DotNetOpenAuth 4.0.0.11165

The Message expired at 7/2/2011 5:23:50 PM and it is now 7/2/2011 5:36:29 PM.

Works locally(cassini), fails deployed. Tried using the example from http://www.dotnetopenauth.net/developers/code-snippets/configuration-options/
privateSecretMaximumAge="07:00:00"
but the attribute wasn't recognized.

Server is Microsoft Windows NT 6.0.6002 Service Pack 2 (32 bit)
Microsoft-IIS/7.0

See this Stackoverflow question (http://stackoverflow.com/questions/2466107/dotnetopenid-dotnetopenauth) for an example of how convoluted it is.

Perhaps something like:

<hostFilter>
     <add allow="www.mysite.com" />
     <add deny="www.badsite.com" />
</hostFilter>

Would provide a more tunable and obvious way to configure it.

We should also add OpenID OP Endpoint filters so people can do better filtering regardless of delegated IDs.

When using the ResourceServer to verify access to a resource, VerifyAccess leads to an instance of OAuthPrincipal containing the provided scopes as roles internally.

If one wants access to the list of scopes this is not directly available, and you are forced to use the StandardTokenAnalyzer directly, but this requires an IDirectedProtocolMessage, which is not available from the ResourceServer.

Propositions

• Alternative 1
  Set a GenericPrincipal instead of an OAuthPrincipal and also return the deserialized Access Token.
  This way we can wrap this in a custom principal if we choose, exposing both the client id as well as other data about the token.
• Alternative 2
  Provide a GetRequest on the ResourceServer that returns the IDirectedProtocolMessage used to check the access.

Some methods that should be created:
OpenIdRelyingParty.CreateRequestAsync()

It is anticipated that those participating in ASP.NET async (freeing up HTTP handler threads while doing I/O bound work for a web request) will be very interested in these DNOA async methods. Particularly when .NET 4.5 is available.

The recent changes to the HtmlHelpers class left the MVC project template broken.

Similar to OAuth 2.0's design in DotNetOpenAuth, OAuth 1.0 service providers probably ought to be able to issue self-descriptive access tokens such that no db table is required to store them.

In OAuth 1.0, request tokens probably need to have state on the SP because they can be either authorized or unauthorized, and should only be exchangeable for an access token once. So SPs may still be required to store these short-term request tokens. But this should cost considerably less than storing the longer term access tokens. Perhaps some clever trick of only storing authorized request tokens may be utilized to further decrease the number and timeframe a request token is stored for.

Beyond just reducing storage, avoiding storage of these tokens can decrease the effectiveness of a DoS attack based on occupying unbounded storage resources on the SP.

Potential solution:
Under DotNetOpenAuth-3.4.6.10357a\Project Templates
Rename
“DotNetOpenAuth SDK-3.4.6.10360-VS2010.vsix”
“DotNetOpenAuth-3.4.6.10360-VS2008.vsi”

Hi Andrew,

Thought I'd share a recent work-around... facebook doesn't return "expires_in" and therefore all generated access tokens are without an expiration value.

I ended up overloading ProcessUserAuthorization() to transfer epoch time from the token to the AuthorizationState object.
figured this might help someone in the future..

reference info:
http://www.quora.com/Do-the-OAuth2-access-tokens-in-the-new-Facebook-Graph-API-expire

-Mark

In the interest of identifying the sources of all intellectual property included with DotNetOpenAuth, we should consider re-implementing the diffie-hellman algorithm. It may also resolve the unrepro'able random test failures we see on the DH tests.

http://www.ietf.org/rfc/rfc2631.txt

The OpenIdRelyingPartyControlBase.Extensions property is ignored on all but the OpenIdSelector control, making it more difficult to retrieve user attributes during login on OpenIdButton controls.

The OAuthServiceProviderSecuritySettingsElement.MaximumRequestTokenTimeToLive property does not carry over into the ServiceProviderSecuritySettings class.

When trying to compile DotNetOpenAuth, I get a lot of errors complaining that the XML comments for a bunch of the classes don't start with exactly the right text. I couldn't figure out how to turn off this requirement in Visual Studio...

I am getting quite a few errors (caught by ELMAH) caused by the dotnetopenid library. The stack trace of the error is pasted below. My application is developed in ASP.NET MVC3 and is hosted on IIS7.0. Any help in resolving these would be appreciated.

System.Web.HttpException (0x80070057): The remote host closed the connection. The error code is 0x80070057.
   at System.Web.Hosting.IIS7WorkerRequest.RaiseCommunicationError(Int32 result, Boolean throwOnDisconnect)
   at System.Web.Hosting.IIS7WorkerRequest.ExplicitFlush()
   at System.Web.HttpResponse.Flush(Boolean finalFlush)
   at System.Web.HttpResponse.End()
   at DotNetOpenAuth.Messaging.OutgoingWebResponse.Send(HttpContext context) in c:\Users\andarno\git\dotnetopenid\src\DotNetOpenAuth\Messaging\OutgoingWebResponse.cs:line 161
   at DotNetOpenAuth.Messaging.OutgoingWebResponse.Send() in c:\Users\andarno\git\dotnetopenid\src\DotNetOpenAuth\Messaging\OutgoingWebResponse.cs:line 129
   at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass14.<InvokeActionResultWithFilters>b__11()
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultWithFilters(ControllerContext controllerContext, IList`1 filters, ActionResult actionResult)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)

When certificate private keys are not exportable from the Windows certificate store, it isn't possible to obtain an RSAParameters struct to pass to DotNetOpenAuth. But obtaining an RSACryptoServiceProvider is still possible and can perform the functions that DotNetOpenAuth requires. Since an RSACryptoServiceProvider can always be created from RSAParameters, we should probably switch the APIs to use the former rather than the latter -- or at least offer overloads that take either one.

http://stackoverflow.com/questions/5064554/using-dotnetopenauth-oauth-2-with-azure-reading-certificate-difficulty-extrac

The http://tools.ietf.org/html/rfc5849 spec has made OAuth 1.0a obsolete. We should review to see what changes are necessary in DotNetOpenAuth.

IIS always defines the HTTP_HOST server variable, which defeats the URL rewriting reversal done in GetPublicFacingUrl method.

See https://groups.google.com/d/topic/dotnetopenid/pdqK8aMpPA4/discussion for a discussion on this topic.

// Authorization using OAuth2
var scope = new[] { "scope1" };
var returnTo = new Uri("relative.html", UriKind.Relative);
myClient.RequestUserAuthorization(scope, null, returnTo)

This code doesn't work because library expects only absolute URLs.
I don't think there are issues to support also relative ones.

Thanx.

Implicit grants need to be supported, namely the creation of access tokens in direct response to end user authorization.
Included in this is the provision that we do not auto-approve implicit grants, even if the requested authorization was previously given already (since the client has not been authenticated).
We also need to let the host site determine the lifetime of the access token, and whether the requested scopes are appropriate for a less secure implicit grant type.

This effectively renders the tool useless to those who aren't persistent enough to find and properly place the external dependency. We need to get this dependency ILMerge'd in just like the core library.

Google Apps asserts http:// claimed identifiers, but since host-meta based discovery doesn't actually ever perform an HTTP get on that identifier, RequireSsl should actually work with Google Apps discovery, provided the DNOA host meta discovery service skips the fallback discovery on the (insecure) domain itself.

The likely fix for this is for the HostMetaDiscoveryService in DotNetOpenAuth to be willing to perform discovery on insecure identifiers, but only to HTTPS trusted discovery hosts (such as Google Apps).

I have an MVC3/Razor View that creates an info card

This calls back to a method that calls this code..

        string xmlToken = this.HttpContext.Request.Params["xmlToken"];
        Token token = Token.Read(xmlToken);

Then when the Token is initialized this error is thrown...

Server Error in '/OrchardLocal' Application.

Attempt by method 'DynamicClass.lambda_method(System.Runtime.CompilerServices.Closure)' to access method 'System.Security.Cryptography.RSAPKCS1SHA1SignatureDescription..ctor()' failed.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.MethodAccessException: Attempt by method 'DynamicClass.lambda_method(System.Runtime.CompilerServices.Closure)' to access method 'System.Security.Cryptography.RSAPKCS1SHA1SignatureDescription..ctor()' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[MethodAccessException: Attempt by method 'DynamicClass.lambda_method(System.Runtime.CompilerServices.Closure)' to access method 'System.Security.Cryptography.RSAPKCS1SHA1SignatureDescription..ctor()' failed.]
lambda_method(Closure ) +55
System.IdentityModel.CryptoHelper.GetAlgorithmFromConfig(String algorithm) +584
System.IdentityModel.Tokens.RsaSecurityKey.GetHashAlgorithmForSignature(String algorithm) +45
System.IdentityModel.SignedXml.StartSignatureVerification(SecurityKey verificationKey) +324
System.IdentityModel.Tokens.SamlAssertion.VerifySignature(SignedXml signature, SecurityKey signatureVerificationKey) +35
System.IdentityModel.Tokens.SamlAssertion.ReadXml(XmlDictionaryReader reader, SamlSerializer samlSerializer, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) +1082
System.IdentityModel.Tokens.SamlSerializer.LoadAssertion(XmlDictionaryReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) +55
System.IdentityModel.Tokens.SamlSerializer.ReadToken(XmlReader reader, SecurityTokenSerializer keyInfoSerializer, SecurityTokenResolver outOfBandTokenResolver) +64
System.ServiceModel.Security.SamlTokenEntry.ReadTokenCore(XmlDictionaryReader reader, SecurityTokenResolver tokenResolver) +22
System.ServiceModel.Security.WSSecurityTokenSerializer.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver) +140
System.IdentityModel.Selectors.SecurityTokenSerializer.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +22
DotNetOpenAuth.InfoCard.TokenUtility.AuthenticateToken(XmlReader reader, Uri audience) +112
DotNetOpenAuth.InfoCard.Token..ctor(String tokenXml, Uri audience, TokenDecryptor decryptor) +666
DotNetOpenAuth.InfoCard.Token.Read(String tokenXml, Uri audience, IEnumerable1 decryptionTokens) +213 DotNetOpenAuth.InfoCard.Token.Read(String tokenXml, Uri audience) +110 DotNetOpenAuth.InfoCard.Token.Read(String tokenXml) +79 NGM.OpenAuthentication.Controllers.CardSpaceAccountController.LogOn(String returnUrl) +138 lambda_method(Closure , ControllerBase , Object[] ) +140 System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +17 System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) +208
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) +27 System.Web.Mvc.<>c__DisplayClass15.<InvokeActionMethodWithFilters>b__12() +55 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation) +263
System.Web.Mvc.<>c__DisplayClass17.b__14() +19
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation) +263 System.Web.Mvc.<>c__DisplayClass17.<InvokeActionMethodWithFilters>b__14() +19 System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation) +263
System.Web.Mvc.<>c__DisplayClass17.b__14() +19
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList1 filters, ActionDescriptor actionDescriptor, IDictionary2 parameters) +191
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +343
System.Web.Mvc.Controller.ExecuteCore() +116
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +97
System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +10
System.Web.Mvc.<>c__DisplayClassb.b__5() +37
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +21
System.Web.Mvc.Async.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) +12 System.Web.Mvc.Async.WrappedAsyncResult1.End() +62
System.Web.Mvc.<>c__DisplayClasse.b__d() +50
System.Web.Mvc.SecurityUtil.b__0(Action f) +7
System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action) +22
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +60
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
Orchard.Mvc.Routes.HttpAsyncHandler.EndProcessRequest(IAsyncResult result) +55
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8841105
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

From looking through the code and tests, it seems there's no way to generate a signature that's decoupled from the process of running a service endpoint. Am I missing it?

I'm looking for something in the neighborhood of this (which I'll probably continue using, but wanted a 'second opinion' on some character encoding issues):

http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs

This is a straightforward one-file library with a single method to generate the signature.

Thanks!

Screenshot: https://www.scolab.com/Public/Jing/CM/2010-12-26_1514.png

Just got this in my error logs:

System.OverflowException: Value was either too large or too small for an Int32.

Generated: Tue, 08 Feb 2011 03:23:17 GMT

System.Runtime.Serialization.SerializationException: There was an error deserializing the object of type DotNetOpenAuth.ApplicationBlock.Facebook.FacebookGraph. The value '100000706054681' cannot be parsed as the type 'Int32'. ---> System.Xml.XmlException: The value '100000706054681' cannot be parsed as the type 'Int32'. ---> System.OverflowException: Value was either too large or too small for an Int32.
at System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info)
at System.Runtime.Serialization.Json.XmlJsonReader.ParseInt(String value, NumberStyles style)
--- End of inner exception stack trace ---
at System.Runtime.Serialization.Json.XmlJsonReader.ParseInt(String value, NumberStyles style)
at System.Xml.XmlDictionaryReader.ReadElementContentAsInt()
at ReadFacebookGraphFromJson(XmlReaderDelegator , XmlObjectSerializerReadContextComplexJson , XmlDictionaryString , XmlDictionaryString[] )
at System.Runtime.Serialization.Json.JsonClassDataContract.ReadJsonValueCore(XmlReaderDelegator jsonReader, XmlObjectSerializerReadContextComplexJson context)
at System.Runtime.Serialization.Json.JsonDataContract.ReadJsonValue(XmlReaderDelegator jsonReader, XmlObjectSerializerReadContextComplexJson context)
at System.Runtime.Serialization.XmlObjectSerializerReadContext.InternalDeserialize(XmlReaderDelegator reader, String name, String ns, Type declaredType, DataContract& dataContract)
at System.Runtime.Serialization.XmlObjectSerializerReadContext.InternalDeserialize(XmlReaderDelegator xmlReader, Type declaredType, DataContract dataContract, String name, String ns)
at System.Runtime.Serialization.Json.DataContractJsonSerializer.InternalReadObject(XmlReaderDelegator xmlReader, Boolean verifyObjectName)
at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
--- End of inner exception stack trace ---
at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
at System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject(XmlDictionaryReader reader)
at DotNetOpenAuth.ApplicationBlock.Facebook.FacebookGraph.Deserialize(Stream jsonStream)

I have tried to build mono2 branch (on VS 2008, .net 3.5) and referenced DotNetOpenAuth.dll within ASP.NET MVC 2 application running on mono from master branch (version 2.11, default profile is 4.0), but I'm getting this exception during authentication.

What is the current status?

Could this issue be used to track the status of the OAuth 2 support?

Vkontakte (vk.com) response on oauth/access_token like: {"access_token":"{token}","expires_in":86399,"user_id":123456789}
I want to access to "user_id" with oauth2.

In oauth1 (WebConsumer) i have ExtraData in function "Provider.ProcessUserAuthorization()" result, but in oauth2 (WebServerClient) not have this parameter.

Sorry for my English.

That's why we recommend that package authors put the assemblies in a target framework specific folder:
http://docs.nuget.org/docs/creating-packages/creating-and-publishing-a-package#Common_Framework_and_Profile_Targeting_Examples

In this case, Andrew, you should put the dll in lib\net40-full and not in directly in the lib folder.

By the way, if you point the nuget pack command at a project file, we automatically create the package correctly.http://docs.nuget.org/docs/creating-packages/creating-and-publishing-a-package#From_a_project

See discussion here https://groups.google.com/d/topic/dotnetopenid/cHEsEbnpMUc/discussion

Hi,
I'm using the OAuth 2 CTP and so far it looks great - good job!
However, there is one issue I recently encountered. I've implemented my authentication server in a way similar to that of the sample. My authentication endpoint is very simple - it just reads the request and builds an appropriate response using AuthporizationServer.
var tokenRequest = this.authorizationServer.ReadAccessTokenRequest();
var response = this.authorizationServer.PrepareAccessTokenResponse( tokenRequest, ResourceServerEncryptionPublicKey );
This approach has been working great with grant_type=authorization_code. But when I tested it with none (i.e. client credentials) or password (i.e. resource owner username and password) PrepareAccessTokenResponse throws an invalid cast exception. I've taken a look at the code of the method and it seems you cast the request object to ITokenCarryingRequest. However, only the AccessTokenAuthorizationCodeRequest type implements this interface, while the other two do not - AccessTokenClientCredentialsRequest and AccessTokenResourceOwnerPasswordCredentialsRequest.
I wanted to try and change the source code to see if implementing the interface will solve this, but I couldn't find it. Is it available anywhere?

OpenID providers shouldn't be required to retain associations and their secrets in memory or in a database. For instance, Yahoo has encoded their association data within the association handle itself (making the handle ~140 characters long). DotNetOpenAuth can do that too using the new DataBag class.

The need for this was brought to light by this thread:
https://groups.google.com/d/topic/dotnetopenid/O3TVKwgU4MY/discussion

The current OAuth 2 tree allows for using a single RsaCryptoServiceProvider instance across multiple threads simultaneously. This class is documented as not thread-safe. Therefore we need to adjust the DNOA interfaces such that the host can provide a factory of these instead of just a singleton.

File: dotnetopenid / src / DotNetOpenAuth / OpenId / RelyingParty / OpenIdLogin.cs

Code position:

private const string ButtonTextDefault = "Login �";

When use Firefox and IdentitySelector (http://identityselector.codeplex.com) then displays the infocardselector control only an "undefined" message at the top of the page. There is no object tag in header definied.

Although support for an extension in a negative assertion is not in the spec, Google exercises this ability for their x-has-session addition to the UI extension response.

Since we already have an IAuthenticationResponse.GetUntrustedExtension<T>() method, it makes sense that we could actually make this method work for negative assertions. Since the extensions are not signed, they are unreliable, but the method name suggests this so this shouldn't be a problem.

Without breaking changes preferably, we should provide a convenient way for sites to send responses without relying on the built-in ASP.NET ThreadAbortException behavior.

See this discussion for more details.
https://groups.google.com/d/topic/dotnetopenid/eNO4ReD0ZQo/discussion

We provide partners with the opportunity to authenticate their users against our service using OpenID, and at times, the OpenID Identifier they provide results in 404 pages (especially during integration testing).
As discovery results are cached this often causes some users to be unable to sign in using OpenID if their identifier has previously returned 404 messages, and we must in turn disable the cache to allow them to sign in.
DNOA should apply some rules to what results are cached - that a resource returns a 404 one day does not mean it will do so the next. This also concerns delegation; if a user switches its provider and the original provider returns negatively for this user, how should DNOA respond? Something should cause it to discard the cache and perform the discovery anew.

I have asked the question on stackoverflow.com:
http://stackoverflow.com/questions/7564256/dotnetopenauth-setting-the-popup-to-do-a-post-instead-of-a-get

So following up with the request to post a ticket here.

Simplest way to recreate the issue is to download the project from NerdDinner:
http://nerddinner.codeplex.com/

Then in the "NerdDinner/Services/OpenIdRelyingPartyService.cs" change the ClaimRequest to ask for additional fields:

request.AddExtension(new ClaimsRequest
                {
                    Email = DemandLevel.Require,
                    FullName = DemandLevel.Request,
                    BirthDate = DemandLevel.Request,
                    Gender = DemandLevel.Request,
                    Country = DemandLevel.Request,
                    Nickname = DemandLevel.Request,
                    PolicyUrl = privacyPolicy,
                });

This will now generate 414 error with Google when clicking on the Google provider button in the logon page.

Please let me know if I can provide more details.

A buggy RP can cause DNOA OP to throw a KeyNotFoundException instead of a ProtocolException. A log of the problem is here:

{
"Url": "/openid/provider",
"Parameters": {
"openid.assoc_handle": "{634477555066085461}{TTYcIg==}{32}",
"openid.claimed_id": "https://openid.stackexchange.com/user/f5e91123-e5b4-43c5-871f-5f276c75d31a",
"openid.identity": "https://openid.stackexchange.com/user/f5e91123-e5b4-43c5-871f-5f276c75d31a",
"openid.mode": "check_authentication",
"openid.op_endpoint": "https://openid.stackexchange.com/openid/provider",
"openid.response_nonce": "2011-08-01T00:32:10Zvdyt3efw",
"openid.return_to": "http://openid-consumer.appspot.com/finish?session_id=1543025&janrain_nonce=2011-08-01T00%3A32%3A09ZIPGz7D",
"openid.sig": "b0Rll6Kt1KKBWWBEg/qBvW3sQYtmhOUmpI0/UREBVZ0=",
"openid.signed": "claimed_id,identity,assoc_handle,op_endpoint,return_to,response_nonce,ns.sreg,sreg.email,sreg.fullname",
"openid.sreg.email": "[email protected]",
"openid.sreg.fullname": "Kevin K Montrose",
"ALL_HTTP": "HTTP_CONTENT_LENGTH:869\r\nHTTP_CONTENT_TYPE:application/x-www-form-urlencoded\r\nHTTP_ACCEPT_ENCODING:gzip\r\nHTTP_HOST:openid.stackexchange.com\r\nHTTP_USER_AGENT:AppEngine-Google; (+http://code.google.com/appengine; appid: openid-consumer)\r\nHTTP_X_REAL_IP:209.85.224.82\r\nHTTP_X_FORWARDED_FOR:209.85.224.82\r\nHTTP_X_FORWARDED_PROTO:https\r\n",
"ALL_RAW": "Content-Length: 869\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\nHost: openid.stackexchange.com\r\nUser-Agent: AppEngine-Google; (+http://code.google.com/appengine; appid: openid-consumer)\r\nX-Real-IP: 209.85.224.82\r\nX-Forwarded-For: 209.85.224.82\r\nX-Forwarded-Proto: https\r\n",
"APPL_MD_PATH": "/LM/W3SVC/14/ROOT",
"APPL_PHYSICAL_PATH": "C:\sites\openid.stackexchange.com\prod",
"AUTH_TYPE": "",
"AUTH_USER": "",
"AUTH_PASSWORD": "",
"LOGON_USER": "",
"REMOTE_USER": "",
"CERT_COOKIE": "",
"CERT_FLAGS": "",
"CERT_ISSUER": "",
"CERT_KEYSIZE": "",
"CERT_SECRETKEYSIZE": "",
"CERT_SERIALNUMBER": "",
"CERT_SERVER_ISSUER": "",
"CERT_SERVER_SUBJECT": "",
"CERT_SUBJECT": "",
"CONTENT_LENGTH": "869",
"CONTENT_TYPE": "application/x-www-form-urlencoded",
"GATEWAY_INTERFACE": "CGI/1.1",
"HTTPS": "off",
"HTTPS_KEYSIZE": "",
"HTTPS_SECRETKEYSIZE": "",
"HTTPS_SERVER_ISSUER": "",
"HTTPS_SERVER_SUBJECT": "",
"INSTANCE_ID": "14",
"INSTANCE_META_PATH": "/LM/W3SVC/14",
"LOCAL_ADDR": "64.34.119.23",
"PATH_INFO": "/openid/provider",
"PATH_TRANSLATED": "C:\sites\openid.stackexchange.com\prod\openid\provider",
"QUERY_STRING": "",
"REMOTE_ADDR": "64.34.119.10",
"REMOTE_HOST": "64.34.119.10",
"REMOTE_PORT": "51829",
"REQUEST_METHOD": "POST",
"SCRIPT_NAME": "/openid/provider",
"SERVER_NAME": "openid.stackexchange.com",
"SERVER_PORT": "80",
"SERVER_PORT_SECURE": "0",
"SERVER_PROTOCOL": "HTTP/1.0",
"SERVER_SOFTWARE": "Microsoft-IIS/7.5",
"URL": "/openid/provider",
"HTTP_CONTENT_LENGTH": "869",
"HTTP_CONTENT_TYPE": "application/x-www-form-urlencoded",
"HTTP_ACCEPT_ENCODING": "gzip",
"HTTP_HOST": "openid.stackexchange.com",
"HTTP_USER_AGENT": "AppEngine-Google; (+http://code.google.com/appengine; appid: openid-consumer)",
"HTTP_X_REAL_IP": "209.85.224.82",
"HTTP_X_FORWARDED_FOR": "209.85.224.82",
"HTTP_X_FORWARDED_PROTO": "https"
},
"ReceivedCookies": {},
"SendingCookies": {},
"ReceivedHeaders": {
"Content-Length": "869",
"Content-Type": "application/x-www-form-urlencoded",
"Accept-Encoding": "gzip",
"Host": "openid.stackexchange.com",
"User-Agent": "AppEngine-Google; (+http://code.google.com/appengine; appid: openid-consumer)",
"X-Real-IP": "209.85.224.82",
"X-Forwarded-For": "209.85.224.82",
"X-Forwarded-Proto": "https"
},
"SendingHeaders": {
"Server": "Microsoft-IIS/7.5",
"Content-Encoding": "gzip",
"Cache-Control": "private",
"X-AspNet-Version": "4.0.30319"
},
"Form": {
"openid.assoc_handle": "{634477555066085461}{TTYcIg==}{32}",
"openid.claimed_id": "https://openid.stackexchange.com/user/f5e91123-e5b4-43c5-871f-5f276c75d31a",
"openid.identity": "https://openid.stackexchange.com/user/f5e91123-e5b4-43c5-871f-5f276c75d31a",
"openid.mode": "check_authentication",
"openid.op_endpoint": "https://openid.stackexchange.com/openid/provider",
"openid.response_nonce": "2011-08-01T00:32:10Zvdyt3efw",
"openid.return_to": "http://openid-consumer.appspot.com/finish?session_id=1543025&janrain_nonce=2011-08-01T00%3A32%3A09ZIPGz7D",
"openid.sig": "b0Rll6Kt1KKBWWBEg/qBvW3sQYtmhOUmpI0/UREBVZ0=",
"openid.signed": "claimed_id,identity,assoc_handle,op_endpoint,return_to,response_nonce,ns.sreg,sreg.email,sreg.fullname",
"openid.sreg.email": "[email protected]",
"openid.sreg.fullname": "Kevin K Montrose"
},
"Message": "The given key was not present in the dictionary.",
"StackTrace": " at System.Collections.Generic.Dictionary2.get_Item(TKey key)\r\n at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.<>c__DisplayClassd.<GetSignature>b__b(<>f__AnonymousType22 <>h__TransparentIdentifier9)\r\n at System.Linq.Enumerable.WhereSelectArrayIterator2.MoveNext()\r\n at DotNetOpenAuth.OpenId.ChannelElements.KeyValueFormEncoding.GetBytes(IEnumerable1 keysAndValues)\r\n at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.GetSignature(ITamperResistantOpenIdMessage signedMessage, Association association)\r\n at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.ProcessIncomingMessage(IProtocolMessage message)\r\n at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)\r\n at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message)\r\n at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest)\r\n at DotNetOpenAuth.OpenId.Provider.OpenIdProvider.GetRequest(HttpRequestInfo httpRequestInfo)\r\n at OpenIdProvider.Controllers.OpenIdController.Provider() in c:\Builds\OpenIdProvider\prod\OpenIdProvider\Controllers\OpenIdController.cs:line 160\r\n at lambda_method(Closure , ControllerBase , Object[] )\r\n at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters)\r\n at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters)\r\n at System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass15.b__12()\r\n at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func1 continuation)\r\n at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters)\r\n at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)\r\n at System.Web.Mvc.Controller.ExecuteCore()\r\n at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext)\r\n at System.Web.Mvc.MvcHandler.<>c__DisplayClass6.<>c__DisplayClassb.b__5()\r\n at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.b__0()\r\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\r\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)",
"Id": "93938b5f-d973-44c8-aae5-98ad29ebea6a",
"CreationDate": "/Date(1312158730508)/",
"RemoteIP": "209.85.224.82",
"Type": "System.Collections.Generic.KeyNotFoundException",
"UserId": null
}

In order to support JSON web tokens (JWT) as access tokens in the future, the authorization server should support an extensible way of serializing, signing and encrypting access tokens.

We may also want to include in this interface a way to validate access tokens later, so that a resource server may contact the auth server on a backchannel to validate an access token.

This causes interop failures with consumers who omit the optional oauth_version parameter.
DotNetOpenAuth must be able to discern between a message part whose value was defaulted into the message, and one whose value was explicitly included.

Captured from this report: https://groups.google.com/d/topic/dotnetopenid/8W5LjAiZW_M/discussion

Unfortunately DotNetOpenAuth is using hashing algorithms that are not FIPS compliant (e.g SHA512Managed).
This means that DotNetOpenAuth will throw an error / not run on servers that enforce the FIPS policy.

More Info:
System.Security.Cryptography.SHA512Managed is not part of the Windows Platform FIPS-validated cryptographic algorithms.
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha512managed.sha512managed.aspx

You can test this by enforcing FIPS compliance on your machine:
Run C:\Windows\System32\secpol.msc
Enable Security Settings\Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

And then run the code (These SHA classes are used by 'DotNetOpenAuth.OpenId.HmacShaAssociation’):

try { var a = new SHA512Managed(); }
catch (Exception e) { Console.WriteLine(e); }

try { var a = new HMACSHA512(); }
catch (Exception e) { Console.WriteLine(e); }

Solution:

Use a FIPS compliant SHA algorithm
e.g SHA512Cng
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha512cng.aspx

Most government organisations are now implementing FIPS policies so this would be a good thing to fix.

Error:

System.TypeInitializationException:The type initializer for 'DotNetOpenAuth.OpenId.HmacShaAssociation' threw an exception.
at DotNetOpenAuth.OpenId.HmacShaAssociation.Create(Protocol protocol, String associationType, AssociationRelyingPartyType associationUse, ProviderSecuritySettings securitySettings)
at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.GetDumbAssociationForSigning()
at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.GetAssociation(ITamperResistantOpenIdMessage signedMessage)
at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.ProcessOutgoingMessage(IProtocolMessage message)
at DotNetOpenAuth.Messaging.Channel.ProcessOutgoingMessage(IProtocolMessage message)
at DotNetOpenAuth.Messaging.Channel.PrepareResponse(IProtocolMessage message)
at DotNetOpenAuth.OpenId.Provider.OpenIdProvider.PrepareResponse(IRequest request)
… in
System.InvalidOperationException:This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA512Managed..ctor()
at DotNetOpenAuth.OpenId.HmacShaAssociation..cctor()

The current implementation of sending a GET request passes the OAuth authentication info via query string parameters. Not all api's accept this, most notably FitBit.com

Please provide an option so that the OAuth information can be sent via an Authentication HTTP header.

thanks

Please provide also the library built only for .Net 4.0 . (Not only for .Net 3.5)

Thanks.

As reported in https://groups.google.com/forum/#!topic/dotnetopenid/X0heZE2ATZQ
2048 appears to be too long in some configurations. Users should be able to easily customize this value.

This is probably related to reporting.
Here are some stack traces from 3 threads at time of hang.

https://gist.github.com/837338

Hi

I am using dotnetopenauth library with an asp.net mvc 3 site.

It works on my local host but when I put it up on my testing server it does not work.

When I click on say to go to "google" it comes back with this message

The OpenId url sent to the server
failed to redirect. Please Try again

To get my site to work on my live site I had to remove this line from my web.config

<section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

I kept getting an error saying "There is a duplicate 'uri' section defined". I am not sure if dotnetopenauth needs that.

I am using

asp.net mvc 3
C#
.net 4.0
iis 7(on a shared hosting plan)

Submitting multiple query string parameters with the same name in a GET request fails. The OAuth 1.0a spec describes this:

OAuth 1.0a Spec - Parameters Normalization -
http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2

This type of GET request can be found in APIs from Google ( http://code.google.com/apis/buzz/v1/using_rest.html#count) and LinkedIn? ( http://developer.linkedin.com/docs/DOC-1006) as examples.

Originally submitted to DNOA forum at: http://groups.google.com/group/dotnetopenid/browse_thread/thread/fc1bf73c406dc000/20e50256e96b6a53#20e50256e96b6a53

More documentation here:

http://stackoverflow.com/questions/5533488/dotnetopenauth-a-property-with-the-name-originalhttprequesturi-is-not-present