Added openid.invalidate_handle handling to the RP and OP.
[dotnetoauth.git] / src / DotNetOpenAuth / OpenId / Messages / CheckAuthenticationResponse.cs
1 //-----------------------------------------------------------------------
2 // <copyright file="CheckAuthenticationResponse.cs" company="Andrew Arnott">
3 // Copyright (c) Andrew Arnott. All rights reserved.
4 // </copyright>
5 //-----------------------------------------------------------------------
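namespace DotNetOpenAuth.OpenId.Messages {
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Text;
	using DotNetOpenAuth.Messaging;
	using DotNetOpenAuth.OpenId.ChannelElements;
	using DotNetOpenAuth.OpenId.Provider;

	/// <summary>
	/// The message sent from the Provider to the Relying Party to confirm/deny
	/// the validity of an assertion that was signed by a private Provider secret.
	/// </summary>
	internal class CheckAuthenticationResponse : DirectResponseBase {
		/// <summary>
		/// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class
		/// for use by the Relying Party.
		/// </summary>
		/// <param name="request">The request that this message is responding to.</param>
		/// <remarks>
		/// Nothing is populated here; <see cref="IsValid"/> and <see cref="InvalidateHandle"/>
		/// keep their defaults until they are set from the received message parts.
		/// </remarks>
		internal CheckAuthenticationResponse(CheckAuthenticationRequest request)
			: base(request) {
		}

		/// <summary>
		/// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class
		/// for use by the Provider.
		/// </summary>
		/// <param name="request">The request that this message is responding to.</param>
		/// <param name="provider">
		/// The OpenID Provider that is preparing to send this response.
		/// Checked with <c>ErrorUtilities.VerifyArgumentNotNull</c>.
		/// </param>
		internal CheckAuthenticationResponse(CheckAuthenticationRequest request, OpenIdProvider provider)
			: base(request) {
			ErrorUtilities.VerifyArgumentNotNull(provider, "provider");

			// The channel's binding elements have already set the request's IsValid property
			// appropriately. We just copy it into the response message.
			this.IsValid = request.IsValid;

			// Confirm the RP should invalidate the association handle only if the association
			// really doesn't exist. OpenID 2.0 section 11.4.2.2.
			IndirectSignedResponse signedResponse = new IndirectSignedResponse(request);
			string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;

			// The handle is copied from the incoming verification request, so it is
			// caller-controlled. When the request carries no invalidate_handle there is
			// nothing to confirm: skip the store lookup rather than query it with a
			// null/empty key, and never emit an empty value, which the
			// AllowEmpty = false constraint on the message part forbids.
			// NOTE(review): this only tests whether the store returns an association;
			// whether an expired association counts as "doesn't exist" depends on
			// GetAssociation - confirm against the association store.
			// NOTE(review): the handle is confirmed independently of IsValid; the RP is
			// expected to act on it only when is_valid is true (see InvalidateHandle).
			if (!string.IsNullOrEmpty(invalidateHandle) &&
				provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
				this.InvalidateHandle = invalidateHandle;
			}
		}

		/// <summary>
		/// Gets or sets a value indicating whether the signature of the verification request is valid.
		/// </summary>
		[MessagePart("is_valid", IsRequired = true)]
		internal bool IsValid { get; set; }

		/// <summary>
		/// Gets or sets the handle the relying party should invalidate if <see cref="IsValid"/> is true.
		/// </summary>
		/// <value>The "invalidate_handle" value sent in the verification request, if the OP confirms it is invalid.</value>
		/// <remarks>
		/// <para>If present in a verification response with "is_valid" set to "true",
		/// the Relying Party SHOULD remove the corresponding association from
		/// its store and SHOULD NOT send further authentication requests with
		/// this handle.</para>
		/// <para>This two-step process for invalidating associations is necessary
		/// to prevent an attacker from invalidating an association at will by
		/// adding "invalidate_handle" parameters to an authentication response.</para>
		/// <para>Relying Party code should therefore act only on the value carried in this
		/// direct response, and only when <see cref="IsValid"/> is true; the
		/// "invalidate_handle" in the indirect authentication response is not
		/// confirmed by the Provider.</para>
		/// </remarks>
		[MessagePart("invalidate_handle", IsRequired = false, AllowEmpty = false)]
		internal string InvalidateHandle { get; set; }
	}
}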