DotNetOpenAuth not working with MVC 5 RC

Question

I have been working a lot with DotNetOpenAuth. First we used 5.0.0-alpha1 but we switched over to v4.0.30319 because we couldn't find what was causing our problems.

We are building a C# Web API project on .NET 4.5.1 RC with MVC 5 RC in Visual Studio 2013. We have implemented IAuthorizationServerHost, INonceStore, and ICryptoKeyStore.

The problem that we have are around the following case:

public class TokensController : Controller {     private readonly AuthorizationServer authorizationServer = new AuthorizationServer(new MyAuthorizationServer());      /// <summary>     /// This action will handle all token requests.      /// </summary>     /// <returns>The action result that will output the token response.</returns>     [HttpPost]     public ActionResult Index()     {         var outgoingWebResponse = this.authorizationServer.HandleTokenRequest(this.Request);         return outgoingWebResponse.AsActionResult();     } } 

return outgoingWebResponse.AsActionResult(); a method with origins in DotNetOpenAuth.Messaging and the MessagingUtilities static class. The DotNetOpenAuth.Core (which contains this code) references MVC 4.0 and the HttpResponseMessageActionResult class inherits from ActionResult.

This means the current version of DotNetOpenAuth in not compatible with MVC 5. Compiling and trying to run this will just case 500 errors.

Does anyone have any ideas how this could be easily fixed (or maybe not)?

I didn't notice that the DotNetOpenAuth Nuget package wrote over my packages for 5.0. So after reinstalling the packages and adding the assemblyBinding again:

<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">   <dependentAssembly>     <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />     <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="5.0.0.0" />   </dependentAssembly> </assemblyBinding> 

This got us a little further. Now the error comes down to:

Attempt by security transparent method 'DotNetOpenAuth.Messaging.MessagingUtilities.AsActionResult(DotNetOpenAuth.Messaging.OutgoingWebResponse)' to access security critical type 'System.Web.Mvc.ActionResult' failed.

Answer 1

Fix available.

Install NuGet package DotNetOpenAuth.Mvc5 and change all uses of AsActionResult() to AsActionResultMvc5()

Answer 2

After further debugging and talking to the people at DotNetOpenAuth at GitHub https://github.com/DotNetOpenAuth/DotNetOpenAuth/issues/307 the conclusion is that MVC 5 has a new security model.

Binding redirect will therefore not be enough. Until further there are two choices:

1) Grab the DotNetOpenAuth source code and removing the [assembly: AllowPartiallyTrustedCallers] from all projects. Recompile and member to disable strong name verfication sn -Vr *. After this code cannot be run on Medium Trust environments.

2) Grab the DotNetOpenAuth source code and recompiling it against MVC 5.

According to the discussion on GitHub the best future solution would be moving out all related MVC stuff to a separate assembly.