
Fixed bug in OpenID Provider MVC sample that allowed users to log in as others.

Fixes #207
commit cdd3e95f4eac8076ffd78641bf4cf61d4422572a 1 parent 2299e0d
Andrew Arnott AArnott authored
Showing with 13 additions and 0 deletions.
  1. +13 −0 samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
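--- a/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
+++ b/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs
@@ -2,6 +2,7 @@ namespace OpenIdProviderMvc.Controllers {
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net;
 using System.Web;
 using System.Web.Mvc;
 using System.Web.Mvc.Ajax;
@@ -65,6 +66,11 @@ public class OpenIdController : Controller {
 return response;
 }
+if (!ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity &&
+!this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest)) {
+return this.Redirect(this.Url.Action("LogOn", "Account", new { returnUrl = this.Request.Url }));
+}
+
 this.ViewData["Realm"] = ProviderEndpoint.PendingRequest.Realm;
 return this.View();
@@ -72,6 +78,13 @@ public class OpenIdController : Controller {
 [HttpPost, Authorize, ValidateAntiForgeryToken]
 public ActionResult AskUserResponse(bool confirmed) {
+if (!ProviderEndpoint.PendingAuthenticationRequest.IsDirectedIdentity &&
+!this.UserControlsIdentifier(ProviderEndpoint.PendingAuthenticationRequest))
+{
+// The user shouldn't have gotten this far without controlling the identifier we'd send an assertion for.
+return new HttpStatusCodeResult((int)HttpStatusCode.BadRequest);
+}
+
 if (ProviderEndpoint.PendingAnonymousRequest != null) {
 ProviderEndpoint.PendingAnonymousRequest.IsApproved = confirmed;
 } else if (ProviderEndpoint.PendingAuthenticationRequest != null) {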
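Review bot: Both new guards dereference `ProviderEndpoint.PendingAuthenticationRequest` unconditionally, yet the context lines right after the guard in AskUserResponse (`PendingAnonymousRequest != null` followed by `else if (ProviderEndpoint.PendingAuthenticationRequest != null)`) show the existing code treats that property as possibly null, so an anonymous pending request would presumably hit a NullReferenceException on `.IsDirectedIdentity` before the approval logic runs; the guard added in AskUser has the same shape. An anonymous request has no identifier to assert, so the ownership check should be skipped for it rather than fail: `var authRequest = ProviderEndpoint.PendingAuthenticationRequest;` / `if (authRequest != null && !authRequest.IsDirectedIdentity && !this.UserControlsIdentifier(authRequest)) {`. Reading the property into a local once also avoids evaluating it separately for the check and the `UserControlsIdentifier` call. AskUser's declaration sits above its hunk and AskUserResponse's body continues past the end of this section.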