
I'm using the following sample code from the DotNetOpenAuth Samples (OpenId Controller in OpenIdProviderMvc):

```csharp
public ActionResult ProcessAuthRequest() {
    if (ProviderEndpoint.PendingRequest == null) {
        return this.RedirectToAction("Index", "Home");
    }

    // Try responding immediately if possible.
    ActionResult response;
    if (this.AutoRespondIfPossible(out response)) {
        return response;
    }

    // We can't respond immediately with a positive result.  But if we still have to respond immediately...
    if (ProviderEndpoint.PendingRequest.Immediate) {
        // We can't stop to prompt the user -- we must just return a negative response.
        return this.SendAssertion();
    }

    return this.RedirectToAction("AskUser");
}

private bool AutoRespondIfPossible(out ActionResult response) {
    if (ProviderEndpoint.PendingRequest.IsReturnUrlDiscoverable(OpenIdProvider.Channel.WebRequestHandler) == RelyingPartyDiscoveryResult.Success
        && User.Identity.IsAuthenticated) {
        if (ProviderEndpoint.PendingAuthenticationRequest != null) {
            if (ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity
                || this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest)) {
                ProviderEndpoint.PendingAuthenticationRequest.IsAuthenticated = true;
                response = this.SendAssertion();
                return true;
            }
        }

        if (ProviderEndpoint.PendingAnonymousRequest != null) {
            ProviderEndpoint.PendingAnonymousRequest.IsApproved = true;
            response = this.SendAssertion();
            return true;
        }
    }

    response = null;
    return false;
}
```

However, I don't want to ask the user anything. I'm trying to set up a web application portal that should automatically respond positively to the RP if the user is logged in (which he is). Yet AutoRespondIfPossible returns false, because ProviderEndpoint.PendingRequest.IsReturnUrlDiscoverable returns false and I'm not sure why. What action should I be taking here?

Logs:

RP: http://pastebin.com/0EX2ZE1C

EP: http://pastebin.com/q5CPrWp6

Previous related questions:

SSO - No OpenID endpoint found

OpenIdProvider.GetRequest() returns null

Does an OpenID realm have to be the base URL of the web site?

Mansfield
  • Since `AutoRespondIfPossible` is a method defined in your code, and it's returning `false` when you want it to return `true`, why are you asking *us* why your method returns the wrong result? – Andrew Arnott Oct 11 '12 at 21:54
  • Sorry - I should have mentioned that method is copied straight from the samples. I'll add it to the question tomorrow. – Mansfield Oct 12 '12 at 04:02
  • I've clarified my question (added more code). – Mansfield Oct 12 '12 at 11:36

1 Answer

IsReturnUrlDiscoverable performs what OpenID calls "RP Discovery". And it's important anyway, but particularly if you will be auto-logging users in, it's critical for security. The fact that it's returning false tells you the RP needs some work to do this correctly.

This blog post explains what the RP must do to pass "RP Discovery" tests.

Andrew Arnott
  • I did have an XRDS document already being served but I didn't have the section that specifically advertised the `return_to`. Once I added that (from your blog post) not only did it get me over the error in this particular question but it also finally went through the entire process and successfully logged me into my RP. Hopefully this means the end of all my questions - and thank you once again very much for all your help! – Mansfield Oct 25 '12 at 18:30
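
A sketch of what RP Discovery verifies (OpenID 2.0, section 13), added here as an example; it is not DotNetOpenAuth's code and not from the original post. It parses an RP's XRDS document and tests whether a `return_to` URL is covered by an advertised endpoint. The host `rp.example.com`, the sample document and the function names are constructed, and the HTTP fetch of the document is left out.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD = "{xri://$xrd*($v*2.0)}"  # XRD namespace in ElementTree notation
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of the XRDS document an RP serves for its realm.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example.com/login</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def advertised_return_to(xrds_text):
    """List the URIs of every Service typed as a return_to endpoint."""
    # Parse documents fetched from a remote RP with a hardened XML parser.
    root = ET.fromstring(xrds_text)
    uris = []
    for service in root.iter(XRD + "Service"):
        types = {c.text.strip() for c in service if c.tag == XRD + "Type" and c.text}
        if RETURN_TO_TYPE in types:
            uris += [c.text.strip() for c in service if c.tag == XRD + "URI" and c.text]
    return uris


def _parts(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/"


def return_to_is_advertised(return_to, xrds_text):
    """True when return_to has the same scheme, host and port as an advertised
    endpoint and a path equal to or below it. Query strings are not compared."""
    scheme, host, port, path = _parts(return_to)
    for endpoint in advertised_return_to(xrds_text):
        e_scheme, e_host, e_port, e_path = _parts(endpoint)
        if "*" in e_host or (scheme, host, port) != (e_scheme, e_host, e_port):
            continue  # wildcards are not allowed in advertised endpoints
        if path == e_path or path.startswith(e_path.rstrip("/") + "/"):
            return True
    return False
```

An XRDS document that is served but lacks the `return_to` service, the situation described in the last comment, yields an empty endpoint list and therefore a failed check.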