WebFormsRelyingParty example


wpeters1981

Feb 19, 2010, 4:25:11 AM
to DotNetOpenAuth
I have created a project from the template and have got the OpenID
part of the example working.
However, I cannot see how the OAuth part should be working.

When I create the database and change the web.config to allow
localhost requests, how should I then use the oauth.ashx?

Should I be able to connect with the WebConsumer or DesktopConsumer to
this endpoint? How do I initiate an authentication flow?

Any concrete example code for how to connect to the OAuth part of the
WebFormsRelyingParty would be great, because I cannot figure it out.

Every example that I see already defines the WebConsumer key and
secret, but what should these be in this example?
The database consumer tables stay empty when someone has authenticated
with OpenID.

Should the authentication be started through OAuth for these tables to be
filled, or should I manually add these keys/secrets?

Andrew Arnott

Feb 19, 2010, 9:02:02 AM
to dotnet...@googlegroups.com
Good questions... I'll answer below.

On Fri, Feb 19, 2010 at 1:25 AM, wpeters1981 <wgtm....@gmail.com> wrote:
> I have created a project from the template and have got the OpenID
> part of the example working.
> However, I cannot see how the OAuth part should be working.
>
> When I create the database and change the web.config to allow
> localhost requests, how should I then use the oauth.ashx?

Actually allowing localhost requests makes logging in with a locally hosted OpenID easier, but it doesn't impact an OAuth SP at all.

> Should I be able to connect with the WebConsumer or DesktopConsumer to
> this endpoint?

One key difference between OpenID and OAuth is that with OpenID, the RP doesn't have to have any prior knowledge of the OP before working with it, since OpenID discovery takes care of all that. But in OAuth, the Consumer must have preprogrammed knowledge about the SP's OAuth.ashx URL, and all the URLs that are necessary to actually access the information it wants. And the SP must know about the consumer in advance as well, via an entry in its Consumers table with a consumer key and (possibly) secret.

Neither of these consumer samples knows about your particular SP: either its URLs or how to actually retrieve and parse information it offers. But the OAuthConsumerWPF recently gained a "Generic" tab that lets you program this information while the app is running. The first three URLs this tab takes are all the same fully-qualified OAuth.ashx on your SP. The Resource URL is the URL that will be pulled from once authorization has completed. If you put a URL here from your site for a page that includes user-specific data (perhaps even just a username of the logged in user), then in the bottom box you'll see the HTML of that page and be able to see that indeed that information is present. You also have to fill in the consumer key and secret on this tab as well, which must match the key and secret in the SP's consumer table.

> How do I initiate an authentication flow?

I believe what I just described is what you're looking for, although that's an authorization flow, rather than an authentication flow.

> Any concrete example code for how to connect to the OAuth part of the
> WebFormsRelyingParty would be great, because I cannot figure it out.

I hope that sample's Generic tab is just what you're looking for. Since every SP is different, that's about as close to a working sample as I can imagine.

> Every example that I see already defines the WebConsumer key and
> secret, but what should these be in this example?
> The database consumer tables stay empty when someone has authenticated
> with OpenID.

It's empty to avoid a security hole that would result in every SP generated by this project template having a consumer key and secret that everyone knows -- not much of a secret. :) So you can hand-edit this table to add entries for consumers to use, but eventually what each SP may want to do is add a web interface for programmers of consumer apps to register themselves to obtain a new consumer key and secret for themselves. That's not [yet] in the project template since that's very per-site policy specific.

Does that help?

wpeters1981

Feb 22, 2010, 7:45:18 AM
to DotNetOpenAuth
That does clear some things up!
I want to create a mobile app (iPhone) which can use OpenID and OAuth
for authentication and identification.
Someone who wants to use the app needs to log in.
He will then be redirected to my OpenID site where he can log in with a
number of OpenID providers (Google, myOpenID etc...)

After the user is logged in to my site using his OpenID account, I want
to use OAuth to authorize the iPhone app to use the user's information
from my site. (There will be extra profile information for this user
outside the OpenID info.)

The app will then keep using the OAuth token to log in to the
application and do whatever it has to.
Is this a way OAuth could be used, or is that not what it's intended
for, or even possible?

Is it possible to use this OAuth auth token to authenticate itself to
other endpoints using OAuth?
Bit difficult to explain, but the point is that the app, after it has
received an OAuth token, needs to use this user to authenticate itself
at some web services it will use.
Can an OAuth token be used for this, or should I initiate a new OAuth flow
for every web site/service?


Andrew Arnott

Feb 22, 2010, 11:22:46 AM
to dotnetopenid
2010/2/22 wpeters1981 <wgtm....@gmail.com>

> Is this a way OAuth could be used, or is that not what it's intended
> for, or even possible?

The flow you're describing sounds good. It's probably healthy to separate in your mind the OpenID and OAuth parts of it however. Think of your iPhone app as just an OAuth consumer -- no OpenID is part of it at all. As part of requesting authorization, your web site/service needs to authenticate the user, which it chooses to use OpenID for. After authentication is done, OAuth resumes and the user is asked to authorize the iPhone app. He says yes, and the app now has an access token. Note that with OAuth 1.0a, the user also needs to copy a PIN from the web service web page to your app. It can be as simple or as complex as you want -- obviously with security as the trade-off. Considering the form factor of the iPhone it should probably be on the simple side.

> Is it possible to use this OAuth auth token to authenticate itself to
> other endpoints using OAuth?
> Bit difficult to explain, but the point is that the app, after it has
> received an OAuth token, needs to use this user to authenticate itself
> at some web services it will use.
> Can an OAuth token be used for this, or should I initiate a new OAuth flow
> for every web site/service?

OAuth tokens are only valid for use with the service that issued them unless a set of services are operated by the same entity and they choose to allow sharing of tokens. In the future, OAuth WRAP may provide a way for one authorization token to work for multiple independent sites/services.

wpeters1981

Feb 26, 2010, 4:32:11 AM
to DotNetOpenAuth
I need a way to identify the calling app.
How about deploying the iPhone app with a predefined OAuth token that the
app uses the first time someone uses it, when no user OAuth has been
created? That way I know which app started the OAuth flow for user x
and then can create the user profile with some app-specific
information.


Øyvind Sean Kinsey

Feb 26, 2010, 5:03:25 AM
to dotnet...@googlegroups.com
This is what the application key/secret pair is for.

Andrew Arnott

Feb 26, 2010, 8:36:56 AM
to dotnetopenid
The app key/secret is good for web apps, but a false blanket of security for installed client apps since the secret can be discovered. However, iPhone apps are sufficiently locked down that perhaps the level of difficulty vs. the security you need balances out.

But wpeters' idea of keying individual apps works perfectly well too. And it doesn't necessarily have to be in the distribution of the app itself that you key it... it could be that the app on first startup requests a consumer token and secret from the SP and stores it. That way the SP can assign a unique secret to each installation of the app. Although it won't know any significant "who" is behind the token, but at least it can individualize the installations.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
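
The per-installation keying described in the post above, sketched as an added example that is not part of the original thread or of DotNetOpenAuth. `InstallationConsumerRegistry`, its members and all sample values are hypothetical, and the sketch assumes the SP verifies OAuth 1.0 HMAC-SHA1 signatures.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration. InstallationConsumerRegistry and its members are
// hypothetical names, not DotNetOpenAuth types or the template's schema.
public sealed class InstallationConsumerRegistry
{
    // OAuth 1.0 HMAC-SHA1 needs the secret itself to recompute signatures,
    // so the SP keeps it retrievable (encrypt at rest) rather than hashed.
    private readonly Dictionary<string, string> secretsByKey =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Called once per installation, e.g. on the app's first startup.
    public KeyValuePair<string, string> Issue()
    {
        string consumerKey = RandomHex(16);    // public identifier of this install
        string consumerSecret = RandomHex(32); // 256 bits from the OS CSPRNG
        secretsByKey.Add(consumerKey, consumerSecret);
        return new KeyValuePair<string, string>(consumerKey, consumerSecret);
    }

    // Revoking one installation leaves every other installation untouched.
    public bool Revoke(string consumerKey)
    {
        return secretsByKey.Remove(consumerKey);
    }

    public bool Verify(string consumerKey, string tokenSecret, string baseString, string signature)
    {
        string consumerSecret;
        if (!secretsByKey.TryGetValue(consumerKey, out consumerSecret)) return false;
        return FixedTimeEquals(Sign(consumerSecret, tokenSecret, baseString), signature);
    }

    // HMAC-SHA1 as defined by OAuth 1.0: the HMAC key is the encoded consumer
    // secret, "&", and the encoded token secret.
    public static string Sign(string consumerSecret, string tokenSecret, string baseString)
    {
        string hmacKey = Uri.EscapeDataString(consumerSecret) + "&" + Uri.EscapeDataString(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(hmacKey)))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
        }
    }

    private static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    // Comparison time does not depend on where the first mismatch occurs.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class RegistryDemo
{
    public static void Main()
    {
        var registry = new InstallationConsumerRegistry();
        var installA = registry.Issue();
        var installB = registry.Issue();

        // Constructed sample values, for illustration only.
        const string tokenSecret = "constructed-token-secret";
        const string baseString =
            "GET&http%3A%2F%2Fsp.example%2Faccountinfo.aspx&oauth_nonce%3Dconstructed";

        string sigA = InstallationConsumerRegistry.Sign(installA.Value, tokenSecret, baseString);
        string sigB = InstallationConsumerRegistry.Sign(installB.Value, tokenSecret, baseString);

        Console.WriteLine("A's signature under A's key: "
            + registry.Verify(installA.Key, tokenSecret, baseString, sigA));
        Console.WriteLine("A's signature under B's key: "
            + registry.Verify(installB.Key, tokenSecret, baseString, sigA));

        // A secret extracted from one device only speaks for that installation,
        // and revoking it does not disturb the others.
        registry.Revoke(installA.Key);
        Console.WriteLine("A after revocation: "
            + registry.Verify(installA.Key, tokenSecret, baseString, sigA));
        Console.WriteLine("B after A's revocation: "
            + registry.Verify(installB.Key, tokenSecret, baseString, sigB));
    }
}
```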



wpeters1981

Feb 26, 2010, 9:21:42 AM
to DotNetOpenAuth
I have got it working up to the point where I request a resource,
because I cannot find any resources that can be requested in the
example.
Should I be able to request accountinfo.aspx?
Is it normal that every time I click begin in the OAuthConsumerWPF I
have to allow the app access and use the returned verification
number?
Should it not save an auth token after this in the InMemoryTokenManager
and just use the existing auth token from the previous flow?
The point is that users only complete the flow once...
Can I use OAuth to protect a web service (which could be in the same
site and uses the same database) and also identify the person?


wpeters1981

Feb 26, 2010, 9:32:44 AM
to DotNetOpenAuth
All instances of app type XXX can have the same key; I just need to
identify the different applications, not the specific instance of app
XXX.
Do any of you have experience with the OAuth API on iPhone?
On the server side, when someone does a request to web service A using
his access token, can I use this access token to get information about
the user behind the token? Or better yet, the resources the token gives
access to.
The web service needs to be protected, as in someone needs to be
authenticated on the website (using an OpenID in this case).
It also needs to use some user-specific information, ea information
saved in his profile.


Andrew Arnott

Feb 26, 2010, 10:17:49 AM
to dotnetopenid
Inline...
2010/2/26 wpeters1981 <wgtm....@gmail.com>

> I have got it working up to the point where I request a resource,
> because I cannot find any resources that can be requested in the
> example.
> Should I be able to request accountinfo.aspx?

Yes, that's an example of a page that requires the user to be logged in, or for the consumer to have an access token.

> Is it normal that every time I click begin in the OAuthConsumerWPF I
> have to allow the app access and use the returned verification
> number?

Yes. Not normal in a shipping app, but normal for the sample.

> Should it not save an auth token after this in the InMemoryTokenManager
> and just use the existing auth token from the previous flow?

Yes, if it were a real app. Or maybe even a better sample. :) The InMemoryTokenManager is a sample-only ITokenManager anyway. Really tokens should be saved on disk so that even across app reloads the user can still use a prior authorization rather than re-authorizing.

> The point is that users only complete the flow once...

Agreed.

> Can I use OAuth to protect a web service (which could be in the same
> site and uses the same database) and also identify the person?

Absolutely. But that's up to the service provider. While the user is authorizing the request token with the SP, the SP is presumably already associating the user with the token in order to allow the consumer to access that user's data. So when the token comes into the SP the SP should know who it is. In fact the OAuthServiceProvider sample does this. Incoming OAuth requests automatically get the HttpContext.Current.User assigned to the user, so the page can act and do all the normal things and it "just knows" who the user (or the user who authorized the token) is.

wpeters1981

Feb 26, 2010, 10:52:04 AM
to DotNetOpenAuth
How can I get some info out of the accountinfo.aspx page from the
consumerwpf example?
What should be a valid resource URL for the example?
Or what should I do to enable resource requests for that page?



Andrew Arnott

Feb 26, 2010, 10:58:41 AM
to dotnet...@googlegroups.com
Just enter the full URL to the accountinfo.aspx page into the WPF consumer sample and it should pull the HTML for the page into the app's textbox.  No other special steps should be necessary.

Or are you expecting web service-like XML in the response instead of HTML in this case?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


wpeters1981

Mar 5, 2010, 8:22:10 AM
to DotNetOpenAuth
How can I protect a WCF service with OAuth?
Should I just pass the token as a parameter with the calls to the
service and then check the token service side (outside the normal OAuth
flow)?
Or can I initiate the flow from a web service call as well?
So a call to the web service starts an OAuth flow when the token is invalid
or not sent with the request.


Øyvind Sean Kinsey

Mar 5, 2010, 8:25:34 AM
to dotnet...@googlegroups.com
Take a look at the OAuthServiceProvider sample, at the OAuthAuthorizationManager class.
This is applied to the binding using

    <serviceBehaviors>
      <behavior name="DataApiBehavior">
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <serviceAuthorization
            serviceAuthorizationManagerType="OAuthAuthorizationManager, __code"
            principalPermissionMode="Custom" />
      </behavior>
    </serviceBehaviors>

This is the class that reads the token and that converts the claims into an IIdentity for .NET.

wpeters1981

Mar 12, 2010, 5:47:33 AM
to DotNetOpenAuth
Ah, I see.
I need to change the code so that it adds scopes (method names),
correct?


Øyvind Sean Kinsey

Mar 12, 2010, 5:53:47 AM
to dotnet...@googlegroups.com
The token itself only verifies that the holder can prove its identity and that the claim can be converted to an IPrincipal via the 'name' claim.
Additional claims can be added to grant access to resources (methods, files, roles etc), but are not required.

If you only want the identity then you can remove the part that checks for claims and just return true.

wpeters1981

Apr 26, 2010, 5:37:56 AM
to DotNetOpenAuth
I have been working on a prototype a bit further, however now I get an
exception on
D:\AArnott-dotnetopenid-ec4a40e\src\DotNetOpenAuth\Messaging\Bindings\StandardReplayProtectionBindingElement.cs
line 132 return MessageProtections.ReplayProtection;

This happens when, after authing in the AuthConsumerWpf example, I call
a web service as a resource.
This service is running in the same website as where the OAuth/OpenID
authentication happened, so it does work fine calling the service;
however, I always need to manually skip the replay protection bit,
somehow it always gets the same nonce more than once.

I use the same code to call the web service (with a different generated
WCF client/endpoint) as the AuthConsumerWpf example does.


So after normal auth I do

    HttpDeliveryMethods resourceHttpMethod = HttpDeliveryMethods.GetRequest;

    if (useAuthHeaderForResource)
    {
        resourceHttpMethod |= HttpDeliveryMethods.AuthorizationHeaderRequest;
    }

    wcf = consumer;

    try
    {
        // use consumer oauth, error when retrying somehow, also seems to save nonce more than once and therefore gives errors
        serviceInfo = CallService(.......)



Andrew Arnott

Apr 26, 2010, 9:41:45 AM
to dotnet...@googlegroups.com
I'm a bit confused on some parts of what you're saying, wpeters1981...

How are you disabling the replay protection bit?  A customized build of DNOA?  If so, I recommend you figure out why the other party is consuming their nonce more than one time as that's a bug on their end I think.

But you also mentioned in the code comment about nonce failing when retrying.  What retry are we talking about here?  Certainly yes, if you send the same request twice there will be a nonce collision.  If you need to retry a request, OAuth should sign it over again to avoid that on the consumer side.  But I'd also be curious why retry is necessary.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


wpeters1981

Apr 27, 2010, 4:14:49 AM
to DotNetOpenAuth
I have not disabled it, but when debugging I simply step over the
second time I see the same nonce,
because I can't figure out why it sends the same nonce twice but I
still want to continue working on my code.
In the OAuthConsumerWPF example, after Authorize.xaml accepts the
validation code from the website, it all goes well.
Then it comes to the serviceInfo = CallService(...) part, and there it
somehow sends an AccessProtectedResourceRequest with the same nonce
twice.
After I jump over the second nonce check while debugging, everything from
dataserviceuri= ... works fine.



            try
            {
                serviceInfo = CallService(client => client.GetDataServiceInfo("41D"));
                DataServiceUri = serviceInfo.Location;
                Data = CallServiceData(client => client.GetData(serviceInfo));
            }
            catch (Exception exs)
            {
                //MessageBox.Show(this, exs.Message);
            }
        }
        catch (DotNetOpenAuth.Messaging.ProtocolException ex)
        {
            //MessageBox.Show(this, ex.Message);
        }
    }


    private T CallService<T>(Func<ZNSServiceClient, T> predicate)
    {
        var client = new ZNSServiceClient("WSHttpBinding_IZNSService", resourceUrl);
        var serviceEndpoint = new MessageReceivingEndpoint(
            client.Endpoint.Address.Uri,
            HttpDeliveryMethods.AuthorizationHeaderRequest | HttpDeliveryMethods.PostRequest);
        if (wcfAccessToken == null)
        {
            throw new InvalidOperationException("No access token!");
        }
        WebRequest httpRequest = wcf.PrepareAuthorizedRequest(serviceEndpoint, wcfAccessToken);

        var httpDetails = new HttpRequestMessageProperty();
        httpDetails.Headers[HttpRequestHeader.Authorization] = httpRequest.Headers[HttpRequestHeader.Authorization];
        using (var scope = new OperationContextScope(client.InnerChannel))
        {
            OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = httpDetails;
            return predicate(client);

Andrew Arnott

Apr 27, 2010, 8:56:30 AM
to dotnet...@googlegroups.com
Thanks.  It's starting to make sense.  One more question: you say that the consumer sends the same nonce twice.  Why is it sending the second request?  Do you click the button twice, or is it sending two requests for one click?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


wpeters1981

May 7, 2010, 4:21:16 AM
to DotNetOpenAuth
That's exactly what I cannot figure out :)
The call seems to result in 2 requests with the same nonce. I will try
and home in on the problem a bit closer and try and figure out what
sends the second request.



wpeters1981

May 7, 2010, 5:32:27 AM
to DotNetOpenAuth
It seems to be 1 request that does it.

Somehow it triggers StandardReplayProtectionElement.cs twice within
the same request.

Stack trace for the first is:

> DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message = {DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest}) Line 127 C#
DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message = {DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest}) Line 990 + 0x15 bytes C#
DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Channel.ReadFromRequest(DotNetOpenAuth.Messaging.HttpRequestInfo httpRequest = {DotNetOpenAuth.Messaging.HttpRequestInfo}) Line 378 C#
DotNetOpenAuth.DLL!DotNetOpenAuth.OAuth.ServiceProvider.ReadRequest(DotNetOpenAuth.Messaging.HttpRequestInfo request = {DotNetOpenAuth.Messaging.HttpRequestInfo}) Line 224 + 0x1a bytes C#
RelyingPartyLogic.DLL!RelyingPartyLogic.OAuthAuthenticationModule.context_AuthenticateRequest(object sender = {ASP.global_asax}, System.EventArgs e = {System.EventArgs}) Line 63 + 0x4c bytes C#


Second time is with the same nonce:

> DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message = {DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest}) Line 127 C#
DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message = {DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest}) Line 990 + 0x15 bytes C#
DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Channel.ReadFromRequest(DotNetOpenAuth.Messaging.HttpRequestInfo httpRequest = {DotNetOpenAuth.Messaging.HttpRequestInfo}) Line 378 C#
DotNetOpenAuth.DLL!DotNetOpenAuth.Messaging.Channel.TryReadFromRequest<DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest>(DotNetOpenAuth.Messaging.HttpRequestInfo httpRequest = {DotNetOpenAuth.Messaging.HttpRequestInfo}, out DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest request = null) Line 314 + 0xb bytes C#
DotNetOpenAuth.DLL!DotNetOpenAuth.OAuth.ServiceProvider.ReadProtectedResourceAuthorization(DotNetOpenAuth.Messaging.HttpRequestInfo request = {DotNetOpenAuth.Messaging.HttpRequestInfo}) Line 529 + 0x22 bytes C#
DotNetOpenAuth.DLL!DotNetOpenAuth.OAuth.ServiceProvider.ReadProtectedResourceAuthorization(System.ServiceModel.Channels.HttpRequestMessageProperty request = {System.ServiceModel.Channels.HttpRequestMessageProperty}, System.Uri requestUri = {http://localhost:59514/ZNSService.svc}) Line 511 + 0x28 bytes C#
RelyingPartyLogic.DLL!RelyingPartyLogic.OAuthAuthorizationManager.CheckAccessCore(System.ServiceModel.OperationContext operationContext = {System.ServiceModel.OperationContext}) Line 39 + 0x1a bytes C#

wpeters1981

May 7, 2010, 5:37:53 AM
to DotNetOpenAuth
Btw, the config for the service where the error occurs is

    <behavior name="ZNSService.ZNSServiceBehavior">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="Custom"
          serviceAuthorizationManagerType="RelyingPartyLogic.OAuthAuthorizationManager, RelyingPartyLogic" />
    </behavior>



Andrew Arnott

May 7, 2010, 10:41:43 AM
to dotnetopenid
Excellent! The two stack traces were most helpful.  

What's happening here is that when you combine the WCF-authorizing OAuthAuthorizationManager and the general ASP.NET OAuthAuthenticationModule, they each take a turn servicing the same incoming request.  The two cannot stack together.  I never noticed this because none of the samples or project templates use both WCF and the OAuthAuthenticationModule.  

I'll have to think about how to generally solve this.  But if this helps you (because you actually only need one or the other on your web site, for example) then great.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
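
Why two gates reading the same request trip replay protection, and why a retry has to be signed again (the point made in the Apr 26 reply), shown as an added example that is not part of the original thread or of DotNetOpenAuth. `NonceStore`, `SignedRequest` and the two gate methods are hypothetical stand-ins for the components named in the stack traces, and all sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration; these are hypothetical stand-ins, not DotNetOpenAuth types.
public sealed class NonceStore
{
    private readonly Dictionary<Tuple<string, long, string>, DateTime> seen =
        new Dictionary<Tuple<string, long, string>, DateTime>();
    private readonly TimeSpan maxAge;

    public NonceStore(TimeSpan maxAge) { this.maxAge = maxAge; }

    // True only the first time a (consumer, timestamp, nonce) triple is seen
    // inside the freshness window; any repeat is treated as a replay.
    public bool TryConsume(string consumerKey, string nonce, DateTime timestampUtc, DateTime nowUtc)
    {
        if ((nowUtc - timestampUtc).Duration() > maxAge) return false;

        // Entries older than the window can be forgotten: the timestamp check
        // above already rejects any request that tries to reuse them.
        foreach (var old in seen.Where(p => nowUtc - p.Value > maxAge).Select(p => p.Key).ToList())
            seen.Remove(old);

        var id = Tuple.Create(consumerKey, timestampUtc.Ticks, nonce);
        if (seen.ContainsKey(id)) return false;
        seen.Add(id, timestampUtc);
        return true;
    }
}

public sealed class SignedRequest
{
    public string ConsumerKey;
    public string Nonce;
    public DateTime TimestampUtc;

    // Signing again always yields a fresh nonce and timestamp.
    public static SignedRequest Sign(string consumerKey, DateTime nowUtc)
    {
        return new SignedRequest
        {
            ConsumerKey = consumerKey,
            Nonce = Guid.NewGuid().ToString("N"),
            TimestampUtc = nowUtc
        };
    }
}

public static class ReplayDemo
{
    // Each gate performs a complete read of the incoming message, which
    // includes consuming its nonce.
    static bool HttpModuleGate(NonceStore store, SignedRequest r, DateTime now)
    {
        return store.TryConsume(r.ConsumerKey, r.Nonce, r.TimestampUtc, now);
    }

    static bool WcfAuthorizationGate(NonceStore store, SignedRequest r, DateTime now)
    {
        return store.TryConsume(r.ConsumerKey, r.Nonce, r.TimestampUtc, now);
    }

    public static void Main()
    {
        var now = new DateTime(2010, 5, 7, 9, 32, 27, DateTimeKind.Utc); // constructed clock
        var store = new NonceStore(TimeSpan.FromMinutes(10));
        const string consumer = "constructed-consumer-key";

        // Both gates enabled: one legitimate request, but the second gate
        // presents a nonce the first gate has already consumed.
        var stacked = SignedRequest.Sign(consumer, now);
        Console.WriteLine("module gate accepts: " + HttpModuleGate(store, stacked, now));
        Console.WriteLine("WCF gate accepts same request: " + WcfAuthorizationGate(store, stacked, now));

        // Only the WCF gate enabled: the nonce is consumed exactly once.
        var single = SignedRequest.Sign(consumer, now);
        Console.WriteLine("WCF gate alone accepts: " + WcfAuthorizationGate(store, single, now));

        // A consumer-side retry that resends the same signed message is a replay;
        // signing the request again produces a nonce the store has not seen.
        Console.WriteLine("resent without re-signing: " + WcfAuthorizationGate(store, single, now));
        var resigned = SignedRequest.Sign(consumer, now.AddSeconds(1));
        Console.WriteLine("retry after re-signing: " + WcfAuthorizationGate(store, resigned, now.AddSeconds(1)));
    }
}
```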


wpeters1981

May 10, 2010, 11:07:53 AM
to DotNetOpenAuth
I was thinking that something like this was happening, however where
can I disable the WCF auth?
Because I was thinking that the settings in the web.config would be doing
this for me.



Andrew Arnott

May 10, 2010, 11:17:16 AM
to dotnetopenid
Both security gates are expressed in the web.config file.  Look for OAuthAuthorizationManager and OAuthAuthenticationModule.  If you're only protecting the WCF service, I suggest you keep the WCF one.  If you're protecting more than that, it gets more complicated since the OAuthAuthorizationManager does more for WCF than the generic one will do.


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


wpeters1981

May 12, 2010, 6:29:46 AM
to DotNetOpenAuth
Excellent, that fixed it. I removed OAuthAuthenticationModule and now
it seems to work.
I still have one bug: when I am not logged in to the OpenID relying
site when doing the OAuth WCF request, I first need to log in using, for
example, a Google account. That's all great, but after logging in I do
not get redirected to the OAuth page to accept the request and get the
confirmation code.
This only happens when I am requesting OAuth when I am already logged in
to the site.


Andrew Arnott

May 12, 2010, 9:04:12 AM
to dotnet...@googlegroups.com
On 5/12/2010 3:29 AM, wpeters1981 wrote:
> Excellent, that fixed it. I removed OAuthAuthenticationModule and now
> it seems to work.

Great.

> I still have one bug: when I am not logged in to the OpenID relying
> site when doing the OAuth WCF request, I first need to log in using, for
> example, a Google account. That's all great, but after logging in I do
> not get redirected to the OAuth page to accept the request and get the
> confirmation code.

I believe the samples and project template handle this correctly. So what you need to do is check that
  1. Your OAuth.ashx page (or wherever you receive the token authorization request) stores the pending authorization request in a Session variable and redirects to the authorization page directly and not your login page.
  2. That ASP.NET diverts the redirect to the authorization page to login.aspx?redirectUrl=authorizationpage.aspx
  3. That your login page completes user login by calling FormsAuthentication.RedirectFromLoginPage
  4. That your authorizationpage.aspx checks the session variable and finds the pending authorization request.

> This only happens when I am requesting OAuth when I am already logged in
> to the site.

I assume this is a typo, as it seems to be the opposite of what has gone before. If you're already logged in, I thought you were describing it as working?