From 5f2973e785be54fdafaa8907d44fba669dd392d8 Mon Sep 17 00:00:00 2001
From: Andrew Arnott
Date: Tue, 13 Jan 2009 16:45:23 -0800
Subject: [PATCH] Added openid.invalidate_handle handling to the RP and OP.

---
 .../ChannelElements/SigningBindingElement.cs | 8 ++++++-
 .../OpenId/Messages/CheckAuthenticationResponse.cs | 28 +++++++++++++++++++++-
 .../OpenId/Provider/OpenIdProvider.cs | 2 +-
 3 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
index d19c7aa..5fda0b7 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
@@ -127,12 +127,18 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {

 // We did not recognize the association the provider used to sign the message.
 // Ask the provider to check the signature then.
- var checkSignatureRequest = new CheckAuthenticationRequest((IndirectSignedResponse)signedMessage);
+ var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
+ var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse);
 var checkSignatureResponse = this.Channel.Request(checkSignatureRequest);
 if (!checkSignatureResponse.IsValid) {
 Logger.Error("Provider reports signature verification failed.");
 throw new InvalidSignatureException(message);
 }
+
+ // If the OP confirms that a handle should be invalidated as well, do that.
+ if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) {
+ this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
+ }
 }

 return true;
diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
index d66d0a9..0e01231 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
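Review bot: The new invalidate_handle branch removes whatever handle the OP names without checking that it is the handle the RP itself asked about, i.e. the one carried in the assertion and copied into the check_authentication request. OpenID 2.0 section 11.4.2.2 has the OP echo the RP-supplied value, so a stricter condition costs nothing and stops a misbehaving OP from evicting other, still-valid associations the RP holds for that endpoint: `if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle) && string.Equals(checkSignatureResponse.InvalidateHandle, ((ITamperResistantOpenIdMessage)indirectSignedResponse).InvalidateHandle, StringComparison.Ordinal)) {`. The damage is already bounded because `RemoveAssociation` is keyed by `indirectSignedResponse.ProviderEndpoint`, so an OP can only touch its own associations, and placing the removal after the `IsValid` check means a failed verification throws before any association is dropped; both properties are worth a sentence in the comment. The enclosing method begins before and ends after this hunk.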
+++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
@@ -10,6 +10,8 @@ namespace DotNetOpenAuth.OpenId.Messages {
 using System.Linq;
 using System.Text;
 using DotNetOpenAuth.Messaging;
+ using DotNetOpenAuth.OpenId.ChannelElements;
+ using DotNetOpenAuth.OpenId.Provider;

 ///
 /// The message sent from the Provider to the Relying Party to confirm/deny
@@ -17,7 +19,8 @@ namespace DotNetOpenAuth.OpenId.Messages {
 ///
 internal class CheckAuthenticationResponse : DirectResponseBase {
 ///
- /// Initializes a new instance of the class.
+ /// Initializes a new instance of the class
+ /// for use by the Relying Party.
 ///
 /// The request that this message is responding to.
 internal CheckAuthenticationResponse(CheckAuthenticationRequest request)
@@ -25,6 +28,29 @@ namespace DotNetOpenAuth.OpenId.Messages {
 }

 ///
+ /// Initializes a new instance of the class
+ /// for use by the Provider.
+ ///
+ /// The request that this message is responding to.
+ /// The OpenID Provider that is preparing to send this response.
+ internal CheckAuthenticationResponse(CheckAuthenticationRequest request, OpenIdProvider provider)
+ : base(request) {
+ ErrorUtilities.VerifyArgumentNotNull(provider, "provider");
+
+ // The channel's binding elements have already set the request's IsValid property
+ // appropriately. We just copy it into the response message.
+ this.IsValid = request.IsValid;
+
+ // Confirm the RP should invalidate the association handle only if the association
+ // really doesn't exist. OpenID 2.0 section 11.4.2.2.
+ IndirectSignedResponse signedResponse = new IndirectSignedResponse(request);
+ string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
+ if (provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {
+ this.InvalidateHandle = invalidateHandle;
+ }
+ }
+
+ ///
 /// Gets or sets a value indicating whether the signature of the verification request is valid.
 ///
 [MessagePart("is_valid", IsRequired = true)]
diff --git a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
index 1a4ac61..cea2c9e 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
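Review bot: `invalidateHandle` is passed to `provider.AssociationStore.GetAssociation` without an empty check, although openid.invalidate_handle is optional and most check_authentication requests will not carry it. What the store does with a null or empty handle is not visible here; if an implementation throws, every check_authentication request that simply omits the field fails on the OP, and if it returns null the code sets `this.InvalidateHandle` to the empty value it was given, which is harmless but wastes a store lookup on a request-controlled path. Guarding the lookup keeps the spec behaviour and removes the dependency on store semantics: `if (!string.IsNullOrEmpty(invalidateHandle) && provider.AssociationStore.GetAssociation(AssociationRelyingPartyType.Smart, invalidateHandle) == null) {`. The comment above it could also state that only a handle absent from the store is echoed back, so the OP never asks an RP to drop an association that is still usable.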
@@ -124,7 +124,7 @@ namespace DotNetOpenAuth.OpenId.Provider {

 var checkAuthMessage = incomingMessage as CheckAuthenticationRequest;
 if (checkAuthMessage != null) {
- return new AutoResponsiveRequest(this, incomingMessage, new CheckAuthenticationResponse(checkAuthMessage));
+ return new AutoResponsiveRequest(this, incomingMessage, new CheckAuthenticationResponse(checkAuthMessage, this));
 }

 var associateMessage = incomingMessage as AssociateRequest;
--
2.11.4.GIT