@@ -42,6 +42,15 @@ public OpenIdAuthenticationHandler(
4242
4343 protected override async Task < HandleRequestResult > HandleRemoteAuthenticateAsync ( )
4444 {
45+ // OpenID 2.0 responses MUST necessarily be made using either GET or POST.
46+ // See http://openid.net/specs/openid-authentication-2_0.html#anchor4
47+ if ( ! string . Equals ( Request . Method , "GET" , StringComparison . OrdinalIgnoreCase ) &&
48+ ! string . Equals ( Request . Method , "POST" , StringComparison . OrdinalIgnoreCase ) )
49+ {
50+ return HandleRequestResult . Fail ( "The authentication response was rejected because it was made " +
51+ "using an invalid method: make sure to use either GET or POST." ) ;
52+ }
53+
4554 // Always extract the "state" parameter from the query string.
4655 var state = Request . Query [ OpenIdAuthenticationConstants . Parameters . State ] ;
4756 if ( string . IsNullOrEmpty ( state ) )
@@ -66,15 +75,6 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
6675
6776 OpenIdAuthenticationMessage message ;
6877
69- // OpenID 2.0 responses MUST necessarily be made using either GET or POST.
70- // See http://openid.net/specs/openid-authentication-2_0.html#anchor4
71- if ( ! string . Equals ( Request . Method , "GET" , StringComparison . OrdinalIgnoreCase ) &&
72- ! string . Equals ( Request . Method , "POST" , StringComparison . OrdinalIgnoreCase ) )
73- {
74- return HandleRequestResult . Fail ( "The authentication response was rejected because it was made " +
75- "using an invalid method: make sure to use either GET or POST." ) ;
76- }
77-
7878 if ( string . Equals ( Request . Method , "GET" , StringComparison . OrdinalIgnoreCase ) )
7979 {
8080 message = new OpenIdAuthenticationMessage ( Request . Query ) ;
0 commit comments