Vagif Abilov

Reputation: 9991

DotNetOpenAuth and X-XRDS-Location header

I am playing with DotNetOpenAuth samples, trying to understand how to properly integrate with OpenID. One of the samples is called OpenIdRelyingPartyMvc. It has two code sections that I am not sure about how they influence functionality.

If I remove the last line that maps "Route", nothing seems to be affected: mapping "Default" seems to be sufficient. Why is there a "Route" route?

If I remove the "AppendHeader" call and test the sample, it still works! I understand that this header is sufficient, I just can't make the sample application depend on it: it works without its being set up. If I set the breakpoint inside the Xrds method, it is never triggered.

Upvotes: 4

Views: 1619

Answers (1)

Andrew Arnott

Reputation: 81801

The route in global.asax.cs may be superfluous.

The X-XRDS-Location header that you're removing is not strictly necessary for the OpenID flow, but if you publish your relying party application without it, Yahoo! and other OpenID Providers may warn the user that your site is not legit.

You can test this locally (and thus observe the Home/Xrds action being executed) by running the OpenIdProviderWebForms sample and logging into your RP using an identifier from that sample OP. During login, the OP will query the RP's XRDS, and on the web page asking you to confirm the login, it will indicate whether "RP verification" succeeded or failed. If it succeeded, you should be good to go.

Upvotes: 3
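
The RP verification step mentioned in the answer above can be modelled offline. This is an added example, not code from the post or from DotNetOpenAuth: it checks that a relying party advertises an `X-XRDS-Location` header and that the XRDS document lists a `return_to` endpoint covering the login's return URL. It assumes header-based discovery only, takes the XRDS document as a string instead of fetching it, and uses constructed values (host `rp.example`, the `/User/Authenticate` path) and hypothetical function names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"          # XRD namespace in ElementTree form
RETURN_TO = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample (hypothetical host rp.example): headers of the RP page
# and the XRDS document served at the advertised location.
SAMPLE_HEADERS = {"X-XRDS-Location": "https://rp.example/Home/xrds"}
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="1">
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://rp.example/User/Authenticate</URI>
  </Service></XRD>
</xrds:XRDS>"""

def xrds_location(headers):
    """Advertised XRDS URL or None; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "x-xrds-location":
            return value.strip()
    return None

def return_to_endpoints(xrds_xml):
    """URIs of every Service typed as an OpenID 2.0 return_to endpoint."""
    uris = []
    for svc in ET.fromstring(xrds_xml).iter(XRD + "Service"):
        types = [(t.text or "").strip() for t in svc.findall(XRD + "Type")]
        if RETURN_TO in types:
            uris += [(u.text or "").strip() for u in svc.findall(XRD + "URI")]
    return uris

def origin(parts):
    """Scheme, host and port, with the default port filled in."""
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    return parts.scheme.lower(), parts.hostname, parts.port or default

def matches(endpoint, return_to):
    """Same origin, and return_to's path equals or sits under the endpoint's."""
    e, r = urlsplit(endpoint), urlsplit(return_to)
    base = e.path or "/"
    under = base if base.endswith("/") else base + "/"
    return origin(e) == origin(r) and ((r.path or "/") == base or r.path.startswith(under))

def rp_verification(headers, xrds_xml, return_to):
    """'no-xrds', 'no-match' or 'verified' for one login attempt."""
    if xrds_location(headers) is None:
        return "no-xrds"
    found = any(matches(u, return_to) for u in return_to_endpoints(xrds_xml))
    return "verified" if found else "no-match"
```

A `no-xrds` or `no-match` result corresponds to the case where a provider cannot confirm the relying party and may show the warning described in the answer.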
