP request that carries a given message.
The message to send.
The prepared to send the request.
Gets the protocol message that may be in the given HTTP response.
The response that is anticipated to contain an protocol message.
The deserialized message parts, if found. Null otherwise.
Thrown when the response is not valid.
Called when receiving a direct response message, before deserialization begins.
The HTTP direct response.
The newly instantiated message, prior to deserialization.
Queues a message for sending in the response stream where the fields
are sent in the response stream in querystring style.
The message to send as a response.
The pending user agent redirect based message to be sent as an HttpResponse.
This method implements spec V1.0 section 5.3.
Gets the direct response of a direct HTTP request.
The web request.
The response to the web request.
Thrown on network or protocol errors.
This binding element signs a Relying Party's openid.return_to parameter
so that upon return, it can verify that it hasn't been tampered with.
Since Providers can send unsolicited assertions, not all openid.return_to
values will be signed. But those that are signed will be validated, and
any invalid or missing signatures will cause this library to not trust
the parameters in the return_to URL.
In the messaging stack, this binding element looks like an ordinary
transform-type of binding element rather than a protection element,
due to its required order in the channel stack and that it doesn't sign
anything except a particular message part.
The name of the callback parameter we'll tack onto the return_to value
to store our signature on the return_to parameter.
The name of the callback parameter we'll tack onto the return_to value
to store the handle of the association we use to sign the return_to parameter.
The URI to use for private associations at this RP.
The key store used to generate the private signature on the return_to parameter.
Initializes a new instance of the class.
The crypto key store.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Gets the return to signature.
The return to.
The crypto key.
The generated signature.
Only the parameters in the return_to URI are signed, rather than the base URI
itself, in order that OPs that might change the return_to's implicit port :80 part
or other minor changes do not invalidate the signature.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the protection offered (if any) by this binding element.
No message protection is reported because this binding element
does not protect the entire message -- only a part.
Spoofs security checks on incoming OpenID messages.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the protection commonly offered (if any) by this binding element.
This value is used to assist in sorting binding elements in the channel stack.
Code contract for the class.
Prevents a default instance of the class from being created.
The string to pass as the assoc_type value in the OpenID protocol.
The protocol version of the message that the assoc_type value will be included in.
The value that should be used for the openid.assoc_type parameter.
Returns the specific hash algorithm used for message signing.
The hash algorithm used for message signing.
Gets the length (in bits) of the hash this association creates when signing.
Manages a fast, two-way mapping between type URIs and their aliases.
The format of auto-generated aliases.
Tracks extension Type URIs and aliases assigned to them.
Tracks extension aliases and Type URIs assigned to them.
Gets an alias assigned for a given Type URI. A new alias is assigned if necessary.
The type URI.
The alias assigned to this type URI. Never null.
Sets an alias and the value that will be returned by .
The alias.
The type URI.
Takes a sequence of type URIs and assigns aliases for all of them.
The type URIs to create aliases for.
An optional dictionary of URI/alias pairs that suggest preferred aliases to use if available for certain type URIs.
Sets up aliases for any Type URIs in a dictionary that do not yet have aliases defined,
and where the given preferred alias is still available.
A dictionary of type URI keys and alias values.
Gets the Type Uri encoded by a given alias.
The alias.
The Type URI.
Thrown if the given alias does not have a matching TypeURI.
Gets the Type Uri encoded by a given alias.
The alias.
The Type URI for the given alias, or null if none for that alias exist.
Returns a value indicating whether an alias has already been assigned to a type URI.
The alias in question.
True if the alias has already been assigned. False otherwise.
Determines whether a given TypeURI has an associated alias assigned to it.
The type URI.
true if the given type URI already has an alias assigned; false otherwise.
Assigns a new alias to a given Type URI.
The type URI to assign a new alias to.
The newly generated alias.
Gets the aliases that have been set.
An individual attribute to be requested of the OpenID Provider using
the Attribute Exchange extension.
Backing field for the property.
Initializes a new instance of the class
with = false, = 1.
Initializes a new instance of the class
with = false, = 1.
The unique TypeURI for that describes the attribute being sought.
Initializes a new instance of the class
with = 1.
The unique TypeURI for that describes the attribute being sought.
A value indicating whether the Relying Party considers this attribute to be required for registration.
Initializes a new instance of the class.
The unique TypeURI for that describes the attribute being sought.
A value indicating whether the Relying Party considers this attribute to be required for registration.
The maximum number of values for this attribute the Relying Party is prepared to receive.
Used by a Provider to create a response to a request for an attribute's value(s)
using a given array of strings.
The values for the requested attribute.
The newly created object that should be added to
the object.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Gets or sets the URI uniquely identifying the attribute being requested.
Gets or sets a value indicating whether the relying party considers this a required field.
Note that even if set to true, the Provider may not provide the value.
Gets or sets the maximum number of values for this attribute the
Relying Party wishes to receive from the OpenID Provider.
A value of int.MaxValue is considered infinity.
An individual attribute's value(s) as supplied by an OpenID Provider
in response to a prior request by an OpenID Relying Party as part of
a fetch request, or by a relying party as part of a store request.
Initializes a new instance of the class.
The TypeURI that uniquely identifies the attribute.
The values for the attribute.
Initializes a new instance of the class.
This is internal because web sites should be using the
method to instantiate.
Initializes a new instance of the class.
The TypeURI of the attribute whose values are being provided.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Gets the URI uniquely identifying the attribute whose value is being supplied.
Gets the values supplied by the Provider.
The various Type URI formats an AX attribute may use by various remote parties.
No attribute format.
AX attributes should use the Type URI format starting with http://axschema.org/.
AX attributes should use the Type URI format starting with http://schema.openid.net/.
AX attributes should use the Type URI format starting with http://openid.net/schema/.
All known schemas.
The most common schemas.
Helper methods shared by multiple messages in the Attribute Exchange extension.
Adds a request for an attribute considering it 'required'.
The attribute request collection.
The type URI of the required attribute.
Adds a request for an attribute without considering it 'required'.
The attribute request collection.
The type URI of the requested attribute.
Adds a given attribute with one or more values to the request for storage.
Applicable to Relying Parties only.
The collection of to add to.
The type URI of the attribute.
The attribute values.
Serializes a set of attribute values to a dictionary of fields to send in the message.
The dictionary to fill with serialized attributes.
The attributes.
Deserializes attribute values from an incoming set of message data.
The data coming in with the message.
The attribute values found in the message.
Reads through the attributes included in the response to discover
the alias-TypeURI relationships.
The data included in the extension message.
The alias manager that provides lookup between aliases and type URIs.
Attribute Exchange constants
The TypeURI by which the AX extension is recognized in
OpenID messages and in XRDS documents.
The Attribute Exchange Fetch message, request leg.
A handy base class for built-in extensions.
The contract any OpenID extension for DotNetOpenAuth must implement.
Classes that implement this interface should be marked as
[] to allow serializing state servers
to cache messages, particularly responses.
Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.
Gets the additional TypeURIs that are supported by this extension, in preferred order.
May be empty if none other than is supported, but
should not be null.
Useful for reading in messages with an older version of an extension.
The value in the property is always checked before
trying this list.
If you do support multiple versions of an extension using this method,
consider adding a CreateResponse method to your request extension class
so that the response can have the context it needs to remain compatible
given the version of the extension in the request message.
The for an example.
Gets or sets a value indicating whether this extension was
signed by the sender.
true if this instance is signed by the sender; otherwise, false.
Backing store for the property.
Backing store for the property.
Backing store for the property.
Initializes a new instance of the class.
The version of the extension.
The type URI to use in the OpenID message.
The additional supported type URIs by which this extension might be recognized. May be null.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.
Gets the additional TypeURIs that are supported by this extension, in preferred order.
May be empty if none other than is supported, but
should not be null.
Useful for reading in messages with an older version of an extension.
The value in the property is always checked before
trying this list.
If you do support multiple versions of an extension using this method,
consider adding a CreateResponse method to your request extension class
so that the response can have the context it needs to remain compatible
given the version of the extension in the request message.
The for an example.
Gets or sets a value indicating whether this extension was
signed by the OpenID Provider.
true if this instance is signed by the provider; otherwise, false.
Gets the version of the protocol or extension this message is prepared to implement.
Gets the extra, non-standard Protocol parameters included in the message.
Implementations of this interface should ensure that this property never returns null.
Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.
Gets or sets a value indicating whether this extension was
signed by the OpenID Provider.
true if this instance is signed by the provider; otherwise, false.
Gets the additional TypeURIs that are supported by this extension, in preferred order.
May be empty if none other than is supported, but
should not be null.
Useful for reading in messages with an older version of an extension.
The value in the property is always checked before
trying this list.
If you do support multiple versions of an extension using this method,
consider adding a CreateResponse method to your request extension class
so that the response can have the context it needs to remain compatible
given the version of the extension in the request message.
The for an example.
Gets the extra, non-standard Protocol parameters included in the message.
Implementations of this interface should ensure that this property never returns null.
The value for the 'mode' parameter.
The factory method that may be used in deserialization of this message.
Characters that may not appear in an attribute alias list.
Characters that may not appear in an attribute Type URI alias.
The collection of requested attributes.
Initializes a new instance of the class.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Splits a list of aliases by their commas.
The comma-delimited list of aliases. May be null or empty.
The list of aliases. Never null, but may be empty.
Gets a collection of the attributes whose values are
requested by the Relying Party.
A collection where the keys are the attribute type URIs, and the value
is all the attribute request details.
Gets or sets the URL that the OpenID Provider may re-post the fetch response
message to at some time after the initial response has been sent, using an
OpenID Authentication Positive Assertion to inform the relying party of updates
to the requested fields.
Gets or sets a list of aliases for optional attributes.
A comma-delimited list of aliases.
Gets or sets a list of aliases for required attributes.
A comma-delimited list of aliases.
The Attribute Exchange Fetch message, response leg.
The value of the 'mode' parameter.
The factory method that may be used in deserialization of this message.
The collection of provided attributes. This field will never be null.
Initializes a new instance of the class.
Gets the first attribute value provided for a given attribute Type URI.
The type URI of the attribute.
Usually a constant from .
The first value provided for the attribute, or null if the attribute is missing or no values were provided.
This is meant as a helper method for the common case of just wanting one attribute value.
For greater flexibility or to retrieve more than just the first value for an attribute,
use the collection directly.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets a sequence of the attributes whose values are provided by the OpenID Provider.
Gets a value indicating whether the OpenID Provider intends to
honor the request for updates.
Gets or sets the URL the OpenID Provider will post updates to.
Must be set if the Provider supports and will use this feature.
Gets a value indicating whether this extension is signed by the Provider.
true if this instance is signed by the Provider; otherwise, false.
The Attribute Exchange Store message, request leg.
The value of the 'mode' parameter.
The factory method that may be used in deserialization of this message.
The collection of provided attribute values. This field will never be null.
Initializes a new instance of the class.
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Gets the collection of all the attributes that are included in the store request.
The Attribute Exchange Store message, response leg.
The value of the mode parameter used to express a successful store operation.
The value of the mode parameter used to express a store operation failure.
The factory method that may be used in deserialization of this message.
Initializes a new instance of the class
to represent a successful store operation.
Initializes a new instance of the class
to represent a failed store operation.
The reason for failure.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets or sets a value indicating whether the storage request succeeded.
Defaults to true.
Gets or sets the reason for the failure, if applicable.
Gets a value indicating whether this extension is signed by the Provider.
true if this instance is signed by the Provider; otherwise, false.
Gets or sets the mode argument.
One of 'store_response_success' or 'store_response_failure'.
Attribute types defined at http://www.axschema.org/types/.
If you don't see what you need here, check that URL to see if any have been added.
You can use new ones directly without adding them to this class, and can even make
up your own if you expect the other end to understand what you make up.
Inherent attributes about a personality such as gender and bio.
Gender, either "M" or "F"
"M", "F"
Biography (text)
"I am the very model of a modern Major General."
Preferences such as language and timezone.
Preferred language, as per RFC4646
"en-US"
Home time zone information (as specified in zoneinfo)
"America/Pacific"
The names a person goes by.
Subject's alias or "screen" name
"Johnny5"
Full name of subject
"John Doe"
Honorific prefix for the subject's name
"Mr.", "Mrs.", "Dr."
First or given name of subject
"John"
Last name or surname of subject
"Smith"
Middle name(s) of subject
"Robert"
Suffix of subject's name
"III", "Jr."
Business affiliation.
Company name (employer)
"Springfield Power"
Employee title
"Engineer"
Information about a person's birthdate.
Date of birth.
"1979-01-01"
Year of birth (four digits)
"1979"
Month of birth (1-12)
"05"
Day of birth
"31"
Various ways to contact a person.
Internet SMTP email address as per RFC2822
"jsmith@isp.example.com"
Various types of phone numbers.
Main phone number (preferred)
+1-800-555-1234
Home phone number
+1-800-555-1234
Business phone number
+1-800-555-1234
Cellular (or mobile) phone number
+1-800-555-1234
Fax number
+1-800-555-1234
The many fields that make up an address.
Home postal address: street number, name and apartment number
"#42 135 East 1st Street"
"#42 135 East 1st Street"
"Box 67"
Home city name
"Vancouver"
Home state or province name
"BC"
Home country code in ISO.3166.1988 (alpha 2) format
"CA"
Home postal code; region specific format
"V5A 4B2"
The many fields that make up an address.
Business postal address: street number, name and apartment number
"#42 135 East 1st Street"
"#42 135 East 1st Street"
"Box 67"
Business city name
"Vancouver"
Business state or province name
"BC"
Business country code in ISO.3166.1988 (alpha 2) format
"CA"
Business postal code; region specific format
"V5A 4B2"
Various handles for instant message clients.
AOL instant messaging service handle
"jsmith421234"
ICQ instant messaging service handle
"1234567"
MSN instant messaging service handle
"jsmith42@hotmail.com"
Yahoo! instant messaging service handle
"jsmith421234"
Jabber instant messaging service handle
"jsmith@jabber.example.com"
Skype instant messaging service handle
"jsmith42"
Various web addresses connected with this personality.
Web site URL
"http://example.com/~jsmith/"
Blog home page URL
"http://example.com/jsmith_blog/"
LinkedIn URL
"http://www.linkedin.com/pub/1/234/56"
Amazon URL
"http://www.amazon.com/gp/pdp/profile/A24DLKJ825"
Flickr URL
"http://flickr.com/photos/jsmith42/"
del.icio.us URL
"http://del.icio.us/jsmith42"
Audio and images of this personality.
Spoken name (web URL)
"http://example.com/~jsmith/john_smith.wav"
Audio greeting (web URL)
"http://example.com/~jsmith/i_greet_you.wav"
Video greeting (web URL)
"http://example.com/~jsmith/i_greet_you.mov"
Images of this personality.
Image (web URL); unspecified dimension
"http://example.com/~jsmith/image.jpg"
Image (web URL) with equal width and height
"http://example.com/~jsmith/image.jpg"
Image (web URL) 4:3 aspect ratio - landscape
"http://example.com/~jsmith/image.jpg"
Image (web URL) 4:3 aspect ratio - landscape
"http://example.com/~jsmith/image.jpg"
Image (web URL); favicon format as per FAVICON-W3C. The format for the image must be 16x16 pixels or 32x32 pixels, using either 8-bit or 24-bit colors. The format of the image must be one of PNG (a W3C standard), GIF, or ICO.
"http://example.com/~jsmith/image.jpg"
Manages the processing and construction of OpenID extensions parts.
This contains a set of aliases that we must be willing to implicitly
match to namespaces for backward compatibility with other OpenID libraries.
The version of OpenID that the message is using.
Whether extensions are being read or written.
The alias manager that will track Type URI to alias mappings.
A complex dictionary where the key is the Type URI of the extension,
and the value is another dictionary of the name/value args of the extension.
Prevents a default instance of the class from being created.
Creates a instance to process incoming extensions.
The parameters in the OpenID message.
The newly created instance of .
Creates a instance to prepare outgoing extensions.
The protocol version used for the outgoing message.
The newly created instance of .
Adds query parameters for OpenID extensions to the request directed
at the OpenID provider.
The extension type URI.
The arguments for this extension to add to the message.
Gets the actual arguments to add to a querystring or other response,
where type URI, alias, and actual key/values are all defined.
true if the generated parameter names should include the 'openid.' prefix.
This should be true for all but direct response messages.
A dictionary of key=value pairs to add to the message to carry the extension.
Gets the fields carried by a given OpenId extension.
The type URI of the extension whose fields are being queried for.
The fields included in the given extension, or null if the extension is not present.
Gets whether any arguments for a given extension are present.
The extension Type URI in question.
true if this extension is present; false otherwise.
Gets the type URIs of all discovered extensions in the message.
A sequence of the type URIs.
Gets a value indicating whether the extensions are being read (as opposed to written).
An interface that OpenID extensions can implement to allow authentication response
messages with included extensions to be processed by Javascript on the user agent.
Reads the extension information on an authentication response from the provider.
The incoming OpenID response carrying the extension.
A Javascript snippet that when executed on the user agent returns an object with
the information deserialized from the extension response.
This method is called before the signature on the assertion response has been
verified. Therefore all information in these fields should be assumed unreliable
and potentially falsified.
An extension to include with an authentication request in order to also
obtain authorization to access user data at the combined OpenID Provider
and Service Provider.
When requesting OpenID Authentication via the protocol mode "checkid_setup"
or "checkid_immediate", this extension can be used to request that the end
user authorize an OAuth access token at the same time as an OpenID
authentication. This is done by sending the following parameters as part
of the OpenID request. (Note that the use of "oauth" as part of the parameter
names here and in subsequent sections is just an example. See Section 5 for details.)
See section 8.
The factory method that may be used in deserialization of this message.
Initializes a new instance of the class.
Gets or sets the consumer key agreed upon between the Consumer and Service Provider.
Gets or sets a string that encodes, in a way possibly specific to the Combined Provider, one or more scopes for the OAuth token expected in the authentication response.
The OAuth response that a Provider may include with a positive
OpenID identity assertion with an approved request token.
The factory method that may be used in deserialization of this message.
Initializes a new instance of the class.
Gets or sets the user-approved request token.
The request token.
Gets or sets a string that encodes, in a way possibly specific to the Combined Provider, one or more scopes that the returned request token is valid for. This will typically indicate a subset of the scopes requested in Section 8.
Constants used in the OpenID OAuth extension.
The TypeURI for the OpenID OAuth extension.
The name of the parameter that carries the request token in the response.
The OAuth response that a Provider should include with a positive
OpenID identity assertion when OAuth authorization was declined.
The factory method that may be used in deserialization of this message.
Initializes a new instance of the class.
An OpenID extension factory that only delegates extension
instantiation requests to other factories.
The list of factories this factory delegates to.
Initializes a new instance of the class.
Creates a new instance of some extension based on the received extension parameters.
The type URI of the extension.
The parameters associated specifically with this extension.
The OpenID message carrying this extension.
A value indicating whether this extension is being received at the OpenID Provider.
An instance of if the factory recognizes
the extension described in the input parameters; null otherwise.
This factory method need only initialize properties in the instantiated extension object
that are not bound using .
Loads the default factory and additional ones given by the configuration.
A new instance of .
Gets the extension factories that this aggregating factory delegates to.
A list of factories. May be empty, but never null.
Encodes/decodes the Simple Registration Gender type to its string representation.
Encodes the specified value.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Decodes the specified value.
The string value carried by the transport. Guaranteed to never be null, although it may be empty.
The deserialized form of the given string.
Thrown when the string value given cannot be decoded into the required object type.
An OpenID extension factory that supports registration so that third-party
extensions can add themselves to this library's supported extension list.
A collection of the registered OpenID extensions.
Initializes a new instance of the class.
Creates a new instance of some extension based on the received extension parameters.
The type URI of the extension.
The parameters associated specifically with this extension.
The OpenID message carrying this extension.
A value indicating whether this extension is being received at the OpenID Provider.
An instance of if the factory recognizes
the extension described in the input parameters; null otherwise.
This factory method need only initialize properties in the instantiated extension object
that are not bound using .
Registers a new extension delegate.
The factory method that can create the extension.
A delegate that individual extensions may register with this factory.
The type URI of the extension.
The parameters associated specifically with this extension.
The OpenID message carrying this extension.
A value indicating whether this extension is being received at the OpenID Provider.
An instance of if the factory recognizes
the extension described in the input parameters; null otherwise.
Well-known authentication policies defined in the PAPE extension spec or by a recognized
standards body.
This is a class of constants rather than a flags enum because policies may be
freely defined and used by anyone, just by using a new Uri.
An authentication mechanism where the End User does not provide a shared secret to a party potentially under the control of the Relying Party. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider).
An authentication mechanism where the End User authenticates to the OpenID Provider by providing over one authentication factor. Common authentication factors are something you know, something you have, and something you are. An example would be authentication using a password and a software token or digital certificate.
An authentication mechanism where the End User authenticates to the OpenID Provider by providing over one authentication factor where at least one of the factors is a physical factor such as a hardware device or biometric. Common authentication factors are something you know, something you have, and something you are. This policy also implies the Multi-Factor Authentication policy (http://schemas.openid.net/pape/policies/2007/06/multi-factor) and both policies MAY BE specified in conjunction without conflict. An example would be authentication using a password and a hardware token.
Indicates that the Provider MUST use a pair-wise pseudonym for the user that is persistent
and unique across the requesting realm as the openid.claimed_id and openid.identity (see Section 4.2).
Indicates that the OP MUST only respond with a positive assertion if the requirements demonstrated
by the OP to obtain certification by a Federally adopted Trust Framework Provider have been met.
Notwithstanding the RP may request this authentication policy, the RP MUST still
verify that this policy appears in the positive assertion response rather than assume the OP
recognized and complied with the request.
Indicates that the OP MUST not include any OpenID Attribute Exchange or Simple Registration
information regarding the user in the assertion.
Used in a PAPE response to indicate that no PAPE authentication policies could be satisfied.
Used internally by the PAPE extension, so that users don't have to know about it.
OpenID Provider Authentication Policy extension constants.
The namespace used by this extension in messages.
The namespace alias to use for OpenID 1.x interop, where aliases are not defined in the message.
The string to prepend on an Auth Level Type alias definition.
Well-known assurance level Type URIs.
The Type URI of the NIST assurance level.
A mapping between the PAPE TypeURI and the alias to use if
possible for backward compatibility reasons.
Parameters to be included with PAPE requests.
Optional. If the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP SHOULD authenticate the End User for this request.
Integer value greater than or equal to zero in seconds.
The OP should realize that not adhering to the request for re-authentication most likely means that the End User will not be allowed access to the services provided by the RP. If this parameter is absent in the request, the OP should authenticate the user at its own discretion.
Zero or more authentication policy URIs that the OP SHOULD conform to when authenticating the user. If multiple policies are requested, the OP SHOULD satisfy as many as it can.
Space separated list of authentication policy URIs.
If no policies are requested, the RP may be interested in other information such as the authentication age.
The space separated list of the name spaces of the custom Assurance Level that RP requests, in the order of its preference.
An encoder/decoder design for DateTimes that must conform to the PAPE spec.
The timestamp MUST be formatted as specified in section 5.6 of [RFC3339] (Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps,” .), with the following restrictions:
* All times must be in the UTC timezone, indicated with a "Z".
* No fractional seconds are allowed
For example: 2005-05-15T17:11:51Z
An array of the date/time formats allowed by the PAPE extension.
TODO: This array of formats is not yet a complete list.
Encodes the specified value.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Decodes the specified value.
The string value carried by the transport. Guaranteed to never be null, although it may be empty.
The deserialized form of the given string.
Thrown when the string value given cannot be decoded into the required object type.
Descriptions for NIST-defined levels of assurance that a credential
has not been compromised and therefore the extent to which an
authentication assertion can be trusted.
One using this enum should review the following publication for details
before asserting or interpreting what these levels signify, notwithstanding
the brief summaries attached to each level in DotNetOpenAuth documentation.
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
See PAPE spec Appendix A.1.2 (NIST Assurance Levels) for high-level example classifications of authentication methods within the defined levels.
Not an assurance level defined by NIST, but rather SHOULD be used to
signify that the OP recognizes the parameter and the End User
authentication did not meet the requirements of Level 1.
See this document for a thorough description:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
See this document for a thorough description:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
See this document for a thorough description:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
See this document for a thorough description:
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Utility methods for use by the PAPE extension.
Looks at the incoming fields and figures out what the aliases and name spaces for auth level types are.
The incoming message data in which to discover TypeURIs and aliases.
The initialized with the given data.
Concatenates a sequence of strings using a space as a separator.
The elements to concatenate together..
The concatenated string of elements.
Thrown if any element in the sequence includes a space.
The PAPE request part of an OpenID Authentication request message.
The factory method that may be used in deserialization of this message.
The transport field for the RP's preferred authentication policies.
This field is written to/read from during custom serialization.
Initializes a new instance of the class.
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Serializes the policies as a single string per the PAPE spec..
The policies to include in the list.
The concatenated string of the given policies.
Serializes the auth levels to a list of aliases.
The preferred auth level types.
The alias manager.
A space-delimited list of aliases.
Gets or sets the maximum acceptable time since the End User has
actively authenticated to the OP in a manner fitting the requested
policies, beyond which the Provider SHOULD authenticate the
End User for this request.
The OP should realize that not adhering to the request for re-authentication
most likely means that the End User will not be allowed access to the
services provided by the RP. If this parameter is absent in the request,
the OP should authenticate the user at its own discretion.
Gets the list of authentication policy URIs that the OP SHOULD
conform to when authenticating the user. If multiple policies are
requested, the OP SHOULD satisfy as many as it can.
List of authentication policy URIs obtainable from
the class or from a custom
list.
If no policies are requested, the RP may be interested in other
information such as the authentication age.
Gets the namespaces of the custom Assurance Level the
Relying Party requests, in the order of its preference.
The PAPE response part of an OpenID Authentication response message.
The first part of a parameter name that gives the custom string value for
the assurance level. The second part of the parameter name is the alias for
that assurance level.
The factory method that may be used in deserialization of this message.
One or more authentication policy URIs that the OP conformed to when authenticating the End User.
Space separated list of authentication policy URIs.
If no policies were met though the OP wishes to convey other information in the response, this parameter MUST be included with the value of "none".
Backing field for the property.
Initializes a new instance of the class.
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Serializes the applied policies for transmission from the Provider
to the Relying Party.
The applied policies.
A space-delimited list of applied policies.
Gets a list of authentication policy URIs that the
OP conformed to when authenticating the End User.
Gets or sets the most recent timestamp when the End User has
actively authenticated to the OP in a manner fitting the asserted policies.
If the RP's request included the "openid.pape.max_auth_age" parameter
then the OP MUST include "openid.pape.auth_time" in its response.
If "openid.pape.max_auth_age" was not requested, the OP MAY choose to include
"openid.pape.auth_time" in its response.
Gets or sets the Assurance Level as defined by the National
Institute of Standards and Technology (NIST) in Special Publication
800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic
Authentication Guideline,” April 2006.) [NIST_SP800‑63] corresponding
to the authentication method and policies employed by the OP when
authenticating the End User.
See PAPE spec Appendix A.1.2 (NIST Assurance Levels) for high-level
example classifications of authentication methods within the defined
levels.
Gets a dictionary where keys are the authentication level type URIs and
the values are the per authentication level defined custom value.
A very common key is
and values for this key are available in .
Gets a value indicating whether this extension is signed by the Provider.
true if this instance is signed by the Provider; otherwise, false.
Carries the request/require/none demand state of the simple registration fields.
The factory method that may be used in deserialization of this message.
The type URI that this particular (deserialized) extension was read in using,
allowing a response to alter be crafted using the same type URI.
Initializes a new instance of the class.
Initializes a new instance of the class
by deserializing from a message.
The type URI this extension was recognized by in the OpenID message.
Tests equality between two structs.
One instance to compare.
Another instance to compare.
The result of the operator.
Tests inequality between two structs.
One instance to compare.
Another instance to compare.
The result of the operator.
Tests equality between two structs.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Renders the requested information as a string.
A that represents the current .
Prepares a Simple Registration response extension that is compatible with the
version of Simple Registration used in the request message.
The newly created instance.
Sets the profile request properties according to a list of
field names that might have been passed in the OpenId query dictionary.
The list of field names that should receive a given
. These field names should match
the OpenId specification for field names, omitting the 'openid.sreg' prefix.
The none/request/require state of the listed fields.
Assembles the profile parameter names that have a given .
The demand level (request, require, none).
An array of the profile parameter names that meet the criteria.
Gets or sets the URL the consumer site provides for the authenticating user to review
for how his claims will be used by the consumer web site.
Gets or sets the level of interest a relying party has in the nickname of the user.
Gets or sets the level of interest a relying party has in the email of the user.
Gets or sets the level of interest a relying party has in the full name of the user.
Gets or sets the level of interest a relying party has in the birthdate of the user.
Gets or sets the level of interest a relying party has in the gender of the user.
Gets or sets the level of interest a relying party has in the postal code of the user.
Gets or sets the level of interest a relying party has in the Country of the user.
Gets or sets the level of interest a relying party has in the language of the user.
Gets or sets the level of interest a relying party has in the time zone of the user.
Gets or sets a value indicating whether this instance
is synthesized from an AX request at the Provider.
Gets or sets the value of the sreg.required parameter.
A comma-delimited list of sreg fields.
Gets or sets the value of the sreg.optional parameter.
A comma-delimited list of sreg fields.
A struct storing Simple Registration field values describing an
authenticating user.
The factory method that may be used in deserialization of this message.
The allowed format for birthdates.
Storage for the raw string birthdate value.
Backing field for the property.
Backing field for the property.
Initializes a new instance of the class
using the most common, and spec prescribed type URI.
Initializes a new instance of the class.
The type URI that must be used to identify this extension in the response message.
This value should be the same one the relying party used to send the extension request.
Commonly used type URIs supported by relying parties are defined in the
class.
Tests equality of two objects.
One instance to compare.
Another instance to compare.
The result of the operator.
Tests inequality of two objects.
One instance to compare.
Another instance to compare.
The result of the operator.
Tests equality of two objects.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Reads the extension information on an authentication response from the provider.
The incoming OpenID response carrying the extension.
A Javascript snippet that when executed on the user agent returns an object with
the information deserialized from the extension response.
This method is called before the signature on the assertion response has been
verified. Therefore all information in these fields should be assumed unreliable
and potentially falsified.
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Translates an empty string value to null, or passes through non-empty values.
The value to consider changing to null.
Either null or a non-empty string.
Gets or sets the nickname the user goes by.
Gets or sets the user's email address.
Gets or sets the full name of a user as a single string.
Gets or sets the user's birthdate.
Gets or sets the raw birth date string given by the extension.
A string in the format yyyy-MM-dd.
Gets or sets the gender of the user.
Gets or sets the zip code / postal code of the user.
Gets or sets the country of the user.
Gets or sets the primary/preferred language of the user.
Gets or sets the user's timezone.
Gets a combination of the user's full name and email address.
Gets or sets a combination o the language and country of the user.
Gets a value indicating whether this extension is signed by the Provider.
true if this instance is signed by the Provider; otherwise, false.
Simple Registration constants
Additional type URIs that this extension is sometimes known by remote parties.
Commonly used type URIs to represent the Simple Registration extension.
The URI "http://openid.net/extensions/sreg/1.1".
This is the type URI prescribed by the Simple Registration 1.1 spec.
http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3
The URI "http://openid.net/sreg/1.0"
The URI "http://openid.net/sreg/1.1"
Specifies what level of interest a relying party has in obtaining the value
of a given field offered by the Simple Registration extension.
The relying party has no interest in obtaining this field.
The relying party would like the value of this field, but wants
the Provider to display the field to the user as optionally provided.
The relying party considers this a required field as part of
authentication. The Provider and/or user agent MAY still choose to
not provide the value of the field however, according to the
Simple Registration extension specification.
Indicates the gender of a user.
The user is male.
The user is female.
Constants used to support the UI extension.
The type URI associated with this extension.
The Type URI that appears in an XRDS document when the OP supports popups through the UI extension.
The Type URI that appears in an XRDS document when the OP supports the RP
specifying the user's preferred language through the UI extension.
The Type URI that appears in the XRDS document when the OP supports the RP
specifying the icon for the OP to display during authentication through the UI extension.
Valid values for the mode parameter of the OpenID User Interface extension.
Indicates that the Provider's authentication page appears in a popup window.
The constant "popup".
The RP SHOULD create the popup to be 450 pixels wide and 500 pixels tall. The popup MUST have the address bar displayed, and MUST be in a standalone browser window. The contents of the popup MUST NOT be framed by the RP.
The RP SHOULD open the popup centered above the main browser window, and SHOULD dim the contents of the parent window while the popup is active. The RP SHOULD ensure that the user is not surprised by the appearance of the popup, and understands how to interact with it.
To keep the user popup user experience consistent, it is RECOMMENDED that the OP does not resize the popup window unless the OP requires additional space to show special features that are not usually displayed as part of the default popup user experience.
The OP MAY close the popup without returning a response to the RP. Closing the popup without sending a response should be interpreted as a negative assertion.
The response to an authentication request in a popup is unchanged from [OpenID 2.0] (OpenID 2.0 Workgroup, “OpenID 2.0,” .). Relying Parties detecting that the popup was closed without receiving an authentication response SHOULD interpret the close event to be a negative assertion.
OpenID User Interface extension 1.0 request message.
Implements the extension described by: http://wiki.openid.net/f/openid_ui_extension_draft01.html
This extension only applies to checkid_setup requests, since checkid_immediate requests display
no UI to the user.
For rules about how the popup window should be displayed, please see the documentation of
.
An RP may determine whether an arbitrary OP supports this extension (and thereby determine
whether to use a standard full window redirect or a popup) via the
method.
The factory method that may be used in deserialization of this message.
Additional type URIs that this extension is sometimes known by remote parties.
Backing store for .
Initializes a new instance of the class.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Called when the message is about to be transmitted,
before it passes through the channel binding elements.
Called when the message has been received,
after it passes through the channel binding elements.
Gets or sets the list of user's preferred languages, sorted in decreasing preferred order.
The default is the of the thread that created this instance.
The user's preferred languages as a [BCP 47] language priority list, represented as a comma-separated list of BCP 47 basic language ranges in descending priority order. For instance, the value "fr-CA,fr-FR,en-CA" represents the preference for French spoken in Canada, French spoken in France, followed by English spoken in Canada.
Gets or sets the style of UI that the RP is hosting the OP's authentication page in.
Some value from the class. Defaults to .
Gets or sets a value indicating whether the Relying Party has an icon
it would like the Provider to display to the user while asking them
whether they would like to log in.
true if the Provider should display an icon; otherwise, false.
By default, the Provider displays the relying party's favicon.ico.
Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.
Gets the additional TypeURIs that are supported by this extension, in preferred order.
May be empty if none other than is supported, but
should not be null.
Useful for reading in messages with an older version of an extension.
The value in the property is always checked before
trying this list.
If you do support multiple versions of an extension using this method,
consider adding a CreateResponse method to your request extension class
so that the response can have the context it needs to remain compatible
given the version of the extension in the request message.
The for an example.
Gets or sets a value indicating whether this extension was
signed by the sender.
true if this instance is signed by the sender; otherwise, false.
Gets the version of the protocol or extension this message is prepared to implement.
The value 1.0.
Implementations of this interface should ensure that this property never returns null.
Gets the extra, non-standard Protocol parameters included in the message.
Implementations of this interface should ensure that this property never returns null.
Constants used in implementing support for the UI extension.
The required width of the popup window the relying party creates for the provider.
The required height of the popup window the relying party creates for the provider.
An Identifier is either a "http" or "https" URI, or an XRI.
Initializes a new instance of the class.
The original string before any normalization.
Whether the derived class is prepared to guarantee end-to-end discovery
and initial redirect for authentication is performed using SSL.
Converts the string representation of an Identifier to its strong type.
The identifier.
The particular Identifier instance to represent the value given.
Converts a given Uri to a strongly-typed Identifier.
The identifier to convert.
The result of the conversion.
Converts an Identifier to its string representation.
The identifier to convert to a string.
The result of the conversion.
Parses an identifier string and automatically determines
whether it is an XRI or URI.
Either a URI or XRI identifier.
An instance for the given value.
Parses an identifier string and automatically determines
whether it is an XRI or URI.
Either a URI or XRI identifier.
if set to true this Identifier will serialize exactly as given rather than in its normalized form.
An instance for the given value.
Attempts to parse a string for an OpenId Identifier.
The string to be parsed.
The parsed Identifier form.
True if the operation was successful. False if the string was not a valid OpenId Identifier.
Checks the validity of a given string representation of some Identifier.
The identifier.
true if the specified identifier is valid; otherwise, false.
Tests equality between two s.
The first Identifier.
The second Identifier.
true if the two instances should be considered equal; false otherwise.
Tests inequality between two s.
The first Identifier.
The second Identifier.
true if the two instances should be considered unequal; false if they are equal.
Tests equality between two s.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Gets the hash code for an for storage in a hashtable.
A hash code for the current .
Reparses the specified identifier in order to be assured that the concrete type that
implements the identifier is one of the well-known ones.
The identifier.
Either or .
Returns an that has no URI fragment.
Quietly returns the original if it is not
a or no fragment exists.
A new instance if there was a
fragment to remove, otherwise this same instance..
Converts a given identifier to its secure equivalent.
UriIdentifiers originally created with an implied HTTP scheme change to HTTPS.
Discovery is made to require SSL for the entire resolution process.
The newly created secure identifier.
If the conversion fails, retains
this identifiers identity, but will never discover any endpoints.
True if the secure conversion was successful.
False if the Identifier was originally created with an explicit HTTP scheme.
Gets the original string that was normalized to create this Identifier.
Gets the Identifier in the form in which it should be serialized.
For Identifiers that were originally deserialized, this is the exact same
string that was deserialized. For Identifiers instantiated in some other way, this is
the normalized form of the string used to instantiate the identifier.
Gets or sets a value indicating whether instances are considered equal
based solely on their string reprsentations.
This property serves as a test hook, so that MockIdentifier instances can be considered "equal"
to UriIdentifier instances.
Gets a value indicating whether this Identifier will ensure SSL is
used throughout the discovery phase and initial redirect of authentication.
If this is false, a value of true may be obtained by calling
.
Gets a value indicating whether this instance was initialized from
deserializing a message.
This is interesting because when an Identifier comes from the network,
we can't normalize it and then expect signatures to still verify.
But if the Identifier is initialized locally, we can and should normalize it
before serializing it.
Provides conversions to and from strings for messages that include members of this type.
Encodes the specified value as the original value that was formerly decoded.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Encodes the specified value.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Decodes the specified value.
The string value carried by the transport. Guaranteed to never be null, although it may be empty.
The deserialized form of the given string.
Thrown when the string value given cannot be decoded into the required object type.
Code Contract for the class.
Prevents a default instance of the IdentifierContract class from being created.
Returns an that has no URI fragment.
Quietly returns the original if it is not
a or no fragment exists.
A new instance if there was a
fragment to remove, otherwise this same instance..
Converts a given identifier to its secure equivalent.
UriIdentifiers originally created with an implied HTTP scheme change to HTTPS.
Discovery is made to require SSL for the entire resolution process.
The newly created secure identifier.
If the conversion fails, retains
this identifiers identity, but will never discover any endpoints.
True if the secure conversion was successful.
False if the Identifier was originally created with an explicit HTTP scheme.
A set of methods designed to assist in improving interop across different
OpenID implementations and their extensions.
The gender decoder to translate AX genders to Sreg.
Splits the AX attribute format flags into individual values for processing.
The formats to split up into individual flags.
A sequence of individual flags.
Transforms an AX attribute type URI from the axschema.org format into a given format.
The ax schema org format type URI.
The target format. Only one flag should be set.
The AX attribute type URI in the target format.
Detects the AX attribute type URI format from a given sample.
The type URIs to scan for recognized formats.
The first AX type URI format recognized in the list.
Adds an attribute fetch request if it is not already present in the AX request.
The AX request to add the attribute request to.
The format of the attribute's Type URI to use.
The attribute in axschema.org format.
The demand level.
Gets the gender decoder to translate AX genders to Sreg.
Represents a single OP endpoint from discovery on some OpenID Identifier.
Information published about an OpenId Provider by the
OpenId discovery documents found at a user's Claimed Identifier.
Because information provided by this interface is suppplied by a
user's individually published documents, it may be incomplete or inaccurate.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Gets the detected version of OpenID implemented by the Provider.
Gets the URL that the OpenID Provider receives authentication requests at.
This value MUST be an absolute HTTP or HTTPS URL.
Backing field for the property.
Backing field for the property.
Backing field for the property.
Initializes a new instance of the class.
The provider endpoint.
The Claimed Identifier.
The User-supplied Identifier.
The Provider Local Identifier.
The service priority.
The URI priority.
Implements the operator ==.
The first service endpoint.
The second service endpoint.
The result of the operator.
Implements the operator !=.
The first service endpoint.
The second service endpoint.
The result of the operator.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Returns a that represents the current .
A that represents the current .
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Determines whether a given extension is supported by this endpoint.
An instance of the extension to check support for.
true if the extension is supported by this endpoint; otherwise, false.
Creates a instance to represent some OP Identifier.
The provider identifier (actually the user-supplied identifier).
The provider endpoint.
The service priority.
The URI priority.
The created instance
Creates a instance to represent some Claimed Identifier.
The claimed identifier.
The provider local identifier.
The provider endpoint.
The service priority.
The URI priority.
The created instance
Creates a instance to represent some Claimed Identifier.
The claimed identifier.
The user supplied identifier.
The provider local identifier.
The provider endpoint.
The service priority.
The URI priority.
The created instance
Determines whether a given type URI is present on the specified provider endpoint.
The type URI.
true if the type URI is present on the specified provider endpoint; otherwise, false.
Sets the Capabilities property (this method is a test hook.)
The value.
The publicize.exe tool should work for the unit tests, but for some reason it fails on the build server.
Gets the priority rating for a given type of endpoint, allowing a
priority sorting of endpoints.
The endpoint to prioritize.
An arbitary integer, which may be used for sorting against other returned values from this method.
Gets the detected version of OpenID implemented by the Provider.
Gets the Identifier that was presented by the end user to the Relying Party,
or selected by the user at the OpenID Provider.
During the initiation phase of the protocol, an end user may enter
either their own Identifier or an OP Identifier. If an OP Identifier
is used, the OP may then assist the end user in selecting an Identifier
to share with the Relying Party.
Gets the Identifier that the end user claims to control.
Gets an alternate Identifier for an end user that is local to a
particular OP and thus not necessarily under the end user's
control.
Gets a more user-friendly (but NON-secure!) string to display to the user as his identifier.
A human-readable, abbreviated (but not secure) identifier the user MAY recognize as his own.
Gets the provider endpoint.
Gets the @priority given in the XRDS document for this specific OP endpoint.
Gets the @priority given in the XRDS document for this service
(which may consist of several endpoints).
Gets the collection of service type URIs found in the XRDS document describing this Provider.
Should never be null, but may be empty.
Gets the URL that the OpenID Provider receives authentication requests at.
This value MUST be an absolute HTTP or HTTPS URL.
Gets an XRDS sorting routine that uses the XRDS Service/@Priority
attribute to determine order.
Endpoints lacking any priority value are sorted to the end of the list.
Gets the protocol used by the OpenID Provider.
A module that provides discovery services for OpenID identifiers.
Performs discovery on the specified identifier.
The identifier to perform discovery on.
The means to place outgoing HTTP requests.
if set to true, no further discovery services will be called for this identifier.
A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.
Code contract for the interface.
Prevents a default instance of the class from being created.
Performs discovery on the specified identifier.
The identifier to perform discovery on.
The means to place outgoing HTTP requests.
if set to true, no further discovery services will be called for this identifier.
A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.
A service that can perform discovery on OpenID identifiers.
The RP or OP that is hosting these services.
Backing field for the property.
Initializes a new instance of the class.
The RP or OP that creates this instance.
Performs discovery on the specified identifier.
The identifier to discover services for.
A non-null sequence of services discovered for the identifier.
Gets the list of services that can perform discovery on identifiers given.
An interface implemented by both providers and relying parties.
Gets the security settings.
Gets the web request handler.
Code contract for the type.
Prevents a default instance of the class from being created.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Gets the detected version of OpenID implemented by the Provider.
Gets the URL that the OpenID Provider receives authentication requests at.
Instances of this interface represent incoming authentication requests.
This interface provides the details of the request and allows setting
the response.
Interface exposing incoming messages to the OpenID Provider that
require interaction with the host site.
Represents an incoming OpenId authentication request.
Requests may be infrastructural to OpenID and allow auto-responses, or they may
be authentication requests where the Provider site has to make decisions based
on its own user database and policies.
Adds an extension to the response to send to the relying party.
The extension to add to the response message.
Removes any response extensions previously added using .
This should be called before sending a negative response back to the relying party
if extensions were already added, since negative responses cannot carry extensions.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets a value indicating whether the response is ready to be sent to the user agent.
This property returns false if there are properties that must be set on this
request instance before the response can be sent.
Gets or sets the security settings that apply to this request.
Defaults to the OpenIdProvider.SecuritySettings on the OpenIdProvider.
Attempts to perform relying party discovery of the return URL claimed by the Relying Party.
The web request handler.
The details of how successful the relying party discovery was.
Return URL verification is only attempted if this method is called.
See OpenID Authentication 2.0 spec section 9.2.1.
Gets the version of OpenID being used by the relying party that sent the request.
Gets the URL the consumer site claims to use as its 'base' address.
Gets a value indicating whether the consumer demands an immediate response.
If false, the consumer is willing to wait for the identity provider
to authenticate the user.
Gets or sets the provider endpoint claimed in the positive assertion.
The default value is the URL that the request came in on from the relying party.
This value MUST match the value for the OP Endpoint in the discovery results for the
claimed identifier being asserted in a positive response.
Adds an optional fragment (#fragment) portion to the ClaimedIdentifier.
Useful for identifier recycling.
Should not include the # prefix character as that will be added internally.
May be null or the empty string to clear a previously set fragment.
Unlike the property, which can only be set if
using directed identity, this method can be called on any URI claimed identifier.
Because XRI claimed identifiers (the canonical IDs) are never recycled,
this method shouldnot be called for XRIs.
Thrown when this method is called on an XRI, or on a directed identity
request before the property is set.
Gets a value indicating whether the Provider should help the user
select a Claimed Identifier to send back to the relying party.
Gets a value indicating whether the requesting Relying Party is using a delegated URL.
When delegated identifiers are used, the should not
be changed at the Provider during authentication.
Delegation is only detectable on requests originating from OpenID 2.0 relying parties.
A relying party implementing only OpenID 1.x may use delegation and this property will
return false anyway.
Gets or sets the Local Identifier to this OpenID Provider of the user attempting
to authenticate. Check to see if
this value is valid.
This may or may not be the same as the Claimed Identifier that the user agent
originally supplied to the relying party. The Claimed Identifier
endpoint may be delegating authentication to this provider using
this provider's local id, which is what this property contains.
Use this identifier when looking up this user in the provider's user account
list.
Gets or sets the identifier that the user agent is claiming at the relying party site.
Check to see if this value is valid.
This property can only be set if is
false, to prevent breaking URL delegation.
This will not be the same as this provider's local identifier for the user
if the user has set up his/her own identity page that points to this
provider for authentication.
The provider may use this identifier for displaying to the user when
asking for the user's permission to authenticate to the relying party.
Thrown from the setter
if is true.
Gets or sets a value indicating whether the provider has determined that the
belongs to the currently logged in user
and wishes to share this information with the consumer.
Code contract class for the type.
Initializes a new instance of the class.
Adds an optional fragment (#fragment) portion to the ClaimedIdentifier.
Useful for identifier recycling.
Should not include the # prefix character as that will be added internally.
May be null or the empty string to clear a previously set fragment.
Unlike the property, which can only be set if
using directed identity, this method can be called on any URI claimed identifier.
Because XRI claimed identifiers (the canonical IDs) are never recycled,
this method shouldnot be called for XRIs.
Thrown when this method is called on an XRI, or on a directed identity
request before the property is set.
Attempts to perform relying party discovery of the return URL claimed by the Relying Party.
The web request handler to use for the RP discovery request.
The details of how successful the relying party discovery was.
Return URL verification is only attempted if this method is called.
See OpenID Authentication 2.0 spec section 9.2.1.
Adds an extension to the response to send to the relying party.
The extension to add to the response message.
Removes any response extensions previously added using .
This should be called before sending a negative response back to the relying party
if extensions were already added, since negative responses cannot carry extensions.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets a value indicating whether the Provider should help the user
select a Claimed Identifier to send back to the relying party.
Gets a value indicating whether the requesting Relying Party is using a delegated URL.
When delegated identifiers are used, the should not
be changed at the Provider during authentication.
Delegation is only detectable on requests originating from OpenID 2.0 relying parties.
A relying party implementing only OpenID 1.x may use delegation and this property will
return false anyway.
Gets or sets the Local Identifier to this OpenID Provider of the user attempting
to authenticate. Check to see if
this value is valid.
This may or may not be the same as the Claimed Identifier that the user agent
originally supplied to the relying party. The Claimed Identifier
endpoint may be delegating authentication to this provider using
this provider's local id, which is what this property contains.
Use this identifier when looking up this user in the provider's user account
list.
Gets or sets the identifier that the user agent is claiming at the relying party site.
Check to see if this value is valid.
This property can only be set if is
false, to prevent breaking URL delegation.
This will not be the same as this provider's local identifier for the user
if the user has set up his/her own identity page that points to this
provider for authentication.
The provider may use this identifier for displaying to the user when
asking for the user's permission to authenticate to the relying party.
Thrown from the setter
if is true.
Gets or sets a value indicating whether the provider has determined that the
belongs to the currently logged in user
and wishes to share this information with the consumer.
Gets the version of OpenID being used by the relying party that sent the request.
Gets the URL the consumer site claims to use as its 'base' address.
Gets a value indicating whether the consumer demands an immediate response.
If false, the consumer is willing to wait for the identity provider
to authenticate the user.
Gets or sets the provider endpoint claimed in the positive assertion.
The default value is the URL that the request came in on from the relying party.
This value MUST match the value for the OP Endpoint in the discovery results for the
claimed identifier being asserted in a positive response.
Gets a value indicating whether the response is ready to be sent to the user agent.
This property returns false if there are properties that must be set on this
request instance before the response can be sent.
Gets or sets the security settings that apply to this request.
Defaults to the OpenIdProvider.SecuritySettings on the OpenIdProvider.
Code contract for the type.
Initializes a new instance of the class.
Adds an extension to the response to send to the relying party.
The extension to add to the response message.
Removes any response extensions previously added using .
This should be called before sending a negative response back to the relying party
if extensions were already added, since negative responses cannot carry extensions.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Attempts to perform relying party discovery of the return URL claimed by the Relying Party.
The web request handler.
The details of how successful the relying party discovery was.
Return URL verification is only attempted if this method is called.
See OpenID Authentication 2.0 spec section 9.2.1.
Gets the version of OpenID being used by the relying party that sent the request.
Gets the URL the consumer site claims to use as its 'base' address.
Gets a value indicating whether the consumer demands an immediate response.
If false, the consumer is willing to wait for the identity provider
to authenticate the user.
Gets or sets the provider endpoint.
The default value is the URL that the request came in on from the relying party.
Gets or sets the security settings that apply to this request.
Defaults to the OpenIdProvider.SecuritySettings on the OpenIdProvider.
Gets a value indicating whether the response is ready to be sent to the user agent.
This property returns false if there are properties that must be set on this
request instance before the response can be sent.
Applies a custom security policy to certain OpenID security settings and behaviors.
Applies a well known set of security requirements to a default set of security settings.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when a request is received by the Provider.
The incoming request.
true if this behavior owns this request and wants to stop other behaviors
from handling it; false to allow other behaviors to process this request.
Implementations may set a new value to but
should not change the properties on the instance of
itself as that instance may be shared across many requests.
Called when the Provider is preparing to send a response to an authentication request.
The request that is configured to generate the outgoing response.
true if this behavior owns this request and wants to stop other behaviors
from handling it; false to allow other behaviors to process this request.
Code contract for the type.
Initializes a new instance of the class.
Applies a well known set of security requirements to a default set of security settings.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when a request is received by the Provider.
The incoming request.
true if this behavior owns this request and wants to stop other behaviors
from handling it; false to allow other behaviors to process this request.
Implementations may set a new value to but
should not change the properties on the instance of
itself as that instance may be shared across many requests.
Called when the Provider is preparing to send a response to an authentication request.
The request that is configured to generate the outgoing response.
true if this behavior owns this request and wants to stop other behaviors
from handling it; false to allow other behaviors to process this request.
Code contract for the interface.
Prevents a default instance of the class from being created.
Adds an extension to the response to send to the relying party.
The extension to add to the response message.
Removes any response extensions previously added using .
This should be called before sending a negative response back to the relying party
if extensions were already added, since negative responses cannot carry extensions.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets an extension sent from the relying party.
The type of the extension.
An instance of the extension initialized with values passed in with the request.
Gets or sets the security settings that apply to this request.
Defaults to the OpenIdProvider.SecuritySettings on the OpenIdProvider.
Gets a value indicating whether the response is ready to be sent to the user agent.
This property returns false if there are properties that must be set on this
request instance before the response can be sent.
Security settings that are applicable to providers.
Security settings that may be applicable to both relying parties and providers.
Gets the default minimum hash bit length.
Gets the maximum hash bit length default for relying parties.
Gets the maximum hash bit length default for providers.
Initializes a new instance of the class.
A value indicating whether this class is being instantiated for a Provider.
Determines whether a named association fits the security requirements.
The protocol carrying the association.
The value of the openid.assoc_type parameter.
true if the association is permitted given the security requirements; otherwise, false.
Determines whether a given association fits the security requirements.
The association to check.
true if the association is permitted given the security requirements; otherwise, false.
Gets or sets the minimum hash length (in bits) allowed to be used in an
with the remote party. The default is 160.
SHA-1 (160 bits) has been broken. The minimum secure hash length is now 256 bits.
The default is still a 160 bit minimum to allow interop with common remote parties,
such as Yahoo! that only supports 160 bits.
For sites that require high security such as to store bank account information and
health records, 256 is the recommended value.
Gets or sets the maximum hash length (in bits) allowed to be used in an
with the remote party. The default is 256 for relying parties and 512 for providers.
The longer the bit length, the more secure the identities of your visitors are.
Setting a value higher than 256 on a relying party site may reduce performance
as many association requests will be denied, causing secondary requests or even
authentication failures.
Setting a value higher than 256 on a provider increases security where possible
without these side-effects.
Gets or sets a value indicating whether identifiers that are both OP Identifiers and Claimed Identifiers
should ever be recognized as claimed identifiers.
The default value is false, per the OpenID 2.0 spec.
OpenID 2.0 sections 7.3.2.2 and 11.2 specify that OP Identifiers never be recognized as Claimed Identifiers.
However, for some scenarios it may be desirable for an RP to override this behavior and allow this.
The security ramifications of setting this property to true have not been fully explored and
therefore this setting should only be changed with caution.
The default value for the property.
The default value for the property.
The default value for the property.
The default value for the property.
The subset of association types and their customized lifetimes.
Initializes a new instance of the class.
Creates a deep clone of this instance.
A new instance that is a deep clone of this instance.
Gets a subset of the available association types and their
customized maximum lifetimes.
Gets or sets a value indicating whether Relying Party discovery will only
succeed if done over a secure HTTPS channel.
Default is false.
Gets or sets the level of verification a Provider performs on an identifier before
sending an unsolicited assertion for it.
The default value is .
Gets or sets a value indicating whether the Provider should ease the burden of storing associations
by encoding them in signed, encrypted form into the association handles themselves, storing only
a few rotating, private symmetric keys in the Provider's store instead.
The default value for this property is true.
Gets or sets a value indicating whether OpenID 1.x relying parties that may not be
protecting their users from replay attacks are protected from
replay attacks by this provider.
The default value is true.
Nonces for protection against replay attacks were not mandated
by OpenID 1.x, which leaves users open to replay attacks.
This feature works by preventing associations from being used
with OpenID 1.x relying parties, thereby forcing them into
"dumb" mode and verifying every claim with this provider.
This gives the provider an opportunity to verify its own nonce
to protect against replay attacks.
Gets or sets a value indicating whether outgoing extensions are always signed.
true if outgoing extensions should be signed; otherwise, false.
The default is true.
This property is internal because Providers should never turn it off, but it is
needed for testing the RP's rejection of unsigned extensions.
The behavior a Provider takes when verifying that it is authoritative for an
identifier it is about to send an unsolicited assertion for.
Always verify that the Provider is authoritative for an identifier before
sending an unsolicited assertion for it and fail if it is not.
Always check that the Provider is authoritative for an identifier before
sending an unsolicited assertion for it, but only log failures, and proceed
to send the unsolicited assertion.
Never verify that the Provider is authoritative for an identifier before
sending an unsolicited assertion for it.
This setting is useful for web servers that refuse to allow a Provider to
introspectively perform an HTTP GET on itself, when sending unsolicited assertions
for identifiers that the OP controls.
The result codes that may be returned from an attempt at relying party discovery.
Relying Party discovery failed to find an XRDS document or the document was invalid.
This can happen either when a relying party does not offer a service document at all,
or when a man-in-the-middle attack is in progress that prevents the Provider from being
able to discover that document.
Relying Party discovery yielded a valid XRDS document, but no matching return_to URI was found.
This is perhaps the most dangerous rating for a relying party, since it suggests that
they are implementing OpenID 2.0 securely, but that a hijack operation may be in progress.
Relying Party discovery succeeded, and a matching return_to URI was found.
An enumeration of the possible results of an authentication attempt.
The authentication was canceled by the user agent while at the provider.
The authentication failed because an error was detected in the OpenId communication.
The Provider responded to a request for immediate authentication approval
with a message stating that additional user agent interaction is required
before authentication can be completed.
Casting the to a
ISetupRequiredAuthenticationResponse in this case can help
you retry the authentication using setup (non-immediate) mode.
Authentication is completed successfully.
The Provider sent a message that did not contain an identity assertion,
but may carry OpenID extensions.
Instances of this interface represent relying party authentication
requests that may be queried/modified in specific ways before being
routed to the OpenID Provider.
Makes a dictionary of key/value pairs available when the authentication is completed.
The arguments to add to the request's return_to URI. Values must not be null.
Note that these values are NOT protected against eavesdropping in transit. No
privacy-sensitive data should be stored using this method.
The values stored here can be retrieved using
, which will only return the value
if it can be verified as untampered with in transit.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed.
The parameter name.
The value of the argument. Must not be null.
Note that these values are NOT protected against eavesdropping in transit. No
privacy-sensitive data should be stored using this method.
The value stored here can be retrieved using
, which will only return the value
if it can be verified as untampered with in transit.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed.
The parameter name.
The value of the argument. Must not be null.
Note that these values are NOT protected against eavesdropping in transit. No
security-sensitive data should be stored using this method.
The value stored here can be retrieved using
.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed without
requiring a return_to signature to protect against tampering of the callback argument.
The parameter name.
The value of the argument. Must not be null.
Note that these values are NOT protected against eavesdropping or tampering in transit. No
security-sensitive data should be stored using this method.
The value stored here can be retrieved using
.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Adds an OpenID extension to the request directed at the OpenID provider.
The initialized extension to add to the request.
Redirects the user agent to the provider for authentication.
Execution of the current page terminates after this call.
This method requires an ASP.NET HttpContext.
Gets or sets the mode the Provider should use during authentication.
Gets the HTTP response the relying party should send to the user agent
to redirect it to the OpenID Provider to start the OpenID authentication process.
Gets the URL that the user agent will return to after authentication
completes or fails at the Provider.
Gets the URL that identifies this consumer web application that
the Provider will display to the end user.
Gets the Claimed Identifier that the User Supplied Identifier
resolved to. Null if the user provided an OP Identifier
(directed identity).
Null is returned if the user is using the directed identity feature
of OpenID 2.0 to make it nearly impossible for a relying party site
to improperly store the reserved OpenID URL used for directed identity
as a user's own Identifier.
However, to test for the Directed Identity feature, please test the
property rather than testing this
property for a null value.
Gets a value indicating whether the authenticating user has chosen to let the Provider
determine and send the ClaimedIdentifier after authentication.
Gets or sets a value indicating whether this request only carries extensions
and is not a request to verify that the user controls some identifier.
true if this request is merely a carrier of extensions and is not
about an OpenID identifier; otherwise, false.
Although OpenID is first and primarily an authentication protocol, its extensions
can be interesting all by themselves. For instance, a relying party might want
to know that its user is over 21 years old, or perhaps a member of some organization.
OpenID extensions can provide this, without any need for asserting the identity of the user.
Constructing an OpenID request for only extensions can be done by calling
OpenIdRelyingParty.CreateRequest with any valid OpenID identifier
(claimed identifier or OP identifier). But once this property is set to true,
the claimed identifier value in the request is not included in the transmitted message.
It is anticipated that an RP would only issue these types of requests to OPs that
trusts to make assertions regarding the individual holding an account at that OP, so it
is not likely that the RP would allow the user to type in an arbitrary claimed identifier
without checking that it resolved to an OP endpoint the RP has on a trust whitelist.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location.
Gets the discovery result leading to the formulation of this request.
The discovery result.
An instance of this interface represents an identity assertion
from an OpenID Provider. It may be in response to an authentication
request previously put to it by a Relying Party site or it may be an
unsolicited assertion.
Relying party web sites should handle both solicited and unsolicited
assertions. This interface does not offer a way to discern between
solicited and unsolicited assertions as they should be treated equally.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available if they are complete and untampered with
since the original request message (as proven by a signature).
If the relying party is operating in stateless mode null is always
returned since the callback arguments could not be signed to protect against
tampering.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available if they are complete and untampered with
since the original request message (as proven by a signature).
If the relying party is operating in stateless mode an empty dictionary is always
returned since the callback arguments could not be signed to protect against
tampering.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location, if available.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
Code contract for the type.
Initializes a new instance of the class.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
This may return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
This MAY return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location, if available.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
Applies a custom security policy to certain OpenID security settings and behaviors.
Applies a well known set of security requirements to a default set of security settings.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when an authentication request is about to be sent.
The request.
Implementations should be prepared to be called multiple times on the same outgoing message
without malfunctioning.
Called when an incoming positive assertion is received.
The positive assertion.
Contract class for the interface.
Prevents a default instance of the class from being created.
Applies a well known set of security requirements to a default set of security settings.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when an authentication request is about to be sent.
The request.
Implementations should be prepared to be called multiple times on the same outgoing message
without malfunctioning.
Called when an incoming positive assertion is received.
The positive assertion.
A message a Relying Party sends to a Provider to confirm the validity
of a positive assertion that was signed by a Provider-only secret.
The significant payload of this message depends entirely upon the
assertion message, and therefore is all in the
property bag.
A common base class for OpenID request messages and indirect responses (since they are ultimately requests).
The openid.ns parameter in the message.
"http://specs.openid.net/auth/2.0"
This particular value MUST be present for the request to be a valid OpenID Authentication 2.0 request. Future versions of the specification may define different values in order to allow message recipients to properly interpret the request.
Backing store for the property.
Backing store for the property.
Initializes a new instance of the class.
The OpenID version this message must comply with.
The OpenID Provider endpoint.
The value for the openid.mode parameter.
A value indicating whether the message will be transmitted directly or indirectly.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Sets a flag indicating that this message is received (as opposed to sent).
Gets some string from a given version of the OpenID protocol.
The protocol version to use for lookup.
A function that can retrieve the desired protocol constant.
The value of the constant.
This method can be used by a constructor to throw an
instead of a .
Gets the value of the openid.mode parameter.
Gets the preferred method of transport for the message.
For direct messages this is the OpenID mandated POST.
For indirect messages both GET and POST are allowed.
Gets the recipient of the message.
The OP endpoint, or the RP return_to.
Gets the version of the protocol this message is prepared to implement.
Version 2.0
Gets the level of protection this message requires.
Gets a value indicating whether this is a direct or indirect message.
Gets the extra parameters included in the message.
An empty dictionary.
Gets a value indicating whether this message was deserialized as an incoming message.
Gets the protocol used by this message.
Initializes a new instance of the class.
The OpenID version this message must comply with.
The OpenID Provider endpoint.
Initializes a new instance of the class
based on the contents of some signed message whose signature must be verified.
The message whose signature should be verified.
The channel. This is used only within the constructor and is not stored in a field.
Gets or sets a value indicating whether the signature being verified by this request
is in fact valid.
true if the signature is valid; otherwise, false.
This property is automatically set as the message is received by the channel's
signing binding element.
Gets or sets the ReturnTo that existed in the original signed message.
This exists strictly for convenience in recreating the
message.
The message sent from the Provider to the Relying Party to confirm/deny
the validity of an assertion that was signed by a private Provider secret.
A common base class for OpenID direct message responses.
The openid.ns parameter in the message.
"http://specs.openid.net/auth/2.0"
OpenID 2.0 Section 5.1.2:
This particular value MUST be present for the response to be a valid OpenID 2.0 response.
Future versions of the specification may define different values in order to allow message
recipients to properly interpret the request.
Backing store for the properties.
Backing store for the properties.
The dictionary of parameters that are not part of the OpenID specification.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request. May be null in case the request is unrecognizable and this is an error response.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Sets a flag indicating that this message is received (as opposed to sent).
Gets the version of the protocol this message is prepared to implement.
Version 2.0
Gets the level of protection this message requires.
Gets a value indicating whether this is a direct or indirect message.
Gets the extra, non-OAuth parameters included in the message.
Gets the originating request message that caused this response to be formed.
This property may be null if the request message was undecipherable.
Gets a value indicating whether this message was deserialized as an incoming message.
Gets the protocol used by this message.
Gets the originating request message that caused this response to be formed.
Initializes a new instance of the class
for use by the Relying Party.
The OpenID version of the response message.
The request that this message is responding to.
Gets or sets a value indicating whether the signature of the verification request is valid.
Gets or sets the handle the relying party should invalidate if is true.
The "invalidate_handle" value sent in the verification request, if the OP confirms it is invalid.
If present in a verification response with "is_valid" set to "true",
the Relying Party SHOULD remove the corresponding association from
its store and SHOULD NOT send further authentication requests with
this handle.
This two-step process for invalidating associations is necessary
to prevent an attacker from invalidating an association at will by
adding "invalidate_handle" parameters to an authentication response.
For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.
An authentication request from a Relying Party to a Provider.
This message type satisfies OpenID 2.0 section 9.1.
An indirect request from a Relying Party to a Provider where the response
is expected to be signed.
Backing store for the property.
Initializes a new instance of the class.
The OpenID version to use.
The Provider endpoint that receives this message.
for asynchronous javascript clients;
to allow the Provider to interact with the user in order to complete authentication.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Adds parameters to the return_to querystring.
The keys=value pairs to add to the return_to query string.
This method is useful if the Relying Party wants to recall some value
when and if a positive assertion comes back from the Provider.
Adds a parameter to the return_to querystring.
The name of the parameter.
The value of the argument.
This method is useful if the Relying Party wants to recall some value
when and if a positive assertion comes back from the Provider.
Gets the value of the openid.mode parameter based on the protocol version and immediate flag.
The OpenID version to use.
for asynchronous javascript clients;
to allow the Provider to interact with the user in order to complete authentication.
checkid_immediate or checkid_setup
Gets the list of extensions that are included with this message.
Implementations of this interface should ensure that this property never returns null.
Gets a value indicating whether the Provider is allowed to interact with the user
as part of authentication.
true if using OpenID immediate mode; otherwise, false.
Gets or sets the handle of the association the RP would like the Provider
to use for signing a positive assertion in the response message.
A handle for an association between the Relying Party and the OP
that SHOULD be used to sign the response.
If no association handle is sent, the transaction will take place in Stateless Mode
(Verifying Directly with the OpenID Provider).
Gets or sets the URL the Provider should redirect the user agent to following
the authentication attempt.
URL to which the OP SHOULD return the User-Agent with the response
indicating the status of the request.
If this value is not sent in the request it signifies that the Relying Party
does not wish for the end user to be returned.
The return_to URL MAY be used as a mechanism for the Relying Party to attach
context about the authentication request to the authentication response.
This document does not define a mechanism by which the RP can ensure that query
parameters are not modified by outside parties; such a mechanism can be defined
by the RP itself.
Gets or sets the Relying Party discovery URL the Provider may use to verify the
source of the authentication request.
URL pattern the OP SHOULD ask the end user to trust. See Section 9.2 (Realms).
This value MUST be sent if openid.return_to is omitted.
Default: The URL.
Gets or sets a value indicating whether the return_to value should be signed.
Initializes a new instance of the class.
The OpenID version to use.
The Provider endpoint that receives this message.
for asynchronous javascript clients;
to allow the Provider to interact with the user in order to complete authentication.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets or sets the Claimed Identifier.
"openid.claimed_id" and "openid.identity" SHALL be either both present or both absent.
If neither value is present, the assertion is not about an identifier,
and will contain other information in its payload, using extensions (Extensions).
It is RECOMMENDED that OPs accept XRI identifiers with or without the "xri://" prefix, as specified in the Normalization (Normalization) section.
Gets or sets the OP Local Identifier.
The OP-Local Identifier.
If a different OP-Local Identifier is not specified, the claimed
identifier MUST be used as the value for openid.identity.
Note: If this is set to the special value
"http://specs.openid.net/auth/2.0/identifier_select" then the OP SHOULD
choose an Identifier that belongs to the end user. This parameter MAY
be omitted if the request is not about an identifier (for instance if
an extension is in use that makes the request meaningful without it;
see openid.claimed_id above).
The base class that all successful association response messages derive from.
Association response messages are described in OpenID 2.0 section 8.2. This type covers section 8.2.1.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets or sets the association handle is used as a key to refer to this association in subsequent messages.
A string 255 characters or less in length. It MUST consist only of ASCII characters in the range 33-126 inclusive (printable non-whitespace characters).
Gets or sets the preferred association type. The association type defines the algorithm to be used to sign subsequent messages.
Value: A valid association type from Section 8.3.
Gets or sets the value of the "openid.session_type" parameter from the request.
If the OP is unwilling or unable to support this association type, it MUST return an
unsuccessful response (Unsuccessful Response Parameters).
Value: A valid association session type from Section 8.4 (Association Session Types).
Note: Unless using transport layer encryption, "no-encryption" MUST NOT be used.
Gets or sets the lifetime, in seconds, of this association. The Relying Party MUST NOT use the association after this time has passed.
An integer, represented in base 10 ASCII.
Members found on error response messages sent from a Provider
to a Relying Party in response to direct and indirect message
requests that result in an error.
Gets or sets a human-readable message indicating why the request failed.
Gets or sets the contact address for the administrator of the server.
The contact address may take any form, as it is intended to be displayed to a person.
Gets or sets a reference token, such as a support ticket number or a URL to a news blog, etc.
A common base class from which indirect response messages should derive.
Backing store for the property.
Initializes a new instance of the class.
The request that caused this response message to be constructed.
The value of the openid.mode parameter.
Initializes a new instance of the class
for unsolicited assertion scenarios.
The OpenID version supported at the Relying Party.
The URI at which the Relying Party receives OpenID indirect messages.
The value to use for the openid.mode parameter.
Gets the property of a message.
The message to fetch the protocol version from.
The value of the property.
This method can be used by a constructor to throw an
instead of a .
Gets the property of a message.
The message to fetch the ReturnTo from.
The value of the property.
This method can be used by a constructor to throw an
instead of a .
Gets the list of extensions that are included with this message.
Implementations of this interface should ensure that this property never returns null.
Gets the signed extensions on this message.
Gets the unsigned extensions on this message.
Gets the originating request message, if applicable.
An indirect message from a Provider to a Relying Party where at least part of the
payload is signed so the Relying Party can verify it has not been tampered with.
The allowed date/time formats for the response_nonce parameter.
This array of formats is not yet a complete list.
Backing field for the property.
The field initializer being DateTime.UtcNow allows for OpenID 1.x messages
to pass through the StandardExpirationBindingElement.
Backing store for the property.
Initializes a new instance of the class.
The authentication request that caused this assertion to be generated.
Initializes a new instance of the class
in order to perform signature verification at the Provider.
The previously signed message.
The channel. This is used only within the constructor and is not stored in a field.
Initializes a new instance of the class
for unsolicited assertions.
The OpenID version to use.
The return_to URL of the Relying Party.
This value will commonly be from ,
but for unsolicited assertions may come from the Provider performing RP discovery
to find the appropriate return_to URL to use.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets the value of a named parameter in the return_to URL without signature protection.
The full name of the parameter whose value is being sought.
The value of the parameter if it is present and unaltered from when
the Relying Party signed it; null otherwise.
This method will always return null on the Provider-side, since Providers
cannot verify the private signature made by the relying party.
Gets the names of the callback parameters added to the original authentication request
without signature protection.
A sequence of the callback parameter names.
Gets a dictionary of all the message part names and values
that are included in the message signature.
The channel.
A dictionary of the signed message parts.
Determines whether one querystring contains every key=value pair that
another querystring contains.
The querystring that should contain at least all the key=value pairs of the other.
The querystring containing the set of key=value pairs to test for in the other.
true if contains all the query parameters that does; false otherwise.
Verifies that the openid.return_to field matches the URL of the actual HTTP request.
From OpenId Authentication 2.0 section 11.1:
To verify that the "openid.return_to" URL matches the URL that is processing this assertion:
* The URL scheme, authority, and path MUST be the same between the two URLs.
* Any query parameters that are present in the "openid.return_to" URL MUST
also be present with the same values in the URL of the HTTP request the RP received.
Gets the level of protection this message requires.
for OpenID 2.0 messages.
for OpenID 1.x messages.
Although the required protection is reduced for OpenID 1.x,
this library will provide Relying Party hosts with all protections
by adding its own specially-crafted nonce to the authentication request
messages except for stateless RPs in OpenID 1.x messages.
Gets or sets the message signature.
Base 64 encoded signature calculated as specified in Section 6 (Generating Signatures).
Gets or sets the signed parameter order.
Comma-separated list of signed fields.
"op_endpoint,identity,claimed_id,return_to,assoc_handle,response_nonce"
This entry consists of the fields without the "openid." prefix that the signature covers.
This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle",
and if present in the response, "claimed_id" and "identity".
Additional keys MAY be signed as part of the message. See Generating Signatures.
Gets or sets the association handle used to sign the message.
The handle for the association that was used to sign this assertion.
Gets or sets the nonce that will protect the message from replay attacks.
Gets the context within which the nonce must be unique.
Gets or sets the UTC date/time the message was originally sent onto the network.
The property setter should ensure a UTC date/time,
and throw an exception if this is not possible.
Thrown when a DateTime that cannot be converted to UTC is set.
Gets or sets the association handle that the Provider wants the Relying Party to not use any more.
If the Relying Party sent an invalid association handle with the request, it SHOULD be included here.
For OpenID 1.1, we allow this to be present but empty to put up with poor implementations such as Blogger.
Gets or sets the Provider Endpoint URI.
Gets or sets the return_to parameter as the relying party provided
it in .
Verbatim copy of the return_to URL parameter sent in the
request, before the Provider modified it.
Gets or sets a value indicating whether the
URI's query string is unaltered between when the Relying Party
sent the original request and when the response was received.
This property is not persisted in the transmitted message, and
has no effect on the Provider-side of the communication.
Gets or sets the nonce that will protect the message from replay attacks.
A string 255 characters or less in length, that MUST be unique to
this particular successful authentication response. The nonce MUST start
with the current time on the server, and MAY contain additional ASCII
characters in the range 33-126 inclusive (printable non-whitespace characters),
as necessary to make each response unique. The date and time MUST be
formatted as specified in section 5.6 of [RFC3339]
(Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps,” .),
with the following restrictions:
- All times must be in the UTC timezone, indicated with a "Z".
- No fractional seconds are allowed
2005-05-15T17:11:51ZUNIQUE
Gets or sets the nonce that will protect the message from replay attacks.
A string 255 characters or less in length, that MUST be unique to
this particular successful authentication response. The nonce MUST start
with the current time on the server, and MAY contain additional ASCII
characters in the range 33-126 inclusive (printable non-whitespace characters),
as necessary to make each response unique. The date and time MUST be
formatted as specified in section 5.6 of [RFC3339]
(Klyne, G. and C. Newman, “Date and Time on the Internet: Timestamps,” .),
with the following restrictions:
- All times must be in the UTC timezone, indicated with a "Z".
- No fractional seconds are allowed
2005-05-15T17:11:51ZUNIQUE
Gets the querystring key=value pairs in the return_to URL.
Code contract class for the IOpenIdMessageExtension interface.
Prevents a default instance of the class from being created.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets the TypeURI the extension uses in the OpenID protocol and in XRDS advertisements.
Gets the additional TypeURIs that are supported by this extension, in preferred order.
May be empty if none other than is supported, but
should not be null.
Useful for reading in messages with an older version of an extension.
The value in the property is always checked before
trying this list.
If you do support multiple versions of an extension using this method,
consider adding a CreateResponse method to your request extension class
so that the response can have the context it needs to remain compatible
given the version of the extension in the request message.
The for an example.
Gets or sets a value indicating whether this extension was
signed by the sender.
true if this instance is signed by the sender; otherwise, false.
Gets the version of the protocol or extension this message is prepared to implement.
Implementations of this interface should ensure that this property never returns null.
Gets the extra, non-standard Protocol parameters included in the message.
Implementations of this interface should ensure that this property never returns null.
The message OpenID Providers send back to Relying Parties to refuse
to assert the identity of a user.
Initializes a new instance of the class.
The request that the relying party sent.
Initializes a new instance of the class.
The request that the relying party sent.
The channel to use to simulate construction of the user_setup_url, if applicable. May be null, but the user_setup_url will not be constructed.
Initializes a new instance of the class.
The version.
The relying party return to.
The value of the openid.mode parameter.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Constructs the value for the user_setup_url parameter to be sent back
in negative assertions in response to OpenID 1.x RP's checkid_immediate requests.
The immediate request.
The channel to use to simulate construction of the message.
The value to use for the user_setup_url parameter.
Gets the value for the openid.mode that is appropriate for this response.
The request that we're responding to.
The value of the openid.mode parameter to use.
Gets or sets the URL the relying party can use to upgrade their authentication
request from an immediate to a setup message.
URL to redirect User-Agent to so the End User can do whatever's necessary to fulfill the assertion.
This part is only included in OpenID 1.x responses.
Gets a value indicating whether this
is in response to an authentication request made in immediate mode.
true if the request was in immediate mode; otherwise, false.
An identity assertion from a Provider to a Relying Party, stating that the
user operating the user agent is in fact some specific user known to the Provider.
Initializes a new instance of the class.
The authentication request that caused this assertion to be generated.
Initializes a new instance of the class
for unsolicited assertions.
The OpenID version to use.
The return_to URL of the Relying Party.
This value will commonly be from ,
but for unsolicited assertions may come from the Provider performing RP discovery
to find the appropriate return_to URL to use.
Initializes a new instance of the class.
The relying party return_to endpoint that will receive this positive assertion.
Gets or sets the Claimed Identifier.
"openid.claimed_id" and "openid.identity" SHALL be either both present or both absent.
If neither value is present, the assertion is not about an identifier,
and will contain other information in its payload, using extensions (Extensions).
Gets or sets the OP Local Identifier.
The OP-Local Identifier.
OpenID Providers MAY assist the end user in selecting the Claimed
and OP-Local Identifiers about which the assertion is made.
The openid.identity field MAY be omitted if an extension is in use that
makes the response meaningful without it (see openid.claimed_id above).
Wraps an existing Identifier and prevents it from performing discovery.
The wrapped identifier.
Initializes a new instance of the class.
The ordinary Identifier whose discovery is being masked.
Whether this Identifier should claim to be SSL-secure, although no discovery will never generate service endpoints anyway.
Returns a that represents the current .
A that represents the current .
Tests equality between two s.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Gets the hash code for an for storage in a hashtable.
A hash code for the current .
Returns an that has no URI fragment.
Quietly returns the original if it is not
a or no fragment exists.
A new instance if there was a
fragment to remove, otherwise this same instance..
Converts a given identifier to its secure equivalent.
UriIdentifiers originally created with an implied HTTP scheme change to HTTPS.
Discovery is made to require SSL for the entire resolution process.
The newly created secure identifier.
If the conversion fails, retains
this identifiers identity, but will never discover any endpoints.
True if the secure conversion was successful.
False if the Identifier was originally created with an explicit HTTP scheme.
A set of utilities especially useful to OpenID.
The prefix to designate this library's proprietary parameters added to the protocol.
A static variable that carries the results of a check for the presence of
assemblies that are required for the Diffie-Hellman algorithm.
Creates a random association handle.
The association handle.
Gets the OpenID protocol instance for the version in a message.
The message.
The OpenID protocol instance.
Changes the position of some element in a list.
The type of elements stored in the list.
The list to be modified.
The new position for the given element.
The element to move within the list.
Thrown if the element does not already exist in the list.
Corrects any URI decoding the Provider may have inappropriately done
to our return_to URL, resulting in an otherwise corrupted base64 encoded value.
The base64 encoded value. May be null.
The value; corrected if corruption had occurred.
AOL may have incorrectly URI-decoded the token for us in the return_to,
resulting in a token URI-decoded twice by the time we see it, and no
longer being a valid base64 string.
It turns out that the only symbols from base64 that is also encoded
in URI encoding rules are the + and / characters.
AOL decodes the %2b sequence to the + character
and the %2f sequence to the / character (it shouldn't decode at all).
When we do our own URI decoding, the + character becomes a space (corrupting base64)
but the / character remains a /, so no further corruption happens to this character.
So to correct this we just need to change any spaces we find in the token
back to + characters.
Rounds the given downward to the whole second.
The DateTime object to adjust.
The new value.
Gets the fully qualified Realm URL, given a Realm that may be relative to a particular page.
The hosting page that has the realm value to resolve.
The realm, which may begin with "*." or "~/".
The request context.
The fully-qualified realm.
Gets the extension factories from the extension aggregator on an OpenID channel.
The channel.
The list of factories that will be used to generate extension instances.
This is an extension method on rather than an instance
method on because the OpenIdRelyingParty
and OpenIdProvider classes don't strong-type to
to allow flexibility in the specific type of channel the user (or tests)
can plug in.
Loads the Diffie-Hellman assemblies.
Thrown if the DH assemblies are missing.
Gets a value indicating whether Diffie Hellman is available in this installation.
true if Diffie-Hellman functionality is present; otherwise, false.
Utility methods for working with XRDS documents.
Finds the Relying Party return_to receiving endpoints.
The XrdsDocument instance to use in this process.
A sequence of Relying Party descriptors for the return_to endpoints.
This is useful for Providers to send unsolicited assertions to Relying Parties,
or for Provider's to perform RP discovery/verification as part of authentication.
Finds the icons the relying party wants an OP to display as part of authentication,
per the UI extension spec.
The XrdsDocument to search.
A sequence of the icon URLs in preferred order.
Enumerates the XRDS service elements that describe OpenID Relying Party return_to URLs
that can receive authentication assertions.
The XrdsDocument instance to use in this process.
A sequence of service elements.
Describes some OpenID Provider endpoint and its capabilities.
This is an immutable type.
Initializes a new instance of the class.
The OpenID Provider endpoint URL.
The OpenID version supported by this particular endpoint.
Initializes a new instance of the class.
The URI the provider listens on for OpenID requests.
The set of services offered by this endpoint.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Gets the URL that the OpenID Provider listens for incoming OpenID messages on.
Gets the OpenID protocol version this endpoint supports.
If an endpoint supports multiple versions, each version must be represented
by its own object.
Gets the collection of service type URIs found in the XRDS document describing this Provider.
A trust root to validate requests and match return URLs against.
This fills the OpenID Authentication 2.0 specification for realms.
See http://openid.net/specs/openid-authentication-2_0.html#realms
A regex used to detect a wildcard that is being used in the realm.
A (more or less) comprehensive list of top-level (i.e. ".com") domains,
for use by in order to disallow overly-broad realms
that allow all web sites ending with '.com', for example.
The Uri of the realm, with the wildcard (if any) removed.
Initializes a new instance of the class.
The realm URL to use in the new instance.
Initializes a new instance of the class.
The realm URL of the Relying Party.
Initializes a new instance of the class.
The realm URI builder.
This is useful because UriBuilder can construct a host with a wildcard
in the Host property, but once there it can't be converted to a Uri.
Implicitly converts the string-form of a URI to a object.
The URI that the new Realm instance will represent.
The result of the conversion.
Implicitly converts a to a object.
The URI to convert to a realm.
The result of the conversion.
Implicitly converts a object to its form.
The realm to convert to a string value.
The result of the conversion.
Checks whether one is equal to another.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Returns the hash code used for storing this object in a hash table.
A hash code for the current .
Returns the string form of this .
A that represents the current .
Validates a URL against this trust root.
A string specifying URL to check.
Whether the given URL is within this trust root.
Validates a URL against this trust root.
The URL to check.
Whether the given URL is within this trust root.
Searches for an XRDS document at the realm URL, and if found, searches
for a description of a relying party endpoints (OpenId login pages).
The mechanism to use for sending HTTP requests.
Whether redirects may be followed when discovering the Realm.
This may be true when creating an unsolicited assertion, but must be
false when performing return URL verification per 2.0 spec section 9.2.1.
The details of the endpoints if found; or null if no service document was discovered.
Searches for an XRDS document at the realm URL.
The mechanism to use for sending HTTP requests.
Whether redirects may be followed when discovering the Realm.
This may be true when creating an unsolicited assertion, but must be
false when performing return URL verification per 2.0 spec section 9.2.1.
The XRDS document if found; or null if no service document was discovered.
Calls if the argument is non-null.
Otherwise throws .
The realm URI builder.
The result of UriBuilder.ToString()
This simple method is worthwhile because it checks for null
before dereferencing the UriBuilder. Since this is called from
within a constructor's base(...) call, this avoids a
when we should be throwing an .
Gets the suggested realm to use for the calling web application.
A realm that matches this applications root URL.
For most circumstances the Realm generated by this property is sufficient.
However a wildcard Realm, such as "http://*.microsoft.com/" may at times be more
desirable than "http://www.microsoft.com/" in order to allow identifier
correlation across related web sites for directed identity Providers.
Requires an HttpContext.Current context.
Gets a value indicating whether a '*.' prefix to the hostname is
used in the realm to allow subdomains or hosts to be added to the URL.
Gets the host component of this instance.
Gets the scheme name for this URI.
Gets the port number of this URI.
Gets the absolute path of the URI.
Gets the System.Uri.AbsolutePath and System.Uri.Query properties separated
by a question mark (?).
Gets the original string.
The original string.
Gets the realm URL. If the realm includes a wildcard, it is not included here.
Gets the Realm discovery URL, where the wildcard (if present) is replaced with "www.".
See OpenID 2.0 spec section 9.2.1 for the explanation on the addition of
the "www" prefix.
Gets a value indicating whether this realm represents a reasonable (sane) set of URLs.
'http://*.com/', for example is not a reasonable pattern, as it cannot meaningfully
specify the site claiming it. This function attempts to find many related examples,
but it can only work via heuristics. Negative responses from this method should be
treated as advisory, used only to alert the user to examine the trust root carefully.
Provides conversions to and from strings for messages that include members of this type.
Encodes the specified value.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
Decodes the specified value.
The string value carried by the transport. Guaranteed to never be null, although it may be empty.
The deserialized form of the given string.
Thrown when the string value given cannot be decoded into the required object type.
Encodes the specified value as the original value that was formerly decoded.
The value. Guaranteed to never be null.
The in string form, ready for message transport.
A description of some OpenID Relying Party endpoint.
This is an immutable type.
Initializes a new instance of the class.
The return to.
The Type URIs of supported services advertised on a relying party's XRDS document.
Derives the highest OpenID protocol that this library and the OpenID Provider have
in common.
The supported service type URIs.
The best OpenID protocol version to use when communicating with this Provider.
Gets the URL to the login page on the discovered relying party web site.
Gets the OpenId protocol that the discovered relying party supports.
Diffie-Hellman encryption methods used by both the relying party and provider.
An array of known Diffie Hellman sessions, sorted by decreasing hash size.
Finds the hashing algorithm to use given an openid.session_type value.
The protocol version of the message that named the session_type to be used.
The value of the openid.session_type parameter.
The hashing algorithm to use.
Thrown if no match could be found for the given .
Looks up the value to be used for the openid.session_type parameter.
The protocol version that is to be used.
The hash size (in bits) that the DH session must have.
The value to be used for the openid.session_type parameter, or null if no match was found.
Encrypts/decrypts a shared secret.
The hashing algorithm that is agreed by both parties to use as part of the secret exchange.
If the secret is being encrypted, this is the new Diffie Hellman object to use.
If the secret is being decrypted, this must be the same Diffie Hellman object used to send the original request message.
The public key of the remote party.
The secret to encode, or the encoded secret. Whichever one is given will generate the opposite in the return value.
The encrypted version of the secret if the secret itself was given in .
The secret itself if the encrypted version of the secret was given in .
Ensures that the big integer represented by a given series of bytes
is a positive integer.
The bytes that make up the big integer.
A byte array (possibly new if a change was required) whose
integer is guaranteed to be positive.
This is to be consistent with OpenID spec section 4.2.
Returns the value used to initialize the static field storing DH session types.
A non-null, non-empty array.
>
This is a method rather than being inlined to the field initializer to try to avoid
the CLR bug that crops up sometimes if we initialize arrays using object initializer syntax.
Provides access to a Diffie-Hellman session algorithm and its name.
Initializes a new instance of the class.
The hashing algorithm used in this particular Diffie-Hellman session type.
A function that will return the value of the openid.session_type parameter for a given version of OpenID.
Gets the function that will return the value of the openid.session_type parameter for a given version of OpenID.
Gets the hashing algorithm used in this particular Diffie-Hellman session type
An association that uses the HMAC-SHA family of algorithms for message signing.
A list of HMAC-SHA algorithms in order of decreasing bit lengths.
The specific variety of HMAC-SHA this association is based on (whether it be HMAC-SHA1, HMAC-SHA256, etc.)
Initializes a new instance of the class.
The specific variety of HMAC-SHA this association is based on (whether it be HMAC-SHA1, HMAC-SHA256, etc.)
The association handle.
The association secret.
The time duration the association will be good for.
Creates an HMAC-SHA association.
The OpenID protocol version that the request for an association came in on.
The value of the openid.assoc_type parameter.
The association handle.
The association secret.
How long the association will be good for.
The newly created association.
Creates an association with the specified handle, secret, and lifetime.
The handle.
The secret.
Total lifetime.
The newly created association.
Returns the length of the shared secret (in bytes).
The protocol version being used that will be used to lookup the text in
The value of the protocol argument specifying the type of association. For example: "HMAC-SHA1".
The length (in bytes) of the association secret.
Thrown if no association can be found by the given name.
Looks for the first association type in a preferred-order list that is
likely to be supported given a specific OpenID version and the security settings,
and perhaps a matching Diffie-Hellman session type.
The OpenID version that dictates which associations are available.
A value indicating whether to consider higher strength security to be better. Use true for initial association requests from the Relying Party; use false from Providers when the Relying Party asks for an unrecognized association in order to pick a suggested alternative that is likely to be supported on both sides.
The set of requirements the selected association type must comply to.
Use true for HTTP associations, false for HTTPS associations.
The resulting association type's well known protocol name. (i.e. HMAC-SHA256)
The resulting session type's well known protocol name, if a matching one is available. (i.e. DH-SHA256)
True if a qualifying association could be found; false otherwise.
Determines whether a named Diffie-Hellman session type and association type can be used together.
The protocol carrying the names of the session and association types.
The value of the openid.assoc_type parameter.
The value of the openid.session_type parameter.
true if the named association and session types are compatible; otherwise, false.
Gets the string to pass as the assoc_type value in the OpenID protocol.
The protocol version of the message that the assoc_type value will be included in.
The value that should be used for the openid.assoc_type parameter.
Returns the specific hash algorithm used for message signing.
The hash algorithm used for message signing.
Returns the value used to initialize the static field storing association types.
A non-null, non-empty array.
>
This is a method rather than being inlined to the field initializer to try to avoid
the CLR bug that crops up sometimes if we initialize arrays using object initializer syntax.
Gets the length (in bits) of the hash this association creates when signing.
Provides information about some HMAC-SHA hashing algorithm that OpenID supports.
Creates the using a given shared secret for the mac.
The HMAC secret.
The algorithm.
Gets or sets the function that takes a particular OpenID version and returns the value of the openid.assoc_type parameter in that protocol.
Gets or sets the name of the HMAC-SHA algorithm. (e.g. "HMAC-SHA256")
Gets or sets the base hash algorithm.
Gets the size of the hash (in bytes).
Represents an association request that is sent using HTTPS and otherwise communicates the shared secret in plain text.
An OpenID direct request from Relying Party to Provider to initiate an association.
Initializes a new instance of the class.
The OpenID version this message must comply with.
The OpenID Provider endpoint.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
Gets or sets the preferred association type. The association type defines the algorithm to be used to sign subsequent messages.
Value: A valid association type from Section 8.3.
Gets or sets the preferred association session type. This defines the method used to encrypt the association's MAC key in transit.
Value: A valid association session type from Section 8.4 (Association Session Types).
Note: Unless using transport layer encryption, "no-encryption" MUST NOT be used.
Initializes a new instance of the class.
The OpenID version this message must comply with.
The OpenID Provider endpoint.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Some messages have required fields, or combinations of fields that must relate to each other
in specialized ways. After deserializing a message, this method checks the state of the
message to see if it conforms to the protocol.
Note that this property should not check signatures or perform any state checks
outside this scope of this particular message.
Thrown if the message is invalid.
An OpenID direct request from Relying Party to Provider to initiate an association that uses Diffie-Hellman encryption.
The (only) value we use for the X variable in the Diffie-Hellman algorithm.
The default gen value for the Diffie-Hellman algorithm.
The default modulus value for the Diffie-Hellman algorithm.
Initializes a new instance of the class.
The OpenID version this message must comply with.
The OpenID Provider endpoint.
Called by the Relying Party to initialize the Diffie-Hellman algorithm and consumer public key properties.
Gets or sets the openid.dh_modulus value.
May be null if the default value given in the OpenID spec is to be used.
Gets or sets the openid.dh_gen value.
May be null if the default value given in the OpenID spec is to be used.
Gets or sets the openid.dh_consumer_public value.
This property is initialized with a call to .
Gets the Diffie-Hellman algorithm.
This property is initialized with a call to .
The successful Diffie-Hellman association response message.
Association response messages are described in OpenID 2.0 section 8.2. This type covers section 8.2.3.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Gets or sets the Provider's Diffie-Hellman public key.
btwoc(g ^ xb mod p)
Gets or sets the MAC key (shared secret), encrypted with the secret Diffie-Hellman value.
H(btwoc(g ^ (xa * xb) mod p)) XOR MAC key. H is either "SHA1" or "SHA256" depending on the session type.
The successful unencrypted association response message.
Association response messages are described in OpenID 2.0 section 8.2. This type covers section 8.2.2.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Gets or sets the MAC key (shared secret) for this association, Base 64 (Josefsson, S., “The Base16, Base32, and Base64 Data Encodings,” .) [RFC3548] encoded.
The Provider's response to a Relying Party that requested an association that the Provider does not support.
This message type described in OpenID 2.0 section 8.2.4.
A message sent from a Provider to a Relying Party in response to a direct message request that resulted in an error.
This message must be sent with an HTTP status code of 400.
This class satisfies OpenID 2.0 section 5.1.2.2.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Gets the HTTP status code that the direct respones should be sent with.
Gets the HTTP headers to add to the response.
May be an empty collection, but must not be null.
Gets or sets a human-readable message indicating why the request failed.
Gets or sets the contact address for the administrator of the server.
The contact address may take any form, as it is intended to be displayed to a person.
Gets or sets a reference token, such as a support ticket number or a URL to a news blog, etc.
A hard-coded string indicating an error occurred.
"unsupported-type"
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Gets or sets an association type supported by the OP from Section 8.3 (Association Types).
Gets or sets a valid association session type from Section 8.4 (Association Session Types) that the OP supports.
A message sent from a Provider to a Relying Party in response to an indirect message request that resulted in an error.
This class satisfies OpenID 2.0 section 5.2.3.
Initializes a new instance of the class.
The request that resulted in this error on the Provider.
Initializes a new instance of the class.
The OpenID version this message should comply with.
The recipient of this message.
Gets or sets a human-readable message indicating why the request failed.
Gets or sets the contact address for the administrator of the server.
The contact address may take any form, as it is intended to be displayed to a person.
Gets or sets a reference token, such as a support ticket number or a URL to a news blog, etc.
A strongly-typed resource class, for looking up localized strings, etc.
Returns the cached ResourceManager instance used by this class.
Overrides the current thread's CurrentUICulture property for all
resource lookups using this strongly typed resource class.
Looks up a localized string similar to An absolute URI is required for this value..
Looks up a localized string similar to This is already a PPID Identifier..
Looks up a localized string similar to The requested association type '{0}' with session type '{1}' is unrecognized or not supported by this Provider due to security requirements..
Looks up a localized string similar to The length of the shared secret ({0}) does not match the length required by the association type ('{1}')..
Looks up a localized string similar to The length of the encrypted shared secret ({0}) does not match the length of the hashing algorithm ({1})..
Looks up a localized string similar to No association store has been given but is required for the current configuration..
Looks up a localized string similar to If an association store is given, a nonce store must also be provided..
Looks up a localized string similar to An attribute with type URI '{0}' has already been added..
Looks up a localized string similar to Only {0} values for attribute '{1}' were requested, but {2} were supplied..
Looks up a localized string similar to The private data supplied does not meet the requirements of any known Association type. Its length may be too short, or it may have been corrupted..
Looks up a localized string similar to The {0} extension failed to deserialize and will be skipped. {1}.
Looks up a localized string similar to Callback arguments are only supported when a {0} is provided to the {1}..
Looks up a localized string similar to A Simple Registration request can only generate a response on the receiving end..
Looks up a localized string similar to The openid.claimed_id and openid.identity parameters must both be present or both be absent..
Looks up a localized string similar to The ClaimedIdentifier property cannot be set when IsDelegatedIdentifier is true to avoid breaking OpenID URL delegation..
Looks up a localized string similar to This OpenID exploits features that this relying party cannot reliably verify. Please try logging in with a human-readable OpenID or from a different OpenID Provider..
Looks up a localized string similar to The ClaimedIdentifier property must be set first..
Looks up a localized string similar to An extension with this property name ('{0}') has already been registered..
Looks up a localized string similar to The extension '{0}' has already been registered..
Looks up a localized string similar to An authentication request has already been created using CreateRequest()..
Looks up a localized string similar to Only OpenIDs issued directly by their OpenID Provider are allowed here..
Looks up a localized string similar to The associate request instance must be a Diffie-Hellman instance..
Looks up a localized string similar to The following properties must be set before the Diffie-Hellman algorithm can generate a public key: {0}.
Looks up a localized string similar to URI is not SSL yet requireSslDiscovery is set to true..
Looks up a localized string similar to An extension sharing namespace '{0}' has already been added. Only one extension per namespace is allowed in a given request..
Looks up a localized string similar to Cannot lookup extension support on a rehydrated ServiceEndpoint..
Looks up a localized string similar to Fragment segments do not apply to XRI identifiers..
Looks up a localized string similar to The HTML head tag must include runat="server"..
Looks up a localized string similar to ClaimedIdentifier and LocalIdentifier must be the same when IsIdentifierSelect is true..
Looks up a localized string similar to The openid.identity and openid.claimed_id parameters must either be both present or both absent from the message..
Looks up a localized string similar to The Provider requested association type '{0}' and session type '{1}', which are not compatible with each other..
Looks up a localized string similar to {0} (Contact: {1}, Reference: {2}).
Looks up a localized string similar to Cannot encode '{0}' because it contains an illegal character for Key-Value Form encoding. (line {1}: '{2}').
Looks up a localized string similar to Invalid XmlDSig signature on XRDS document..
Looks up a localized string similar to Cannot decode Key-Value Form because a line was found without a '{0}' character. (line {1}: '{2}').
Looks up a localized string similar to The scheme must be http or https but was '{0}'..
Looks up a localized string similar to The value '{0}' is not a valid URI..
Looks up a localized string similar to Not a recognized XRI format..
Looks up a localized string similar to The OpenID Provider issued an assertion for an Identifier whose discovery information did not match.
Assertion endpoint info:
{0}
Discovered endpoint info:
{1}.
Looks up a localized string similar to The list of keys do not match the provided dictionary..
Looks up a localized string similar to The '{0}' and '{1}' parameters must both be or not be '{2}'..
Looks up a localized string similar to The maximum time allowed to complete authentication has been exceeded. Please try again..
Looks up a localized string similar to X.509 signing certificate issued to {0}, but a certificate for {1} was expected..
Looks up a localized string similar to Missing {0} element..
Looks up a localized string similar to No recognized association type matches the requested length of {0}..
Looks up a localized string similar to No recognized association type matches the requested name of '{0}'..
Looks up a localized string similar to Unless using transport layer encryption, "no-encryption" MUST NOT be used..
Looks up a localized string similar to No identifier has been set..
Looks up a localized string similar to No XRDS document containing OpenID relying party endpoint information could be found at {0}..
Looks up a localized string similar to Diffie-Hellman session type '{0}' not found for OpenID {1}..
Looks up a localized string similar to This operation is not supported by serialized authentication responses. Try this operation from the LoggedIn event handler..
Looks up a localized string similar to No OpenID endpoint found..
Looks up a localized string similar to No OpenID url is provided..
Looks up a localized string similar to This operation is only allowed when IAuthenticationResponse.State == AuthenticationStatus.SetupRequired..
Looks up a localized string similar to OpenID popup window or iframe did not recognize an OpenID response in the request..
Looks up a localized string similar to An positive OpenID assertion was received from OP endpoint {0} and was rejected based on this site's security settings..
Looks up a localized string similar to Unable to find the signing secret by the handle '{0}'..
Looks up a localized string similar to The {0} property must be set first..
Looks up a localized string similar to This property value is not supported by this control..
Looks up a localized string similar to Unable to determine the version of the OpenID protocol implemented by the Provider at endpoint '{0}'..
Looks up a localized string similar to An HTTP request to the realm URL ({0}) resulted in a redirect, which is not allowed during relying party discovery..
Looks up a localized string similar to Sorry. This site only accepts OpenIDs that are HTTPS-secured, but {0} is not a secure Identifier..
Looks up a localized string similar to The response is not ready. Use IsResponseReady to check whether a response is ready first..
Looks up a localized string similar to return_to '{0}' not under realm '{1}'..
Looks up a localized string similar to The {0} parameter ({1}) does not match the actual URL ({2}) the request was made with..
Looks up a localized string similar to The ReturnTo property must not be null to support this operation..
Looks up a localized string similar to The openid.return_to parameter is required in the request message in order to construct a response, but that parameter was missing..
Looks up a localized string similar to The following parameter(s) are not included in the signature but must be: {0}.
Looks up a localized string similar to Invalid birthdate value. Must be in the form yyyy-MM-dd..
Looks up a localized string similar to The type must implement {0}..
Looks up a localized string similar to The property {0} had unexpected value {1}..
Looks up a localized string similar to Unexpected HTTP status code {0} {1} received in direct response..
Looks up a localized string similar to An unsolicited assertion cannot be sent for the claimed identifier {0} because this is not an authorized Provider for that identifier..
Looks up a localized string similar to Rejecting unsolicited assertions requires a nonce store and an association store..
Looks up a localized string similar to Unsolicited assertions are not allowed at this relying party..
Looks up a localized string similar to Unsolicited assertions are not allowed from 1.0 OpenID Providers..
Looks up a localized string similar to Providing a DateTime whose Kind is Unspecified is not allowed..
Looks up a localized string similar to Unrecognized or missing canonicalization method..
Looks up a localized string similar to This feature is unavailable due to an unrecognized channel configuration..
Looks up a localized string similar to Unrecognized or missing signature method..
Looks up a localized string similar to The openid.user_setup_url parameter is required when sending negative assertion messages in response to immediate mode requests..
Looks up a localized string similar to The X.509 certificate used to sign this document is not trusted..
Looks up a localized string similar to XRI support has been disabled at this site..
Looks up a localized string similar to XRI resolution failed..
An enumeration of the OpenID protocol versions supported by this library.
OpenID Authentication 1.0
OpenID Authentication 1.1
OpenID Authentication 2.0
Tracks the several versions of OpenID this library supports and the unique
constants to each version used in the protocol.
The value of the openid.ns parameter in the OpenID 2.0 specification.
The parameter of the callback parameter we tack onto the return_to URL
to store the replay-detection nonce.
Scans a list for matches with some element of the OpenID protocol,
searching from newest to oldest protocol for the first and best match.
The type of element retrieved from the instance.
Takes a instance and returns an element of it.
The list to scan for matches.
The protocol with the element that matches some item in the list.
A list of all supported OpenID versions, in order starting from newest version.
A list of all supported OpenID versions, in order starting from newest version.
V1.1 and V1.0 are considered the same and only V1.1 is in the list.
The default (or most recent) supported version of the OpenID protocol.
Attempts to detect the right OpenID protocol version based on the contents
of an incoming OpenID indirect message or direct request.
Attempts to detect the right OpenID protocol version based on the contents
of an incoming OpenID direct response message.
Attemps to detect the highest OpenID protocol version supported given a set
of XRDS Service Type URIs included for some service.
The OpenID version that this instance describes.
The namespace of OpenId 1.x elements in XRDS documents.
The value of the openid.ns parameter that appears on the query string
whenever data is passed between relying party and provider for OpenID 2.0
and later.
The XRD/Service/Type value discovered in an XRDS document when
"discovering" on a Claimed Identifier (http://andrewarnott.yahoo.com)
The XRD/Service/Type value discovered in an XRDS document when
"discovering" on an OP Identifier rather than a Claimed Identifier.
(http://yahoo.com)
The XRD/Service/Type value discovered in an XRDS document when
"discovering" on a Realm URL and looking for the endpoint URL
that can receive authentication assertions.
Used as the Claimed Identifier and the OP Local Identifier when
the User Supplied Identifier is an OP Identifier.
The value of the 'rel' attribute in an HTML document's LINK tag
when the same LINK tag's HREF attribute value contains the URL to an
OP Endpoint URL.
The value of the 'rel' attribute in an HTML document's LINK tag
when the same LINK tag's HREF attribute value contains the URL to use
as the OP Local Identifier.
Parts of the protocol that define parameter names that appear in the
query string. Each parameter name is prefixed with 'openid.'.
Parts of the protocol that define parameter names that appear in the
query string. Each parameter name is NOT prefixed with 'openid.'.
The various 'constants' that appear as parameter arguments (values).
The maximum time a user can be allowed to take to complete authentication.
This is used to calculate the length of time that nonces are stored.
This is internal until we can decide whether to leave this static, or make
it an instance member, or put it inside the IConsumerApplicationStore interface.
The maximum permissible difference in clocks between relying party and
provider web servers, discounting time zone differences.
This is used when storing/validating nonces from the provider.
If it is conceivable that a server's clock could be up to five minutes
off from true UTC time, then the maximum time skew should be set to
ten minutes to allow one server to be five minutes ahead and the remote
server to be five minutes behind and still be able to communicate.
Checks whether a given Protocol version practically equals this one
for purposes of verifying a match for assertion verification.
The other version to check against this one.
true if this and the given Protocol versions are essentially the same.
OpenID v1.0 never had a spec, and 1.0 and 1.1 are indistinguishable because of that.
Therefore for assertion verification, 1.0 and 1.1 are considered equivalent.
Returns the enum value for the instance.
The value "openid."
A preference order list of all supported session types.
A preference order list of signature algorithms we support.
A hybrid of the store interfaces that an OpenID Provider must implement, and
an OpenID Relying Party may implement to operate in stateful (smart) mode.
Security settings that are applicable to relying parties.
The default value for the property.
Initializes a new instance of the class.
Filters out any disallowed endpoints.
The endpoints discovered on an Identifier.
A sequence of endpoints that satisfy all security requirements.
Gets or sets a value indicating whether the entire pipeline from Identifier discovery to
Provider redirect is guaranteed to be encrypted using HTTPS for authentication to succeed.
Setting this property to true is appropriate for RPs with highly sensitive
personal information behind the authentication (money management, health records, etc.)
When set to true, some behavioral changes and additional restrictions are placed:
- User-supplied identifiers lacking a scheme are prepended with
HTTPS:// rather than the standard HTTP:// automatically.
- User-supplied identifiers are not allowed to use HTTP for the scheme.
- All redirects during discovery on the user-supplied identifier must be HTTPS.
- Any XRDS file found by discovery on the User-supplied identifier must be protected using HTTPS.
- Only Provider endpoints found at HTTPS URLs will be considered.
- If the discovered identifier is an OP Identifier (directed identity), the
Claimed Identifier eventually asserted by the Provider must be an HTTPS identifier.
- In the case of an unsolicited assertion, the asserted Identifier, discovery on it and
the asserting provider endpoint must all be secured by HTTPS.
Although the first redirect from this relying party to the Provider is required
to use HTTPS, any additional redirects within the Provider cannot be protected and MAY
revert the user's connection to HTTP, based on individual Provider implementation.
There is nothing that the RP can do to detect or prevent this.
A is thrown during discovery or authentication when a secure pipeline cannot be established.
Gets or sets a value indicating whether only OP Identifiers will be discoverable
when creating authentication requests.
Gets or sets the oldest version of OpenID the remote party is allowed to implement.
Defaults to
Gets or sets the maximum allowable age of the secret a Relying Party
uses to its return_to URLs and nonces with 1.0 Providers.
The default value is 7 days.
Gets or sets a value indicating whether all unsolicited assertions should be ignored.
The default value is false.
Gets or sets a value indicating whether delegating identifiers are refused for authentication.
The default value is false.
When set to true, login attempts that start at the RP or arrive via unsolicited
assertions will be rejected if discovery on the identifier shows that OpenID delegation
is used for the identifier. This is useful for an RP that should only accept identifiers
directly issued by the Provider that is sending the assertion.
Gets or sets a value indicating whether unsigned extensions in authentication responses should be ignored.
The default value is false.
When set to true, the methods
will not return any extension that was not signed by the Provider.
Gets or sets a value indicating whether authentication requests will only be
sent to Providers with whom we can create a shared association.
true to immediately fail authentication if an association with the Provider cannot be established; otherwise, false.
The default value is false.
Gets or sets a value indicating whether certain Claimed Identifiers that exploit
features that .NET does not have the ability to send exact HTTP requests for will
still be allowed by using an approximate HTTP request.
The default value is true.
Gets the set of trusted OpenID Provider Endpoint URIs.
Gets or sets a value indicating whether any login attempt coming from an OpenID Provider Endpoint that is not on this
whitelist of trusted OP Endpoints will be rejected. If the trusted providers list is empty and this value
is true, all assertions are rejected.
Default is false.
Gets or sets a value indicating whether special measures are taken to
protect users from replay attacks when those users' identities are hosted
by OpenID 1.x Providers.
The default value is true.
Nonces for protection against replay attacks were not mandated
by OpenID 1.x, which leaves users open to replay attacks.
This feature works by adding a signed nonce to the authentication request.
This might increase the request size beyond what some OpenID 1.1 Providers
(such as Blogger) are capable of handling.
The discovery service for URI identifiers.
Initializes a new instance of the class.
Performs discovery on the specified identifier.
The identifier to perform discovery on.
The means to place outgoing HTTP requests.
if set to true, no further discovery services will be called for this identifier.
A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.
Searches HTML for the HEAD META tags that describe OpenID provider services.
The final URL that provided this HTML document.
This may not be the same as (this) userSuppliedIdentifier if the
userSuppliedIdentifier pointed to a 301 Redirect.
The user supplied identifier.
The HTML that was downloaded and should be searched.
A sequence of any discovered ServiceEndpoints.
The discovery service for XRI identifiers that uses an XRI proxy resolver for discovery.
The magic URL that will provide us an XRDS document for a given XRI identifier.
We use application/xrd+xml instead of application/xrds+xml because it gets
xri.net to automatically give us exactly the right XRD element for community i-names
automatically, saving us having to choose which one to use out of the result.
The ssl=true parameter tells the proxy resolver to accept only SSL connections
when resolving community i-names.
Initializes a new instance of the class.
Performs discovery on the specified identifier.
The identifier to perform discovery on.
The means to place outgoing HTTP requests.
if set to true, no further discovery services will be called for this identifier.
A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.
Downloads the XRDS document for this XRI.
The identifier.
The request handler.
The XRDS document.
Gets the URL from which this XRI's XRDS document may be downloaded.
The identifier.
The URI to HTTP GET from to get the services.
A URI style of OpenID Identifier.
The allowed protocol schemes in a URI Identifier.
The special scheme to use for HTTP URLs that should not have their paths compressed.
The special scheme to use for HTTPS URLs that should not have their paths compressed.
The special scheme to use for HTTP URLs that should not have their paths compressed.
The special scheme to use for HTTPS URLs that should not have their paths compressed.
A value indicating whether scheme substitution is being used to workaround
.NET path compression that invalidates some OpenIDs that have trailing periods
in one of their path segments.
Initializes static members of the class.
This method attempts to workaround the .NET Uri class parsing bug described here:
https://connect.microsoft.com/VisualStudio/feedback/details/386695/system-uri-incorrectly-strips-trailing-dots?wa=wsignin1.0#tabs
since some identifiers (like some of the pseudonymous identifiers from Yahoo) include path segments
that end with periods, which the Uri class will typically trim off.
Initializes a new instance of the class.
The value this identifier will represent.
Initializes a new instance of the class.
The value this identifier will represent.
if set to true [require SSL discovery].
Initializes a new instance of the class.
The value this identifier will represent.
Initializes a new instance of the class.
The value this identifier will represent.
if set to true [require SSL discovery].
Converts a instance to a instance.
The identifier to convert to an ordinary instance.
The result of the conversion.
Converts a instance to a instance.
The instance to turn into a .
The result of the conversion.
Tests equality between this URI and another URI.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Returns the hash code of this XRI.
A hash code for the current .
Returns the string form of the URI.
A that represents the current .
Determines whether a URI is a valid OpenID Identifier (of any kind).
The URI to test for OpenID validity.
true if the identifier is valid; otherwise, false.
A valid URI is absolute (not relative) and uses an http(s) scheme.
Determines whether a URI is a valid OpenID Identifier (of any kind).
The URI to test for OpenID validity.
true if the identifier is valid; otherwise, false.
A valid URI is absolute (not relative) and uses an http(s) scheme.
Returns an that has no URI fragment.
Quietly returns the original if it is not
a or no fragment exists.
A new instance if there was a
fragment to remove, otherwise this same instance..
Converts a given identifier to its secure equivalent.
UriIdentifiers originally created with an implied HTTP scheme change to HTTPS.
Discovery is made to require SSL for the entire resolution process.
The newly created secure identifier.
If the conversion fails, retains
this identifiers identity, but will never discover any endpoints.
True if the secure conversion was successful.
False if the Identifier was originally created with an explicit HTTP scheme.
Determines whether the given URI is using a scheme in the list of allowed schemes.
The URI whose scheme is to be checked.
true if the scheme is allowed; otherwise, false.
false is also returned if is null.
Determines whether the given URI is using a scheme in the list of allowed schemes.
The URI whose scheme is to be checked.
true if the scheme is allowed; otherwise, false.
false is also returned if is null.
Tries to canonicalize a user-supplied identifier.
This does NOT convert a user-supplied identifier to a Claimed Identifier!
The user-supplied identifier.
The resulting canonical URI.
If set to true and the user-supplied identifier lacks a scheme, the "https://" scheme will be prepended instead of the standard "http://" one.
if set to true [scheme prepended].
true if the identifier was valid and could be canonicalized.
false if the identifier is outside the scope of allowed inputs and should be rejected.
Canonicalization is done by adding a scheme in front of an
identifier if it isn't already present. Other trivial changes that do not
require network access are also done, such as lower-casing the hostname in the URI.
Fixes up the scheme if appropriate.
The URI, already in legal form (with http(s):// prepended if necessary).
The resulting canonical URI.
true if the canonicalization was successful; false otherwise.
This does NOT standardize an OpenID URL for storage in a database, as
it does nothing to convert the URL to a Claimed Identifier, besides the fact
that it only deals with URLs whereas OpenID 2.0 supports XRIs.
For this, you should lookup the value stored in IAuthenticationResponse.ClaimedIdentifier.
Gets the special non-compressing scheme or URL for a standard scheme or URL.
The ordinary URL or scheme name.
The non-compressing equivalent scheme or URL for the given value.
Performs the minimal URL normalization to allow a string to be passed to the constructor.
The user-supplied identifier URI to normalize.
if set to true, a missing scheme should result in HTTPS being prepended instead of HTTP.
if set to true, the scheme was prepended during normalization.
The somewhat normalized URL.
Gets or sets a value indicating whether scheme substitution is being used to workaround
.NET path compression that invalidates some OpenIDs that have trailing periods
in one of their path segments.
Gets the URI this instance represents.
Gets a value indicating whether the scheme was missing when this
Identifier was created and added automatically as part of the
normalization process.
Gets a value indicating whether this Identifier has characters or patterns that
the class normalizes away and invalidating the Identifier.
A simple URI class that doesn't suffer from the parsing problems of the class.
URI characters that separate the URI Path from subsequent elements.
Initializes a new instance of the class.
The value.
Returns a that represents this instance.
A that represents this instance.
Determines whether the specified is equal to this instance.
The to compare with this instance.
true if the specified is equal to this instance; otherwise, false.
The parameter is null.
Returns a hash code for this instance.
A hash code for this instance, suitable for use in hashing algorithms and data structures like a hash table.
Normalizes the characters that are escaped in the given URI path.
The path to normalize.
The given path, with exactly those characters escaped which should be.
Gets the scheme.
The scheme.
Gets the authority.
The authority.
Gets the path of the URI.
The path from the URI.
Gets the query.
The query.
Gets the fragment.
The fragment.
A URI parser that does not compress paths, such as trimming trailing periods from path segments.
The field that stores the scheme that this parser is registered under.
The standard "http" or "https" scheme that this parser is subverting.
Initializes a new instance of the class.
The standard scheme that this parser will be subverting.
Initializes this parser with the actual scheme it should appear to be.
if set to true Uris using this scheme will look like they're using the original standard scheme.
Gets the scheme this parser is registered under.
The registered scheme.
An XRI style of OpenID Identifier.
The scheme and separator "xri://"
An XRI always starts with one of these symbols.
Backing store for the property.
Initializes a new instance of the class.
The string value of the XRI.
Initializes a new instance of the class.
The XRI that this Identifier will represent.
If set to true, discovery and the initial authentication redirect will
only succeed if it can be done entirely using SSL.
Tests equality between this XRI and another XRI.
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Returns the hash code of this XRI.
A hash code for the current .
Returns the canonical string form of the XRI.
A that represents the current .
Tests whether a given string represents a valid XRI format.
The value to test for XRI validity.
true if the given string constitutes a valid XRI; otherwise, false.
Returns an that has no URI fragment.
Quietly returns the original if it is not
a or no fragment exists.
A new instance if there was a
fragment to remove, otherwise this same instance..
XRI Identifiers never have a fragment part, and thus this method
always returns this same instance.
Converts a given identifier to its secure equivalent.
UriIdentifiers originally created with an implied HTTP scheme change to HTTPS.
Discovery is made to require SSL for the entire resolution process.
The newly created secure identifier.
If the conversion fails, retains
this identifiers identity, but will never discover any endpoints.
True if the secure conversion was successful.
False if the Identifier was originally created with an explicit HTTP scheme.
Takes any valid form of XRI string and returns the canonical form of the same XRI.
The xri to canonicalize.
The canonicalized form of the XRI.
The canonical form, per the OpenID spec, is no scheme and no whitespace on either end.
Gets the original XRI supplied to the constructor.
Gets the canonical form of the XRI string.
A strongly-typed resource class, for looking up localized strings, etc.
Returns the cached ResourceManager instance used by this class.
Overrides the current thread's CurrentUICulture property for all
resource lookups using this strongly typed resource class.
Looks up a localized string similar to XRI CanonicalID verification failed..
Looks up a localized string similar to Failure parsing XRDS document..
Looks up a localized string similar to The XRDS document for XRI {0} is missing the required CanonicalID element..
Looks up a localized string similar to Could not find XRI resolution Status tag or code attribute was invalid..
String constants for various content-type header values used in YADIS discovery.
The text/html content-type
The application/xhtml+xml content-type
The application/xrds+xml content-type
The text/xml content type
Contains the result of YADIS discovery.
The original web response, backed up here if the final web response is the preferred response to use
in case it turns out to not work out.
Initializes a new instance of the class.
The user-supplied identifier.
The initial response.
The final response.
Reverts to the HTML response after the XRDS response didn't work out.
Applies the HTML response to the object.
The initial response.
Gets the URI of the original YADIS discovery request.
This is the user supplied Identifier as given in the original
YADIS discovery request.
Gets the fully resolved (after redirects) URL of the user supplied Identifier.
This becomes the ClaimedIdentifier.
Gets the location the XRDS document was downloaded from, if different
from the user supplied Identifier.
Gets the Content-Type associated with the .
Gets the text in the final response.
This may be an XRDS document or it may be an HTML document,
as determined by the property.
Gets a value indicating whether the
represents an XRDS document. False if the response is an HTML document.
An HTML HEAD tag parser.
Common flags to use on regex tests.
A regular expression designed to select tags (?)
A regular expression designed to select start tags (?)
A regular expression designed to select attributes within a tag.
A regular expression designed to select the HEAD tag.
A regular expression designed to select the HTML tag.
A regular expression designed to remove all comments and scripts from a string.
Finds all the HTML HEAD tag child elements that match the tag name of a given type.
The HTML tag of interest.
The HTML to scan.
A sequence of the matching elements.
Filters a list of controls based on presence of an attribute.
The type of HTML controls being filtered.
The sequence.
The attribute.
A filtered sequence of attributes.
Generates a regular expression that will find a given HTML tag.
Name of the tag.
The close tags (?).
The created regular expression.
Generates a regular expression designed to find a given tag.
The tag to find.
The created regular expression.
The Service element in an XRDS document.
A node in an XRDS document.
The XRD namespace xri://$xrd*($v*2.0)
The XRDS namespace xri://$xrds
Initializes a new instance of the class.
The node represented by this instance.
The parent node.
Initializes a new instance of the class.
The document's root node, which this instance represents.
Gets the node.
Gets the parent node, or null if this is the root node.
Gets the XML namespace resolver to use in XPath expressions.
Initializes a new instance of the class.
The service element.
The parent.
Compares the current object with another object of the same type.
An object to compare with this object.
A 32-bit signed integer that indicates the relative order of the objects being compared. The return value has the following meanings:
Value
Meaning
Less than zero
This object is less than the parameter.
Zero
This object is equal to .
Greater than zero
This object is greater than .
Gets the XRD parent element.
Gets the priority.
Gets the URI child elements.
Gets the type child elements.
The type elements.
Gets the type child element's URIs.
Gets the OP Local Identifier.
The Type element in an XRDS document.
Initializes a new instance of the class.
The type element.
The parent.
Gets the URI.
The Uri element in an XRDS document.
Initializes a new instance of the class.
The URI element.
The service.
Compares the current object with another object of the same type.
An object to compare with this object.
A 32-bit signed integer that indicates the relative order of the objects being compared. The return value has the following meanings:
Value
Meaning
Less than zero
This object is less than the parameter.
Zero
This object is equal to .
Greater than zero
This object is greater than .
Gets the priority.
Gets the URI.
Gets the parent service.
The Xrd element in an XRDS document.
Initializes a new instance of the class.
The XRD element.
The parent.
Searches for service sub-elements that have Type URI sub-elements that match
one that we have for a known OpenID protocol version.
A function that selects what element of the OpenID Protocol we're interested in finding.
A sequence of service elements that match the search criteria, sorted in XRDS @priority attribute order.
Gets the child service elements.
The services.
Gets a value indicating whether this XRD element's resolution at the XRI resolver was successful.
true if this XRD's resolution was successful; otherwise, false.
Gets the canonical ID (i-number) for this element.
Gets a value indicating whether the was verified.
Gets the services for OP Identifiers.
Gets the services for Claimed Identifiers.
Gets the services that would be discoverable at an RP for return_to verification.
Gets the services that would be discoverable at an RP for the UI extension icon.
Gets an enumeration of all Service/URI elements, sorted in priority order.
Gets the XRI resolution status code.
An XRDS document.
The namespace used by XML digital signatures.
The namespace used by Google Apps for Domains for OpenID URI templates.
Initializes a new instance of the class.
The root node of the XRDS document.
Initializes a new instance of the class.
The Xml reader positioned at the root node of the XRDS document.
Initializes a new instance of the class.
The text that is the XRDS document.
Gets the XRD child elements of the document.
Gets a value indicating whether all child XRD elements were resolved successfully.
YADIS discovery manager.
The HTTP header to look for in responses to declare where the XRDS document should be found.
The maximum number of bytes to read from an HTTP response
in searching for a link to a YADIS document.
Gets or sets the cache that can be used for HTTP requests made during identifier discovery.
Performs YADIS discovery on some identifier.
The mechanism to use for sending HTTP requests.
The URI to perform discovery on.
Whether discovery should fail if any step of it is not encrypted.
The result of discovery on the given URL.
Null may be returned if an error occurs,
or if is true but part of discovery
is not protected by SSL.
Searches an HTML document for a
<meta http-equiv="X-XRDS-Location" content="{YadisURL}">
tag and returns the content of YadisURL.
The HTML to search.
The URI of the XRDS document if found; otherwise null.
Sends a YADIS HTTP request as part of identifier discovery.
The request handler to use to actually submit the request.
The URI to GET.
Whether only HTTPS URLs should ever be retrieved.
The value of the Accept HTTP header to include in the request.
The HTTP response retrieved from the request.
Determines whether a given HTTP response constitutes an XRDS document.
The response to test.
true if the response constains an XRDS document; otherwise, false.