Bump Microsoft.Owin in /src/Owin.Security.Providers.OpenID

Bumps [Microsoft.Owin](https://github.com/aspnet/AspNetKatana) from 3.0.1 to 4.2.2.
- [Release notes](https://github.com/aspnet/AspNetKatana/releases)
- [Commits](https://github.com/aspnet/AspNetKatana/compare/v3.0.1...v4.2.2)

---
updated-dependencies:
- dependency-name: Microsoft.Owin
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Gemfile.lock

@@ -1,17 +1,17 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    albacore (2.0.4)
+    albacore (3.0.1)
       map (~> 6.5)
       nokogiri (~> 1.5)
-      rake (> 10)
+      rake (~> 10)
       semver2 (~> 3.4)
     map (6.6.0)
-    mini_portile2 (2.0.0)
-    nokogiri (1.6.7.2-x64-mingw32)
-      mini_portile2 (~> 2.0.0.rc2)
-    os (0.9.6)
-    rake (11.1.1)
+    mini_portile2 (2.3.0)
+    nokogiri (1.8.2-x64-mingw32)
+      mini_portile2 (~> 2.3.0)
+    os (1.0.0)
+    rake (10.5.0)
     semver2 (3.4.2)
 
 PLATFORMS

OwinOAuthProviders.sln

@@ -1,6 +1,6 @@
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 14
-VisualStudioVersion = 14.0.25420.1
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.26730.12
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.ArcGISOnline", "src\Owin.Security.Providers.ArcGISOnline\Owin.Security.Providers.ArcGISOnline.csproj", "{8A49FAEF-D365-4D25-942C-1CAD03845A5E}"
 EndProject
@@ -108,6 +108,14 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Eve
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.WSO2", "src\Owin.Security.Providers.WSO2\Owin.Security.Providers.WSO2.csproj", "{8FD3A9CB-E684-42C0-A8BF-7746FDD3D43C}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Podbean", "src\Owin.Security.Providers.Podbean\Owin.Security.Providers.Podbean.csproj", "{A7B95FD4-08AD-499F-B574-07560CC2A63F}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.ArcGISPortal", "src\Owin.Security.Providers.ArcGISPortal\Owin.Security.Providers.ArcGISPortal.csproj", "{18547CA4-D7D3-43C2-81C2-A21FC8151A93}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Typeform", "src\Owin.Security.Providers.Typeform\Owin.Security.Providers.Typeform.csproj", "{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Owin.Security.Providers.Google", "src\Owin.Security.Providers.Google\Owin.Security.Providers.Google.csproj", "{ED434959-8CF8-4CAB-83B3-E4A618327AB5}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -326,8 +334,27 @@ Global
 		{8FD3A9CB-E684-42C0-A8BF-7746FDD3D43C}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{8FD3A9CB-E684-42C0-A8BF-7746FDD3D43C}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{8FD3A9CB-E684-42C0-A8BF-7746FDD3D43C}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A7B95FD4-08AD-499F-B574-07560CC2A63F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A7B95FD4-08AD-499F-B574-07560CC2A63F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A7B95FD4-08AD-499F-B574-07560CC2A63F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A7B95FD4-08AD-499F-B574-07560CC2A63F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{18547CA4-D7D3-43C2-81C2-A21FC8151A93}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{18547CA4-D7D3-43C2-81C2-A21FC8151A93}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{18547CA4-D7D3-43C2-81C2-A21FC8151A93}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{18547CA4-D7D3-43C2-81C2-A21FC8151A93}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C8862B45-E1D1-4AB7-A83D-3A2FD2A22526}.Release|Any CPU.Build.0 = Release|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{ED434959-8CF8-4CAB-83B3-E4A618327AB5}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {EDFDB942-6583-4AD9-A868-B354B5BF07FC}
+	EndGlobalSection
 EndGlobal

OwinOAuthProvidersDemo/App_Start/Startup.Auth.cs

@@ -4,6 +4,8 @@ using Microsoft.Owin.Security.Cookies;
 using Owin;
 using Owin.Security.Providers.Evernote;
 using Owin.Security.Providers.PayPal;
+using Owin.Security.Providers.ArcGISPortal;
+using Owin.Security.Providers.Typeform;
 
 namespace OwinOAuthProvidersDemo
 {
@@ -125,14 +127,50 @@ namespace OwinOAuthProvidersDemo
             //    clientId: "",
             //    clientSecret: "");
 
-            //in scenarios where a sandbox URL needs to be used
-            //var salesforceOptions = new SalesforceAuthenticationOptions
+            // Salesforce Option 1: don't specify explicit Endpoint config and use Production endpoint defaults
+            //var salesforceOptions1 = new SalesforceAuthenticationOptions
+            //{
+            //    ClientId = "",
+            //    ClientSecret = "",
+            //    Provider = new SalesforceAuthenticationProvider()
+            //    {
+            //        OnAuthenticated = async context =>
+            //        {
+            //            System.Diagnostics.Debug.WriteLine(context.AccessToken);
+            //            System.Diagnostics.Debug.WriteLine(context.RefreshToken);
+            //            System.Diagnostics.Debug.WriteLine(context.OrganizationId);
+            //        }
+            //    }
+            //};
+
+            // Salesforce Option 2: ask for Sandbox environment; no need to know what those endpoints are
+            //var salesforceOptions2 = new SalesforceAuthenticationOptions
             //{
             //    Endpoints =
             //        new SalesforceAuthenticationOptions.SalesforceAuthenticationEndpoints
             //        {
-            //            AuthorizationEndpoint =
-            //                "https://ap1.salesforce.com/services/oauth2/authorize",
+            //            Environment = Owin.Security.Providers.Salesforce.Constants.SandboxEnvironment
+            //        },
+            //    ClientId = "",
+            //    ClientSecret = "",
+            //    Provider = new SalesforceAuthenticationProvider()
+            //    {
+            //        OnAuthenticated = async context =>
+            //        {
+            //            System.Diagnostics.Debug.WriteLine(context.AccessToken);
+            //            System.Diagnostics.Debug.WriteLine(context.RefreshToken);
+            //            System.Diagnostics.Debug.WriteLine(context.OrganizationId);
+            //        }
+            //    }
+            //};
+
+            // Salesforce Option 3: explicitly specify endpoints (will take precedence over Environment choice)
+            //var salesforceOptions3 = new SalesforceAuthenticationOptions
+            //{
+            //    Endpoints =
+            //        new SalesforceAuthenticationOptions.SalesforceAuthenticationEndpoints
+            //        {
+            //            AuthorizationEndpoint = "https://ap1.salesforce.com/services/oauth2/authorize",
             //            TokenEndpoint = "https://ap1.salesforce.com/services/oauth2/token"
             //        },
             //    ClientId = "",
@@ -147,7 +185,7 @@ namespace OwinOAuthProvidersDemo
             //        }
             //    }
             //};
-            //app.UseSalesforceAuthentication(salesforceOptions);
+            //app.UseSalesforceAuthentication(salesforceOptions1);
 
             ////app.UseShopifyAuthentication("", "");
 
@@ -155,6 +193,12 @@ namespace OwinOAuthProvidersDemo
             //    clientId: "",
             //    clientSecret: "");
 
+            //app.UseArcGISPortalAuthentication(new ArcGISPortalAuthenticationOptions(
+            //    "My ArcGIS Portal",
+            //    "https://arcgisportal.mydomain.com/",
+            //    "",
+            //    ""));
+
             //app.UseWordPressAuthentication(
             //    clientId: "",
             //    clientSecret: "");
@@ -307,6 +351,24 @@ namespace OwinOAuthProvidersDemo
             //      AppKey = "",
             //      AppSecret = ""
             //});
+
+            //app.UsePodbeanAuthentication(new PodbeanAuthenticationOptions
+            //{
+            //      AppId = "",
+            //      AppSecret = "",
+            //      DebugUsingRequestHeadersToBuildBaseUri = true
+            //});
+
+            // WARNING:
+            // Typeform doesn't supply the user's ID so use this provider for authorization only, not authentication 
+            // because each time you sign in with the same Typeform account it will yield a distinct UserId.
+            //var typeformOptions = new Owin.Security.Providers.Typeform.TypeformAuthenticationOptions
+            //{
+            //    ClientId = "",
+            //    ClientSecret = "",
+            //};
+            //typeformOptions.Scope.Add("forms:read");
+            //app.UseTypeformAuthentication(typeformOptions);
         }
-	}
+    }
 }

OwinOAuthProvidersDemo/Controllers/AccountController.cs

@@ -419,6 +419,13 @@ namespace OwinOAuthProvidersDemo.Controllers
                     properties.Dictionary[ShopNameKey] = ShopName;
                 }
 
+                // if use Salesforce as OAuth provider you can ask for Sandbox auth endpoint 
+                // for this particular request only
+                //properties.Dictionary.Add(
+                //    Owin.Security.Providers.Salesforce.Constants.EnvironmentAuthenticationProperty,
+                //    Owin.Security.Providers.Salesforce.Constants.SandboxEnvironment
+                //    );
+
                 context.HttpContext.GetOwinContext().Authentication.Challenge(properties, LoginProvider);
             }
         }

OwinOAuthProvidersDemo/OwinOAuthProvidersDemo.csproj

@@ -22,6 +22,7 @@
     <IISExpressUseClassicPipelineMode>false</IISExpressUseClassicPipelineMode>
     <UseGlobalApplicationHostFile />
     <TargetFrameworkProfile />
+    <Use64BitIISExpress />
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
     <DebugSymbols>true</DebugSymbols>
@@ -31,6 +32,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -39,6 +41,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Antlr3.Runtime, Version=3.5.0.2, Culture=neutral, PublicKeyToken=eb42632606e9261f, processorArchitecture=MSIL">
@@ -260,6 +263,10 @@
       <Project>{8a49faef-d365-4d25-942c-1cad03845a5e}</Project>
       <Name>Owin.Security.Providers.ArcGISOnline</Name>
     </ProjectReference>
+    <ProjectReference Include="..\src\Owin.Security.Providers.ArcGISPortal\Owin.Security.Providers.ArcGISPortal.csproj">
+      <Project>{18547ca4-d7d3-43c2-81c2-a21fc8151a93}</Project>
+      <Name>Owin.Security.Providers.ArcGISPortal</Name>
+    </ProjectReference>
     <ProjectReference Include="..\src\Owin.Security.Providers.Asana\Owin.Security.Providers.Asana.csproj">
       <Project>{f3e27220-1d8c-4037-94aa-7b7f4a12f351}</Project>
       <Name>Owin.Security.Providers.Asana</Name>
@@ -380,6 +387,10 @@
       <Project>{f7129064-3db7-4b79-81d3-80130d664e45}</Project>
       <Name>Owin.Security.Providers.PayPal</Name>
     </ProjectReference>
+    <ProjectReference Include="..\src\Owin.Security.Providers.Podbean\Owin.Security.Providers.Podbean.csproj">
+      <Project>{a7b95fd4-08ad-499f-b574-07560cc2a63f}</Project>
+      <Name>Owin.Security.Providers.Podbean</Name>
+    </ProjectReference>
     <ProjectReference Include="..\src\Owin.Security.Providers.Reddit\Owin.Security.Providers.Reddit.csproj">
       <Project>{d0cd86c8-a6f9-4c6c-9bf0-eaa461e7fbad}</Project>
       <Name>Owin.Security.Providers.Reddit</Name>
@@ -420,6 +431,10 @@
       <Project>{c3cf8734-6aac-4f59-9a3e-1cba8582cd48}</Project>
       <Name>Owin.Security.Providers.Twitch</Name>
     </ProjectReference>
+    <ProjectReference Include="..\src\Owin.Security.Providers.Typeform\Owin.Security.Providers.Typeform.csproj">
+      <Project>{c8862b45-e1d1-4ab7-a83d-3a2fd2a22526}</Project>
+      <Name>Owin.Security.Providers.Typeform</Name>
+    </ProjectReference>
     <ProjectReference Include="..\src\Owin.Security.Providers.Untappd\Owin.Security.Providers.Untappd.csproj">
       <Project>{3e89eca3-f4e7-4181-b26b-8250d5151044}</Project>
       <Name>Owin.Security.Providers.Untappd</Name>

README.md

@@ -1,10 +1,11 @@
 [![Build status](https://ci.appveyor.com/api/projects/status/gjlkpp86t8dw164f?svg=true)](https://ci.appveyor.com/project/tparnell8/owinoauthproviders)
 
-#OWIN OAuth Providers
+# OWIN OAuth Providers
 
 Provides a set of extra authentication providers for OWIN ([Project Katana](http://katanaproject.codeplex.com/)).  This project includes providers for:
 - OAuth
   - ArcGISOnline
+  - ArcGISPortal
   - Asana
   - Backlog
   - Battle.net
@@ -29,6 +30,7 @@ Provides a set of extra authentication providers for OWIN ([Project Katana](http
   - Onshape
   - ORCID
   - PayPal
+  - Podbean
   - Reddit
   - Salesforce
   - Shopify

Rakefile.rb

@@ -15,7 +15,7 @@ PACKAGES = File.expand_path("packages")
 TOOLS = File.expand_path("tools")
 NUGET = File.expand_path("#{TOOLS}/nuget")
 NUGET_EXE = File.expand_path("#{TOOLS}/nuget/nuget.exe")
-@version = "2.15.1"
+@version = "2.26.0"
 PROJECTS = Dir.glob('src/*').select{|dir| File.directory? dir }
 
 desc 'Retrieve things'
@@ -70,8 +70,8 @@ desc 'publish nugets'
 task :nuspec_publish do
   PROJECTS.each{|dir|
     Dir.chdir(dir) do
-      sh "#{NUGET_EXE} push #{FileList["*.nupkg"].first}"
+      sh "#{NUGET_EXE} push -Source https://api.nuget.org/v3/index.json #{FileList["*.nupkg"].first}"
     end
   }
-  sh "#{NUGET_EXE} push #{FileList["*.nupkg"].first}"
+  sh "#{NUGET_EXE} push -Source https://api.nuget.org/v3/index.json #{FileList["*.nupkg"].first}"
 end

base/Owin.Security.Providers.OpenIDBase/Owin.Security.Providers.OpenIDBase.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

nuget.rake

@@ -10,12 +10,12 @@ namespace :nuget do
       begin
       FileUtils.mkdir_p("#{NUGET}")
       File.open("#{NUGET}/nuget.exe", "wb") do |file|
-        file.write open('http://nuget.org/nuget.exe', {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}).read
+        file.write open('https://dist.nuget.org/win-x86-commandline/latest/nuget.exe', {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}).read
       end
     rescue
       FileUtils.rm_rf("#{NUGET}/nuget.exe")
       File.open("#{NUGET}/nuget.exe", "wb") do |file|
-        file.write open('https://dist.nuget.org/win-x86-commandline/v3.2.0/nuget.exe', {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}).read
+        file.write open('https://dist.nuget.org/win-x86-commandline/latest/nuget.exe', {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE}).read
       end
     end
     end

src/Owin.Security.Providers.ArcGISOnline/Owin.Security.Providers.ArcGISOnline.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.ArcGISPortal/ArcGISPortalAuthenticationExtensions.cs

@@ -0,0 +1,20 @@
+using System;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    public static class ArcGISPortalAuthenticationExtensions
+    {
+        public static IAppBuilder UseArcGISPortalAuthentication(this IAppBuilder app,
+            ArcGISPortalAuthenticationOptions options)
+        {
+            if (app == null)
+                throw new ArgumentNullException(nameof(app));
+            if (options == null)
+                throw new ArgumentNullException(nameof(options));
+
+            app.Use(typeof(ArcGISPortalAuthenticationMiddleware), app, options);
+
+            return app;
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/ArcGISPortalAuthenticationHandler.cs

@@ -0,0 +1,234 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Owin.Infrastructure;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    public class ArcGISPortalAuthenticationHandler : AuthenticationHandler<ArcGISPortalAuthenticationOptions>
+    {
+        private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
+
+        private readonly ILogger _logger;
+        private readonly HttpClient _httpClient;
+        private readonly string _host;
+
+        public ArcGISPortalAuthenticationHandler(HttpClient httpClient, ILogger logger, string host)
+        {
+            _httpClient = httpClient;
+            _logger = logger;
+            _host = host;
+        }
+
+        protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
+        {
+            AuthenticationProperties properties = null;
+
+            try
+            {
+                string code = null;
+                string state = null;
+
+                var query = Request.Query;
+                var values = query.GetValues("code");
+                if (values != null && values.Count == 1)
+                {
+                    code = values[0];
+                }
+                values = query.GetValues("state");
+                if (values != null && values.Count == 1)
+                {
+                    state = values[0];
+                }
+
+                properties = Options.StateDataFormat.Unprotect(state);
+                if (properties == null)
+                {
+                    return null;
+                }
+                // OAuth2 10.12 CSRF
+                if (!ValidateCorrelationId(properties, _logger))
+                {
+                    return new AuthenticationTicket(null, properties);
+                }
+
+                var requestPrefix = Request.Scheme + "://" + Request.Host;
+                var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
+
+                // Build up the body for the token request
+                var body = new List<KeyValuePair<string, string>>
+                {
+                    new KeyValuePair<string, string>("grant_type", "authorization_code"),
+                    new KeyValuePair<string, string>("code", code),
+                    new KeyValuePair<string, string>("redirect_uri", redirectUri),
+                    new KeyValuePair<string, string>("client_id", Options.ClientId),
+                    new KeyValuePair<string, string>("client_secret", Options.ClientSecret)
+                };
+
+                // Request the token
+                var requestMessage = new HttpRequestMessage(HttpMethod.Post, Options.Endpoints.TokenEndpoint);
+                requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+                requestMessage.Content = new FormUrlEncodedContent(body);
+                var tokenResponse = await _httpClient.SendAsync(requestMessage);
+                tokenResponse.EnsureSuccessStatusCode();
+                var text = await tokenResponse.Content.ReadAsStringAsync();
+
+                // Deserializes the token response
+                dynamic response = JsonConvert.DeserializeObject<dynamic>(text);
+                var accessToken = (string)response.access_token;
+                var refreshToken = (string)response.refresh_token;
+
+                // Get the ArcGISPortal user
+                var userRequest = new HttpRequestMessage(HttpMethod.Get, Options.Endpoints.UserInfoEndpoint + "?f=json&token=" + Uri.EscapeDataString(accessToken));
+                userRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+                var userResponse = await _httpClient.SendAsync(userRequest, Request.CallCancelled);
+                userResponse.EnsureSuccessStatusCode();
+                text = await userResponse.Content.ReadAsStringAsync();
+                var user = JsonConvert.DeserializeObject<Provider.ArcGISPortalUser>(text);
+
+                var context = new ArcGISPortalAuthenticatedContext(Context, user, accessToken, refreshToken, _host)
+                {
+                    Identity = new ClaimsIdentity(
+                        Options.AuthenticationType,
+                        ClaimsIdentity.DefaultNameClaimType,
+                        ClaimsIdentity.DefaultRoleClaimType)
+                };
+                if (!string.IsNullOrEmpty(context.Id))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.UserName))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.UserName, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Email))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Name))
+                {
+                    context.Identity.AddClaim(new Claim("urn:ArcGISPortal:name", context.Name, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Link))
+                {
+                    context.Identity.AddClaim(new Claim("urn:ArcGISPortal:url", context.Link, XmlSchemaString, Options.AuthenticationType));
+                }
+
+                context.Properties = properties;
+
+                await Options.Provider.Authenticated(context);
+
+                return new AuthenticationTicket(context.Identity, context.Properties);
+            }
+            catch (Exception ex)
+            {
+                _logger.WriteError(ex.Message);
+            }
+            return new AuthenticationTicket(null, properties);
+        }
+
+        protected override Task ApplyResponseChallengeAsync()
+        {
+            if (Response.StatusCode != 401)
+            {
+                return Task.FromResult<object>(null);
+            }
+
+            var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
+
+            if (challenge == null) return Task.FromResult<object>(null);
+            var baseUri =
+                Request.Scheme +
+                Uri.SchemeDelimiter +
+                Request.Host +
+                Request.PathBase;
+
+            var currentUri =
+                baseUri +
+                Request.Path +
+                Request.QueryString;
+
+            var redirectUri =
+                baseUri +
+                Options.CallbackPath;
+            var properties = challenge.Properties;
+            if (string.IsNullOrEmpty(properties.RedirectUri))
+            {
+                properties.RedirectUri = currentUri;
+            }
+
+            GenerateCorrelationId(properties);
+            var state = Options.StateDataFormat.Protect(properties);
+            // comma separated
+            var scope = string.Join(",", Options.Scope);
+
+            var authorizationEndpoint =
+                Options.Endpoints.AuthorizationEndpoint +
+                "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
+                "&response_type=" + Uri.EscapeDataString(scope) +
+                "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
+                "&state=" + Uri.EscapeDataString(state);
+
+            Response.Redirect(authorizationEndpoint);
+
+            return Task.FromResult<object>(null);
+        }
+
+        public override async Task<bool> InvokeAsync()
+        {
+            return await InvokeReplyPathAsync();
+        }
+
+        private async Task<bool> InvokeReplyPathAsync()
+        {
+            if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path) return false;
+            // TODO: error responses
+
+            var ticket = await AuthenticateAsync();
+            if (ticket == null)
+            {
+                _logger.WriteWarning("Invalid return state, unable to redirect.");
+                Response.StatusCode = 500;
+                return true;
+            }
+
+            var context = new ArcGISPortalReturnEndpointContext(Context, ticket)
+            {
+                SignInAsAuthenticationType = Options.SignInAsAuthenticationType,
+                RedirectUri = ticket.Properties.RedirectUri
+            };
+
+            await Options.Provider.ReturnEndpoint(context);
+
+            if (context.SignInAsAuthenticationType != null &&
+                context.Identity != null)
+            {
+                var grantIdentity = context.Identity;
+                if (!string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal))
+                {
+                    grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType, grantIdentity.NameClaimType, grantIdentity.RoleClaimType);
+                }
+                Context.Authentication.SignIn(context.Properties, grantIdentity);
+            }
+
+            if (context.IsRequestCompleted || context.RedirectUri == null) return context.IsRequestCompleted;
+            var redirectUri = context.RedirectUri;
+            if (context.Identity == null)
+            {
+                // add a redirect hint that sign-in failed in some way
+                redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied");
+            }
+            Response.Redirect(redirectUri);
+            context.RequestCompleted();
+
+            return context.IsRequestCompleted;
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/ArcGISPortalAuthenticationMiddleware.cs

@@ -0,0 +1,87 @@
+using System;
+using System.Globalization;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.DataHandler;
+using Microsoft.Owin.Security.DataProtection;
+using Microsoft.Owin.Security.Infrastructure;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    public class ArcGISPortalAuthenticationMiddleware : AuthenticationMiddleware<ArcGISPortalAuthenticationOptions>
+    {
+        private readonly HttpClient _httpClient;
+        private readonly ILogger _logger;
+
+        public ArcGISPortalAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app,
+            ArcGISPortalAuthenticationOptions options)
+            : base(next, options)
+        {
+            if (string.IsNullOrWhiteSpace(Options.Host))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "Host"));
+            if (string.IsNullOrWhiteSpace(Options.ClientId))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientId"));
+            if (string.IsNullOrWhiteSpace(Options.ClientSecret))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientSecret"));
+
+            _logger = app.CreateLogger<ArcGISPortalAuthenticationMiddleware>();
+
+            if (Options.Provider == null)
+                Options.Provider = new ArcGISPortalAuthenticationProvider();
+
+            if (Options.StateDataFormat == null)
+            {
+                var dataProtector = app.CreateDataProtector(
+                    typeof(ArcGISPortalAuthenticationMiddleware).FullName,
+                    Options.AuthenticationType, "v2");
+                Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
+            }
+
+            if (string.IsNullOrEmpty(Options.SignInAsAuthenticationType))
+                Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
+
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options))
+            {
+                Timeout = Options.BackchannelTimeout,
+                MaxResponseContentBufferSize = 1024 * 1024 * 10,
+            };
+            _httpClient.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft Owin ArcGISPortal middleware");
+            _httpClient.DefaultRequestHeaders.ExpectContinue = false;
+        }
+
+        /// <summary>
+        ///     Provides the <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> object for processing
+        ///     authentication-related requests.
+        /// </summary>
+        /// <returns>
+        ///     An <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> configured with the
+        ///     <see cref="T:Owin.Security.Providers.ArcGISPortal.ArcGISPortalAuthenticationOptions" /> supplied to the constructor.
+        /// </returns>
+        protected override AuthenticationHandler<ArcGISPortalAuthenticationOptions> CreateHandler()
+        {
+            return new ArcGISPortalAuthenticationHandler(_httpClient, _logger, Options.Host);
+        }
+
+        private static HttpMessageHandler ResolveHttpMessageHandler(ArcGISPortalAuthenticationOptions options)
+        {
+            var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
+
+            // If they provided a validator, apply it or fail.
+            if (options.BackchannelCertificateValidator == null) return handler;
+            // Set the cert validate callback
+            var webRequestHandler = handler as WebRequestHandler;
+            if (webRequestHandler == null)
+            {
+                throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
+            }
+            webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+
+            return handler;
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/ArcGISPortalAuthenticationOptions.cs

@@ -0,0 +1,171 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    public class ArcGISPortalAuthenticationOptions : AuthenticationOptions
+    {
+        public class ArcGISPortalAuthenticationEndpoints
+        {
+            /// <summary>
+            /// Endpoint which is used to redirect users to request ArcGISPortal access
+            /// </summary>
+            /// <remarks>
+            /// Defaults to https://www.arcgis.com/sharing/rest/oauth2/authorize/
+            /// </remarks>
+            public string AuthorizationEndpoint { get; set; }
+
+            /// <summary>
+            /// Endpoint which is used to exchange code for access token
+            /// </summary>
+            /// <remarks>
+            /// Defaults to https://www.arcgis.com/sharing/rest/oauth2/token/
+            /// </remarks>
+            public string TokenEndpoint { get; set; }
+
+            /// <summary>
+            /// Endpoint which is used to obtain user information after authentication
+            /// </summary>
+            /// <remarks>
+            /// Defaults to https://www.arcgis.com/sharing/rest/community/self
+            /// </remarks>
+            public string UserInfoEndpoint { get; set; }
+        }
+
+        private const string AuthenticationTypeNameDefault = "ArcGIS Portal";
+
+        private const string AuthorizationEndPoint = "arcgis/sharing/rest/oauth2/authorize/";
+        private const string TokenEndpoint = "arcgis/sharing/rest/oauth2/token/";
+        private const string UserInfoEndpoint = "arcgis/sharing/rest/community/self";
+
+        /// <summary>
+        ///     Gets or sets the a pinned certificate validator to use to validate the endpoints used
+        ///     in back channel communications belong to ArcGISPortal.
+        /// </summary>
+        /// <value>
+        ///     The pinned certificate validator.
+        /// </value>
+        /// <remarks>
+        ///     If this property is null then the default certificate checks are performed,
+        ///     validating the subject name and if the signing chain is a trusted party.
+        /// </remarks>
+        public ICertificateValidator BackchannelCertificateValidator { get; set; }
+
+        /// <summary>
+        ///     The HttpMessageHandler used to communicate with ArcGISPortal.
+        ///     This cannot be set at the same time as BackchannelCertificateValidator unless the value
+        ///     can be downcast to a WebRequestHandler.
+        /// </summary>
+        public HttpMessageHandler BackchannelHttpHandler { get; set; }
+
+        /// <summary>
+        ///     Gets or sets timeout value in milliseconds for back channel communications with ArcGISPortal.
+        /// </summary>
+        /// <value>
+        ///     The back channel timeout in milliseconds.
+        /// </value>
+        public TimeSpan BackchannelTimeout { get; set; }
+
+        /// <summary>
+        ///     The request path within the application's base path where the user-agent will be returned.
+        ///     The middleware will process this request when it arrives.
+        ///     Default value is "/signin-ArcGISPortal".
+        /// </summary>
+        public PathString CallbackPath { get; set; }
+
+        /// <summary>
+        ///     Get or sets the text that the user can display on a sign in user interface.
+        /// </summary>
+        public string Caption
+        {
+            get { return Description.Caption; }
+            set { Description.Caption = value; }
+        }
+
+        /// <summary>
+        ///     Gets or sets the ArcGIS Portal Authentication Type Name
+        ///     Displayed to the user as the login option, and allows multiple ArcGIS Portal OAuth providers to be configured for use in the same application.
+        /// </summary>
+        public string AuthenticationTypeName { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the ArcGIS Portal Host (where the portal is installed e.g. https://arcgisportal.domain.com)
+        /// </summary>
+        public string Host { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the ArcGISPortal supplied Client ID
+        /// </summary>
+        public string ClientId { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the ArcGISPortal supplied Client Secret
+        /// </summary>
+        public string ClientSecret { get; set; }
+
+        /// <summary>
+        /// Gets the sets of OAuth endpoints used to authenticate against ArcGISPortal.  Overriding these endpoints allows you to use ArcGISPortal Enterprise for
+        /// authentication.
+        /// </summary>
+        public ArcGISPortalAuthenticationEndpoints Endpoints { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the <see cref="IArcGISPortalAuthenticationProvider" /> used in the authentication events
+        /// </summary>
+        public IArcGISPortalAuthenticationProvider Provider { get; set; }
+
+        /// <summary>
+        /// A list of permissions to request.
+        /// </summary>
+        public IList<string> Scope { get; protected set; }
+
+        /// <summary>
+        ///     Gets or sets the name of another authentication middleware which will be responsible for actually issuing a user
+        ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+        /// </summary>
+        public string SignInAsAuthenticationType { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the type used to secure data handled by the middleware.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
+
+        /// <summary>
+        ///     Initializes a new <see cref="ArcGISPortalAuthenticationOptions" />
+        /// </summary>
+        public ArcGISPortalAuthenticationOptions(string host, string clientId, string clientSecret) : this(AuthenticationTypeNameDefault, host, clientId, clientSecret) {}
+
+        /// <summary>
+        ///     Initializes a new <see cref="ArcGISPortalAuthenticationOptions" />
+        /// </summary>
+        public ArcGISPortalAuthenticationOptions(string authenticationTypeName, string host, string clientId, string clientSecret) : base(authenticationTypeName)
+        {
+            AuthenticationTypeName = authenticationTypeName;
+            Host = host;
+            ClientId = clientId;
+            ClientSecret = clientSecret;
+
+            AuthenticationType = AuthenticationTypeName;
+            Caption = AuthenticationTypeName;
+
+            CallbackPath = new PathString("/signin-arcgis-portal");
+            AuthenticationMode = AuthenticationMode.Passive;
+            Scope = new List<string>
+            {
+                "code"
+            };
+            BackchannelTimeout = TimeSpan.FromSeconds(60);
+
+            Uri hostUri = new Uri(Host);
+            Endpoints = new ArcGISPortalAuthenticationEndpoints
+            {
+                AuthorizationEndpoint = new Uri(hostUri, AuthorizationEndPoint).ToString(),
+                TokenEndpoint = new Uri(hostUri, TokenEndpoint).ToString(),
+                UserInfoEndpoint = new Uri(hostUri, UserInfoEndpoint).ToString()
+            };
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Owin.Security.Providers.ArcGISPortal.csproj

@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{18547CA4-D7D3-43C2-81C2-A21FC8151A93}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>Owin.Security.Providers.ArcGISPortal</RootNamespace>
+    <AssemblyName>Owin.Security.Providers.ArcGISPortal</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.3.0.1\lib\net45\Microsoft.Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.Security.3.0.1\lib\net45\Microsoft.Owin.Security.dll</HintPath>
+    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Newtonsoft.Json.8.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
+    <Reference Include="Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Net.Http.WebRequest" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="ArcGISPortalAuthenticationHandler.cs" />
+    <Compile Include="ArcGISPortalAuthenticationExtensions.cs" />
+    <Compile Include="ArcGISPortalAuthenticationMiddleware.cs" />
+    <Compile Include="ArcGISPortalAuthenticationOptions.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Provider\ArcGISPortalAuthenticationProvider.cs" />
+    <Compile Include="Provider\ArcGISPortalAuthenticatedContext.cs" />
+    <Compile Include="Provider\ArcGISPortalReturnEndpointContext.cs" />
+    <Compile Include="Provider\ArcGISPortalUser.cs" />
+    <Compile Include="Provider\IArcGISPortalAuthenticationProvider.cs" />
+    <Compile Include="Resources.Designer.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>Resources.resx</DependentUpon>
+    </Compile>
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

src/Owin.Security.Providers.ArcGISPortal/Properties/AssemblyInfo.cs

@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("Owin.Security.Providers.ArcGISPortal")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Owin.Security.Providers.ArcGISPortal")]
+[assembly: AssemblyCopyright("Copyright ©  2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("18547ca4-d7d3-43c2-81c2-a21fc8151a93")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

src/Owin.Security.Providers.ArcGISPortal/Provider/ArcGISPortalAuthenticatedContext.cs

@@ -0,0 +1,81 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using System.Security.Claims;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+using Owin.Security.Providers.ArcGISPortal.Provider;
+using System;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    /// <summary>
+    /// Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.
+    /// </summary>
+    public class ArcGISPortalAuthenticatedContext : BaseContext
+    {
+        /// <summary>
+        /// Initializes a <see cref="ArcGISPortalAuthenticatedContext"/>
+        /// </summary>
+        /// <param name="context">The OWIN environment</param>
+        /// <param name="user">The ArcGIS Portal user</param>
+        /// <param name="accessToken">ArcGIS Portal Access token</param>
+        /// <param name="refreshToken">ArcGIS Portal Refresh token</param>
+        /// <param name="host">ArcGIS Portal Host</param>
+        public ArcGISPortalAuthenticatedContext(IOwinContext context, ArcGISPortalUser user, string accessToken, string refreshToken, string host)
+            : base(context)
+        {
+            Uri hostUri = new Uri(host);
+
+            AccessToken = accessToken;
+            RefreshToken = refreshToken;
+            Id = user.Username;
+            Name = user.FullName;
+            Link = new Uri(hostUri, "arcgis/sharing/rest/community/users/" + Id).ToString();
+            UserName = Id;
+            Email = user.Email;
+        }
+
+        /// <summary>
+        /// Gets the ArcGIS Portal access token
+        /// </summary>
+        public string AccessToken { get; private set; }
+
+        /// <summary>
+        /// Gets the ArcGIS Portal refresh token
+        /// </summary>
+        public string RefreshToken { get; private set; }
+
+        /// <summary>
+        /// Gets the ArcGIS Portal user ID
+        /// </summary>
+        public string Id { get; }
+
+        /// <summary>
+        /// Gets the user's name
+        /// </summary>
+        public string Name { get; private set; }
+
+        /// <summary>
+        /// Gets the user's email
+        /// </summary>
+        public string Email { get; private set; }
+
+        public string Link { get; private set; }
+
+        /// <summary>
+        /// Gets the ArcGIS Portal username
+        /// </summary>
+        public string UserName { get; private set; }
+
+        /// <summary>
+        /// Gets the <see cref="ClaimsIdentity"/> representing the user
+        /// </summary>
+        public ClaimsIdentity Identity { get; set; }
+
+        /// <summary>
+        /// Gets or sets a property bag for common authentication properties
+        /// </summary>
+        public AuthenticationProperties Properties { get; set; }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Provider/ArcGISPortalAuthenticationProvider.cs

@@ -0,0 +1,50 @@
+using System;
+using System.Threading.Tasks;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    /// <summary>
+    /// Default <see cref="IArcGISPortalAuthenticationProvider"/> implementation.
+    /// </summary>
+    public class ArcGISPortalAuthenticationProvider : IArcGISPortalAuthenticationProvider
+    {
+        /// <summary>
+        /// Initializes a <see cref="ArcGISPortalAuthenticationProvider"/>
+        /// </summary>
+        public ArcGISPortalAuthenticationProvider()
+        {
+            OnAuthenticated = context => Task.FromResult<object>(null);
+            OnReturnEndpoint = context => Task.FromResult<object>(null);
+        }
+
+        /// <summary>
+        /// Gets or sets the function that is invoked when the Authenticated method is invoked.
+        /// </summary>
+        public Func<ArcGISPortalAuthenticatedContext, Task> OnAuthenticated { get; set; }
+
+        /// <summary>
+        /// Gets or sets the function that is invoked when the ReturnEndpoint method is invoked.
+        /// </summary>
+        public Func<ArcGISPortalReturnEndpointContext, Task> OnReturnEndpoint { get; set; }
+
+        /// <summary>
+        /// Invoked whenever ArcGISPortal successfully authenticates a user
+        /// </summary>
+        /// <param name="context">Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.</param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        public virtual Task Authenticated(ArcGISPortalAuthenticatedContext context)
+        {
+            return OnAuthenticated(context);
+        }
+
+        /// <summary>
+        /// Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity"/> being saved in a local cookie and the browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        public virtual Task ReturnEndpoint(ArcGISPortalReturnEndpointContext context)
+        {
+            return OnReturnEndpoint(context);
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Provider/ArcGISPortalReturnEndpointContext.cs

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    /// <summary>
+    /// Provides context information to middleware providers.
+    /// </summary>
+    public class ArcGISPortalReturnEndpointContext : ReturnEndpointContext
+    {
+        /// <summary>
+        ///
+        /// </summary>
+        /// <param name="context">OWIN environment</param>
+        /// <param name="ticket">The authentication ticket</param>
+        public ArcGISPortalReturnEndpointContext(
+            IOwinContext context,
+            AuthenticationTicket ticket)
+            : base(context, ticket)
+        {
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Provider/ArcGISPortalUser.cs

@@ -0,0 +1,9 @@
+namespace Owin.Security.Providers.ArcGISPortal.Provider
+{
+    public class ArcGISPortalUser
+    {
+        public string Username { get; set; }
+        public string FullName { get; set; }
+        public string Email { get; set; }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Provider/IArcGISPortalAuthenticationProvider.cs

@@ -0,0 +1,24 @@
+using System.Threading.Tasks;
+
+namespace Owin.Security.Providers.ArcGISPortal
+{
+    /// <summary>
+    /// Specifies callback methods which the <see cref="ArcGISPortalAuthenticationMiddleware"></see> invokes to enable developer control over the authentication process. />
+    /// </summary>
+    public interface IArcGISPortalAuthenticationProvider
+    {
+        /// <summary>
+        /// Invoked whenever ArcGISPortal successfully authenticates a user
+        /// </summary>
+        /// <param name="context">Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.</param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        Task Authenticated(ArcGISPortalAuthenticatedContext context);
+
+        /// <summary>
+        /// Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity"/> being saved in a local cookie and the browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        Task ReturnEndpoint(ArcGISPortalReturnEndpointContext context);
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Resources.Designer.cs

@@ -0,0 +1,81 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.42000
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Owin.Security.Providers.ArcGISPortal {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class Resources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal Resources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Owin.Security.Providers.ArcGISPortal.Resources", typeof(Resources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The &apos;{0}&apos; option must be provided..
+        /// </summary>
+        internal static string Exception_OptionMustBeProvided {
+            get {
+                return ResourceManager.GetString("Exception_OptionMustBeProvided", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler..
+        /// </summary>
+        internal static string Exception_ValidatorHandlerMismatch {
+            get {
+                return ResourceManager.GetString("Exception_ValidatorHandlerMismatch", resourceCulture);
+            }
+        }
+    }
+}

src/Owin.Security.Providers.ArcGISPortal/Resources.resx

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <data name="Exception_OptionMustBeProvided" xml:space="preserve">
+    <value>The '{0}' option must be provided.</value>
+  </data>
+  <data name="Exception_ValidatorHandlerMismatch" xml:space="preserve">
+    <value>An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler.</value>
+  </data>
+</root>

src/Owin.Security.Providers.ArcGISPortal/packages.config

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.Owin" version="3.0.1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net45" />
+  <package id="Newtonsoft.Json" version="8.0.3" targetFramework="net45" />
+  <package id="Owin" version="1.0" targetFramework="net45" />
+</packages>

src/Owin.Security.Providers.Asana/Owin.Security.Providers.Asana.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Backlog/Owin.Security.Providers.Backlog.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Baidu/Owin.Security.Providers.Baidu.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.BattleNet/Owin.Security.Providers.BattleNet.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Bitbucket/Owin.Security.Providers.Bitbucket.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Box/Owin.Security.Providers.Box.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Buffer/Owin.Security.Providers.Buffer.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Cosign/Owin.Security.Providers.Cosign.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.DeviantArt/Owin.Security.Providers.DeviantArt.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Discord/DiscordAuthenticationHandler.cs

@@ -105,7 +105,7 @@ namespace Owin.Security.Providers.Discord
                 };
                 if (!string.IsNullOrEmpty(context.Id))
                 {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.UserName, XmlSchemaString, Options.AuthenticationType));
+                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
                 }
                 if (!string.IsNullOrEmpty(context.UserName))
                 {

src/Owin.Security.Providers.Discord/Owin.Security.Providers.Discord.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Discord/Provider/DiscordAuthenticatedContext.cs

@@ -39,7 +39,7 @@ namespace Owin.Security.Providers.Discord.Provider
             Discriminator = TryGetValue(user, "discriminator");
             Avatar = TryGetValue(user, "avatar");
             Email = TryGetValue(user, "email");
-            Verified = TryGetValue(user, "verified") == "true";
+            Verified = TryGetValue(user, "verified").ToLowerInvariant() == "true";
         }
 
         public string RefreshToken { get; set; }

src/Owin.Security.Providers.DoYouBuzz/Owin.Security.Providers.DoYouBuzz.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Dropbox/Owin.Security.Providers.Dropbox.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.EVEOnline/Owin.Security.Providers.EVEOnline.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Evernote/Owin.Security.Providers.Evernote.csproj

@@ -21,6 +21,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -29,6 +30,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Accessibility" />

src/Owin.Security.Providers.Fitbit/Owin.Security.Providers.Fitbit.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Flickr/Owin.Security.Providers.Flickr.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Foursquare/Owin.Security.Providers.Foursquare.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Geni/Owin.Security.Providers.Geni.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.GitHub/Owin.Security.Providers.GitHub.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Gitter/Owin.Security.Providers.Gitter.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Google/Constants.cs

@@ -0,0 +1,7 @@
+namespace Owin.Security.Providers.Google
+{
+    internal static class Constants
+    {
+        public const string DefaultAuthenticationType = "Google";
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationExtensions.cs

@@ -0,0 +1,29 @@
+using System;
+
+namespace Owin.Security.Providers.Google
+{
+    public static class GoogleAuthenticationExtensions
+    {
+        public static IAppBuilder UseGoogleAuthentication(this IAppBuilder app,
+            GoogleAuthenticationOptions options)
+        {
+            if (app == null)
+                throw new ArgumentNullException(nameof(app));
+            if (options == null)
+                throw new ArgumentNullException(nameof(options));
+
+            app.Use(typeof(GoogleAuthenticationMiddleware), app, options);
+
+            return app;
+        }
+
+        public static IAppBuilder UseGoogleAuthentication(this IAppBuilder app, string clientId, string clientSecret)
+        {
+            return app.UseGoogleAuthentication(new GoogleAuthenticationOptions
+            {
+                ClientId = clientId,
+                ClientSecret = clientSecret
+            });
+        }
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationHandler.cs

@@ -0,0 +1,246 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Owin.Infrastructure;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Owin.Security.Providers.Google.Provider;
+
+namespace Owin.Security.Providers.Google
+{
+    public class GoogleAuthenticationHandler : AuthenticationHandler<GoogleAuthenticationOptions>
+    {
+        private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
+        private const string TokenEndpoint = "https://accounts.google.com/o/oauth2/token";
+        // TODO: This url should come from here: https://accounts.google.com/.well-known/openid-configuration
+        // TODO: as described by https://developers.google.com/identity/protocols/OpenIDConnect#discovery
+        private const string UserInfoEndpoint = "https://www.googleapis.com/oauth2/v3/userinfo";
+
+        private readonly ILogger _logger;
+        private readonly HttpClient _httpClient;
+
+        public GoogleAuthenticationHandler(HttpClient httpClient, ILogger logger)
+        {
+            _httpClient = httpClient;
+            _logger = logger;
+        }
+
+        protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
+        {
+            AuthenticationProperties properties = null;
+
+            try
+            {
+                string code = null;
+                string state = null;
+
+                var query = Request.Query;
+                var values = query.GetValues("code");
+                if (values != null && values.Count == 1)
+                {
+                    code = values[0];
+                }
+                values = query.GetValues("state");
+                if (values != null && values.Count == 1)
+                {
+                    state = values[0];
+                }
+
+                properties = Options.StateDataFormat.Unprotect(state);
+                if (properties == null)
+                {
+                    return null;
+                }
+
+                // OAuth2 10.12 CSRF
+                if (!ValidateCorrelationId(properties, _logger))
+                {
+                    return new AuthenticationTicket(null, properties);
+                }
+
+                var requestPrefix = Request.Scheme + "://" + Request.Host;
+                var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
+
+                // Build up the body for the token request
+                var body = new List<KeyValuePair<string, string>>
+                {
+                    new KeyValuePair<string, string>("grant_type", "authorization_code"),
+                    new KeyValuePair<string, string>("code", code),
+                    new KeyValuePair<string, string>("redirect_uri", redirectUri),
+                    new KeyValuePair<string, string>("client_id", Options.ClientId),
+                    new KeyValuePair<string, string>("client_secret", Options.ClientSecret)
+                };
+
+                // Request the token
+                var tokenResponse =
+                    await _httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
+                tokenResponse.EnsureSuccessStatusCode();
+                var text = await tokenResponse.Content.ReadAsStringAsync();
+
+                // Deserializes the token response
+                dynamic response = JsonConvert.DeserializeObject<dynamic>(text);
+                var accessToken = (string)response.access_token;
+                var expires = (string) response.expires_in;
+                string refreshToken = null;
+                if (response.refresh_token != null)
+                    refreshToken = (string) response.refresh_token;
+
+                // Get the Google user
+                var graphResponse = await _httpClient.GetAsync(
+                    UserInfoEndpoint + "?access_token=" + Uri.EscapeDataString(accessToken), Request.CallCancelled);
+                graphResponse.EnsureSuccessStatusCode();
+                text = await graphResponse.Content.ReadAsStringAsync();
+                var userInfo = JObject.Parse(text);
+
+                var context = new GoogleAuthenticatedContext(Context, userInfo, accessToken, expires, refreshToken)
+                {
+                    Identity = new ClaimsIdentity(
+                        Options.AuthenticationType,
+                        ClaimsIdentity.DefaultNameClaimType,
+                        ClaimsIdentity.DefaultRoleClaimType)
+                };
+                if (!string.IsNullOrEmpty(context.Id))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.UserName))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.UserName, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Email))
+                {
+                    context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Name))
+                {
+                    context.Identity.AddClaim(new Claim("urn:google:name", context.Name, XmlSchemaString, Options.AuthenticationType));
+                }
+                if (!string.IsNullOrEmpty(context.Link))
+                {
+                    context.Identity.AddClaim(new Claim("urn:google:url", context.Link, XmlSchemaString, Options.AuthenticationType));
+                }
+                context.Properties = properties;
+
+                await Options.Provider.Authenticated(context);
+
+                return new AuthenticationTicket(context.Identity, context.Properties);
+            }
+            catch (Exception ex)
+            {
+                _logger.WriteError(ex.Message);
+            }
+            return new AuthenticationTicket(null, properties);
+        }
+
+        protected override Task ApplyResponseChallengeAsync()
+        {
+            if (Response.StatusCode != 401)
+            {
+                return Task.FromResult<object>(null);
+            }
+
+            var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
+
+            if (challenge == null) return Task.FromResult<object>(null);
+            var baseUri =
+                Request.Scheme +
+                Uri.SchemeDelimiter +
+                Request.Host +
+                Request.PathBase;
+
+            var currentUri =
+                baseUri +
+                Request.Path +
+                Request.QueryString;
+
+            var redirectUri =
+                baseUri +
+                Options.CallbackPath;
+
+            var properties = challenge.Properties;
+            if (string.IsNullOrEmpty(properties.RedirectUri))
+            {
+                properties.RedirectUri = currentUri;
+            }
+
+            // OAuth2 10.12 CSRF
+            GenerateCorrelationId(properties);
+
+            // comma separated
+            var scope = string.Join(" ", Options.Scope);
+
+            var state = Options.StateDataFormat.Protect(properties);
+
+            var authorizationEndpoint =
+                "https://accounts.google.com/o/oauth2/auth" +
+                "?response_type=code" +
+                "&client_id=" + Uri.EscapeDataString(Options.ClientId) +
+                "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
+                "&scope=" + Uri.EscapeDataString(scope) +
+                "&state=" + Uri.EscapeDataString(state);
+
+            // Check if offline access was requested
+            if (Options.RequestOfflineAccess)
+                authorizationEndpoint += "&access_type=offline";
+
+            Response.Redirect(authorizationEndpoint);
+
+            return Task.FromResult<object>(null);
+        }
+
+        public override async Task<bool> InvokeAsync()
+        {
+            return await InvokeReplyPathAsync();
+        }
+
+        private async Task<bool> InvokeReplyPathAsync()
+        {
+            if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path) return false;
+            // TODO: error responses
+
+            var ticket = await AuthenticateAsync();
+            if (ticket == null)
+            {
+                _logger.WriteWarning("Invalid return state, unable to redirect.");
+                Response.StatusCode = 500;
+                return true;
+            }
+
+            var context = new GoogleReturnEndpointContext(Context, ticket)
+            {
+                SignInAsAuthenticationType = Options.SignInAsAuthenticationType,
+                RedirectUri = ticket.Properties.RedirectUri
+            };
+
+            await Options.Provider.ReturnEndpoint(context);
+
+            if (context.SignInAsAuthenticationType != null &&
+                context.Identity != null)
+            {
+                var grantIdentity = context.Identity;
+                if (!string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal))
+                {
+                    grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType, grantIdentity.NameClaimType, grantIdentity.RoleClaimType);
+                }
+                Context.Authentication.SignIn(context.Properties, grantIdentity);
+            }
+
+            if (context.IsRequestCompleted || context.RedirectUri == null) return context.IsRequestCompleted;
+            var redirectUri = context.RedirectUri;
+            if (context.Identity == null)
+            {
+                // add a redirect hint that sign-in failed in some way
+                redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied");
+            }
+            Response.Redirect(redirectUri);
+            context.RequestCompleted();
+
+            return context.IsRequestCompleted;
+        }
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationMiddleware.cs

@@ -0,0 +1,83 @@
+using System;
+using System.Globalization;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.DataHandler;
+using Microsoft.Owin.Security.DataProtection;
+using Microsoft.Owin.Security.Infrastructure;
+using Owin.Security.Providers.Google.Provider;
+
+namespace Owin.Security.Providers.Google
+{
+    public class GoogleAuthenticationMiddleware : AuthenticationMiddleware<GoogleAuthenticationOptions>
+    {
+        private readonly HttpClient _httpClient;
+        private readonly ILogger _logger;
+
+        public GoogleAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app,
+            GoogleAuthenticationOptions options)
+            : base(next, options)
+        {
+            if (string.IsNullOrWhiteSpace(Options.ClientId))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientId"));
+            if (string.IsNullOrWhiteSpace(Options.ClientSecret))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "ClientSecret"));
+
+            _logger = app.CreateLogger<GoogleAuthenticationMiddleware>();
+
+            if (Options.Provider == null)
+                Options.Provider = new GoogleAuthenticationProvider();
+
+            if (Options.StateDataFormat == null)
+            {
+                var dataProtector = app.CreateDataProtector(
+                    typeof (GoogleAuthenticationMiddleware).FullName,
+                    Options.AuthenticationType, "v1");
+                Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
+            }
+
+            if (string.IsNullOrEmpty(Options.SignInAsAuthenticationType))
+                Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
+
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options))
+            {
+                Timeout = Options.BackchannelTimeout,
+                MaxResponseContentBufferSize = 1024*1024*10
+            };
+        }
+
+        /// <summary>
+        ///     Provides the <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> object for processing
+        ///     authentication-related requests.
+        /// </summary>
+        /// <returns>
+        ///     An <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> configured with the
+        ///     <see cref="T:Owin.Security.Providers.GooglePlus.GooglePlusAuthenticationOptions" /> supplied to the constructor.
+        /// </returns>
+        protected override AuthenticationHandler<GoogleAuthenticationOptions> CreateHandler()
+        {
+            return new GoogleAuthenticationHandler(_httpClient, _logger);
+        }
+
+        private static HttpMessageHandler ResolveHttpMessageHandler(GoogleAuthenticationOptions options)
+        {
+            var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
+
+            // If they provided a validator, apply it or fail.
+            if (options.BackchannelCertificateValidator == null) return handler;
+            // Set the cert validate callback
+            var webRequestHandler = handler as WebRequestHandler;
+            if (webRequestHandler == null)
+            {
+                throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
+            }
+            webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+
+            return handler;
+        }
+    }
+}

src/Owin.Security.Providers.Google/GoogleAuthenticationOptions.cs

@@ -0,0 +1,110 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Owin.Security.Providers.Google.Provider;
+
+namespace Owin.Security.Providers.Google
+{
+    public class GoogleAuthenticationOptions : AuthenticationOptions
+    {
+        /// <summary>
+        ///     Gets or sets the a pinned certificate validator to use to validate the endpoints used
+        ///     in back channel communications belonging to Google.
+        /// </summary>
+        /// <value>
+        ///     The pinned certificate validator.
+        /// </value>
+        /// <remarks>
+        ///     If this property is null then the default certificate checks are performed,
+        ///     validating the subject name and if the signing chain is a trusted party.
+        /// </remarks>
+        public ICertificateValidator BackchannelCertificateValidator { get; set; }
+
+        /// <summary>
+        ///     The HttpMessageHandler used to communicate with Google.
+        ///     This cannot be set at the same time as BackchannelCertificateValidator unless the value
+        ///     can be downcast to a WebRequestHandler.
+        /// </summary>
+        public HttpMessageHandler BackchannelHttpHandler { get; set; }
+
+        /// <summary>
+        ///     Gets or sets timeout value in milliseconds for back channel communications with Google.
+        /// </summary>
+        /// <value>
+        ///     The back channel timeout in milliseconds.
+        /// </value>
+        public TimeSpan BackchannelTimeout { get; set; }
+
+        /// <summary>
+        ///     The request path within the application's base path where the user-agent will be returned.
+        ///     The middleware will process this request when it arrives.
+        ///     Default value is "/signin-google".
+        /// </summary>
+        public PathString CallbackPath { get; set; }
+
+        /// <summary>
+        ///     Get or sets the text that the user can display on a sign in user interface.
+        /// </summary>
+        public string Caption
+        {
+            get { return Description.Caption; }
+            set { Description.Caption = value; }
+        }
+
+        /// <summary>
+        ///     Gets or sets the Google supplied Client ID
+        /// </summary>
+        public string ClientId { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the Google supplied Client Secret
+        /// </summary>
+        public string ClientSecret { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the <see cref="IGoogleAuthenticationProvider" /> used in the authentication events
+        /// </summary>
+        public IGoogleAuthenticationProvider Provider { get; set; }
+
+        /// <summary>
+        /// Gets or sets whether to request offline access.  If offline access is requested the <see cref="GoogleAuthenticatedContext"/> will contain a Refresh Token.
+        /// </summary>
+        public bool RequestOfflineAccess { get; set; }
+
+        /// <summary>
+        /// A list of permissions to request.
+        /// </summary>
+        public IList<string> Scope { get; private set; }
+
+        /// <summary>
+        ///     Gets or sets the name of another authentication middleware which will be responsible for actually issuing a user
+        ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+        /// </summary>
+        public string SignInAsAuthenticationType { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the type used to secure data handled by the middleware.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
+
+        /// <summary>
+        ///     Initializes a new <see cref="GoogleAuthenticationOptions" />
+        /// </summary>
+        public GoogleAuthenticationOptions()
+            : base("Google")
+        {
+            Caption = Constants.DefaultAuthenticationType;
+            CallbackPath = new PathString("/signin-google");
+            AuthenticationMode = AuthenticationMode.Passive;
+            Scope = new List<string>
+            {
+                "openid",
+                "profile",
+                "email"
+            };
+            BackchannelTimeout = TimeSpan.FromSeconds(60);
+        }
+    }
+}

src/Owin.Security.Providers.Google/Owin.Security.Providers.Google.csproj

@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{ED434959-8CF8-4CAB-83B3-E4A618327AB5}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>Owin.Security.Providers.Google</RootNamespace>
+    <AssemblyName>Owin.Security.Providers.Google</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.3.0.1\lib\net45\Microsoft.Owin.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.Security.3.0.1\lib\net45\Microsoft.Owin.Security.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Newtonsoft.Json.8.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Net.Http.WebRequest" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Constants.cs" />
+    <Compile Include="GoogleAuthenticationExtensions.cs" />
+    <Compile Include="GoogleAuthenticationHandler.cs" />
+    <Compile Include="GoogleAuthenticationMiddleware.cs" />
+    <Compile Include="GoogleAuthenticationOptions.cs" />
+    <Compile Include="Provider\GoogleAuthenticatedContext.cs" />
+    <Compile Include="Provider\GoogleAuthenticationProvider.cs" />
+    <Compile Include="Provider\GoogleReturnEndpointContext.cs" />
+    <Compile Include="Provider\IGoogleAuthenticationProvider.cs" />
+    <Compile Include="Resources.Designer.cs">
+      <DependentUpon>Resources.resx</DependentUpon>
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+    </Compile>
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Target Name="PostBuildMacros">
+    <GetAssemblyIdentity AssemblyFiles="$(TargetPath)">
+      <Output TaskParameter="Assemblies" ItemName="Targets" />
+    </GetAssemblyIdentity>
+    <ItemGroup>
+      <VersionNumber Include="@(Targets->'%(Version)')" />
+    </ItemGroup>
+  </Target>
+  <PropertyGroup>
+    <PreBuildEvent>
+    </PreBuildEvent>
+    <PostBuildEventDependsOn>
+      $(PostBuildEventDependsOn);
+      PostBuildMacros;
+    </PostBuildEventDependsOn>
+  </PropertyGroup>
+</Project>

src/Owin.Security.Providers.Google/Properties/AssemblyInfo.cs

@@ -0,0 +1,15 @@
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+[assembly: AssemblyTitle("Owin.Security.Providers.Google")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Owin.Security.Providers.Google")]
+[assembly: AssemblyCopyright("Copyright ©  2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+[assembly: ComVisible(false)]
+[assembly: Guid("ed434959-8cf8-4cab-83b3-e4a618327ab5")]
+[assembly: AssemblyVersion("2.0.0.0")]
+[assembly: AssemblyFileVersion("2.0.0.0")]

src/Owin.Security.Providers.Google/Provider/GoogleAuthenticatedContext.cs

@@ -0,0 +1,111 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using System;
+using System.Globalization;
+using System.Security.Claims;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+using Newtonsoft.Json.Linq;
+
+namespace Owin.Security.Providers.Google.Provider
+{
+    /// <summary>
+    /// Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.
+    /// </summary>
+    public class GoogleAuthenticatedContext : BaseContext
+    {
+        /// <summary>
+        /// Initializes a <see cref="GoogleAuthenticatedContext"/>
+        /// </summary>
+        /// <param name="context">The OWIN environment</param>
+        /// <param name="userInfo">The JSON-serialized user_info. Format described here: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims</param>
+        /// <param name="accessToken">Google Access token</param>
+        /// <param name="expires">Seconds until expiration</param>
+        /// <param name="refreshToken"></param>
+        public GoogleAuthenticatedContext(IOwinContext context, JObject userInfo, string accessToken, string expires, string refreshToken)
+            : base(context)
+        {
+            UserInfo = userInfo;
+            AccessToken = accessToken;
+            RefreshToken = refreshToken;
+
+            int expiresValue;
+            if (int.TryParse(expires, NumberStyles.Integer, CultureInfo.InvariantCulture, out expiresValue))
+            {
+                ExpiresIn = TimeSpan.FromSeconds(expiresValue);
+            }
+
+            // See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims for a list of properties
+            Id = TryGetValue(userInfo, "sub");
+            Name = TryGetValue(userInfo, "name");
+            Link = TryGetValue(userInfo, "profile");
+            UserName = TryGetValue(userInfo, "name").Replace(" ", "");
+
+            var email = TryGetValue(userInfo, "email");
+            if (email != null)
+                Email = email;
+        }
+
+        /// <summary>
+        /// Gets the JSON-serialized user
+        /// </summary>
+        /// <remarks>
+        /// Contains the Google user obtained from the endpoint https://www.googleapis.com/oauth2/v3/userinfo
+        /// </remarks>
+        public JObject UserInfo { get; private set; }
+
+        /// <summary>
+        /// Gets the Google OAuth access token
+        /// </summary>
+        public string AccessToken { get; private set; }
+
+        /// <summary>
+        /// Gets the Google OAuth refresh token.  This is only available when the RequestOfflineAccess property of <see cref="GoogleAuthenticationOptions"/> is set to true
+        /// </summary>
+        public string RefreshToken { get; private set; }
+
+        /// <summary>
+        /// Gets the Google access token expiration time
+        /// </summary>
+        public TimeSpan? ExpiresIn { get; set; }
+
+        /// <summary>
+        /// Gets the Google user ID
+        /// </summary>
+        public string Id { get; private set; }
+
+        /// <summary>
+        /// Gets the user's name
+        /// </summary>
+        public string Name { get; private set; }
+
+        public string Link { get; private set; }
+
+        /// <summary>
+        /// Gets the Google username
+        /// </summary>
+        public string UserName { get; private set; }
+
+        /// <summary>
+        /// Gets the Google email address for the account
+        /// </summary>
+        public string Email { get; private set; }
+
+        /// <summary>
+        /// Gets the <see cref="ClaimsIdentity"/> representing the user
+        /// </summary>
+        public ClaimsIdentity Identity { get; set; }
+
+        /// <summary>
+        /// Gets or sets a property bag for common authentication properties
+        /// </summary>
+        public AuthenticationProperties Properties { get; set; }
+
+        private static string TryGetValue(JObject user, string propertyName)
+        {
+            JToken value;
+            return user.TryGetValue(propertyName, out value) ? value.ToString() : null;
+        }
+    }
+}

src/Owin.Security.Providers.Google/Provider/GoogleAuthenticationProvider.cs

@@ -0,0 +1,50 @@
+using System;
+using System.Threading.Tasks;
+
+namespace Owin.Security.Providers.Google.Provider
+{
+    /// <summary>
+    /// Default <see cref="IGoogleAuthenticationProvider"/> implementation.
+    /// </summary>
+    public class GoogleAuthenticationProvider : IGoogleAuthenticationProvider
+    {
+        /// <summary>
+        /// Initializes a <see cref="GoogleAuthenticationProvider"/>
+        /// </summary>
+        public GoogleAuthenticationProvider()
+        {
+            OnAuthenticated = context => Task.FromResult<object>(null);
+            OnReturnEndpoint = context => Task.FromResult<object>(null);
+        }
+
+        /// <summary>
+        /// Gets or sets the function that is invoked when the Authenticated method is invoked.
+        /// </summary>
+        public Func<GoogleAuthenticatedContext, Task> OnAuthenticated { get; set; }
+
+        /// <summary>
+        /// Gets or sets the function that is invoked when the ReturnEndpoint method is invoked.
+        /// </summary>
+        public Func<GoogleReturnEndpointContext, Task> OnReturnEndpoint { get; set; }
+
+        /// <summary>
+        /// Invoked whenever Google successfully authenticates a user
+        /// </summary>
+        /// <param name="context">Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.</param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        public virtual Task Authenticated(GoogleAuthenticatedContext context)
+        {
+            return OnAuthenticated(context);
+        }
+
+        /// <summary>
+        /// Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity"/> being saved in a local cookie and the browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        public virtual Task ReturnEndpoint(GoogleReturnEndpointContext context)
+        {
+            return OnReturnEndpoint(context);
+        }
+    }
+}

src/Owin.Security.Providers.Google/Provider/GoogleReturnEndpointContext.cs

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+
+namespace Owin.Security.Providers.Google.Provider
+{
+    /// <summary>
+    /// Provides context information to middleware providers.
+    /// </summary>
+    public class GoogleReturnEndpointContext : ReturnEndpointContext
+    {
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="context">OWIN environment</param>
+        /// <param name="ticket">The authentication ticket</param>
+        public GoogleReturnEndpointContext(
+            IOwinContext context,
+            AuthenticationTicket ticket)
+            : base(context, ticket)
+        {
+        }
+    }
+}

src/Owin.Security.Providers.Google/Provider/IGoogleAuthenticationProvider.cs

@@ -0,0 +1,24 @@
+using System.Threading.Tasks;
+
+namespace Owin.Security.Providers.Google.Provider
+{
+    /// <summary>
+    /// Specifies callback methods which the <see cref="GoogleAuthenticationMiddleware"></see> invokes to enable developer control over the authentication process. />
+    /// </summary>
+    public interface IGoogleAuthenticationProvider
+    {
+        /// <summary>
+        /// Invoked whenever Google successfully authenticates a user
+        /// </summary>
+        /// <param name="context">Contains information about the login session as well as the user <see cref="System.Security.Claims.ClaimsIdentity"/>.</param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        Task Authenticated(GoogleAuthenticatedContext context);
+
+        /// <summary>
+        /// Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity"/> being saved in a local cookie and the browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task"/> representing the completed operation.</returns>
+        Task ReturnEndpoint(GoogleReturnEndpointContext context);
+    }
+}

src/Owin.Security.Providers.Google/Resources.Designer.cs

@@ -0,0 +1,81 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.42000
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Owin.Security.Providers.Google {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class Resources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal Resources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    var temp = new global::System.Resources.ResourceManager("Owin.Security.Providers.GooglePlus.Resources", typeof(Resources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The &apos;{0}&apos; option must be provided..
+        /// </summary>
+        internal static string Exception_OptionMustBeProvided {
+            get {
+                return ResourceManager.GetString("Exception_OptionMustBeProvided", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler..
+        /// </summary>
+        internal static string Exception_ValidatorHandlerMismatch {
+            get {
+                return ResourceManager.GetString("Exception_ValidatorHandlerMismatch", resourceCulture);
+            }
+        }
+    }
+}

src/Owin.Security.Providers.Google/Resources.resx

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <data name="Exception_OptionMustBeProvided" xml:space="preserve">
+    <value>The '{0}' option must be provided.</value>
+  </data>
+  <data name="Exception_ValidatorHandlerMismatch" xml:space="preserve">
+    <value>An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler.</value>
+  </data>
+</root>

src/Owin.Security.Providers.Google/packages.config

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.Owin" version="3.0.1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net45" />
+  <package id="Newtonsoft.Json" version="8.0.3" targetFramework="net45" />
+  <package id="Owin" version="1.0" targetFramework="net45" />
+</packages>

src/Owin.Security.Providers.GooglePlus/Owin.Security.Providers.GooglePlus.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.HealthGraph/Owin.Security.Providers.HealthGraph.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Imgur/Owin.Security.Providers.Imgur.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Instagram/Owin.Security.Providers.Instagram.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.LinkedIn/LinkedInAuthenticationHandler.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net;
 using System.Net.Http;
 using System.Security.Claims;
 using System.Threading.Tasks;
@@ -16,8 +17,10 @@ namespace Owin.Security.Providers.LinkedIn
     public class LinkedInAuthenticationHandler : AuthenticationHandler<LinkedInAuthenticationOptions>
     {
         private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
-        private const string TokenEndpoint = "https://www.linkedin.com/uas/oauth2/accessToken";
-        private const string UserInfoEndpoint = "https://api.linkedin.com/v1/people/";
+        private const string TokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+        private const string UserInfoEndpoint = "https://api.linkedin.com/v2/me";
+        private const string AuthorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
+        private const string EmailEndpoint = "https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))";
 
         private readonly ILogger _logger;
         private readonly HttpClient _httpClient;
@@ -34,21 +37,7 @@ namespace Owin.Security.Providers.LinkedIn
 
             try
             {
-                string code = null;
-                string state = null;
-
-                var query = Request.Query;
-                var values = query.GetValues("code");
-                if (values != null && values.Count == 1)
-                {
-                    code = values[0];
-                }
-                values = query.GetValues("state");
-                if (values != null && values.Count == 1)
-                {
-                    state = values[0];
-                }
-
+                var state = GetQueryValue("state");
                 properties = Options.StateDataFormat.Unprotect(state);
                 if (properties == null)
                 {
@@ -61,94 +50,31 @@ namespace Owin.Security.Providers.LinkedIn
                     return new AuthenticationTicket(null, properties);
                 }
 
-                var requestPrefix = Request.Scheme + "://" + this.GetHostName();
-                var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
-
-                // Build up the body for the token request
-                var body = new List<KeyValuePair<string, string>>
-                {
-                    new KeyValuePair<string, string>("grant_type", "authorization_code"),
-                    new KeyValuePair<string, string>("code", code),
-                    new KeyValuePair<string, string>("redirect_uri", redirectUri),
-                    new KeyValuePair<string, string>("client_id", Options.ClientId),
-                    new KeyValuePair<string, string>("client_secret", Options.ClientSecret)
-                };
-
-                // Request the token
-                var tokenResponse = await _httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
-                tokenResponse.EnsureSuccessStatusCode();
-                var text = await tokenResponse.Content.ReadAsStringAsync();
-
-                // Deserializes the token response
-                dynamic response = JsonConvert.DeserializeObject<dynamic>(text);
+                var code = GetQueryValue("code");
+                var accessTokenResponse = await GetAccessToken(code);
+                dynamic response = JsonConvert.DeserializeObject<dynamic>(accessTokenResponse);
                 var accessToken = (string)response.access_token;
-                var expires = (string) response.expires_in;
+                var expires = (string)response.expires_in;
 
-                // Get the LinkedIn user
-                var userInfoEndpoint = UserInfoEndpoint
-                                          + "~:("+ string.Join(",", Options.ProfileFields.Distinct().ToArray()) +")"
-                                          + "?oauth2_access_token=" + Uri.EscapeDataString(accessToken);
-                var userRequest = new HttpRequestMessage(HttpMethod.Get, userInfoEndpoint);
-                userRequest.Headers.Add("x-li-format", "json");
-                var graphResponse = await _httpClient.SendAsync(userRequest, Request.CallCancelled);
-                graphResponse.EnsureSuccessStatusCode();
-                text = await graphResponse.Content.ReadAsStringAsync();
-                var user = JObject.Parse(text);
+                var userInfoResponse = await GetUserInfo(accessToken);
+                var user = JObject.Parse(userInfoResponse);
+                string email = null;
+                if (Options.Scope.Contains(LinkedInAuthenticationOptions.EmailAddressScopeName))
+                {
+                    email = await GetUserEmail(accessToken);
+                }
 
-                var context = new LinkedInAuthenticatedContext(Context, user, accessToken, expires)
+                var context = new LinkedInAuthenticatedContext(Context, user, accessToken, expires, email)
                 {
                     Identity = new ClaimsIdentity(
                         Options.AuthenticationType,
                         ClaimsIdentity.DefaultNameClaimType,
                         ClaimsIdentity.DefaultRoleClaimType)
                 };
-                if (!string.IsNullOrEmpty(context.Id))
-                {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Email))
-                {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.GivenName))
-                {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, context.GivenName, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.FamilyName))
-                {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.Surname, context.FamilyName, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Name))
-                {
-                    context.Identity.AddClaim(new Claim(ClaimTypes.Name, context.Name, XmlSchemaString, Options.AuthenticationType));
-                    context.Identity.AddClaim(new Claim("urn:linkedin:name", context.Name, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Industry))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:industry", context.Industry, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Positions))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:positions", context.Positions, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Summary))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:summary", context.Summary, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Headline))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:headline", context.Headline, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.Link))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:url", context.Link, XmlSchemaString, Options.AuthenticationType));
-                }
-                if (!string.IsNullOrEmpty(context.AccessToken))
-                {
-                    context.Identity.AddClaim(new Claim("urn:linkedin:accesstoken", context.AccessToken, XmlSchemaString, Options.AuthenticationType));
-                }
-                context.Properties = properties;
 
+                AddClaimsToContextIdentity(context);
+
+                context.Properties = properties;
                 await Options.Provider.Authenticated(context);
 
                 return new AuthenticationTicket(context.Identity, context.Properties);
@@ -206,7 +132,7 @@ namespace Owin.Security.Providers.LinkedIn
             var state = Options.StateDataFormat.Protect(properties);
 
             var authorizationEndpoint =
-                "https://www.linkedin.com/uas/oauth2/authorization" +
+                AuthorizationEndpoint +
                 "?response_type=code" +
                 "&client_id=" + Uri.EscapeDataString(Options.ClientId) +
                 "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
@@ -281,5 +207,123 @@ namespace Owin.Security.Providers.LinkedIn
         {
             return string.IsNullOrWhiteSpace(Options.ProxyHost) ? Request.Host.ToString() : Options.ProxyHost;
         }
+
+        private static void SetAuthorizedRequestHeaders(string accessToken, HttpRequestMessage userRequest)
+        {
+            userRequest.Headers.Add("x-li-format", "json");
+            userRequest.Headers.Add("Authorization", "Bearer " + accessToken);
+        }
+
+        private async Task<string> GetUserEmail(string accessToken)
+        {
+            var emailRequest = new HttpRequestMessage(HttpMethod.Get, EmailEndpoint);
+            SetAuthorizedRequestHeaders(accessToken, emailRequest);
+            var graphResponse = await _httpClient.SendAsync(emailRequest, Request.CallCancelled);
+            try
+            {
+                graphResponse.EnsureSuccessStatusCode();
+            }
+            catch (Exception e)
+            {
+                _logger.WriteError(string.Format("Retrieving the user email using authorization from provider {0} failed. Message: {1}", Options.AuthenticationType, e.Message));
+                throw;
+            }
+
+            var text = await graphResponse.Content.ReadAsStringAsync();
+            var emailResponse = JObject.Parse(text);
+            string email = null;
+            var emailValue = emailResponse.SelectToken("elements[0].handle~.emailAddress");
+            if (emailValue != null)
+            {
+                email = emailValue.Value<string>();
+            }
+            else
+            {
+                var errorMessageValue = emailResponse.SelectToken("elements[0].handle!.message");
+                var errorMessage = string.Empty;
+                if (errorMessageValue != null)
+                {
+                    errorMessage = errorMessageValue.Value<string>();
+                }
+
+                _logger.WriteWarning("Could not retrieve the user email from LinkedIn. Message: " + errorMessage);
+            }
+
+            return await Task.FromResult<string>(email);
+        }
+
+        private async Task<string> GetAccessToken(string code)
+        {
+            var requestPrefix = Request.Scheme + "://" + this.GetHostName();
+            var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
+
+            // Build up the body for the token request
+            var body = new List<KeyValuePair<string, string>>
+                {
+                    new KeyValuePair<string, string>("grant_type", "authorization_code"),
+                    new KeyValuePair<string, string>("code", code),
+                    new KeyValuePair<string, string>("redirect_uri", redirectUri),
+                    new KeyValuePair<string, string>("client_id", Options.ClientId),
+                    new KeyValuePair<string, string>("client_secret", Options.ClientSecret)
+                };
+
+            // Request the token
+            var tokenResponse = await _httpClient.PostAsync(TokenEndpoint, new FormUrlEncodedContent(body));
+            tokenResponse.EnsureSuccessStatusCode();
+            return await tokenResponse.Content.ReadAsStringAsync();
+        }
+
+        private async Task<string> GetUserInfo(string accessToken)
+        {
+            var userInfoEndpoint = UserInfoEndpoint
+                                          + "?projection=(" + string.Join(",", Options.ProfileFields.Distinct().ToArray()) + ")";
+            var userRequest = new HttpRequestMessage(HttpMethod.Get, userInfoEndpoint);
+            SetAuthorizedRequestHeaders(accessToken, userRequest);
+            var graphResponse = await _httpClient.SendAsync(userRequest, Request.CallCancelled);
+            graphResponse.EnsureSuccessStatusCode();
+            return await graphResponse.Content.ReadAsStringAsync();
+        }
+
+        private void AddClaimsToContextIdentity(LinkedInAuthenticatedContext context)
+        {
+            if (!string.IsNullOrEmpty(context.Id))
+            {
+                context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString, Options.AuthenticationType));
+            }
+            if (!string.IsNullOrEmpty(context.Email))
+            {
+                context.Identity.AddClaim(new Claim(ClaimTypes.Email, context.Email, XmlSchemaString, Options.AuthenticationType));
+            }
+            if (!string.IsNullOrEmpty(context.GivenName))
+            {
+                context.Identity.AddClaim(new Claim(ClaimTypes.GivenName, context.GivenName, XmlSchemaString, Options.AuthenticationType));
+            }
+            if (!string.IsNullOrEmpty(context.FamilyName))
+            {
+                context.Identity.AddClaim(new Claim(ClaimTypes.Surname, context.FamilyName, XmlSchemaString, Options.AuthenticationType));
+            }
+            if (!string.IsNullOrEmpty(context.Name))
+            {
+                context.Identity.AddClaim(new Claim(ClaimTypes.Name, context.Name, XmlSchemaString, Options.AuthenticationType));
+                context.Identity.AddClaim(new Claim("urn:linkedin:name", context.Name, XmlSchemaString, Options.AuthenticationType));
+            }
+            if (!string.IsNullOrEmpty(context.AccessToken))
+            {
+                context.Identity.AddClaim(new Claim("urn:linkedin:accesstoken", context.AccessToken, XmlSchemaString, Options.AuthenticationType));
+            }
+        }
+
+        private string GetQueryValue(string name)
+        {
+            string result = null;
+            var query = Request.Query;
+            var values = query.GetValues(name);
+            if (values != null && values.Count == 1)
+            {
+                result = values[0];
+            }
+
+            return result;
+        }
     }
 }

src/Owin.Security.Providers.LinkedIn/LinkedInAuthenticationOptions.cs

@@ -8,6 +8,11 @@ namespace Owin.Security.Providers.LinkedIn
 {
     public class LinkedInAuthenticationOptions : AuthenticationOptions
     {
+        /// <summary>
+        /// The calim name that is used to request permission to retrieve the user address during the authorization call
+        /// </summary>
+        public const string EmailAddressScopeName = "r_emailaddress";
+
         /// <summary>
         ///     Gets or sets the a pinned certificate validator to use to validate the endpoints used
         ///     in back channel communications belong to LinkedIn.
@@ -118,22 +123,15 @@ namespace Owin.Security.Providers.LinkedIn
             AuthenticationMode = AuthenticationMode.Passive;
             Scope = new List<string>
             {
-                "r_basicprofile",
-                "r_emailaddress"
+                "r_liteprofile",
+                EmailAddressScopeName
             };
             ProfileFields = new List<string>
             {
                 "id",
-                "first-name",
-                "last-name",
-                "formatted-name",
-                "email-address",
-                "public-profile-url",
-                "picture-url",
-                "industry",
-                "headline",
-                "summary",
-                "positions"
+                "firstName",
+                "lastName",
+                "profilePicture(displayImage~:playableStreams)"
             };
             BackchannelTimeout = TimeSpan.FromSeconds(60);
         }

src/Owin.Security.Providers.LinkedIn/Owin.Security.Providers.LinkedIn.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.LinkedIn/Provider/LinkedInAuthenticatedContext.cs

@@ -6,8 +6,8 @@ using System.Security.Claims;
 using Microsoft.Owin;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Provider;
-using Newtonsoft.Json.Linq;
 using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
 
 namespace Owin.Security.Providers.LinkedIn
 {
@@ -26,26 +26,35 @@ namespace Owin.Security.Providers.LinkedIn
         public LinkedInAuthenticatedContext(IOwinContext context, JObject user, string accessToken, string expires)
             : base(context)
         {
-            User = user;
-            AccessToken = accessToken;
+            this.User = user;
+            this.AccessToken = accessToken;
 
             int expiresValue;
             if (int.TryParse(expires, NumberStyles.Integer, CultureInfo.InvariantCulture, out expiresValue))
             {
-                ExpiresIn = TimeSpan.FromSeconds(expiresValue);
+                this.ExpiresIn = TimeSpan.FromSeconds(expiresValue);
             }
 
-            Id = TryGetValue(user, "id");
-            Name = TryGetValue(user, "formattedName");
-            FamilyName = TryGetValue(user, "lastName");
-            GivenName = TryGetValue(user, "firstName");
-            Link = TryGetValue(user, "publicProfileUrl");
-            UserName = TryGetValue(user, "formattedName").Replace(" ", "");
-            Email = TryGetValue(user, "emailAddress");
-            Industry = TryGetValue(user, "industry");
-            Summary = TryGetValue(user, "summary");
-            Headline = TryGetValue(user, "headline");
-            Positions = TryGetValueAndSerialize(user, "positions");
+            this.Id = TryGetValue(user, "id");
+            this.FamilyName = TryGetLocalizedValue(user, "lastName");
+            this.GivenName = TryGetLocalizedValue(user, "firstName");
+            if (this.FamilyName != null || this.GivenName != null)
+            {
+                this.Name = string.Join(" ", this.GivenName, this.FamilyName);
+            }
+        }
+
+        /// <summary>
+        /// Initializes a <see cref="LinkedInAuthenticatedContext"/>
+        /// </summary>
+        /// <param name="context">The OWIN environment</param>
+        /// <param name="user">The JSON-serialized user</param>
+        /// <param name="accessToken">LinkedIn Access token</param>
+        /// <param name="expires">Seconds until expiration</param>
+        /// <param name="expires">User email returned from dedicated endpoint</param>
+        public LinkedInAuthenticatedContext(IOwinContext context, JObject user, string accessToken, string expires, string email) : this(context, user, accessToken, expires)
+        {
+            this.Email = email;
         }
 
         /// <summary>
@@ -95,25 +104,30 @@ namespace Owin.Security.Providers.LinkedIn
         /// <summary>
         /// Describes the users membership profile
         /// </summary>
+        [Obsolete("LinkedIn doesn't return this claim anymore.")]
         public string Summary { get; private set; }
 
         /// <summary>
         /// Industry the member belongs to
         /// https://developer.linkedin.com/docs/reference/industry-codes
         /// </summary>
+        [Obsolete("LinkedIn doesn't return this claim anymore.")]
         public string Industry { get; set; }
 
         /// <summary>
         /// The members headline
         /// </summary>
+        [Obsolete("LinkedIn doesn't return this claim anymore.")]
         public string Headline { get; set; }
 
         /// <summary>
         /// Member's current positions
         /// https://developer.linkedin.com/docs/fields/positions
         /// </summary>
+        [Obsolete("LinkedIn doesn't return this claim anymore.")]
         public string Positions { get; set; }
 
+        [Obsolete("LinkedIn doesn't return this claim anymore.")]
         public string Link { get; private set; }
 
         /// <summary>
@@ -142,5 +156,28 @@ namespace Owin.Security.Providers.LinkedIn
             JToken value;
             return user.TryGetValue(propertyName, out value) ? JsonConvert.SerializeObject(value) : null;
         }
+
+        private static string TryGetLocalizedValue(JObject container, string propertyName)
+        {
+            var localizedValues = container.SelectToken(propertyName + ".localized") as JObject;
+            if (localizedValues == null)
+            {
+                return null;
+            }
+
+            var defaultValue = TryGetValue(localizedValues, "en-US");
+            if (defaultValue != null)
+            {
+                return defaultValue;
+            }
+
+            if (localizedValues.HasValues)
+            {
+                return localizedValues.First.First.Value<string>();
+            }
+
+            return null;
+        }
+
     }
 }

src/Owin.Security.Providers.MyHeritage/Owin.Security.Providers.MyHeritage.csproj

@@ -21,6 +21,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -29,6 +30,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Onshape/Owin.Security.Providers.Onshape.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.OpenID/Owin.Security.Providers.OpenID.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.OpenID/packages.config

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <packages>
-  <package id="Microsoft.Owin" version="3.0.1" targetFramework="net45" />
+  <package id="Microsoft.Owin" version="4.2.2" targetFramework="net45" />
   <package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net45" />
   <package id="Newtonsoft.Json" version="8.0.3" targetFramework="net45" />
   <package id="Owin" version="1.0" targetFramework="net45" />

src/Owin.Security.Providers.Orcid/Owin.Security.Providers.Orcid.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.PayPal/Owin.Security.Providers.PayPal.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Podbean/Constants.cs

@@ -0,0 +1,7 @@
+namespace Owin.Security.Providers.Podbean
+{
+    internal static class Constants
+    {
+        public const string DefaultAuthenticationType = "Podbean";
+    }
+}

src/Owin.Security.Providers.Podbean/Owin.Security.Providers.Podbean.csproj

@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{A7B95FD4-08AD-499F-B574-07560CC2A63F}</ProjectGuid>
+    <OutputType>Library</OutputType>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+    <RootNamespace>Owin.Security.Providers.Podbean</RootNamespace>
+    <AssemblyName>Owin.Security.Providers.Podbean</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.3.0.1\lib\net45\Microsoft.Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="Microsoft.Owin.Security, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Microsoft.Owin.Security.3.0.1\lib\net45\Microsoft.Owin.Security.dll</HintPath>
+    </Reference>
+    <Reference Include="Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Newtonsoft.Json.8.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
+    <Reference Include="Owin, Version=1.0.0.0, Culture=neutral, PublicKeyToken=f0ebd12fd5e55cc5, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\Owin.1.0\lib\net40\Owin.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Net.Http.WebRequest" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="PodbeanAuthenticationExtensions.cs" />
+    <Compile Include="PodbeanAuthenticationHandler.cs" />
+    <Compile Include="PodbeanAuthenticationMiddleware.cs" />
+    <Compile Include="PodbeanAuthenticationOptions.cs" />
+    <Compile Include="Constants.cs" />
+    <Compile Include="Provider\PodbeanAuthenticatedContext.cs" />
+    <Compile Include="Provider\PodbeanAuthenticationProvider.cs" />
+    <Compile Include="Provider\PodbeanReturnEndpointContext.cs" />
+    <Compile Include="Provider\IPodbeanAuthenticationProvider.cs" />
+    <Compile Include="Resources.Designer.cs">
+      <DependentUpon>Resources.resx</DependentUpon>
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+    </Compile>
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Target Name="PostBuildMacros">
+    <GetAssemblyIdentity AssemblyFiles="$(TargetPath)">
+      <Output TaskParameter="Assemblies" ItemName="Targets" />
+    </GetAssemblyIdentity>
+    <ItemGroup>
+      <VersionNumber Include="@(Targets->'%(Version)')" />
+    </ItemGroup>
+  </Target>
+  <PropertyGroup>
+    <PreBuildEvent>
+    </PreBuildEvent>
+    <PostBuildEventDependsOn>
+      $(PostBuildEventDependsOn);
+      PostBuildMacros;
+    </PostBuildEventDependsOn>
+  </PropertyGroup>
+</Project>

src/Owin.Security.Providers.Podbean/PodbeanAuthenticationExtensions.cs

@@ -0,0 +1,33 @@
+#region
+
+using System;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+    public static class PodbeanAuthenticationExtensions
+    {
+        public static IAppBuilder UsePodbeanAuthentication(this IAppBuilder app,
+            PodbeanAuthenticationOptions options)
+        {
+            if (app == null)
+                throw new ArgumentNullException(nameof(app));
+            if (options == null)
+                throw new ArgumentNullException(nameof(options));
+
+            app.Use(typeof(PodbeanAuthenticationMiddleware), app, options);
+
+            return app;
+        }
+
+        public static IAppBuilder UsePodbeanAuthentication(this IAppBuilder app, string appId, string appSecret)
+        {
+            return app.UsePodbeanAuthentication(new PodbeanAuthenticationOptions
+            {
+                AppId = appId,
+                AppSecret = appSecret
+            });
+        }
+    }
+}

src/Owin.Security.Providers.Podbean/PodbeanAuthenticationHandler.cs

@@ -0,0 +1,246 @@
+#region
+
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Microsoft.Owin.Infrastructure;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Infrastructure;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Microsoft.Owin;
+using System.Net.Http.Headers;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+	public class PodbeanAuthenticationHandler : AuthenticationHandler<PodbeanAuthenticationOptions>
+	{
+		private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
+		private const string TokenEndpoint = "https://api.podbean.com/v1/oauth/token";
+		private const string PodcastIdEndpoint = "https://api.podbean.com/v1/oauth/debugToken";
+		private const string PodcastEndpoint = "https://api.podbean.com/v1/podcast";
+		private readonly HttpClient _httpClient;
+
+		private readonly ILogger _logger;
+
+		public PodbeanAuthenticationHandler(HttpClient httpClient, ILogger logger)
+		{
+			_httpClient = httpClient;
+			_logger = logger;
+		}
+
+		protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
+		{
+			AuthenticationProperties properties = null;
+
+			try
+			{
+				string code = null;
+				string state = null;
+
+				var query = Request.Query;
+				var values = query.GetValues("code");
+				if (values != null && values.Count == 1)
+					code = values[0];
+				values = query.GetValues("state");
+				if (values != null && values.Count == 1)
+					state = values[0];
+
+				properties = Options.StateDataFormat.Unprotect(state);
+				if (properties == null)
+					return null;
+
+				// OAuth2 10.12 CSRF
+				if (!ValidateCorrelationId(properties, _logger))
+					return new AuthenticationTicket(null, properties);
+
+				var requestPrefix = GetBaseUri(Request);
+				var redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
+
+				// Build up the body for the token request
+				var body = new List<KeyValuePair<string, string>>
+				{
+					new KeyValuePair<string, string>("grant_type", "authorization_code"),
+					new KeyValuePair<string, string>("code", code),
+					new KeyValuePair<string, string>("redirect_uri", redirectUri)
+				};
+
+				// Request the token
+				var tokenRequest = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
+				tokenRequest.Headers.Authorization = 
+					new AuthenticationHeaderValue("Basic", Base64Encode($"{Options.AppId}:{Options.AppSecret}"));
+				tokenRequest.Content = new FormUrlEncodedContent(body);
+
+				var tokenResponse = await _httpClient.SendAsync(tokenRequest, Request.CallCancelled);
+				tokenResponse.EnsureSuccessStatusCode();
+				var text = await tokenResponse.Content.ReadAsStringAsync();
+
+				// Deserializes the token response
+				dynamic token = JsonConvert.DeserializeObject<dynamic>(text);
+				var accessToken = (string)token.access_token;
+				var refreshToken = (string)token.refresh_token;
+				var expires = (string)token.expires_in;
+				
+				// Get the Podbean podcast
+				var podcastResponse = await _httpClient.GetAsync(
+					$"{PodcastEndpoint}?access_token={Uri.EscapeDataString(accessToken)}", Request.CallCancelled);
+				podcastResponse.EnsureSuccessStatusCode();
+				text = await podcastResponse.Content.ReadAsStringAsync();
+				var podcast = JObject.Parse(text)["podcast"].ToObject<Podcast>();
+
+				// Get the Podbean podcast id
+				var podcastIdRequest = new HttpRequestMessage(HttpMethod.Get, $"{PodcastIdEndpoint}?access_token={Uri.EscapeDataString(accessToken)}");
+				podcastIdRequest.Headers.Authorization =
+					new AuthenticationHeaderValue("Basic", Base64Encode($"{Options.AppId}:{Options.AppSecret}"));
+				var podcastIdResponse = await _httpClient.SendAsync(podcastIdRequest, Request.CallCancelled);
+				podcastIdResponse.EnsureSuccessStatusCode();
+				text = await podcastIdResponse.Content.ReadAsStringAsync();
+				var podcastId = JsonConvert.DeserializeObject<dynamic>(text);
+				podcast.Id = (string)podcastId.podcast_id;
+
+				var context = new PodbeanAuthenticatedContext(Context, podcast, accessToken, refreshToken, expires)
+				{
+					Identity = new ClaimsIdentity(
+						Options.AuthenticationType,
+						ClaimsIdentity.DefaultNameClaimType,
+						ClaimsIdentity.DefaultRoleClaimType)
+				};
+				if (!string.IsNullOrEmpty(context.Id))
+					context.Identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.Id, XmlSchemaString,
+						Options.AuthenticationType));
+				if (!string.IsNullOrEmpty(context.Name))
+					context.Identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, context.Name,
+						XmlSchemaString, Options.AuthenticationType));
+				context.Properties = properties;
+
+				await Options.Provider.Authenticated(context);
+
+				return new AuthenticationTicket(context.Identity, context.Properties);
+			}
+			catch (Exception ex)
+			{
+				_logger.WriteError(ex.Message);
+			}
+			return new AuthenticationTicket(null, properties);
+		}
+
+		protected override Task ApplyResponseChallengeAsync()
+		{
+			if (Response.StatusCode != 401)
+				return Task.FromResult<object>(null);
+
+			var challenge = Helper.LookupChallenge(Options.AuthenticationType, Options.AuthenticationMode);
+
+			if (challenge == null) return Task.FromResult<object>(null);
+			var baseUri = GetBaseUri(Request);
+
+			var currentUri =
+				baseUri +
+				Request.Path +
+				Request.QueryString;
+
+			var redirectUri =
+				baseUri +
+				Options.CallbackPath;
+
+			var properties = challenge.Properties;
+			if (string.IsNullOrEmpty(properties.RedirectUri))
+				properties.RedirectUri = currentUri;
+
+			// OAuth2 10.12 CSRF
+			GenerateCorrelationId(properties);
+
+			var state = Options.StateDataFormat.Protect(properties);
+
+			var scope = string.Join(" ", Options.Scope);
+
+			var authorizationEndpoint =
+				"https://api.podbean.com/v1/dialog/oauth" +
+				"?response_type=code" +
+				"&client_id=" + Uri.EscapeDataString(Options.AppId) +
+				"&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
+				"&scope=" + Uri.EscapeDataString(scope) +
+				"&state=" + Uri.EscapeDataString(state);
+
+			Response.Redirect(authorizationEndpoint);
+
+			return Task.FromResult<object>(null);
+		}
+
+		public override async Task<bool> InvokeAsync()
+		{
+			return await InvokeReplyPathAsync();
+		}
+
+		private async Task<bool> InvokeReplyPathAsync()
+		{
+			if (!Options.CallbackPath.HasValue || Options.CallbackPath != Request.Path) return false;
+			// TODO: error responses
+
+			var ticket = await AuthenticateAsync();
+			if (ticket == null)
+			{
+				_logger.WriteWarning("Invalid return state, unable to redirect.");
+				Response.StatusCode = 500;
+				return true;
+			}
+
+			var context = new PodbeanReturnEndpointContext(Context, ticket)
+			{
+				SignInAsAuthenticationType = Options.SignInAsAuthenticationType,
+				RedirectUri = ticket.Properties.RedirectUri
+			};
+
+			await Options.Provider.ReturnEndpoint(context);
+
+			if (context.SignInAsAuthenticationType != null &&
+				context.Identity != null)
+			{
+				var grantIdentity = context.Identity;
+				if (!string.Equals(grantIdentity.AuthenticationType, context.SignInAsAuthenticationType,
+					StringComparison.Ordinal))
+					grantIdentity = new ClaimsIdentity(grantIdentity.Claims, context.SignInAsAuthenticationType,
+						grantIdentity.NameClaimType, grantIdentity.RoleClaimType);
+				Context.Authentication.SignIn(context.Properties, grantIdentity);
+			}
+
+			if (context.IsRequestCompleted || context.RedirectUri == null) return context.IsRequestCompleted;
+			var redirectUri = context.RedirectUri;
+			if (context.Identity == null)
+				redirectUri = WebUtilities.AddQueryString(redirectUri, "error", "access_denied");
+			Response.Redirect(redirectUri);
+			context.RequestCompleted();
+
+			return context.IsRequestCompleted;
+		}
+
+		private static string Base64Encode(string plainText)
+		{
+			var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
+			return System.Convert.ToBase64String(plainTextBytes);
+		}
+
+		private string GetBaseUri(IOwinRequest request)
+		{
+			if (Options.DebugUsingRequestHeadersToBuildBaseUri &&
+				request.Headers["X-Original-Host"] != null &&
+				request.Headers["X-Forwarded-Proto"] != null)
+			{
+				return request.Headers["X-Forwarded-Proto"] + Uri.SchemeDelimiter + request.Headers["X-Original-Host"];
+			}
+
+			var baseUri =
+				request.Scheme +
+				Uri.SchemeDelimiter +
+				request.Host +
+				request.PathBase;
+
+			return baseUri;
+		}
+	}
+}

src/Owin.Security.Providers.Podbean/PodbeanAuthenticationMiddleware.cs

@@ -0,0 +1,84 @@
+#region
+
+using System;
+using System.Globalization;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Logging;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.DataHandler;
+using Microsoft.Owin.Security.DataProtection;
+using Microsoft.Owin.Security.Infrastructure;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+    public class PodbeanAuthenticationMiddleware : AuthenticationMiddleware<PodbeanAuthenticationOptions>
+    {
+        private readonly HttpClient _httpClient;
+        private readonly ILogger _logger;
+
+        public PodbeanAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app,
+            PodbeanAuthenticationOptions options)
+            : base(next, options)
+        {
+            if (string.IsNullOrWhiteSpace(Options.AppId))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "AppId"));
+            if (string.IsNullOrWhiteSpace(Options.AppSecret))
+                throw new ArgumentException(string.Format(CultureInfo.CurrentCulture,
+                    Resources.Exception_OptionMustBeProvided, "AppSecret"));
+
+            _logger = app.CreateLogger<PodbeanAuthenticationMiddleware>();
+
+            if (Options.Provider == null)
+                Options.Provider = new PodbeanAuthenticationProvider();
+
+            if (Options.StateDataFormat == null)
+            {
+                var dataProtector = app.CreateDataProtector(
+                    typeof(PodbeanAuthenticationMiddleware).FullName,
+                    Options.AuthenticationType, "v1");
+                Options.StateDataFormat = new PropertiesDataFormat(dataProtector);
+            }
+
+            if (string.IsNullOrEmpty(Options.SignInAsAuthenticationType))
+                Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
+
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options))
+            {
+                Timeout = Options.BackchannelTimeout,
+                MaxResponseContentBufferSize = 1024 * 1024 * 10
+            };
+        }
+
+        /// <summary>
+        ///     Provides the <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> object for processing
+        ///     authentication-related requests.
+        /// </summary>
+        /// <returns>
+        ///     An <see cref="T:Microsoft.Owin.Security.Infrastructure.AuthenticationHandler" /> configured with the
+        ///     <see cref="T:Owin.Security.Providers.Podbean.PodbeanAuthenticationOptions" /> supplied to the constructor.
+        /// </returns>
+        protected override AuthenticationHandler<PodbeanAuthenticationOptions> CreateHandler()
+        {
+            return new PodbeanAuthenticationHandler(_httpClient, _logger);
+        }
+
+        private static HttpMessageHandler ResolveHttpMessageHandler(PodbeanAuthenticationOptions options)
+        {
+            var handler = options.BackchannelHttpHandler ?? new WebRequestHandler();
+
+            // If they provided a validator, apply it or fail.
+            if (options.BackchannelCertificateValidator == null) return handler;
+            // Set the cert validate callback
+            var webRequestHandler = handler as WebRequestHandler;
+            if (webRequestHandler == null)
+                throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
+            webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+
+            return handler;
+        }
+    }
+}

src/Owin.Security.Providers.Podbean/PodbeanAuthenticationOptions.cs

@@ -0,0 +1,110 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+
+namespace Owin.Security.Providers.Podbean
+{
+    public class PodbeanAuthenticationOptions : AuthenticationOptions
+    {
+        /// <summary>
+        ///     Initializes a new <see cref="PodbeanAuthenticationOptions" />
+        /// </summary>
+        public PodbeanAuthenticationOptions()
+            : base("Podbean")
+        {
+            Caption = Constants.DefaultAuthenticationType;
+            CallbackPath = new PathString("/signin-podbean");
+            AuthenticationMode = AuthenticationMode.Passive;
+            Scope = new List<string>
+            {
+                "podcast_read"
+            };
+            BackchannelTimeout = TimeSpan.FromSeconds(60);
+        }
+
+        /// <summary>
+        ///     Gets or sets the a pinned certificate validator to use to validate the endpoints used
+        ///     in back channel communications belong to Podbean
+        /// </summary>
+        /// <value>
+        ///     The pinned certificate validator.
+        /// </value>
+        /// <remarks>
+        ///     If this property is null then the default certificate checks are performed,
+        ///     validating the subject name and if the signing chain is a trusted party.
+        /// </remarks>
+        public ICertificateValidator BackchannelCertificateValidator { get; set; }
+
+        /// <summary>
+        ///     The HttpMessageHandler used to communicate with Podbean.
+        ///     This cannot be set at the same time as BackchannelCertificateValidator unless the value
+        ///     can be downcast to a WebRequestHandler.
+        /// </summary>
+        public HttpMessageHandler BackchannelHttpHandler { get; set; }
+
+        /// <summary>
+        ///     Gets or sets timeout value in milliseconds for back channel communications with Podbean.
+        /// </summary>
+        /// <value>
+        ///     The back channel timeout in milliseconds.
+        /// </value>
+        public TimeSpan BackchannelTimeout { get; set; }
+
+        /// <summary>
+        ///     The request path within the application's base path where the user-agent will be returned.
+        ///     The middleware will process this request when it arrives.
+        ///     Default value is "/signin-Podbean".
+        /// </summary>
+        public PathString CallbackPath { get; set; }
+
+        /// <summary>
+        ///     Get or sets the text that the user can display on a sign in user interface.
+        /// </summary>
+        public string Caption
+        {
+            get { return Description.Caption; }
+            set { Description.Caption = value; }
+        }
+
+        /// <summary>
+        ///     Gets or sets the Podbean supplied App ID
+        /// </summary>
+        public string AppId { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the Podbean supplied App Secret
+        /// </summary>
+        public string AppSecret { get; set; }
+
+		/// <summary>
+		/// Set this value to true to debug locally using a service such as https://ngrok.io.
+		/// Podbean doesn't allow you to redirect to localhost. Ngrok and similar services
+		/// set the X-Original-Host and X-Forwarded-Proto headers to build the base Uri for 
+		/// redirects back to localhost.
+		/// </summary>
+		public bool DebugUsingRequestHeadersToBuildBaseUri { get; set; }
+
+        /// <summary>
+        /// A list of permissions to request.
+        /// </summary>
+        public IList<string> Scope { get; private set; }
+
+        /// <summary>
+        ///     Gets or sets the <see cref="IPodbeanAuthenticationProvider" /> used in the authentication events
+        /// </summary>
+        public IPodbeanAuthenticationProvider Provider { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the name of another authentication middleware which will be responsible for actually issuing a user
+        ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+        /// </summary>
+        public string SignInAsAuthenticationType { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the type used to secure data handled by the middleware.
+        /// </summary>
+        public ISecureDataFormat<AuthenticationProperties> StateDataFormat { get; set; }
+    }
+}

src/Owin.Security.Providers.Podbean/Properties/AssemblyInfo.cs

@@ -0,0 +1,15 @@
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+[assembly: AssemblyTitle("Owin.Security.Providers.Podbean")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("Owin.Security.Providers.Podbean")]
+[assembly: AssemblyCopyright("Copyright ©  2016")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+[assembly: ComVisible(false)]
+[assembly: Guid("38815307-3360-4f54-9204-03fae50160bc")]
+[assembly: AssemblyVersion("2.0.0.0")]
+[assembly: AssemblyFileVersion("2.0.0.0")]

src/Owin.Security.Providers.Podbean/Provider/IPodbeanAuthenticationProvider.cs

@@ -0,0 +1,33 @@
+#region
+
+using System.Threading.Tasks;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+    /// <summary>
+    ///     Specifies callback methods which the <see cref="PodbeanAuthenticationMiddleware"></see> invokes to enable developer
+    ///     control over the authentication process. />
+    /// </summary>
+    public interface IPodbeanAuthenticationProvider
+    {
+        /// <summary>
+        ///     Invoked whenever Podbean successfully authenticates a user
+        /// </summary>
+        /// <param name="context">
+        ///     Contains information about the login session as well as the user
+        ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+        /// </param>
+        /// <returns>A <see cref="Task" /> representing the completed operation.</returns>
+        Task Authenticated(PodbeanAuthenticatedContext context);
+
+        /// <summary>
+        ///     Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity" /> being saved in a local cookie and the
+        ///     browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task" /> representing the completed operation.</returns>
+        Task ReturnEndpoint(PodbeanReturnEndpointContext context);
+    }
+}

src/Owin.Security.Providers.Podbean/Provider/PodbeanAuthenticatedContext.cs

@@ -0,0 +1,130 @@
+#region
+
+using System;
+using System.Globalization;
+using System.Security.Claims;
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+using Newtonsoft.Json.Linq;
+using Newtonsoft.Json;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+	/// <summary>
+	///     Contains information about the login session as well as the user
+	///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+	/// </summary>
+	public class PodbeanAuthenticatedContext : BaseContext
+	{
+		/// <summary>
+		///     Initializes a <see cref="PodbeanAuthenticatedContext" />
+		/// </summary>
+		/// <param name="context">The OWIN environment</param>
+		/// <param name="podcast">The <see cref="Podcast"/></param>
+		/// <param name="accessToken">Podbean Access token</param>
+		/// <param name="refreshToken">Podbean Refresh token</param>
+		/// <param name="expires">Seconds until expiration</param>
+		public PodbeanAuthenticatedContext(IOwinContext context, Podcast podcast, string accessToken, string refreshToken, string expires)
+			: base(context)
+		{
+			Podcast = podcast;
+			Id = podcast.Id;
+			Name = podcast.Title;
+			AccessToken = accessToken;
+			RefreshToken = refreshToken;
+
+			int expiresValue;
+			if (int.TryParse(expires, NumberStyles.Integer, CultureInfo.InvariantCulture, out expiresValue))
+				ExpiresIn = TimeSpan.FromSeconds(expiresValue);
+		}
+
+		/// <summary>
+		///     Gets the JSON-serialized user
+		/// </summary>
+		/// <remarks>
+		///     Contains the Podbean user obtained from the endpoint https://api.Podbeanapp.com/1/user.json
+		/// </remarks>
+		public Podcast Podcast { get; }
+
+		/// <summary>
+		///     Gets the Podbean OAuth access token
+		/// </summary>
+		public string AccessToken { get; }
+
+		/// <summary>
+		///     Gets the Podbean OAuth refresh token
+		/// </summary>
+		public string RefreshToken { get; }
+
+		/// <summary>
+		///     Gets the Podbean access token expiration time
+		/// </summary>
+		public TimeSpan? ExpiresIn { get; set; }
+
+		/// <summary>
+		/// Gets the Podbean Podcast ID
+		/// </summary>
+		public string Id { get; }
+
+		/// <summary>
+		///     The name of the user
+		/// </summary>
+		public string Name { get; }
+
+		/// <summary>
+		///     Gets the <see cref="ClaimsIdentity" /> representing the user
+		/// </summary>
+		public ClaimsIdentity Identity { get; set; }
+
+		/// <summary>
+		///     Gets or sets a property bag for common authentication properties
+		/// </summary>
+		public AuthenticationProperties Properties { get; set; }
+	}
+
+	public class Podcast
+	{
+		/// <summary>
+		/// The Id of the <see cref="Podcast"/>
+		/// </summary>
+		public string Id { get; set; }
+
+		/// <summary>
+		/// The title of the <see cref="Podcast"/>
+		/// </summary>
+		public string Title { get; set; }
+
+		/// <summary>
+		/// The description of the <see cref="Podcast"/>
+		/// </summary>
+		[JsonProperty(PropertyName = "desc")]
+		public string Description { get; set; }
+
+		/// <summary>
+		/// A url to an image representing the logo of the <see cref="Podcast"/>
+		/// </summary>
+		public string Logo { get; set; }
+
+		/// <summary>
+		/// A url to the <see cref="Podcast"/>'s website
+		/// </summary>
+		public string Website { get; set; }
+
+		/// <summary>
+		/// The name of the category of the <see cref="Podcast"/>
+		/// </summary>
+		[JsonProperty(PropertyName = "category_name")]
+		public string CategoryName { get; set; }
+
+		/// <summary>
+		/// The episode types of the <see cref="Podcast"/>.
+		/// The possible value is a combination of public, premium or private
+		/// </summary>
+		[JsonProperty(PropertyName = "allow_episode_type")]
+		public string[] AllowEpisodeTypes { get; set; }
+	}
+
+}

src/Owin.Security.Providers.Podbean/Provider/PodbeanAuthenticationProvider.cs

@@ -0,0 +1,58 @@
+#region
+
+using System;
+using System.Threading.Tasks;
+
+#endregion
+
+namespace Owin.Security.Providers.Podbean
+{
+    /// <summary>
+    ///     Default <see cref="IPodbeanAuthenticationProvider" /> implementation.
+    /// </summary>
+    public class PodbeanAuthenticationProvider : IPodbeanAuthenticationProvider
+    {
+        /// <summary>
+        ///     Initializes a <see cref="PodbeanAuthenticationProvider" />
+        /// </summary>
+        public PodbeanAuthenticationProvider()
+        {
+            OnAuthenticated = context => Task.FromResult<object>(null);
+            OnReturnEndpoint = context => Task.FromResult<object>(null);
+        }
+
+        /// <summary>
+        ///     Gets or sets the function that is invoked when the Authenticated method is invoked.
+        /// </summary>
+        public Func<PodbeanAuthenticatedContext, Task> OnAuthenticated { get; set; }
+
+        /// <summary>
+        ///     Gets or sets the function that is invoked when the ReturnEndpoint method is invoked.
+        /// </summary>
+        public Func<PodbeanReturnEndpointContext, Task> OnReturnEndpoint { get; set; }
+
+        /// <summary>
+        ///     Invoked whenever Podbean successfully authenticates a user
+        /// </summary>
+        /// <param name="context">
+        ///     Contains information about the login session as well as the user
+        ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
+        /// </param>
+        /// <returns>A <see cref="Task" /> representing the completed operation.</returns>
+        public virtual Task Authenticated(PodbeanAuthenticatedContext context)
+        {
+            return OnAuthenticated(context);
+        }
+
+        /// <summary>
+        ///     Invoked prior to the <see cref="System.Security.Claims.ClaimsIdentity" /> being saved in a local cookie and the
+        ///     browser being redirected to the originally requested URL.
+        /// </summary>
+        /// <param name="context"></param>
+        /// <returns>A <see cref="Task" /> representing the completed operation.</returns>
+        public virtual Task ReturnEndpoint(PodbeanReturnEndpointContext context)
+        {
+            return OnReturnEndpoint(context);
+        }
+    }
+}

src/Owin.Security.Providers.Podbean/Provider/PodbeanReturnEndpointContext.cs

@@ -0,0 +1,23 @@
+using Microsoft.Owin;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Provider;
+
+namespace Owin.Security.Providers.Podbean
+{
+    /// <summary>
+    ///     Provides context information to middleware providers.
+    /// </summary>
+    public class PodbeanReturnEndpointContext : ReturnEndpointContext
+    {
+        /// <summary>
+        /// </summary>
+        /// <param name="context">OWIN environment</param>
+        /// <param name="ticket">The authentication ticket</param>
+        public PodbeanReturnEndpointContext(
+            IOwinContext context,
+            AuthenticationTicket ticket)
+            : base(context, ticket)
+        {
+        }
+    }
+}

src/Owin.Security.Providers.Podbean/Resources.Designer.cs

@@ -0,0 +1,81 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by a tool.
+//     Runtime Version:4.0.30319.42000
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+namespace Owin.Security.Providers.Podbean {
+    using System;
+    
+    
+    /// <summary>
+    ///   A strongly-typed resource class, for looking up localized strings, etc.
+    /// </summary>
+    // This class was auto-generated by the StronglyTypedResourceBuilder
+    // class via a tool like ResGen or Visual Studio.
+    // To add or remove a member, edit your .ResX file then rerun ResGen
+    // with the /str option, or rebuild your VS project.
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
+    [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+    [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    internal class Resources {
+        
+        private static global::System.Resources.ResourceManager resourceMan;
+        
+        private static global::System.Globalization.CultureInfo resourceCulture;
+        
+        [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+        internal Resources() {
+        }
+        
+        /// <summary>
+        ///   Returns the cached ResourceManager instance used by this class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Resources.ResourceManager ResourceManager {
+            get {
+                if (object.ReferenceEquals(resourceMan, null)) {
+                    global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Owin.Security.Providers.Podbean.Resources", typeof(Resources).Assembly);
+                    resourceMan = temp;
+                }
+                return resourceMan;
+            }
+        }
+        
+        /// <summary>
+        ///   Overrides the current thread's CurrentUICulture property for all
+        ///   resource lookups using this strongly typed resource class.
+        /// </summary>
+        [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+        internal static global::System.Globalization.CultureInfo Culture {
+            get {
+                return resourceCulture;
+            }
+            set {
+                resourceCulture = value;
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to The &apos;{0}&apos; option must be provided..
+        /// </summary>
+        internal static string Exception_OptionMustBeProvided {
+            get {
+                return ResourceManager.GetString("Exception_OptionMustBeProvided", resourceCulture);
+            }
+        }
+        
+        /// <summary>
+        ///   Looks up a localized string similar to An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler..
+        /// </summary>
+        internal static string Exception_ValidatorHandlerMismatch {
+            get {
+                return ResourceManager.GetString("Exception_ValidatorHandlerMismatch", resourceCulture);
+            }
+        }
+    }
+}

src/Owin.Security.Providers.Podbean/Resources.resx

@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="utf-8"?>
+<root>
+  <!-- 
+    Microsoft ResX Schema 
+    
+    Version 2.0
+    
+    The primary goals of this format is to allow a simple XML format 
+    that is mostly human readable. The generation and parsing of the 
+    various data types are done through the TypeConverter classes 
+    associated with the data types.
+    
+    Example:
+    
+    ... ado.net/XML headers & schema ...
+    <resheader name="resmimetype">text/microsoft-resx</resheader>
+    <resheader name="version">2.0</resheader>
+    <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
+    <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
+    <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
+    <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
+    <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
+        <value>[base64 mime encoded serialized .NET Framework object]</value>
+    </data>
+    <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
+        <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
+        <comment>This is a comment</comment>
+    </data>
+                
+    There are any number of "resheader" rows that contain simple 
+    name/value pairs.
+    
+    Each data row contains a name, and value. The row also contains a 
+    type or mimetype. Type corresponds to a .NET class that support 
+    text/value conversion through the TypeConverter architecture. 
+    Classes that don't support this are serialized and stored with the 
+    mimetype set.
+    
+    The mimetype is used for serialized objects, and tells the 
+    ResXResourceReader how to depersist the object. This is currently not 
+    extensible. For a given mimetype the value must be set accordingly:
+    
+    Note - application/x-microsoft.net.object.binary.base64 is the format 
+    that the ResXResourceWriter will generate, however the reader can 
+    read any of the formats listed below.
+    
+    mimetype: application/x-microsoft.net.object.binary.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+            : and then encoded with base64 encoding.
+    
+    mimetype: application/x-microsoft.net.object.soap.base64
+    value   : The object must be serialized with 
+            : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+            : and then encoded with base64 encoding.
+
+    mimetype: application/x-microsoft.net.object.bytearray.base64
+    value   : The object must be serialized into a byte array 
+            : using a System.ComponentModel.TypeConverter
+            : and then encoded with base64 encoding.
+    -->
+  <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
+    <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
+    <xsd:element name="root" msdata:IsDataSet="true">
+      <xsd:complexType>
+        <xsd:choice maxOccurs="unbounded">
+          <xsd:element name="metadata">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" />
+              </xsd:sequence>
+              <xsd:attribute name="name" use="required" type="xsd:string" />
+              <xsd:attribute name="type" type="xsd:string" />
+              <xsd:attribute name="mimetype" type="xsd:string" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="assembly">
+            <xsd:complexType>
+              <xsd:attribute name="alias" type="xsd:string" />
+              <xsd:attribute name="name" type="xsd:string" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="data">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+                <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
+              <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
+              <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
+              <xsd:attribute ref="xml:space" />
+            </xsd:complexType>
+          </xsd:element>
+          <xsd:element name="resheader">
+            <xsd:complexType>
+              <xsd:sequence>
+                <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
+              </xsd:sequence>
+              <xsd:attribute name="name" type="xsd:string" use="required" />
+            </xsd:complexType>
+          </xsd:element>
+        </xsd:choice>
+      </xsd:complexType>
+    </xsd:element>
+  </xsd:schema>
+  <resheader name="resmimetype">
+    <value>text/microsoft-resx</value>
+  </resheader>
+  <resheader name="version">
+    <value>2.0</value>
+  </resheader>
+  <resheader name="reader">
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <resheader name="writer">
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+  </resheader>
+  <data name="Exception_OptionMustBeProvided" xml:space="preserve">
+    <value>The '{0}' option must be provided.</value>
+  </data>
+  <data name="Exception_ValidatorHandlerMismatch" xml:space="preserve">
+    <value>An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler.</value>
+  </data>
+</root>

src/Owin.Security.Providers.Podbean/packages.config

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.Owin" version="3.0.1" targetFramework="net45" />
+  <package id="Microsoft.Owin.Security" version="3.0.1" targetFramework="net45" />
+  <package id="Newtonsoft.Json" version="8.0.3" targetFramework="net45" />
+  <package id="Owin" version="1.0" targetFramework="net45" />
+</packages>

src/Owin.Security.Providers.Reddit/Owin.Security.Providers.Reddit.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Salesforce/Constants.cs

@@ -1,7 +1,11 @@
 namespace Owin.Security.Providers.Salesforce
 {
-    internal static class Constants
+    public static class Constants
     {
         public const string DefaultAuthenticationType = "Salesforce";
+
+        public const string EnvironmentAuthenticationProperty = "Environment";
+        public const string ProductionEnvironment = "Production";
+        public const string SandboxEnvironment = "Sandbox";
     }
 }

src/Owin.Security.Providers.Salesforce/Owin.Security.Providers.Salesforce.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Salesforce/SalesforceAuthenticationHandler.cs

@@ -18,6 +18,12 @@ namespace Owin.Security.Providers.Salesforce
     {
         private const string XmlSchemaString = "http://www.w3.org/2001/XMLSchema#string";
 
+        private const string ProductionHost =    "https://login.salesforce.com";
+        private const string SandboxHost =       "https://test.salesforce.com";
+
+        private const string AuthorizationEndpoint = "/services/oauth2/authorize";
+        private const string TokenEndpoint =     "/services/oauth2/token";
+
         private readonly ILogger _logger;
         private readonly HttpClient _httpClient;
 
@@ -74,7 +80,7 @@ namespace Owin.Security.Providers.Salesforce
                     };
 
                 // Request the token
-                var requestMessage = new HttpRequestMessage(HttpMethod.Post, Options.Endpoints.TokenEndpoint);
+                var requestMessage = new HttpRequestMessage(HttpMethod.Post, ComposeTokenEndpoint(properties));
                 requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                 requestMessage.Content = new FormUrlEncodedContent(body);
                 var tokenResponse = await _httpClient.SendAsync(requestMessage);
@@ -186,8 +192,10 @@ namespace Owin.Security.Providers.Salesforce
 
             var state = Options.StateDataFormat.Protect(properties);
 
-            var authorizationEndpoint =
-                $"{Options.Endpoints.AuthorizationEndpoint}?response_type={"code"}&client_id={Options.ClientId}&redirect_uri={HttpUtility.UrlEncode(redirectUri)}&display={"page"}&immediate={false}&state={Uri.EscapeDataString(state)}";
+            var authorizationEndpoint = ComposeAuthorizationEndpoint(properties);
+
+            authorizationEndpoint =
+                $"{authorizationEndpoint}?response_type={"code"}&client_id={Options.ClientId}&redirect_uri={HttpUtility.UrlEncode(redirectUri)}&display={Options.DisplayMode}&immediate={false}&state={Uri.EscapeDataString(state)}";
 
             if (Options.Scope != null && Options.Scope.Count > 0)
             {
@@ -253,5 +261,66 @@ namespace Owin.Security.Providers.Salesforce
 
             return context.IsRequestCompleted;
         }
+
+        private string ComposeAuthorizationEndpoint(AuthenticationProperties properties) {
+            string endpointPath = AuthorizationEndpoint;
+
+            string endpoint =
+                !String.IsNullOrEmpty(Options.Endpoints.AuthorizationEndpoint) ?
+                Options.Endpoints.AuthorizationEndpoint :
+                ComposeEndpoint(properties, endpointPath);
+
+            // if AuthenticationProperties for this session specifies an environment property
+            // it should take precedence over the value in AuthenticationOptions
+            string environmentProperty = null;
+            if (properties.Dictionary.TryGetValue(Constants.EnvironmentAuthenticationProperty, out environmentProperty)) {
+                endpoint =
+                    environmentProperty == Constants.SandboxEnvironment ?
+                    SandboxHost + endpointPath :
+                    ProductionHost + endpointPath;
+            }
+
+            return endpoint;
+        }
+
+        private string ComposeTokenEndpoint(AuthenticationProperties properties) {
+            string endpointPath = TokenEndpoint;
+
+            string endpoint =
+                !String.IsNullOrEmpty(Options.Endpoints.TokenEndpoint) ?
+                Options.Endpoints.TokenEndpoint :
+                ComposeEndpoint(properties, endpointPath);
+
+            // if AuthenticationProperties for this session specifies an environment property
+            // it should take precedence over the value in AuthenticationOptions
+            string environmentProperty = null; ;
+            if (properties.Dictionary.TryGetValue(Constants.EnvironmentAuthenticationProperty, out environmentProperty)) {
+                endpoint =
+                    environmentProperty == Constants.SandboxEnvironment ?
+                    SandboxHost + endpointPath :
+                    ProductionHost + endpointPath;
+            }
+
+            return endpoint;
+        }
+
+        private string ComposeEndpoint(AuthenticationProperties properties, string endpointPath) {
+            string endpoint =
+                !String.IsNullOrEmpty(Options.Endpoints.Environment) && Options.Endpoints.Environment == Constants.SandboxEnvironment ?
+                SandboxHost + endpointPath :
+                ProductionHost + endpointPath;
+
+            // if AuthenticationProperties for this session specifies an environment property
+            // it should take precedence over the value in AuthenticationOptions
+            string environmentProperty = null; ;
+            if (properties.Dictionary.TryGetValue(Constants.EnvironmentAuthenticationProperty, out environmentProperty)) {
+                endpoint =
+                    environmentProperty == Constants.SandboxEnvironment ?
+                    SandboxHost + endpointPath :
+                    ProductionHost + endpointPath;
+            }
+
+            return endpoint;
+        }
     }
 }

src/Owin.Security.Providers.Salesforce/SalesforceAuthenticationOptions.cs

@@ -19,11 +19,28 @@ namespace Owin.Security.Providers.Salesforce
             /// Endpoint which is used to exchange code for access token
             /// </summary>
             public string TokenEndpoint { get; set; }
+
+            /// <summary>
+            /// Production or Sandbox. Use Constants.ProductionEnvironment or Constants.SandboxEnvironment
+            /// </summary>
+            public string Environment { get; set; }
         }
 
-        private const string AuthorizationEndPoint = "";
-        private const string TokenEndpoint = "";
-
+        /// <summary>
+        /// Options for Display Mode
+        ///     Changes the login and authorization pages’ display type. Salesforce supports these values.
+        ///     page—Full-page authorization screen(default)
+        ///     popup—Compact dialog optimized for modern web browser popup windows
+        ///     touch—Mobile-optimized dialog designed for modern smartphones, such as Android and iPhone
+        ///     mobile—Mobile-optimized dialog designed for less capable smartphones, such as BlackBerry OS 5
+        /// </summary>
+        public enum Display{
+            page,
+            popup,
+            touch,
+            mobile
+        }
+        
         /// <summary>
         ///     Gets or sets the a pinned certificate validator to use to validate the endpoints used
         ///     in back channel communications belong to Salesforce.
@@ -79,8 +96,8 @@ namespace Owin.Security.Providers.Salesforce
         public string ClientSecret { get; set; }
 
         /// <summary>
-        /// Gets the sets of OAuth endpoints used to authenticate against Salesforce.  Overriding these endpoints allows you to use Salesforce Enterprise for
-        /// authentication.
+        /// Gets the sets of OAuth endpoints used to authenticate against Salesforce.  
+        /// Overriding these endpoints allows you to use Salesforce Enterprise for authentication.
         /// </summary>
         public SalesforceAuthenticationEndpoints Endpoints { get; set; }
 
@@ -108,6 +125,10 @@ namespace Owin.Security.Providers.Salesforce
         ///     <see cref="System.Security.Claims.ClaimsIdentity" />.
         /// </summary>
         public string SignInAsAuthenticationType { get; set; }
+        /// <summary>
+        ///     Gets or sets the display—(Optional) 
+        /// </summary>
+        public Display DisplayMode { get; set; }
 
         /// <summary>
         ///     Gets or sets the type used to secure data handled by the middleware.
@@ -127,8 +148,8 @@ namespace Owin.Security.Providers.Salesforce
             BackchannelTimeout = TimeSpan.FromSeconds(60);
             Endpoints = new SalesforceAuthenticationEndpoints
             {
-                AuthorizationEndpoint = AuthorizationEndPoint,
-                TokenEndpoint = TokenEndpoint
+                AuthorizationEndpoint = null,
+                TokenEndpoint = null
             };
         }
     }

src/Owin.Security.Providers.Shopify/Owin.Security.Providers.Shopify.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.SlackProvider/Owin.Security.Providers.SlackProvider.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.SoundCloud/Owin.Security.Providers.SoundCloud.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Spotify/Owin.Security.Providers.Spotify.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.StackExchange/Owin.Security.Providers.StackExchange.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Steam/Owin.Security.Providers.Steam.csproj

@@ -20,6 +20,7 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <DebugType>pdbonly</DebugType>
@@ -28,6 +29,7 @@
     <DefineConstants>TRACE</DefineConstants>
     <ErrorReport>prompt</ErrorReport>
     <WarningLevel>4</WarningLevel>
+    <LangVersion>6</LangVersion>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="Microsoft.Owin, Version=3.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">

src/Owin.Security.Providers.Steam/SteamAuthenticationHandler.cs

@@ -10,7 +10,7 @@ namespace Owin.Security.Providers.Steam
 {
     internal sealed class SteamAuthenticationHandler : OpenIDAuthenticationHandlerBase<SteamAuthenticationOptions>
     {
-        private readonly Regex _accountIDRegex = new Regex(@"^http://steamcommunity\.com/openid/id/(7[0-9]{15,25})$", RegexOptions.Compiled);
+        private readonly Regex _accountIDRegex = new Regex(@"^https?://steamcommunity\.com/openid/id/(7[0-9]{15,25})$", RegexOptions.Compiled);
 
         private const string UserInfoUri = "http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key={0}&steamids={1}";