DotNetOpenAuth.OpenId.RelyingParty
The COM interface describing the DotNetOpenAuth functionality available to
COM client OpenID relying parties.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Thrown if no OpenID endpoint could be found.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
A comma-delimited list of simple registration fields to request as optional.
A comma-delimited list of simple registration fields to request as required.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Thrown if no OpenID endpoint could be found.
Gets the result of a user agent's visit to his OpenId provider in an
authentication attempt. Null if no response is available.
The incoming request URL .
The form data that may have been included in the case of a POST request.
The Provider's response to a previous authentication request, or null if no response is present.
An Attribute Exchange and Simple Registration filter to make all incoming attribute
requests look like Simple Registration requests, and to convert the response
to the originally requested extension and format.
Initializes a new instance of the class.
Applies a well known set of security requirements to a default set of security settings.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when an authentication request is about to be sent.
The request.
Implementations should be prepared to be called multiple times on the same outgoing message
without malfunctioning.
Called when an incoming positive assertion is received.
The positive assertion.
Implements the Identity, Credential, & Access Management (ICAM) OpenID 2.0 Profile
for the General Services Administration (GSA).
Relying parties that include this profile are always held to the terms required by the profile,
but Providers are only affected by the special behaviors of the profile when the RP specifically
indicates that they want to use this profile.
Initializes a new instance of the class.
Applies a well known set of security requirements.
The security settings to enhance with the requirements of this profile.
Care should be taken to never decrease security when applying a profile.
Profiles should only enhance security requirements to avoid being
incompatible with each other.
Called when an authentication request is about to be sent.
The request.
Called when an incoming positive assertion is received.
The positive assertion.
The OpenID binding element responsible for reading/writing OpenID extensions
at the Relying Party.
The security settings that apply to this relying party, if it is a relying party.
Initializes a new instance of the class.
The extension factory.
The security settings.
The messaging channel for OpenID relying parties.
Initializes a new instance of the class.
The association store to use.
The nonce store to use.
The security settings to apply.
Initializes a new instance of the class.
The association store to use.
The nonce store to use.
An object that knows how to distinguish the various OpenID message types for deserialization purposes.
The security settings to apply.
A value indicating whether the channel is set up with no functional security binding elements.
A value indicating whether the channel is set up
with no functional security binding elements.
A new instance that will not perform verification on incoming messages or apply any security to outgoing messages.
A value of true allows the relying party to preview incoming
messages without invalidating nonces or checking signatures.
Setting this to true poses a great security risk and is only
present to support the OpenIdAjaxTextBox which needs to preview
messages, and will validate them later.
Initializes the binding elements.
The crypto key store.
The nonce store to use.
The security settings to apply. Must be an instance of either or ProviderSecuritySettings.
A value indicating whether the channel is set up with no functional security binding elements.
An array of binding elements which may be used to construct the channel.
Message factory for OpenID Relying Parties.
Analyzes an incoming request message payload to discover what kind of
message is embedded in it and returns the type, or null if no match is found.
The intended or actual recipient of the request message.
The name/value pairs that make up the message payload.
A newly instantiated -derived object that this message can
deserialize to. Null if the request isn't recognized as a valid protocol message.
Analyzes an incoming request message payload to discover what kind of
message is embedded in it and returns the type, or null if no match is found.
The message that was sent as a request that resulted in the response.
The name/value pairs that make up the message payload.
A newly instantiated -derived object that this message can
deserialize to. Null if the request isn't recognized as a valid protocol message.
Helps ensure compliance to some properties in the .
The security settings that are active on the relying party.
Initializes a new instance of the class.
The security settings.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the protection commonly offered (if any) by this binding element.
This value is used to assist in sorting binding elements in the channel stack.
The signing binding element for OpenID Relying Parties.
The association store used by Relying Parties to look up the secrets needed for signing.
Initializes a new instance of the class.
The association store used to look up the secrets needed for signing. May be null for dumb Relying Parties.
Gets a specific association referenced in a given message's association handle.
The signed message whose association handle should be used to lookup the association to return.
The referenced association; or null if such an association cannot be found.
Gets the association to use to sign or verify a message.
The message to sign or verify.
The association to use to sign or verify the message.
Verifies the signature by unrecognized handle.
The message.
The signed message.
The protections applied.
The applied protections.
This binding element adds a nonce to a Relying Party's outgoing
authentication request when working against an OpenID 1.0 Provider
in order to protect against replay attacks or on all authentication
requests to distinguish solicited from unsolicited assertions.
This nonce goes beyond the OpenID 1.x spec, but adds to security.
Since this library's Provider implementation also provides special nonce
protection for 1.0 messages, this security feature overlaps with that one.
This means that if an RP from this library were talking to an OP from this
library, but the Identifier being authenticated advertised the OP as a 1.x
OP, then both RP and OP might try to use a nonce for protecting the assertion.
There's no problem with that--it will still all work out. And it would be a
very rare combination of elements anyway.
This binding element deactivates itself for OpenID 2.0 (or later) messages
since they are automatically protected in the protocol by the Provider's
openid.response_nonce parameter. The exception to this is when
is
set to true, which will not only add a request nonce to every outgoing
authentication request but also require that it be present in positive
assertions, effectively disabling unsolicited assertions.
In the messaging stack, this binding element looks like an ordinary
transform-type of binding element rather than a protection element,
due to its required order in the channel stack and that it exists
only on the RP side and only on some messages.
The context within which return_to nonces must be unique -- they all go into the same bucket.
The length of the generated nonce's random part.
The nonce store that will allow us to recall which nonces we've seen before.
The security settings at the RP.
Backing field for the property.
Initializes a new instance of the class.
The nonce store to use.
The security settings of the RP.
Prepares a message for sending based on the rules of this channel binding element.
The message to prepare for sending.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Implementations that provide message protection must honor the
properties where applicable.
Performs any transformation on an incoming message that may be necessary and/or
validates an incoming message based on the rules of this channel binding element.
The incoming message to process.
The protections (if any) that this binding element applied to the message.
Null if this binding element did not even apply to this binding element.
Thrown when the binding element rules indicate that this message is invalid and should
NOT be processed.
Implementations that provide message protection must honor the
properties where applicable.
Determines whether a request nonce should be applied the request
or should be expected in the response.
The authentication request or the positive assertion response.
true if the message exchanged with an OpenID 1.x provider
or if unsolicited assertions should be rejected at the RP; otherwise false.
Gets or sets the channel that this binding element belongs to.
This property is set by the channel when it is first constructed.
Gets the protection offered (if any) by this binding element.
Gets the maximum message age from the standard expiration binding element.
A special DotNetOpenAuth-only nonce used by the RP when talking to 1.0 OPs in order
to protect against replay attacks.
The random bits generated for the nonce.
Initializes a new instance of the class.
The creation date of the nonce.
The random bits that help make the nonce unique.
Creates a new nonce.
The newly instantiated instance.
Deserializes a nonce from the return_to parameter.
The base64-encoded value of the nonce.
The instantiated and initialized nonce.
Serializes the entire nonce for adding to the return_to URL.
The base64-encoded string representing the nonce.
Gets the creation date.
Gets the random part of the nonce as a base64 encoded string.
A set of methods designed to assist in improving interop across different
OpenID implementations and their extensions.
Adds an Attribute Exchange (AX) extension to the authentication request
that asks for the same attributes as the Simple Registration (sreg) extension
that is already applied.
The authentication request.
The attribute formats to use in the AX request.
If discovery on the user-supplied identifier yields hints regarding which
extensions and attribute formats the Provider supports, this method MAY ignore the
argument and accomodate the Provider to minimize
the size of the request.
If the request does not carry an sreg extension, the method logs a warning but
otherwise quietly returns doing nothing.
Looks for Simple Registration and Attribute Exchange (all known formats)
response extensions and returns them as a Simple Registration extension.
The authentication response.
if set to true unsigned extensions will be included in the search.
The Simple Registration response if found,
or a fabricated one based on the Attribute Exchange extension if found,
or just an empty if there was no data.
Never null.
Gets the attribute value if available.
The AX fetch response extension to look for the attribute value.
The type URI of the attribute, using the axschema.org format of .
The AX type URI formats to search.
The first value of the attribute, if available.
Tries to find the exact format of AX attribute Type URI supported by the Provider.
The authentication request.
The attribute formats the RP will try if this discovery fails.
The AX format(s) to use based on the Provider's advertised AX support.
The discovery service to support host-meta based discovery, such as Google Apps for Domains.
The spec for this discovery mechanism can be found at:
http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains
and the XMLDSig spec referenced in that spec can be found at:
http://wiki.oasis-open.org/xri/XrdOne/XmlDsigProfile
Path to the well-known location of the host-meta document at a domain.
The URI template for discovery host-meta on domains hosted by
Google Apps for Domains.
The pattern within a host-meta file to look for to obtain the URI to the XRDS document.
A set of certificate thumbprints that have been verified.
Initializes a new instance of the class.
Performs discovery on the specified identifier.
The identifier to perform discovery on.
The means to place outgoing HTTP requests.
if set to true, no further discovery services will be called for this identifier.
A sequence of service endpoints yielded by discovery. Must not be null, but may be empty.
Gets the XRD elements that have a given CanonicalID.
The XRDS document.
The CanonicalID to match on.
A sequence of XRD elements.
Gets the described-by services in XRD elements.
The XRDs to search.
A sequence of services.
Gets the services for an identifier that are described by an external XRDS document.
The XRD elements to search for described-by services.
The identifier under discovery.
The request handler.
The discovered services.
Validates the XML digital signature on an XRDS document.
The XRDS document whose signature should be validated.
The identifier under discovery.
The response.
The host name on the certificate that should be used to verify the signature in the XRDS.
Thrown if the XRDS document has an invalid or a missing signature.
Verifies the cert chain.
The certs.
This must be in a method of its own because there is a LinkDemand on the
method. By being in a method of its own, the caller of this method may catch a
that is thrown if we're not running with full trust and execute
an alternative plan.
Thrown if the certificate chain is invalid or unverifiable.
Gets the XRDS HTTP response for a given identifier.
The identifier.
The request handler.
The location of the XRDS document to retrieve.
A HTTP response carrying an XRDS document.
Thrown if the XRDS document could not be obtained.
Verifies that a certificate chain is trusted.
The chain of certificates to verify.
Gets the XRDS HTTP response for a given identifier.
The identifier.
The request handler.
The host name on the certificate that should be used to verify the signature in the XRDS.
A HTTP response carrying an XRDS document, or null if one could not be obtained.
Thrown if the XRDS document could not be obtained.
Gets the location of the XRDS document that describes a given identifier.
The identifier under discovery.
The request handler.
The host name on the certificate that should be used to verify the signature in the XRDS.
An absolute URI, or null if one could not be determined.
Gets the host-meta for a given identifier.
The identifier.
The request handler.
The host name on the certificate that should be used to verify the signature in the XRDS.
The host-meta response, or null if no host-meta document could be obtained.
Gets the URIs authorized to host host-meta documents on behalf of a given domain.
The identifier.
A sequence of URIs that MAY provide the host-meta for a given identifier.
Gets the set of URI templates to use to contact host-meta hosting proxies
for domain discovery.
Gets or sets a value indicating whether to trust Google to host domains' host-meta documents.
This property is just a convenient mechanism for checking or changing the set of
trusted host-meta proxies in the property.
A description of a web server that hosts host-meta documents.
Initializes a new instance of the class.
The proxy formatting string.
The signing host formatting string.
Gets the absolute proxy URI.
The identifier being discovered.
The an absolute URI.
Gets the signing host URI.
The identifier being discovered.
A host name.
Determines whether the specified is equal to the current .
The to compare with the current .
true if the specified is equal to the current ; otherwise, false.
The parameter is null.
Serves as a hash function for a particular type.
A hash code for the current .
Gets the URL of the host-meta proxy.
The absolute proxy URL, which may include {0} to be replaced with the host of the identifier to be discovered.
Gets the formatting string to determine the expected host name on the certificate
that is expected to be used to sign the XRDS document.
Either a string literal, or a formatting string where these placeholders may exist:
{0} the host on the identifier discovery was originally performed on;
{1} the host on this proxy.
The COM type used to provide details of an authentication result to a relying party COM client.
The response read in by the Relying Party.
Initializes a new instance of the class.
The response.
Gets an Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the provider endpoint that sent the assertion.
Gets a value indicating whether the authentication attempt succeeded.
Gets the Simple Registration response.
Gets details regarding a failed authentication attempt, if available.
A struct storing Simple Registration field values describing an
authenticating user.
The Simple Registration claims response message that this shim wraps.
Initializes a new instance of the class.
The Simple Registration response to wrap.
Gets the nickname the user goes by.
Gets the user's email address.
Gets the full name of a user as a single string.
Gets the raw birth date string given by the extension.
A string in the format yyyy-MM-dd.
Gets the gender of the user.
Gets the zip code / postal code of the user.
Gets the country of the user.
Gets the primary/preferred language of the user.
Gets the user's timezone.
Implementation of , providing a subset of the
functionality available to .NET clients.
The OpenIdRelyingParty instance to use for requests.
Initializes static members of the class.
Initializes a new instance of the class.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Thrown if no OpenID endpoint could be found.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
A comma-delimited list of simple registration fields to request as optional.
A comma-delimited list of simple registration fields to request as required.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Thrown if no OpenID endpoint could be found.
Gets the result of a user agent's visit to his OpenId provider in an
authentication attempt. Null if no response is available.
The incoming request URL.
The form data that may have been included in the case of a POST request.
The Provider's response to a previous authentication request, or null if no response is present.
The successful Diffie-Hellman association response message.
Association response messages are described in OpenID 2.0 section 8.2. This type covers section 8.2.3.
A successful association response as it is received by the relying party.
Called to create the Association based on a request previously given by the Relying Party.
The prior request for an association.
The created association.
Initializes a new instance of the class.
The OpenID version of the response message.
The originating request.
Creates the association at relying party side after the association response has been received.
The original association request that was already sent and responded to.
The newly created association.
The resulting association is not added to the association store and must be done by the caller.
Utility methods for requesting associations from the relying party.
Creates an association request message that is appropriate for a given Provider.
The set of requirements the selected association type must comply to.
The provider to create an association with.
The message to send to the Provider to request an association.
Null if no association could be created that meet the security requirements
and the provider OpenID version.
Creates an association request message that is appropriate for a given Provider.
The set of requirements the selected association type must comply to.
The provider to create an association with.
Type of the association.
Type of the session.
The message to send to the Provider to request an association.
Null if no association could be created that meet the security requirements
and the provider OpenID version.
Code contract for the interface.
Checks the message state for conformity to the protocol specification
and throws an exception if the message is invalid.
Thrown if the message is invalid.
Called to create the Association based on a request previously given by the Relying Party.
The prior request for an association.
The created association.
Gets the level of protection this message requires.
Gets a value indicating whether this is a direct or indirect message.
Gets the version of the protocol or extension this message is prepared to implement.
Gets the extra, non-standard Protocol parameters included in the message.
A response to an unencrypted assocation request, as it is received by the relying party.
Initializes a new instance of the class.
The version.
The request.
Called to create the Association based on a request previously given by the Relying Party.
The prior request for an association.
The created association.
Wraps a standard so that it behaves as an association store.
Stores s for lookup by their handle, keeping
associations separated by a given OP Endpoint.
Expired associations should be periodically cleared out of an association store.
This should be done frequently enough to avoid a memory leak, but sparingly enough
to not be a performance drain. Because this balance can vary by host, it is the
responsibility of the host to initiate this cleaning.
Saves an for later recall.
The OP Endpoint with which the association is established.
The association to store.
If the new association conflicts (in OP endpoint and association handle) with an existing association,
(which should never happen by the way) implementations may overwrite the previously saved association.
Gets the best association (the one with the longest remaining life) for a given key.
The OP Endpoint with which the association is established.
The security requirements that the returned association must meet.
The requested association, or null if no unexpired s exist for the given key.
In the event that multiple associations exist for the given
, it is important for the
implementation for this method to use the
to pick the best (highest grade or longest living as the host's policy may dictate)
association that fits the security requirements.
Associations that are returned that do not meet the security requirements will be
ignored and a new association created.
Gets the association for a given key and handle.
The OP Endpoint with which the association is established.
The handle of the specific association that must be recalled.
The requested association, or null if no unexpired s exist for the given key and handle.
Removes a specified handle that may exist in the store.
The OP Endpoint with which the association is established.
The handle of the specific association that must be deleted.
Deprecated. The return value is insignificant.
Previously: True if the association existed in this store previous to this call.
No exception should be thrown if the association does not exist in the store
before this call.
The underlying key store.
Initializes a new instance of the class.
The key store.
Saves an for later recall.
The OP Endpoint with which the association is established.
The association to store.
Gets the best association (the one with the longest remaining life) for a given key.
The OP Endpoint with which the association is established.
The security requirements that the returned association must meet.
The requested association, or null if no unexpired s exist for the given key.
Gets the association for a given key and handle.
The OP Endpoint with which the association is established.
The handle of the specific association that must be recalled.
The requested association, or null if no unexpired s exist for the given key and handle.
Removes a specified handle that may exist in the store.
The OP Endpoint with which the association is established.
The handle of the specific association that must be deleted.
True if the association existed in this store previous to this call.
Constants used in implementing support for the UI extension.
Gets the window.open javascript snippet to use to open a popup window
compliant with the UI extension.
The relying party.
The authentication request to place in the window.
The name to assign to the popup window.
A string starting with 'window.open' and forming just that one method call.
Code Contract for the class.
Saves an for later recall.
The Uri (for relying parties) or Smart/Dumb (for providers).
The association to store.
TODO: what should implementations do on association handle conflict?
Gets the best association (the one with the longest remaining life) for a given key.
The Uri (for relying parties) or Smart/Dumb (for Providers).
The security requirements that the returned association must meet.
The requested association, or null if no unexpired s exist for the given key.
In the event that multiple associations exist for the given
, it is important for the
implementation for this method to use the
to pick the best (highest grade or longest living as the host's policy may dictate)
association that fits the security requirements.
Associations that are returned that do not meet the security requirements will be
ignored and a new association created.
Gets the association for a given key and handle.
The Uri (for relying parties) or Smart/Dumb (for Providers).
The handle of the specific association that must be recalled.
The requested association, or null if no unexpired s exist for the given key and handle.
Removes a specified handle that may exist in the store.
The Uri (for relying parties) or Smart/Dumb (for Providers).
The handle of the specific association that must be deleted.
True if the association existed in this store previous to this call.
No exception should be thrown if the association does not exist in the store
before this call.
A dictionary of handle/Association pairs.
Each method is locked, even if it is only one line, so that they are thread safe
against each other, particularly the ones that enumerate over the list, since they
can break if the collection is changed by another thread during enumeration.
The lookup table where keys are the association handles and values are the associations themselves.
Initializes a new instance of the class.
Stores an in the collection.
The association to add to the collection.
Returns the with the given handle. Null if not found.
The handle to the required association.
The desired association, or null if none with the given handle could be found.
Removes the with the given handle.
The handle to the required association.
Whether an with the given handle was in the collection for removal.
Removes all expired associations from the collection.
Gets the s ordered in order of descending issue date
(most recently issued comes first). An empty sequence if no valid associations exist.
This property is used by relying parties that are initiating authentication requests.
It does not apply to Providers, which always need a specific association by handle.
Manages the establishment, storage and retrieval of associations at the relying party.
The storage to use for saving and retrieving associations. May be null.
Backing field for the property.
Backing field for the property.
Initializes a new instance of the class.
The channel the relying party is using.
The association store. May be null for dumb mode relying parties.
The security settings.
Gets an association between this Relying Party and a given Provider
if it already exists in the association store.
The provider to create an association with.
The association if one exists and has useful life remaining. Otherwise null.
Gets an existing association with the specified Provider, or attempts to create
a new association of one does not already exist.
The provider to get an association for.
The existing or new association; null if none existed and one could not be created.
Creates a new association with a given Provider.
The provider to create an association with.
The newly created association, or null if no association can be created with
the given Provider given the current security settings.
A new association is created and returned even if one already exists in the
association store.
Any new association is automatically added to the .
Creates a new association with a given Provider.
The provider to create an association with.
The associate request. May be null, which will always result in a null return value..
The number of times to try the associate request again if the Provider suggests it.
The newly created association, or null if no association can be created with
the given Provider given the current security settings.
Gets or sets the channel to use for establishing associations.
The channel.
Gets or sets the security settings to apply in choosing association types to support.
Gets a value indicating whether this instance has an association store.
true if the relying party can act in 'smart' mode;
false if the relying party must always act in 'dumb' mode.
Gets the storage to use for saving and retrieving associations. May be null.
Preferences regarding creation and use of an association between a relying party
and provider for authentication.
Indicates that an association should be created for use in authentication
if one has not already been established between the relying party and the
selected provider.
Even with this value, if an association attempt fails or the relying party
has no application store to recall associations, the authentication may
proceed without an association.
Indicates that an association should be used for authentication only if
it happens to already exist.
Indicates that an authentication attempt should NOT use an OpenID association
between the relying party and the provider, even if an association was previously
created.
Facilitates customization and creation and an authentication request
that a Relying Party is preparing to send.
The name of the internal callback parameter to use to store the user-supplied identifier.
The relying party that created this request object.
How an association may or should be created or used in the formulation of the
authentication request.
The extensions that have been added to this authentication request.
Arguments to add to the return_to part of the query string, so that
these values come back to the consumer when the user agent returns.
A value indicating whether the return_to callback arguments must be signed.
This field defaults to false, but is set to true as soon as the first callback argument
is added that indicates it must be signed. At which point, all arguments are signed
even if individual ones did not need to be.
Initializes a new instance of the class.
The endpoint that describes the OpenID Identifier and Provider that will complete the authentication.
The realm, or root URL, of the host web site.
The base return_to URL that the Provider should return the user to to complete authentication. This should not include callback parameters as these should be added using the method.
The relying party that created this instance.
Makes a dictionary of key/value pairs available when the authentication is completed.
The arguments to add to the request's return_to URI.
Note that these values are NOT protected against eavesdropping in transit. No
privacy-sensitive data should be stored using this method.
The values stored here can be retrieved using
, which will only return the value
if it hasn't been tampered with in transit.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed.
The parameter name.
The value of the argument.
Note that these values are NOT protected against eavesdropping in transit. No
privacy-sensitive data should be stored using this method.
The value stored here can be retrieved using
, which will only return the value
if it hasn't been tampered with in transit.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed.
The parameter name.
The value of the argument. Must not be null.
Note that these values are NOT protected against tampering in transit. No
security-sensitive data should be stored using this method.
The value stored here can be retrieved using
.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Makes a key/value pair available when the authentication is completed without
requiring a return_to signature to protect against tampering of the callback argument.
The parameter name.
The value of the argument. Must not be null.
Note that these values are NOT protected against eavesdropping or tampering in transit. No
security-sensitive data should be stored using this method.
The value stored here can be retrieved using
.
Since the data set here is sent in the querystring of the request and some
servers place limits on the size of a request URL, this data should be kept relatively
small to ensure successful authentication. About 1.5KB is about all that should be stored.
Adds an OpenID extension to the request directed at the OpenID provider.
The initialized extension to add to the request.
Redirects the user agent to the provider for authentication.
This method requires an ASP.NET HttpContext.
Performs identifier discovery, creates associations and generates authentication requests
on-demand for as long as new ones can be generated based on the results of Identifier discovery.
The user supplied identifier.
The relying party.
The realm.
The return_to base URL.
if set to true, associations that do not exist between this Relying Party and the asserting Providers are created before the authentication request is created.
A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier.
Never null, but may be empty.
Creates an instance of FOR TESTING PURPOSES ONLY.
The discovery result.
The realm.
The return to.
The relying party.
The instantiated .
Creates the request message to send to the Provider,
based on the properties in this instance.
The message to send to the Provider.
Performs deferred request generation for the method.
The user supplied identifier.
The relying party.
The realm.
The return_to base URL.
The discovered service endpoints on the Claimed Identifier.
if set to true, associations that do not exist between this Relying Party and the asserting Providers are created before the authentication request is created.
A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier.
Never null, but may be empty.
All data validation and cleansing steps must have ALREADY taken place
before calling this method.
Returns a filtered and sorted list of the available OP endpoints for a discovered Identifier.
The endpoints.
The relying party.
A filtered and sorted list of endpoints; may be empty if the input was empty or the filter removed all endpoints.
Creates the request message to send to the Provider,
based on the properties in this instance.
The message to send to the Provider.
Gets the association to use for this authentication request.
The association to use; null to use 'dumb mode'.
Gets or sets the mode the Provider should use during authentication.
Gets the HTTP response the relying party should send to the user agent
to redirect it to the OpenID Provider to start the OpenID authentication process.
Gets the URL that the user agent will return to after authentication
completes or fails at the Provider.
Gets the URL that identifies this consumer web application that
the Provider will display to the end user.
Gets the Claimed Identifier that the User Supplied Identifier
resolved to. Null if the user provided an OP Identifier
(directed identity).
Null is returned if the user is using the directed identity feature
of OpenID 2.0 to make it nearly impossible for a relying party site
to improperly store the reserved OpenID URL used for directed identity
as a user's own Identifier.
However, to test for the Directed Identity feature, please test the
property rather than testing this
property for a null value.
Gets a value indicating whether the authenticating user has chosen to let the Provider
determine and send the ClaimedIdentifier after authentication.
Gets or sets a value indicating whether this request only carries extensions
and is not a request to verify that the user controls some identifier.
true if this request is merely a carrier of extensions and is not
about an OpenID identifier; otherwise, false.
Gets information about the OpenId Provider, as advertised by the
OpenId discovery documents found at the
location.
Gets the discovery result leading to the formulation of this request.
The discovery result.
Gets or sets how an association may or should be created or used
in the formulation of the authentication request.
Gets the extensions that have been added to the request.
Gets the list of extensions for this request.
An authentication request comparer that judges equality solely on the OP endpoint hostname.
The singleton instance of this comparer.
Prevents a default instance of the class from being created.
Determines whether the specified objects are equal.
The first object to compare.
The second object to compare.
true if the specified objects are equal; otherwise, false.
Returns a hash code for the specified object.
The for which a hash code is to be returned.
A hash code for the specified object.
The type of is a reference type and is null.
Gets the singleton instance of this comparer.
Wraps a negative assertion response in an instance
for public consumption by the host web site.
An interface to expose useful properties and functionality for handling
authentication responses that are returned from Immediate authentication
requests that require a subsequent request to be made in non-immediate mode.
Gets the to pass to
in a subsequent authentication attempt.
The negative assertion message that was received by the RP that was used
to create this instance.
Initializes a new instance of the class.
The negative assertion response received by the Relying Party.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
This may return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
This MAY return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
Gets the to pass to
in a subsequent authentication attempt.
Wraps an extension-only response from the OP in an instance
for public consumption by the host web site.
Backin field for the property.
Information about the OP endpoint that issued this assertion.
Initializes a new instance of the class.
The response message.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available if they are complete and untampered with
since the original request message (as proven by a signature).
If the relying party is operating in stateless mode null is always
returned since the callback arguments could not be signed to protect against
tampering.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available if they are complete and untampered with
since the original request message (as proven by a signature).
If the relying party is operating in stateless mode an empty dictionary is always
returned since the callback arguments could not be signed to protect against
tampering.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available if they are complete and untampered with
since the original request message (as proven by a signature).
If the relying party is operating in stateless mode an empty dictionary is always
returned since the callback arguments could not be signed to protect against
tampering.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
Gets a value indicating whether trusted callback arguments are available.
We use this internally to avoid logging a warning during a standard snapshot creation.
Gets the positive extension-only message the Relying Party received that this instance wraps.
Wraps a positive assertion response in an instance
for public consumption by the host web site.
Initializes a new instance of the class.
The positive assertion response that was just received by the Relying Party.
The relying party.
Verifies that the positive assertion data matches the results of
discovery on the Claimed Identifier.
The relying party.
Thrown when the Provider is asserting that a user controls an Identifier
when discovery on that Identifier contradicts what the Provider says.
This would be an indication of either a misconfigured Provider or
an attempt by someone to spoof another user's identity with a rogue Provider.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets the OpenID service endpoint reconstructed from the assertion message.
This information is straight from the Provider, and therefore must not
be trusted until verified as matching the discovery information for
the claimed identifier to avoid a Provider asserting an Identifier
for which it has no authority.
Gets the positive assertion response message.
Wraps a failed authentication response in an instance
for public consumption by the host web site.
Initializes a new instance of the class.
The exception that resulted in the failed authentication.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
This MAY return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
This may return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
Code contract class for the type.
Initializes a new instance of the class.
Gets the to pass to
in a subsequent authentication attempt.
A delegate that decides whether a given OpenID Provider endpoint may be
considered for authenticating a user.
The endpoint for consideration.
True if the endpoint should be considered.
False to remove it from the pool of acceptable providers.
Provides the programmatic facilities to act as an OpenID relying party.
The name of the key to use in the HttpApplication cache to store the
instance of to use.
Backing store for the property.
The discovery services to use for identifiers.
Backing field for the property.
The lock to obtain when initializing the member.
A dictionary of extension response types and the javascript member
name to map them to on the user agent.
Backing field for the property.
Backing store for the property.
Backing field for the property.
Initializes a new instance of the class.
Initializes a new instance of the class.
The application store. If null, the relying party will always operate in "stateless/dumb mode".
Initializes a new instance of the class.
The association store. If null, the relying party will always operate in "stateless/dumb mode".
The nonce store to use. If null, the relying party will always operate in "stateless/dumb mode".
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
An authentication request object to customize the request and generate
an object to send to the user agent to initiate the authentication.
Thrown if no OpenID endpoint could be found.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Requires an HttpContext.Current context.
Thrown if no OpenID endpoint could be found.
Thrown if HttpContext.Current == null.
Creates an authentication request to verify that a user controls
some given Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
An authentication request object that describes the HTTP response to
send to the user agent to initiate the authentication.
Requires an HttpContext.Current context.
Thrown if no OpenID endpoint could be found.
Thrown if HttpContext.Current == null.
Generates the authentication requests that can satisfy the requirements of some OpenID Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
The URL of the login page, or the page prepared to receive authentication
responses from the OpenID Provider.
A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier.
Never null, but may be empty.
Any individual generated request can satisfy the authentication.
The generated requests are sorted in preferred order.
Each request is generated as it is enumerated to. Associations are created only as
is called.
No exception is thrown if no OpenID endpoints were discovered.
An empty enumerable is returned instead.
Generates the authentication requests that can satisfy the requirements of some OpenID Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
The shorest URL that describes this relying party web site's address.
For example, if your login page is found at https://www.example.com/login.aspx,
your realm would typically be https://www.example.com/.
A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier.
Never null, but may be empty.
Any individual generated request can satisfy the authentication.
The generated requests are sorted in preferred order.
Each request is generated as it is enumerated to. Associations are created only as
is called.
No exception is thrown if no OpenID endpoints were discovered.
An empty enumerable is returned instead.
Requires an HttpContext.Current context.
Thrown if HttpContext.Current == null.
Generates the authentication requests that can satisfy the requirements of some OpenID Identifier.
The Identifier supplied by the user. This may be a URL, an XRI or i-name.
A sequence of authentication requests, any of which constitutes a valid identity assertion on the Claimed Identifier.
Never null, but may be empty.
Any individual generated request can satisfy the authentication.
The generated requests are sorted in preferred order.
Each request is generated as it is enumerated to. Associations are created only as
is called.
No exception is thrown if no OpenID endpoints were discovered.
An empty enumerable is returned instead.
Requires an HttpContext.Current context.
Thrown if HttpContext.Current == null.
Gets an authentication response from a Provider.
The processed authentication response if there is any; null otherwise.
Requires an HttpContext.Current context.
Gets an authentication response from a Provider.
The HTTP request that may be carrying an authentication response from the Provider.
The processed authentication response if there is any; null otherwise.
Processes the response received in a popup window or iframe to an AJAX-directed OpenID authentication.
The HTTP response to send to this HTTP request.
Requires an HttpContext.Current context.
Processes the response received in a popup window or iframe to an AJAX-directed OpenID authentication.
The incoming HTTP request that is expected to carry an OpenID authentication response.
The HTTP response to send to this HTTP request.
Allows an OpenID extension to read data out of an unverified positive authentication assertion
and send it down to the client browser so that Javascript running on the page can perform
some preprocessing on the extension data.
The extension response type that will read data from the assertion.
The property name on the openid_identifier input box object that will be used to store the extension data. For example: sreg
This method should be called before .
Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.
Determines whether some parameter name belongs to OpenID or this library
as a protocol or internal parameter name.
Name of the parameter.
true if the named parameter is a library- or protocol-specific parameter; otherwise, false.
Creates a relying party that does not verify incoming messages against
nonce or association stores.
The instantiated .
Useful for previewing messages while
allowing them to be fully processed and verified later.
Processes the response received in a popup window or iframe to an AJAX-directed OpenID authentication.
The incoming HTTP request that is expected to carry an OpenID authentication response.
The callback fired after the response status has been determined but before the Javascript response is formulated.
The HTTP response to send to this HTTP request.
Performs discovery on the specified identifier.
The identifier to discover services for.
A non-null sequence of services discovered for the identifier.
Checks whether a given OP Endpoint is permitted by the host relying party.
The OP endpoint.
true if the OP Endpoint is allowed; false otherwise.
Releases unmanaged and - optionally - managed resources
true to release both managed and unmanaged resources; false to release only unmanaged resources.
Invokes a method on a parent frame or window and closes the calling popup window if applicable.
The method to call on the parent window, including
parameters. (i.e. "callback('arg1', 2)"). No escaping is done by this method.
The entire HTTP response to send to the popup window or iframe to perform the invocation.
Called by derived classes when behaviors are added or removed.
The collection being modified.
The instance containing the event data.
Gets an XRDS sorting routine that uses the XRDS Service/@Priority
attribute to determine order.
Endpoints lacking any priority value are sorted to the end of the list.
Gets the standard state storage mechanism that uses ASP.NET's
HttpApplication state dictionary to store associations and nonces.
Gets or sets the channel to use for sending/receiving messages.
Gets the security settings used by this Relying Party.
Gets the security settings.
Gets or sets the optional Provider Endpoint filter to use.
Provides a way to optionally filter the providers that may be used in authenticating a user.
If provided, the delegate should return true to accept an endpoint, and false to reject it.
If null, all identity providers will be accepted. This is the default.
Gets or sets the ordering routine that will determine which XRDS
Service element to try first
Default is .
This may never be null. To reset to default behavior this property
can be set to the value of .
Gets the extension factories.
Gets a list of custom behaviors to apply to OpenID actions.
Adding behaviors can impact the security settings of this
instance in ways that subsequently removing the behaviors will not reverse.
Gets the list of services that can perform discovery on identifiers given to this relying party.
Gets the web request handler to use for discovery and the part of
authentication where direct messages are sent to an untrusted remote party.
Gets a value indicating whether this Relying Party can sign its return_to
parameter in outgoing authentication requests.
Gets the web request handler to use for discovery and the part of
authentication where direct messages are sent to an untrusted remote party.
Gets the association manager.
Gets the instance used to process authentication responses
without verifying the assertion or consuming nonces.
A serializable snapshot of a verified authentication message.
The callback arguments that came with the authentication response.
The untrusted callback arguments that came with the authentication response.
Initializes a new instance of the class.
The authentication response to copy from.
Tries to get an OpenID extension that may be present in the response.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned only if the Provider signed them.
Relying parties that do not care if the values were modified in
transit should use the method
in order to allow the Provider to not sign the extension.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response, without
requiring it to be signed by the Provider.
The type of extension to look for in the response message.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Tries to get an OpenID extension that may be present in the response.
Type of the extension to look for in the response.
The extension, if it is found. Null otherwise.
Extensions are returned whether they are signed or not.
Use the method to retrieve
extension responses only if they are signed by the Provider to
protect against tampering.
Unsigned extensions are completely unreliable and should be
used only to prefill user forms since the user or any other third
party may have tampered with the data carried by the extension.
Signed extensions are only reliable if the relying party
trusts the OpenID Provider that signed them. Signing does not mean
the relying party can trust the values -- it only means that the values
have not been tampered with since the Provider sent the message.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
This MAY return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets all the callback arguments that were previously added using
or as a natural part
of the return_to URL.
A name-value dictionary. Never null.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
This may return any argument on the querystring that came with the authentication response,
which may include parameters not explicitly added using
.
Note that these values are NOT protected against tampering in transit.
Gets a callback argument's value that was previously added using
.
The name of the parameter whose value is sought.
The value of the argument, or null if the named parameter could not be found.
Callback parameters are only available even if the RP is in stateless mode,
or the callback parameters are otherwise unverifiable as untampered with.
Therefore, use this method only when the callback argument is not to be
used to make a security-sensitive decision.
Gets the Identifier that the end user claims to own. For use with user database storage and lookup.
May be null for some failed authentications (i.e. failed directed identity authentications).
This is the secure identifier that should be used for database storage and lookup.
It is not always friendly (i.e. =Arnott becomes =!9B72.7DD1.50A9.5CCD), but it protects
user identities against spoofing and other attacks.
For user-friendly identifiers to display, use the
property.
Gets a user-friendly OpenID Identifier for display purposes ONLY.
This should be put through before
sending to a browser to secure against javascript injection attacks.
This property retains some aspects of the user-supplied identifier that get lost
in the . For example, XRIs used as user-supplied
identifiers (i.e. =Arnott) become unfriendly unique strings (i.e. =!9B72.7DD1.50A9.5CCD).
For display purposes, such as text on a web page that says "You're logged in as ...",
this property serves to provide the =Arnott string, or whatever else is the most friendly
string close to what the user originally typed in.
If the user-supplied identifier is a URI, this property will be the URI after all
redirects, and with the protocol and fragment trimmed off.
If the user-supplied identifier is an XRI, this property will be the original XRI.
If the user-supplied identifier is an OpenID Provider identifier (i.e. yahoo.com),
this property will be the Claimed Identifier, with the protocol stripped if it is a URI.
It is very important that this property never be used for database storage
or lookup to avoid identity spoofing and other security risks. For database storage
and lookup please use the property.
Gets the detailed success or failure status of the authentication attempt.
Gets information about the OpenId Provider, as advertised by the
OpenID discovery documents found at the
location.
The Provider endpoint that issued the positive assertion;
or null if information about the Provider is unavailable.
Gets the details regarding a failed authentication attempt, if available.
This will be set if and only if is .
A very simple IXrdsProviderEndpoint implementation for verifying that all positive
assertions (particularly unsolicited ones) are received from OP endpoints that
are deemed permissible by the host RP.
Initializes a new instance of the class.
The positive assertion.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Checks whether the OpenId Identifier claims support for a given extension.
The extension whose support is being queried.
True if support for the extension is advertised. False otherwise.
Note that a true or false return value is no guarantee of a Provider's
support for or lack of support for an extension. The return value is
determined by how the authenticating user filled out his/her XRDS document only.
The only way to be sure of support for a given extension is to include
the extension in the request and see if a response comes back for that extension.
Gets the detected version of OpenID implemented by the Provider.
Gets the URL that the OpenID Provider receives authentication requests at.
An in-memory store for Relying Parties, suitable for single server, single process
ASP.NET web sites.
The nonce store to use.
The association store to use.
Initializes a new instance of the class.
Gets the key in a given bucket and handle.
The bucket name. Case sensitive.
The key handle. Case sensitive.
The cryptographic key, or null if no matching key was found.
Gets a sequence of existing keys within a given bucket.
The bucket name. Case sensitive.
A sequence of handles and keys, ordered by descending .
Stores a cryptographic key.
The name of the bucket to store the key in. Case sensitive.
The handle to the key, unique within the bucket. Case sensitive.
The key to store.
Thrown in the event of a conflict with an existing key in the same bucket and with the same handle.
Removes the key.
The bucket name. Case sensitive.
The key handle. Case sensitive.
Stores a given nonce and timestamp.
The context, or namespace, within which the must be unique.
A series of random characters.
The timestamp that together with the nonce string make it unique.
The timestamp may also be used by the data store to clear out old nonces.
True if the nonce+timestamp (combination) was not previously in the database.
False if the nonce was stored previously with the same timestamp.
The nonce must be stored for no less than the maximum time window a message may
be processed within before being discarded as an expired message.
If the binding element is applicable to your channel, this expiration window
is retrieved or set using the
property.
Common OpenID Provider Identifiers.
The Yahoo OP Identifier.
The Google OP Identifier.
The MyOpenID OP Identifier.
The Verisign OP Identifier.
The MyVidoop OP Identifier.
Prevents a default instance of the class from being created.