logging, added tests, fixed code only flow.

src/Microsoft.AspNet.Authentication.OpenIdConnect/INonceCache.cs

@@ -5,8 +5,8 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 {
     public interface INonceCache
     {
-        string AddNonce(string nonce);
+        bool TryAddNonce(string nonce);
+
         bool TryRemoveNonce(string nonce);
-        bool HasNonce(string nonce);
     }
-}
+}

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationDefaults.cs

@@ -26,7 +26,7 @@ public static class OpenIdConnectAuthenticationDefaults
         /// <summary>
         /// The prefix used to for the a nonce in the cookie
         /// </summary>
-        internal const string CookieNoncePrefix = ".AspNet.OpenIdConnect.Nonce.";
+        public const string CookieNoncePrefix = ".AspNet.OpenIdConnect.Nonce.";
 
         /// <summary>
         /// The property for the RedirectUri that was used when asking for a 'authorizationCode'
@@ -36,6 +36,6 @@ public static class OpenIdConnectAuthenticationDefaults
         /// <summary>
         /// Constant used to identify state in openIdConnect protocal message
         /// </summary>
-        internal const string AuthenticationPropertiesKey = "OpenIdConnect.AuthenticationProperties";
+        public const string AuthenticationPropertiesKey = "OpenIdConnect.AuthenticationProperties";
     }
 }

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationExtensions.cs

@@ -26,5 +26,16 @@ public static IApplicationBuilder UseOpenIdConnectAuthentication(this IApplicati
                      Name = optionsName
                  });
         }
+
+        /// <summary>
+        /// Adds the <see cref="OpenIdConnectAuthenticationMiddleware"/> into the ASP.NET runtime.
+        /// </summary>
+        /// <param name="app">The application builder</param>
+        /// <param name="options">Options which control the processing of the OpenIdConnect protocol and token validation.</param>
+        /// <returns>The application builder</returns>
+        public static IApplicationBuilder UseOpenIdConnectAuthentication(this IApplicationBuilder app, IOptions<OpenIdConnectAuthenticationOptions> options)
+        {
+            return app.UseMiddleware<OpenIdConnectAuthenticationMiddleware>(options);
+        }
     }
-}
+}

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -30,31 +30,29 @@ public class OpenIdConnectAuthenticationMiddleware : AuthenticationMiddleware<Op
         /// <summary>
         /// Initializes a <see cref="OpenIdConnectAuthenticationMiddleware"/>
         /// </summary>
-        /// <param name="next">The next middleware in the ASP.NET pipeline to invoke</param>
-        /// <param name="app">The ASP.NET application</param>
-        /// <param name="options">Configuration options for the middleware</param>
+        /// <param name="next">The next middleware in the ASP.NET pipeline to invoke.</param>
+        /// <param name="dataProtectionProvider"> provider for creating a data protector.</param>
+        /// <param name="loggerFactory">factory for creating a <see cref="ILogger"/>.</param>
+        /// <param name="options">a <see cref="IOptions{OpenIdConnectAuthenticationOptions}"/> instance that will supply <see cref="OpenIdConnectAuthenticationOptions"/> 
+        /// if configureOptions is null.</param>
+        /// <param name="configureOptions">a <see cref="ConfigureOptions{OpenIdConnectAuthenticationOptions}"/> instance that will be passed to an instance of <see cref="OpenIdConnectAuthenticationOptions"/>
+        /// that is retrieved by calling <see cref="IOptions{OpenIdConnectAuthenticationOptions}.GetNamedOptions(string)"/> where string == <see cref="ConfigureOptions{OpenIdConnectAuthenticationOptions}.Name"/> provides runtime configuration.</param>
         [SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "Managed by caller")]
         public OpenIdConnectAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<OpenIdConnectAuthenticationOptions> options,
-            ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions)
+            ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions = null)
             : base(next, options, configureOptions)
         {
             _logger = loggerFactory.CreateLogger<OpenIdConnectAuthenticationMiddleware>();
-
-            if (string.IsNullOrEmpty(Options.SignInScheme))
+            if (string.IsNullOrEmpty(Options.SignInScheme) && !string.IsNullOrEmpty(externalOptions.Options.SignInScheme))
             {
                 Options.SignInScheme = externalOptions.Options.SignInScheme;
             }
 
-            if (string.IsNullOrWhiteSpace(Options.TokenValidationParameters.AuthenticationType))
-            {
-                Options.TokenValidationParameters.AuthenticationType = Options.AuthenticationScheme;
-            }
-
             if (Options.StateDataFormat == null)
             {
                 var dataProtector = dataProtectionProvider.CreateProtector(
@@ -152,7 +150,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(OpenIdConnectAuthent
                 var webRequestHandler = handler as WebRequestHandler;
                 if (webRequestHandler == null)
                 {
-                    throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
+                    throw new InvalidOperationException(Resources.OIDCH_0102_ExceptionValidatorHandlerMismatch);
                 }
                 webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
             }

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs

@@ -52,31 +52,30 @@ public OpenIdConnectAuthenticationOptions()
         [SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions.set_Caption(System.String)", Justification = "Not a LOC field")]
         public OpenIdConnectAuthenticationOptions(string authenticationScheme)
         {
-            // REVIEW: why was this active by default??
-            //AuthenticationMode = AuthenticationMode.Active;
             AuthenticationScheme = authenticationScheme;
             BackchannelTimeout = TimeSpan.FromMinutes(1);
             Caption = OpenIdConnectAuthenticationDefaults.Caption;
             ProtocolValidator = new OpenIdConnectProtocolValidator();
             RefreshOnIssuerKeyNotFound = true;
+            ResponseMode = OpenIdConnectResponseModes.FormPost;
             ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
             Scope = OpenIdConnectScopes.OpenIdProfile;
             TokenValidationParameters = new TokenValidationParameters();
             UseTokenLifetime = true;
         }
 
         /// <summary>
-        /// Gets or sets the Authority to use when making OpenIdConnect calls.
+        /// Gets or sets the expected audience for any received JWT token.
         /// </summary>
-        public string Authority { get; set; }
+        /// <value>
+        /// The expected audience for any received JWT token.
+        /// </value>
+        public string Audience { get; set; }
 
         /// <summary>
-        /// An optional constrained path on which to process the authentication callback.
-        /// If not provided and RedirectUri is available, this value will be generated from RedirectUri.
+        /// Gets or sets the Authority to use when making OpenIdConnect calls.
         /// </summary>
-        /// <remarks>If you set this value, then the <see cref="OpenIdConnectAuthenticationHandler"/> will only listen for posts at this address. 
-        /// If the IdentityProvider does not post to this address, you may end up in a 401 -> IdentityProvider -> Client -> 401 -> ...</remarks>
-        public PathString CallbackPath { get; set; }
+        public string Authority { get; set; }
 
 #if DNX451
         /// <summary>
@@ -112,7 +111,7 @@ public TimeSpan BackchannelTimeout
             {
                 if (value <= TimeSpan.Zero)
                 {
-                    throw new ArgumentOutOfRangeException("BackchannelTimeout", value, Resources.ArgsException_BackchallelLessThanZero);
+                    throw new ArgumentOutOfRangeException("BackchannelTimeout", value, Resources.OIDCH_0101_BackChallnelLessThanZero);
                 }
 
                 _backchannelTimeout = value;
@@ -128,6 +127,14 @@ public string Caption
             set { Description.Caption = value; }
         }
 
+        /// <summary>
+        /// An optional constrained path on which to process the authentication callback.
+        /// If not provided and RedirectUri is available, this value will be generated from RedirectUri.
+        /// </summary>
+        /// <remarks>If you set this value, then the <see cref="OpenIdConnectAuthenticationHandler"/> will only listen for posts at this address. 
+        /// If the IdentityProvider does not post to this address, you may end up in a 401 -> IdentityProvider -> Client -> 401 -> ...</remarks>
+        public PathString CallbackPath { get; set; }
+
         /// <summary>
         /// Gets or sets the 'client_id'.
         /// </summary>
@@ -145,36 +152,28 @@ public string Caption
         public OpenIdConnectConfiguration Configuration { get; set; }
 
         /// <summary>
-        /// The OpenIdConnect protocol http://openid.net/specs/openid-connect-core-1_0.html
-        /// recommends adding a nonce to a request as a mitigation against replay attacks when requesting id_tokens.
-        /// By default the runtime uses cookies with unique names generated from a hash of the nonce.
-        /// </summary>
-        public INonceCache NonceCache { get; set; }
-
-        /// <summary>
-        /// Gets or sets the discovery endpoint for obtaining metadata
+        /// Responsible for retrieving, caching, and refreshing the configuration from metadata.
+        /// If not provided, then one will be created using the MetadataAddress and Backchannel properties.
         /// </summary>
-        public string MetadataAddress { get; set; }
+        public IConfigurationManager<OpenIdConnectConfiguration> ConfigurationManager { get; set; }
 
         /// <summary>
-        /// Gets or sets the expected audience for any received JWT token.
+        /// Gets or sets a value controlling if the 'CurrentUri' should be used as the 'local redirect' post authentication
+        /// if AuthenticationProperties.RedirectUri is null or empty.
         /// </summary>
-        /// <value>
-        /// The expected audience for any received JWT token.
-        /// </value>
-        public string Audience { get; set; }
+        public bool DefaultToCurrentUriOnRedirect { get; set; }
 
         /// <summary>
-        /// Responsible for retrieving, caching, and refreshing the configuration from metadata.
-        /// If not provided, then one will be created using the MetadataAddress and Backchannel properties.
+        /// Gets or sets the discovery endpoint for obtaining metadata
         /// </summary>
-        public IConfigurationManager<OpenIdConnectConfiguration> ConfigurationManager { get; set; }
+        public string MetadataAddress { get; set; }
 
         /// <summary>
-        /// Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic
-        /// recovery in the event of a signature key rollover. This is enabled by default.
+        /// The OpenIdConnect protocol http://openid.net/specs/openid-connect-core-1_0.html
+        /// recommends adding a nonce to a request as a mitigation against replay attacks when requesting id_tokens.
+        /// By default the runtime uses cookies with unique names generated from a hash of the nonce.
         /// </summary>
-        public bool RefreshOnIssuerKeyNotFound { get; set; }
+        public INonceCache NonceCache { get; set; }
 
         /// <summary>
         /// Gets or sets the <see cref="OpenIdConnectAuthenticationNotifications"/> to notify when processing OpenIdConnect messages.
@@ -217,11 +216,22 @@ public OpenIdConnectProtocolValidator ProtocolValidator
         [SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "By Design")]
         public string RedirectUri { get; set; }
 
+        /// <summary>
+        /// Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic
+        /// recovery in the event of a signature key rollover. This is enabled by default.
+        /// </summary>
+        public bool RefreshOnIssuerKeyNotFound { get; set; }
+
         /// <summary>
         /// Gets or sets the 'resource'.
         /// </summary>
         public string Resource { get; set; }
 
+        /// <summary>
+        /// Gets or sets the 'response_mode'.
+        /// </summary>
+        public string ResponseMode { get; private set; }
+
         /// <summary>
         /// Gets or sets the 'response_type'.
         /// </summary>
@@ -233,10 +243,7 @@ public OpenIdConnectProtocolValidator ProtocolValidator
         public string Scope { get; set; }
 
         /// <summary>
-        /// Gets or sets the authentication scheme corresponding to the middleware
-        /// responsible of persisting user's identity after a successful authentication.
-        /// This value typically corresponds to a cookie middleware registered in the Startup class.
-        /// When omitted, <see cref="ExternalAuthenticationOptions.SignInScheme"/> is used as a fallback value.
+        /// Gets or sets the SignInScheme which will be used to set the <see cref="System.Security.Claims.ClaimsIdentity.AuthenticationType"/>.
         /// </summary>
         public string SignInScheme { get; set; }
 

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectServiceCollectionExtensions.cs

@@ -15,7 +15,7 @@ public static class OpenIdConnectServiceCollectionExtensions
     {
         public static IServiceCollection ConfigureOpenIdConnectAuthentication([NotNull] this IServiceCollection services, [NotNull] Action<OpenIdConnectAuthenticationOptions> configure)
         {
-            return services.ConfigureOpenIdConnectAuthentication(configure, optionsName: "");
+            return ConfigureOpenIdConnectAuthentication(services, configure, null);
         }
 
         public static IServiceCollection ConfigureOpenIdConnectAuthentication([NotNull] this IServiceCollection services, [NotNull] Action<OpenIdConnectAuthenticationOptions> configure, string optionsName)
@@ -25,7 +25,7 @@ public static IServiceCollection ConfigureOpenIdConnectAuthentication([NotNull]
 
         public static IServiceCollection ConfigureOpenIdConnectAuthentication([NotNull] this IServiceCollection services, [NotNull] IConfiguration config)
         {
-            return services.ConfigureOpenIdConnectAuthentication(config, optionsName: "");
+            return ConfigureOpenIdConnectAuthentication(services, config, null);
         }
 
         public static IServiceCollection ConfigureOpenIdConnectAuthentication([NotNull] this IServiceCollection services, [NotNull] IConfiguration config, string optionsName)