Background (which may be already evident from the multitude of questions I’ve asked about DNOA thus far): I’m working on a web application portal running in my employer’s intranet. However, since this is an intranet, all of the various relying parties (and the provider) have URLs that look like this: http://servername/path; notably missing a TLD.
This code in DotNetOpenAuth (UntrustedWebRequestHandler.IsUriAllowable(Uri uri)) performs the following check:
    if (!uri.Host.Contains(".")) {
        return failsUnlessWhitelisted("it does not contain a period in the host name.");
    }
Obviously, since all of my RPs are simply server names with no TLDs, they all fail this check.
Now, I realize I could just add them all to the web.config whitelist (which I’ve tried for a few and it works as expected), but seeing as new servers will be added dynamically I don’t see this as an ideal solution.
So my question is: Should I be trying to modify web.config dynamically? (preliminary research I’ve done on this indicates it would be a pain)
Or, is there some way to programmatically set the whitelist?
There is no programmatic way to modify the host whitelist, unfortunately.
If you are in a trusted environment, you can circumvent the UntrustedWebRequestHandler class and use a web request handler which doesn’t include the host name check (or checks that it matches whatever policy you need). There is a built-in DotNetOpenAuth.Messaging.StandardWebRequestHandler that you can use; it is a straight pass-through (doesn’t add any extra network-level security checks) and is recommended if you trust all the servers you will ask DotNetOpenAuth to connect to.

If you want to apply some more cautious policy (perhaps have some centralized list of whitelisted hosts), you can implement IDirectWebRequestHandler yourself, and you can use the existing UntrustedWebRequestHandler class for inspiration if necessary. Then of course set the above properties to your own implementation.
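As an added illustration of the "more cautious policy" option in the answer above (example code written here, not part of the original post and not DotNetOpenAuth's own code): a handler that wraps the pass-through StandardWebRequestHandler and enforces a centralized host allow-list before every outbound request. It assumes the DotNetOpenAuth 3.x shape of IDirectWebRequestHandler (CanSupport, two GetRequestStream overloads, two GetResponse overloads), that ProtocolException takes a message string, that OpenIdRelyingParty exposes Channel.WebRequestHandler with a setter, and a hypothetical LoadAllowedHostsFromDatabase() that you would replace with your own list source. The policy deliberately keeps deny-by-default: single-label intranet names and IP literals are accepted only when they appear on the list, and non-http(s) schemes are always refused.

```csharp
// Added example: intranet-aware request handler for DotNetOpenAuth.
// Assumes the 3.x IDirectWebRequestHandler interface members shown below.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId.RelyingParty;

public sealed class IntranetWebRequestHandler : IDirectWebRequestHandler
{
    // StandardWebRequestHandler performs the actual network I/O with no host checks;
    // this class supplies the checks it leaves out.
    private readonly IDirectWebRequestHandler inner = new StandardWebRequestHandler();

    // Centralized allow-list source (database, config service, ...). Re-queried on
    // every request so newly added servers take effect without editing web.config.
    private readonly Func<IEnumerable<string>> allowedHostsSource;

    public IntranetWebRequestHandler(Func<IEnumerable<string>> allowedHostsSource)
    {
        if (allowedHostsSource == null) throw new ArgumentNullException("allowedHostsSource");
        this.allowedHostsSource = allowedHostsSource;
    }

    public bool CanSupport(DirectWebRequestOptions options)
    {
        return this.inner.CanSupport(options);
    }

    public Stream GetRequestStream(HttpWebRequest request)
    {
        this.EnsureAllowed(request.RequestUri);
        return this.inner.GetRequestStream(request);
    }

    public Stream GetRequestStream(HttpWebRequest request, DirectWebRequestOptions options)
    {
        this.EnsureAllowed(request.RequestUri);
        return this.inner.GetRequestStream(request, options);
    }

    public IncomingWebResponse GetResponse(HttpWebRequest request)
    {
        this.EnsureAllowed(request.RequestUri);
        return this.inner.GetResponse(request);
    }

    public IncomingWebResponse GetResponse(HttpWebRequest request, DirectWebRequestOptions options)
    {
        this.EnsureAllowed(request.RequestUri);
        return this.inner.GetResponse(request, options);
    }

    // Deny-by-default policy: http/https only, and the host must be on the central list.
    // Unlike UntrustedWebRequestHandler, a host without a "." is not rejected outright,
    // but it (and any IP literal) is accepted only when explicitly listed.
    private void EnsureAllowed(Uri uri)
    {
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ProtocolException("Refusing non-http(s) request to " + uri);
        }

        string host = uri.Host.ToLowerInvariant();
        bool listed = this.allowedHostsSource()
            .Any(h => string.Equals(h.Trim(), host, StringComparison.OrdinalIgnoreCase));

        if (!listed)
        {
            throw new ProtocolException("Host '" + host + "' is not on the intranet allow-list.");
        }
    }
}

public static class RelyingPartyFactory
{
    // Hypothetical: replace with your own centralized list lookup.
    private static IEnumerable<string> LoadAllowedHostsFromDatabase()
    {
        return new[] { "servername", "authserver", "portal02" }; // constructed sample values
    }

    public static OpenIdRelyingParty Create()
    {
        var rp = new OpenIdRelyingParty();
        // Assumed: Channel.WebRequestHandler is settable in this DotNetOpenAuth version.
        rp.Channel.WebRequestHandler = new IntranetWebRequestHandler(LoadAllowedHostsFromDatabase);
        return rp;
    }
}
```

Because the allow-list is consulted per request, adding a server is a data change rather than a deployment; cache the lookup if the list source is slow. If the provider also runs in-process, the same handler can be assigned to its channel.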