/// <summary>
		/// Gets the protocol message that may be embedded in the given HTTP request.
		/// </summary>
		/// <param name="request">The request to search for an embedded message.</param>
		/// <returns>
		/// The deserialized message, if one is found.  Null otherwise.
		/// </returns>
		protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) {
			Logger.Channel.DebugFormat("Incoming HTTP request: {0} {1}", request.HttpMethod, request.UrlBeforeRewriting.AbsoluteUri);

			var fields = request.QueryStringBeforeRewriting.ToDictionary();

			// Also read parameters from the fragment, if it's available.
			// Typically the fragment is not available because the browser doesn't send it to a web server
			// but this request may have been fabricated by an installed desktop app, in which case
			// the fragment is available.
			string fragment = request.UrlBeforeRewriting.Fragment;
			if (!string.IsNullOrEmpty(fragment)) {
				foreach (var pair in HttpUtility.ParseQueryString(fragment.Substring(1)).ToDictionary()) {
					fields.Add(pair.Key, pair.Value);
				}
			}

			MessageReceivingEndpoint recipient;
			try {
				recipient = request.GetRecipient();
			} catch (ArgumentException ex) {
				Logger.Messaging.WarnFormat("Unrecognized HTTP request: ", ex);
				return null;
			}

			return (IDirectedProtocolMessage)this.Receive(fields, recipient);
		}

		public void UserSetupUrl() {
			// Construct a V1 immediate request
			Protocol protocol = Protocol.V11;
			OpenIdProvider provider = this.CreateProvider();
			CheckIdRequest immediateRequest = new CheckIdRequest(protocol.Version, OPUri, DotNetOpenAuth.OpenId.RelyingParty.AuthenticationRequestMode.Immediate);
			immediateRequest.Realm = RPRealmUri;
			immediateRequest.ReturnTo = RPUri;
			immediateRequest.LocalIdentifier = "http://somebody";
			AuthenticationRequest request = new AuthenticationRequest(provider, immediateRequest);

			// Now simulate the request being rejected and extract the user_setup_url
			request.IsAuthenticated = false;
			Uri userSetupUrl = ((NegativeAssertionResponse)request.Response).UserSetupUrl;
			Assert.IsNotNull(userSetupUrl);

			// Now construct a new request as if it had just come in.
			HttpRequestInfo httpRequest = new HttpRequestInfo { UrlBeforeRewriting = userSetupUrl };
			var setupRequest = AuthenticationRequest_Accessor.AttachShadow(provider.GetRequest(httpRequest));
			CheckIdRequest_Accessor setupRequestMessage = setupRequest.RequestMessage;

			// And make sure all the right properties are set.
			Assert.IsFalse(setupRequestMessage.Immediate);
			Assert.AreEqual(immediateRequest.Realm, setupRequestMessage.Realm);
			Assert.AreEqual(immediateRequest.ReturnTo, setupRequestMessage.ReturnTo);
			Assert.AreEqual(immediateRequest.LocalIdentifier, setupRequestMessage.LocalIdentifier);
			Assert.AreEqual(immediateRequest.Version, setupRequestMessage.Version);
		}

		internal static HttpRequestInfo CreateHttpRequestInfo(string method, IDictionary<string, string> fields) {
			string query = MessagingUtilities.CreateQueryString(fields);
			UriBuilder requestUri = new UriBuilder("http://localhost/path");
			WebHeaderCollection headers = new WebHeaderCollection();
			MemoryStream ms = new MemoryStream();
			if (method == "POST") {
				headers.Add(HttpRequestHeader.ContentType, "application/x-www-form-urlencoded");
				StreamWriter sw = new StreamWriter(ms);
				sw.Write(query);
				sw.Flush();
				ms.Position = 0;
			} else if (method == "GET") {
				requestUri.Query = query;
			} else {
				throw new ArgumentOutOfRangeException("method", method, "Expected POST or GET");
			}
			HttpRequestInfo request = new HttpRequestInfo {
				HttpMethod = method,
				UrlBeforeRewriting = requestUri.Uri,
				Headers = headers,
				InputStream = ms,
			};

			return request;
		}

		/// <summary>
		/// Reads in a client's request for the Authorization Server to obtain permission from
		/// the user to authorize the Client's access of some protected resource(s).
		/// </summary>
		/// <param name="request">The HTTP request to read from.</param>
		/// <returns>The incoming request, or null if no OAuth message was attached.</returns>
		/// <exception cref="ProtocolException">Thrown if an unexpected OAuth message is attached to the incoming request.</exception>
		public EndUserAuthorizationRequest ReadAuthorizationRequest(HttpRequestInfo request = null) {
			if (request == null) {
				request = this.Channel.GetRequestFromContext();
			}

			EndUserAuthorizationRequest message;
			this.Channel.TryReadFromRequest(request, out message);
			return message;
		}

		public void GetAccessTokenWithTotallyFakeToken() {
			var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var requestHeaders = new NameValueCollection {
				{ "Authorization", "Bearer foobar" },
			};
			var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
			Assert.That(() => resourceServer.GetAccessToken(request), Throws.InstanceOf<ProtocolException>());
		}

		public void GetPrincipalWithMissingAccessToken() {
			var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var requestHeaders = new NameValueCollection {
				{ "Authorization", "Bearer " },
			};
			var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
			Assert.That(() => resourceServer.GetPrincipalAsync(request).GetAwaiter().GetResult(), Throws.InstanceOf<ProtocolException>());
		}

		public void GetAccessTokenWithCorruptedToken() {
			var accessToken = this.ObtainValidAccessToken();

			var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var requestHeaders = new NameValueCollection {
				{ "Authorization", "Bearer " + accessToken.Substring(0, accessToken.Length - 1) + "zzz" },
			};
			var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
			Assert.That(() => resourceServer.GetAccessToken(request), Throws.InstanceOf<ProtocolException>());
		}

 public void CtorRequest()
 {
     HttpRequest request = new HttpRequest("file", "http://someserver?a=b", "a=b");
     ////request.Headers["headername"] = "headervalue"; // PlatformNotSupportedException prevents us mocking this up
     HttpRequestInfo info = new HttpRequestInfo(request);
     Assert.AreEqual(request.Headers["headername"], info.Headers["headername"]);
     Assert.AreEqual(request.Url.Query, info.Query);
     Assert.AreEqual(request.QueryString["a"], info.QueryString["a"]);
     Assert.AreEqual(request.Url, info.Url);
     Assert.AreEqual(request.HttpMethod, info.HttpMethod);
 }

		public void GetAccessTokenWithValidToken() {
			var accessToken = this.ObtainValidAccessToken();

			var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(AsymmetricKey, null));

			var requestHeaders = new NameValueCollection {
				{ "Authorization", "Bearer " + accessToken },
			};
			var request = new HttpRequestInfo("GET", new Uri("http://localhost/resource"), headers: requestHeaders);
			var resourceServerDecodedToken = resourceServer.GetAccessToken(request);
			Assert.That(resourceServerDecodedToken, Is.Not.Null);
		}

		/// <summary>
		/// Processes an incoming authorization-granted message from an SP and obtains an access token.
		/// </summary>
		/// <param name="request">The incoming HTTP request.</param>
		/// <returns>The access token, or null if no incoming authorization message was recognized.</returns>
		public AuthorizedTokenResponse ProcessUserAuthorization(HttpRequestInfo request) {
			Requires.NotNull(request, "request");

			UserAuthorizationResponse authorizationMessage;
			if (this.Channel.TryReadFromRequest<UserAuthorizationResponse>(request, out authorizationMessage)) {
				string requestToken = authorizationMessage.RequestToken;
				string verifier = authorizationMessage.VerificationCode;
				return this.ProcessUserAuthorization(requestToken, verifier);
			} else {
				return null;
			}
		}

		/// <summary>
		/// Reads in a client's request for the Authorization Server to obtain permission from
		/// the user to authorize the Client's access of some protected resource(s).
		/// </summary>
		/// <param name="request">The HTTP request to read from.</param>
		/// <returns>The incoming request, or null if no OAuth message was attached.</returns>
		/// <exception cref="ProtocolException">Thrown if an unexpected OAuth message is attached to the incoming request.</exception>
		public EndUserAuthorizationRequest ReadAuthorizationRequest(HttpRequestInfo request = null) {
			if (request == null) {
				request = this.Channel.GetRequestFromContext();
			}

			EndUserAuthorizationRequest message;
			if (this.Channel.TryReadFromRequest(request, out message)) {
				if (message.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) {
					// Clients with no secrets can only request implicit grant types.
					var client = this.AuthorizationServerServices.GetClientOrThrow(message.ClientIdentifier);
					ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(client.Secret), Protocol.unauthorized_client);
				}
			}

			return message;
		}

		/// <summary>
		/// Gets the protocol message that may be embedded in the given HTTP request.
		/// </summary>
		/// <param name="request">The request to search for an embedded message.</param>
		/// <returns>
		/// The deserialized message, if one is found.  Null otherwise.
		/// </returns>
		protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) {
			if (!string.IsNullOrEmpty(request.Url.Fragment)) {
				var fields = HttpUtility.ParseQueryString(request.Url.Fragment.Substring(1)).ToDictionary();

				MessageReceivingEndpoint recipient;
				try {
					recipient = request.GetRecipient();
				} catch (ArgumentException ex) {
					Logger.Messaging.WarnFormat("Unrecognized HTTP request: " + ex.ToString());
					return null;
				}

				return (IDirectedProtocolMessage)this.Receive(fields, recipient);
			}

			return base.ReadFromRequestCore(request);
		}

		/// <summary>
		/// Gets the protocol message that may be embedded in the given HTTP request.
		/// </summary>
		/// <param name="request">The request to search for an embedded message.</param>
		/// <returns>
		/// The deserialized message, if one is found.  Null otherwise.
		/// </returns>
		protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) {
			var fields = new Dictionary<string, string>();
			string accessToken;
			if ((accessToken = SearchForBearerAccessTokenInRequest(request)) != null) {
				fields["token_type"] = Protocol.AccessTokenTypes.Bearer;
				fields["access_token"] = accessToken;
			}

			if (fields.Count > 0) {
				MessageReceivingEndpoint recipient;
				try {
					recipient = request.GetRecipient();
				} catch (ArgumentException ex) {
					Logger.OAuth.WarnFormat("Unrecognized HTTP request: " + ex.ToString());
					return null;
				}

				// Deserialize the message using all the data we've collected.
				var message = (IDirectedProtocolMessage)this.Receive(fields, recipient);
				return message;
			}

			return null;
		}

		/// <summary>
		/// Checks the incoming HTTP request for an access token request and prepares a response if the request message was found.
		/// </summary>
		/// <param name="httpRequestInfo">The HTTP request info.</param>
		/// <param name="response">The formulated response, or <c>null</c> if the request was not found..</param>
		/// <returns>A value indicating whether any access token request was found in the HTTP request.</returns>
		/// <remarks>
		/// This method assumes that the authorization server and the resource server are the same and that they share a single
		/// asymmetric key for signing and encrypting the access token.  If this is not true, use the <see cref="ReadAccessTokenRequest"/> method instead.
		/// </remarks>
		public bool TryPrepareAccessTokenResponse(HttpRequestInfo httpRequestInfo, out IDirectResponseProtocolMessage response) {
			Contract.Requires<ArgumentNullException>(httpRequestInfo != null);
			Contract.Ensures(Contract.Result<bool>() == (Contract.ValueAtReturn<IDirectResponseProtocolMessage>(out response) != null));

			var request = this.ReadAccessTokenRequest(httpRequestInfo);
			if (request != null) {
				response = this.PrepareAccessTokenResponse(request);
				return true;
			}

			response = null;
			return false;
		}

        /// <summary>
        /// Handles incoming HTTP requests.
        /// </summary>
        /// <param name="context">The HttpListener context.</param>
        private void RequestHandler(HttpListenerContext context)
        {
            Contract.Requires(context != null);
            Contract.Requires(context.Response.OutputStream != null);
            Stream outputStream = context.Response.OutputStream;
            Contract.Assume(outputStream != null); // CC static verification shortcoming.

            if (context.Request.Url.AbsolutePath == ProviderPath) {
                HttpRequestInfo requestInfo = new HttpRequestInfo(context.Request);
                IRequest providerRequest = this.provider.GetRequest(requestInfo);
                if (providerRequest == null) {
                    App.Logger.Error("A request came in that did not carry an OpenID message.");
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    using (StreamWriter sw = new StreamWriter(outputStream)) {
                        sw.WriteLine("<html><body>This is an OpenID Provider endpoint.</body></html>");
                    }
                    return;
                }

                if (!providerRequest.IsResponseReady) {
                    var authRequest = providerRequest as IAuthenticationRequest;
                    if (authRequest.IsDirectedIdentity) {
                        throw new NotImplementedException();
                    }

                    authRequest.IsAuthenticated = new Uri(authRequest.ClaimedIdentifier).AbsolutePath == YesIdentity;
                }

                this.provider.PrepareResponse(providerRequest).Send(context.Response);
            } else if (context.Request.Url.AbsolutePath == YesIdentity || context.Request.Url.AbsolutePath == NoIdentity) {
                using (StreamWriter sw = new StreamWriter(outputStream)) {
                    string providerEndpoint = string.Format("http://localhost:{0}{1}", context.Request.Url.Port, ProviderPath);
                    string localId = null; // string.Format("http://localhost:{0}/user", context.Request.Url.Port);
                    string html = GenerateHtmlDiscoveryDocument(providerEndpoint, localId);
                    sw.WriteLine(html);
                }

                context.Response.StatusCode = (int)HttpStatusCode.OK;
                context.Response.OutputStream.Close();
            } else {
                context.Response.StatusCode = (int)HttpStatusCode.NotFound;
                context.Response.OutputStream.Close();
            }
        }

		/// <summary>
		/// Scans the incoming request for an authorization response message.
		/// </summary>
		/// <param name="actualRedirectUrl">The actual URL of the incoming HTTP request.</param>
		/// <param name="authorizationState">The authorization.</param>
		/// <returns>The granted authorization, or <c>null</c> if the incoming HTTP request did not contain an authorization server response or authorization was rejected.</returns>
		public IAuthorizationState ProcessUserAuthorization(Uri actualRedirectUrl, IAuthorizationState authorizationState = null) {
			Contract.Requires<ArgumentNullException>(actualRedirectUrl != null);

			if (authorizationState == null) {
				authorizationState = new AuthorizationState();
			}

			var carrier = new HttpRequestInfo("GET", actualRedirectUrl, actualRedirectUrl.PathAndQuery, new System.Net.WebHeaderCollection(), null);
			IDirectedProtocolMessage response = this.Channel.ReadFromRequest(carrier);
			if (response == null) {
				return null;
			}

			EndUserAuthorizationSuccessAccessTokenResponse accessTokenSuccess;
			EndUserAuthorizationSuccessAuthCodeResponse authCodeSuccess;
			EndUserAuthorizationFailedResponse failure;
			if ((accessTokenSuccess = response as EndUserAuthorizationSuccessAccessTokenResponse) != null) {
				UpdateAuthorizationWithResponse(authorizationState, accessTokenSuccess);
			} else if ((authCodeSuccess = response as EndUserAuthorizationSuccessAuthCodeResponse) != null) {
				this.UpdateAuthorizationWithResponse(authorizationState, authCodeSuccess);
			} else if ((failure = response as EndUserAuthorizationFailedResponse) != null) {
				authorizationState.Delete();
				return null;
			}

			return authorizationState;
		}

        public ActionResult LogOnPostAssertion(string openid_openidAuthData)
        {
            IAuthenticationResponse Response;

            if (!string.IsNullOrEmpty(openid_openidAuthData))
            {
                Uri Auth = new Uri(openid_openidAuthData);
                WebHeaderCollection Headers = new WebHeaderCollection();

                foreach (string Key in Request.Headers)
                {
                    Headers[Key] = Request.Headers[Key];
                }

                HttpRequestInfo ResponseInfo = new HttpRequestInfo("GET", Auth, Auth.PathAndQuery, Headers, null);
                Response = AjaxParty.GetResponse(ResponseInfo);
            }
            else
                Response = AjaxParty.GetResponse();

            if (Response != null)
            {
                switch(Response.Status)
                {
                    case AuthenticationStatus.Authenticated:
                        var Claim = Response.GetExtension<ClaimsResponse>();
                        Authorizer.DataModels.User UserInfo = null;

                        using (IAuthorizerDataService DataService = DataServiceProvider.Instance.CreateAuthorizerDataService())
                        {
                            DataService.RegisterUserLogIn(new DataModels.User()
                                {
                                    EmailFull = Claim.Email,
                                    EmailUserName = Claim.MailAddress.User,
                                    OpenId = Response.ClaimedIdentifier
                                });

                            UserInfo = DataService.RetrieveUserInfo(Response.ClaimedIdentifier);

                            FormsAuthenticationTicket Authorization = AuthService.Service.CreateAuthTicket(Response.ClaimedIdentifier
                            , UserInfo != null && UserInfo.Alias != null ? UserInfo.Alias.Name : !string.IsNullOrEmpty(Claim.FullName) ? Claim.FullName : !string.IsNullOrEmpty(Claim.MailAddress.User) ? Claim.MailAddress.User : Response.FriendlyIdentifierForDisplay);

                            string EncryptedAuthorization = FormsAuthentication.Encrypt(Authorization);

                            this.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, EncryptedAuthorization));
                        }

                        return RedirectToAction("Index", "Home", new { area = string.Empty });
                    case AuthenticationStatus.Canceled:
                        ModelState.AddModelError("OpenID", "You need to complete the authorization process to be logged in");
                        break;
                    case AuthenticationStatus.Failed:
                        ModelState.AddModelError("OpenID", Response.Exception.Message);
                        break;
                }
            }

            return View("LogOn");
        }

		/// <summary>
		/// Prepares the return value for the GetRequest method in the event of an exception.
		/// </summary>
		/// <param name="ex">The exception that forms the basis of the error response.  Must not be null.</param>
		/// <param name="httpRequestInfo">The incoming HTTP request.  Must not be null.</param>
		/// <param name="incomingMessage">The incoming message.  May be null in the case that it was malformed.</param>
		/// <returns>
		/// Either the <see cref="IRequest"/> to return to the host site or null to indicate no response could be reasonably created and that the caller should rethrow the exception.
		/// </returns>
		private IRequest GetErrorResponse(ProtocolException ex, HttpRequestInfo httpRequestInfo, IDirectedProtocolMessage incomingMessage) {
			Contract.Requires<ArgumentNullException>(ex != null);
			Contract.Requires<ArgumentNullException>(httpRequestInfo != null);

			Logger.OpenId.Error("An exception was generated while processing an incoming OpenID request.", ex);
			IErrorMessage errorMessage;

			// We must create the appropriate error message type (direct vs. indirect)
			// based on what we see in the request.
			string returnTo = httpRequestInfo.QueryString[Protocol.Default.openid.return_to];
			if (returnTo != null) {
				// An indirect request message from the RP
				// We need to return an indirect response error message so the RP can consume it.
				// Consistent with OpenID 2.0 section 5.2.3.
				var indirectRequest = incomingMessage as SignedResponseRequest;
				if (indirectRequest != null) {
					errorMessage = new IndirectErrorResponse(indirectRequest);
				} else {
					errorMessage = new IndirectErrorResponse(Protocol.Default.Version, new Uri(returnTo));
				}
			} else if (httpRequestInfo.HttpMethod == "POST") {
				// A direct request message from the RP
				// We need to return a direct response error message so the RP can consume it.
				// Consistent with OpenID 2.0 section 5.1.2.2.
				errorMessage = new DirectErrorResponse(Protocol.Default.Version, incomingMessage);
			} else {
				// This may be an indirect request from an RP that was so badly
				// formed that we cannot even return an error to the RP.
				// The best we can do is display an error to the user.
				// Returning null cues the caller to "throw;"
				return null;
			}

			errorMessage.ErrorMessage = ex.ToStringDescriptive();

			// Allow host to log this error and issue a ticket #.
			// We tear off the field to a local var for thread safety.
			IErrorReporting hostErrorHandler = this.ErrorReporting;
			if (hostErrorHandler != null) {
				errorMessage.Contact = hostErrorHandler.Contact;
				errorMessage.Reference = hostErrorHandler.LogError(ex);
			}

			if (incomingMessage != null) {
				return new AutoResponsiveRequest(incomingMessage, errorMessage, this.SecuritySettings);
			} else {
				return new AutoResponsiveRequest(errorMessage, this.SecuritySettings);
			}
		}

        // GetAuthorization
        /// <summary>
        /// Gets the authorization object for the client-side flow
        /// </summary>
        /// <param name="client">The web server client used for authorization</param>
        /// <returns>An authorization state that can be used for API queries </returns>
        private IAuthorizationState GetAuthorization(WebServerClient client)
        {
            if (_authstate == null)
            {
              if (_refreshToken != null)
              {
                _authstate = CreateState(_refreshToken, false);
              }
              if (_accessToken != null)
              {
                _authstate = CreateState(_accessToken, true);
              }
            }

            // If this user is already authenticated, then just return the auth state.
            IAuthorizationState state = _authstate;
            if (state != null)
            {
                return state;
            }

            // Check if an authorization request already is in progress.
            HttpRequestInfo reqinfo = new HttpRequestInfo(HttpContext.Current.Request);
            //if (reqinfo)
            state = client.ProcessUserAuthorization(reqinfo);

            // Check to see if we have an access token and use that to generate the state.
            if (_accessToken != null)
            {
                state = CreateState(_accessToken, true);
                // Check to see if we have a refresh token and use that to get the auth state.
            }
            else if (_refreshToken != null)
            {
                state = CreateState(_refreshToken);
                bool worked = client.RefreshToken(state);
                if (state != null)
                {
                    return state;
                }
            }

            if (state != null && (!string.IsNullOrEmpty(state.AccessToken) || !string.IsNullOrEmpty(state.RefreshToken)))
            {
                // Store and return the credentials.
                HttpContext.Current.Session["AUTH_STATE"] = _authstate = state;
                _accessToken = state.AccessToken;
                _refreshToken = state.RefreshToken;
                return state;
            }

            // Otherwise do a new authorization request.
            string scope = "https://www.googleapis.com/auth/plus.login";
            OutgoingWebResponse response = client.PrepareRequestUserAuthorization(new[] { scope });
            response.Send(); // Will throw a ThreadAbortException to prevent sending another response.
            return null;
        }

		/// <summary>
		/// Gets the result of a user agent's visit to his OpenId provider in an
		/// authentication attempt.  Null if no response is available.
		/// </summary>
		/// <param name="url">The incoming request URL.</param>
		/// <param name="form">The form data that may have been included in the case of a POST request.</param>
		/// <returns>The Provider's response to a previous authentication request, or null if no response is present.</returns>
		public AuthenticationResponseShim ProcessAuthentication(string url, string form) {
			string method = "GET";
			NameValueCollection formMap = null;
			if (!string.IsNullOrEmpty(form)) {
				method = "POST";
				formMap = HttpUtility.ParseQueryString(form);
			}

			HttpRequestBase requestInfo = new HttpRequestInfo(method, new Uri(url), form: formMap);
			var response = relyingParty.GetResponse(requestInfo);
			if (response != null) {
				return new AuthenticationResponseShim(response);
			}

			return null;
		}