I have just begun experimenting with the DotNetOpenAuth project. Modifying the sample OpenIdRelyingPartyMvc project, I was able to get a ClaimRequest for Email to work with Google.
However, when I tried to add OpenID to my own project, the ClaimResponse always comes back null. I'm wondering if there is a project or environment setting that I'm missing?
Here's my Authenticate method:
using System.Web.Mvc;
using System.Web.Security;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Controller name is illustrative; the method below is the one from the question.
public class AccountController : Controller
{
    // Relying-party instance shared across requests, as in the sample project.
    private static readonly OpenIdRelyingParty openid = new OpenIdRelyingParty();

    public ActionResult Authenticate(string returnUrl)
    {
        var response = openid.GetResponse();
        if (response == null)
        {
            // Stage 2: user submitting Identifier
            Identifier id;
            if (Identifier.TryParse(Request.Form["openid_identifier"], out id))
            {
                try
                {
                    IAuthenticationRequest req = openid.CreateRequest(id);
                    // Google ignores optional SREG attributes, so Email must be required.
                    req.AddExtension(new ClaimsRequest { Email = DemandLevel.Require });
                    return req.RedirectingResponse.AsActionResult();
                }
                catch (ProtocolException ex)
                {
                    ViewData["Message"] = ex.Message;
                    return View("Login");
                }
            }
            else
            {
                ViewData["Message"] = "Invalid identifier";
                return View("Login");
            }
        }
        else
        {
            // Stage 3: OpenID Provider sending assertion response
            switch (response.Status)
            {
                case AuthenticationStatus.Authenticated:
                    // Null when the OP returned no SREG response (or an AX response
                    // that was not transformed into SREG by the configured behavior).
                    ClaimsResponse sreg = response.GetExtension<ClaimsResponse>();
                    if (sreg != null)
                    {
                        var email = sreg.Email;
                        Session["Email"] = email;
                    }
                    Session["FriendlyIdentifier"] = response.FriendlyIdentifierForDisplay;
                    // The claimed identifier, not the e-mail, is the authenticated identity.
                    FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false);
                    if (!string.IsNullOrEmpty(returnUrl))
                    {
                        return Redirect(returnUrl);
                    }
                    else
                    {
                        return RedirectToAction("Index", "Home");
                    }
                case AuthenticationStatus.Canceled:
                    ViewData["Message"] = "Canceled at provider";
                    return View("Login");
                case AuthenticationStatus.Failed:
                    ViewData["Message"] = response.Exception.Message;
                    return View("Login");
            }
        }
        return new EmptyResult();
    }
}
<configuration>
  <configSections>
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" requirePermission="false" allowLocation="true"/>
  </configSections>
  <dotNetOpenAuth>
    <openid>
      <relyingParty>
        <behaviors>
          <!-- The following OPTIONAL behavior allows RPs to use SREG only, but be compatible
               with OPs that use Attribute Exchange (in various formats). -->
          <add type="DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth" />
        </behaviors>
      </relyingParty>
    </openid>
  </dotNetOpenAuth>
</configuration>
http://dotnetopenauth.net:8000/wiki/CodeSnippets/OpenIDRP/AXFetchAsSregTransform
Add the config info to your web.config.
Google has one unique trait, in that it ignores all attribute requests marked as 'optional'. You must request the user's email address as 'required' in order to ever get an email address from Google. Be wary, though, that by marking the attribute as required, Google will refuse to authenticate the user unless the user is willing to give up their email address. So if you don't actually require the email address, it may be best to mark it as optional, and just forego getting it from your Google users, in order to avoid chasing your users away by forcing them to give up their email address if they don't want to.
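The answer above relies on the AXFetchAsSregTransform behavior to turn Google's Attribute Exchange (AX) reply into an SREG ClaimsResponse. As an added example (not code from the question or the answer), the snippet below shows the alternative a relying party can use when it does not want to depend on that web.config behavior: request the e-mail in both dialects, SREG and AX, with the AX attribute marked required as Google demands, and read back whichever the provider answered with. The `openid`, `identifier` and `response` variables are assumed to be the same objects as in the controller above; the `WellKnownAttributes.Contact.Email` type URI and the `FetchRequest`/`FetchResponse` classes are DotNetOpenAuth's own.

```csharp
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

// Stage 2: build the authentication request, asking for the e-mail address
// via SREG (honored by many OPs) and via AX (what Google actually speaks).
// Both are marked required: Google drops optional attribute requests entirely.
IAuthenticationRequest req = openid.CreateRequest(identifier);
req.AddExtension(new ClaimsRequest { Email = DemandLevel.Require });

var fetch = new FetchRequest();
fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
req.AddExtension(fetch);

return req.RedirectingResponse.AsActionResult();

// Stage 3: on the positive assertion, prefer SREG and fall back to AX.
// (response is the IAuthenticationResponse from openid.GetResponse(),
//  already checked to be AuthenticationStatus.Authenticated.)
string email = null;

ClaimsResponse sreg = response.GetExtension<ClaimsResponse>();
if (sreg != null)
{
    email = sreg.Email;
}

if (string.IsNullOrEmpty(email))
{
    FetchResponse ax = response.GetExtension<FetchResponse>();
    if (ax != null)
    {
        // Returns null when the OP did not include the attribute.
        email = ax.GetAttributeValue(WellKnownAttributes.Contact.Email);
    }
}

// The e-mail is an attribute the OP chose to release, not the authenticated
// identity. Key the local account on response.ClaimedIdentifier and treat the
// e-mail as profile data; a null here means the user or the OP withheld it.
Session["Email"] = email;
```

With both extensions attached, the web.config behavior from the answer becomes unnecessary for Google, and a provider that only understands SREG still gets a request it can answer.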