/// <summary>
		/// Initializes a new instance of the <see cref="OAuthChannel"/> class.
		/// </summary>
		/// <param name="signingBindingElement">The binding element to use for signing.</param>
		/// <param name="store">The web application store to use for nonces.</param>
		/// <param name="tokenManager">The token manager instance to use.</param>
		internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager)
			: this(
			signingBindingElement,
			store,
			tokenManager,
			new OAuthServiceProviderMessageFactory(tokenManager)) {
		}

        /// <summary>
        /// Initializes a new instance of the <see cref="OAuthChannel"/> class.
        /// </summary>
        /// <param name="signingBindingElement">The binding element to use for signing.</param>
        /// <param name="store">The web application store to use for nonces.</param>
        /// <param name="tokenManager">The token manager instance to use.</param>
        /// <param name="isConsumer">A value indicating whether this channel is being constructed for a Consumer (as opposed to a Service Provider).</param>
        internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, bool isConsumer)
            : this(signingBindingElement,
			store,
			tokenManager,
			isConsumer ? (IMessageFactory)new OAuthConsumerMessageFactory() : new OAuthServiceProviderMessageFactory(tokenManager))
        {
        }

		/// <summary>
		/// Records the feature and dependency use.
		/// </summary>
		/// <param name="value">The consumer or service provider.</param>
		/// <param name="service">The service.</param>
		/// <param name="tokenManager">The token manager.</param>
		/// <param name="nonceStore">The nonce store.</param>
		internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderHostDescription service, ITokenManager tokenManager, INonceStore nonceStore) {
			Requires.NotNull(value, "value");
			Requires.NotNull(service, "service");
			Requires.NotNull(tokenManager, "tokenManager");

			// In release builds, just quietly return.
			if (value == null || service == null || tokenManager == null) {
				return;
			}

			if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) {
				StringBuilder builder = new StringBuilder();
				builder.Append(value.GetType().Name);
				builder.Append(" ");
				builder.Append(tokenManager.GetType().Name);
				if (nonceStore != null) {
					builder.Append(" ");
					builder.Append(nonceStore.GetType().Name);
				}
				builder.Append(" ");
				builder.Append(service.UserAuthorizationEndpoint != null ? service.UserAuthorizationEndpoint.Location.AbsoluteUri : string.Empty);
				Reporting.ObservedFeatures.Add(builder.ToString());
				Reporting.Touch();
			}
		}

        /// <summary>
        /// Initializes a new instance of the <see cref="StandardReplayProtectionBindingElement"/> class.
        /// </summary>
        /// <param name="nonceStore">The store where nonces will be persisted and checked.</param>
        /// <param name="allowEmptyNonces">A value indicating whether zero-length nonces will be allowed.</param>
        internal StandardReplayProtectionBindingElement(INonceStore nonceStore, bool allowEmptyNonces)
        {
            ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");

            this.nonceStore = nonceStore;
            this.AllowZeroLengthNonce = allowEmptyNonces;
        }

		/// <summary>
		/// Serializes this <see cref="Token"/> instance as a string that can be
		/// included as part of a return_to variable in a querystring. 
		/// This string is cryptographically signed to protect against tampering.
		/// </summary>
		public string Serialize(INonceStore store) {
			using (MemoryStream dataStream = new MemoryStream()) {
				if (!persistSignature(store)) {
					Debug.Assert(!persistNonce(Endpoint, store), "Without a signature, a nonce is meaningless.");
					dataStream.WriteByte(0); // there will be NO signature.
					StreamWriter writer = new StreamWriter(dataStream);
					Endpoint.Serialize(writer);
					writer.Flush();
					return Convert.ToBase64String(dataStream.ToArray());
				} else {
					using (HashAlgorithm shaHash = createHashAlgorithm(store))
					using (CryptoStream shaStream = new CryptoStream(dataStream, shaHash, CryptoStreamMode.Write)) {
						StreamWriter writer = new StreamWriter(shaStream);
						Endpoint.Serialize(writer);
						if (persistNonce(Endpoint, store))
							writer.WriteLine(Nonce.Code);
						
						writer.Flush();
						shaStream.Flush();
						shaStream.FlushFinalBlock();

						byte[] hash = shaHash.Hash;
						byte[] data = new byte[1 + hash.Length + dataStream.Length];
						data[0] = 1; // there is a signature
						Buffer.BlockCopy(hash, 0, data, 1, hash.Length);
						Buffer.BlockCopy(dataStream.ToArray(), 0, data, 1 + hash.Length, (int)dataStream.Length);

						return Convert.ToBase64String(data);
					}
				}
			}
		}

 public AuthorizationServerHost(ICryptoKeyStore cryptoKeyStore, INonceStore nonceStore, IClientRepository clientRepository, IUserRepository userRepository)
 {
     _cryptoKeyStore = cryptoKeyStore;
     _nonceStore = nonceStore;
     _clientRepository = clientRepository;
     _userRepository = userRepository;
 }

		/// <summary>
		/// Records the feature and dependency use.
		/// </summary>
		/// <param name="value">The consumer or service provider.</param>
		/// <param name="service">The service.</param>
		/// <param name="tokenManager">The token manager.</param>
		/// <param name="nonceStore">The nonce store.</param>
		internal static void RecordFeatureAndDependencyUse(object value, ServiceProviderDescription service, ITokenManager tokenManager, INonceStore nonceStore) {
			Contract.Requires(value != null);
			Contract.Requires(service != null);
			Contract.Requires(tokenManager != null);

			// In release builds, just quietly return.
			if (value == null || service == null || tokenManager == null) {
				return;
			}

			if (Reporting.Enabled && Reporting.Configuration.IncludeFeatureUsage) {
				StringBuilder builder = new StringBuilder();
				builder.Append(value.GetType().Name);
				builder.Append(" ");
				builder.Append(tokenManager.GetType().Name);
				if (nonceStore != null) {
					builder.Append(" ");
					builder.Append(nonceStore.GetType().Name);
				}
				builder.Append(" ");
				builder.Append(service.Version);
				builder.Append(" ");
				builder.Append(service.UserAuthorizationEndpoint);
				Reporting.ObservedFeatures.Add(builder.ToString());
				Reporting.Touch();
			}
		}

		/// <summary>
		/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
		/// </summary>
		/// <param name="nonceStore">The nonce store to use.</param>
		/// <param name="securitySettings">The security settings of the RP.</param>
		internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) {
			Contract.Requires<ArgumentNullException>(nonceStore != null);
			Contract.Requires<ArgumentNullException>(securitySettings != null);

			this.nonceStore = nonceStore;
			this.securitySettings = securitySettings;
		}

		/// <summary>
		/// Initializes a new instance of the <see cref="ReturnToNonceBindingElement"/> class.
		/// </summary>
		/// <param name="nonceStore">The nonce store to use.</param>
		/// <param name="securitySettings">The security settings of the RP.</param>
		internal ReturnToNonceBindingElement(INonceStore nonceStore, RelyingPartySecuritySettings securitySettings) {
			Requires.NotNull(nonceStore, "nonceStore");
			Requires.NotNull(securitySettings, "securitySettings");

			this.nonceStore = nonceStore;
			this.securitySettings = securitySettings;
		}

 /// <summary>
 /// Initializes a new instance of the <see cref="WsseRequestInterceptor"/> class.
 /// </summary>
 /// <param name="provider">The provider.</param>
 /// <param name="realm">The realm.</param>
 /// <param name="timestampRangevalidator">The timestamp rangevalidator.</param>
 /// <param name="nonceStore">The nonce store.</param>
 public WsseRequestInterceptor(IPasswordProvider provider, string realm, ITimestampRangeValidator timestampRangevalidator, INonceStore nonceStore)
     : base(false)
 {
     TimestampRangeValidator = timestampRangevalidator;
     NonceStore = nonceStore;
     Provider = provider;
     Realm = realm;
 }

        /// <summary>
        /// Initializes a new instance of the <see cref="OAuthChannel"/> class.
        /// </summary>
        /// <param name="signingBindingElement">The binding element to use for signing.</param>
        /// <param name="store">The web application store to use for nonces.</param>
        /// <param name="tokenManager">The ITokenManager instance to use.</param>
        /// <param name="messageTypeProvider">
        /// An injected message type provider instance.
        /// Except for mock testing, this should always be one of
        /// <see cref="OAuthConsumerMessageFactory"/> or <see cref="OAuthServiceProviderMessageFactory"/>.
        /// </param>
        internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, IMessageFactory messageTypeProvider)
            : base(messageTypeProvider, InitializeBindingElements(signingBindingElement, store, tokenManager))
        {
            ErrorUtilities.VerifyArgumentNotNull(tokenManager, "tokenManager");

            this.TokenManager = tokenManager;
            ErrorUtilities.VerifyArgumentNamed(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel);

            signingBindingElement.SignatureCallback = this.SignatureCallback;
        }

		protected OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings, IMessageFactory messageTypeProvider, IChannelBindingElement[] bindingElements)
			: base(messageTypeProvider, bindingElements) {
			Requires.NotNull(tokenManager, "tokenManager");
			Requires.NotNull(securitySettings, "securitySettings");
			Requires.NotNull(signingBindingElement, "signingBindingElement");
			Requires.True(signingBindingElement.SignatureCallback == null, "signingBindingElement", OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
			Requires.NotNull(bindingElements, "bindingElements");

			this.TokenManager = tokenManager;
			signingBindingElement.SignatureCallback = this.SignatureCallback;
		}

		internal OAuthConsumerChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager, ConsumerSecuritySettings securitySettings, IMessageFactory messageFactory = null)
			: base(
			signingBindingElement,
			tokenManager,
			securitySettings,
			messageFactory ?? new OAuthConsumerMessageFactory(),
			InitializeBindingElements(signingBindingElement, store)) {
			Requires.NotNull(tokenManager, "tokenManager");
			Requires.NotNull(securitySettings, "securitySettings");
			Requires.NotNull(signingBindingElement, "signingBindingElement");
		}

		/// <summary>
		/// Initializes the binding elements for the OAuth channel.
		/// </summary>
		/// <param name="signingBindingElement">The signing binding element.</param>
		/// <param name="store">The nonce store.</param>
		/// <param name="tokenManager">The token manager.</param>
		/// <param name="securitySettings">The security settings.</param>
		/// <returns>
		/// An array of binding elements used to initialize the channel.
		/// </returns>
		private static IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, ITokenManager tokenManager, SecuritySettings securitySettings) {
			Requires.NotNull(securitySettings, "securitySettings");

			var bindingElements = OAuthChannel.InitializeBindingElements(signingBindingElement, store);

			var spTokenManager = tokenManager as IServiceProviderTokenManager;
			var serviceProviderSecuritySettings = securitySettings as ServiceProviderSecuritySettings;
			bindingElements.Insert(0, new TokenHandlingBindingElement(spTokenManager, serviceProviderSecuritySettings));

			return bindingElements.ToArray();
		}

        IIdSiteSyncCallbackHandler IIdSiteSyncCallbackHandler.SetNonceStore(INonceStore nonceStore)
        {
            if (nonceStore == null)
            {
                throw new ArgumentNullException(nameof(nonceStore));
            }

            this.nonceStore = nonceStore;

            return this;
        }

		internal OAuthServiceProviderChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings, IMessageFactory messageTypeProvider = null)
			: base(
			signingBindingElement,
			tokenManager,
			securitySettings,
			messageTypeProvider ?? new OAuthServiceProviderMessageFactory(tokenManager),
			InitializeBindingElements(signingBindingElement, store, tokenManager, securitySettings)) {
			Requires.NotNull(tokenManager, "tokenManager");
			Requires.NotNull(securitySettings, "securitySettings");
			Requires.NotNull(signingBindingElement, "signingBindingElement");
		}

		internal OAuthChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IServiceProviderTokenManager tokenManager, ServiceProviderSecuritySettings securitySettings)
			: this(
			signingBindingElement,
			store,
			tokenManager,
			securitySettings,
			new OAuthServiceProviderMessageFactory(tokenManager)) {
			Contract.Requires<ArgumentNullException>(tokenManager != null);
			Contract.Requires<ArgumentNullException>(securitySettings != null);
			Contract.Requires<ArgumentNullException>(signingBindingElement != null);
			Contract.Requires<ArgumentException>(signingBindingElement.SignatureCallback == null, OAuthStrings.SigningElementAlreadyAssociatedWithChannel);
		}

        /// <summary>
        /// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
        /// </summary>
        /// <param name="associationStore">The association store to use.  Cannot be null.</param>
        /// <param name="nonceStore">The nonce store to use.  Cannot be null.</param>
        private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore)
        {
            Contract.Requires(associationStore != null);
            Contract.Requires(nonceStore != null);
            Contract.Ensures(this.AssociationStore == associationStore);
            Contract.Ensures(this.SecuritySettings != null);
            Contract.Ensures(this.Channel != null);
            ErrorUtilities.VerifyArgumentNotNull(associationStore, "associationStore");
            ErrorUtilities.VerifyArgumentNotNull(nonceStore, "nonceStore");

            this.AssociationStore = associationStore;
            this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
            this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
        }

		/// <summary>
		/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
		/// </summary>
		/// <param name="nonceStore">The nonce store to use.  Cannot be null.</param>
		/// <param name="cryptoKeyStore">The crypto key store.  Cannot be null.</param>
		private OpenIdProvider(INonceStore nonceStore, ICryptoKeyStore cryptoKeyStore) {
			Requires.NotNull(nonceStore, "nonceStore");
			Requires.NotNull(cryptoKeyStore, "cryptoKeyStore");

			this.SecuritySettings = OpenIdElement.Configuration.Provider.SecuritySettings.CreateSecuritySettings();
			this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
			foreach (var behavior in OpenIdElement.Configuration.Provider.Behaviors.CreateInstances(false)) {
				this.behaviors.Add(behavior);
			}

			this.AssociationStore = new SwitchingAssociationStore(cryptoKeyStore, this.SecuritySettings);
			this.Channel = new OpenIdProviderChannel(this.AssociationStore, nonceStore, this.SecuritySettings);
			this.CryptoKeyStore = cryptoKeyStore;
			this.discoveryServices = new IdentifierDiscoveryServices(this);

			Reporting.RecordFeatureAndDependencyUse(this, nonceStore);
		}

		/// <summary>
		/// Initializes a new instance of the <see cref="OpenIdProvider"/> class.
		/// </summary>
		/// <param name="associationStore">The association store to use.  Cannot be null.</param>
		/// <param name="nonceStore">The nonce store to use.  Cannot be null.</param>
		private OpenIdProvider(IAssociationStore<AssociationRelyingPartyType> associationStore, INonceStore nonceStore) {
			Contract.Requires<ArgumentNullException>(associationStore != null);
			Contract.Requires<ArgumentNullException>(nonceStore != null);
			Contract.Ensures(this.AssociationStore == associationStore);
			Contract.Ensures(this.SecuritySettings != null);
			Contract.Ensures(this.Channel != null);

			this.AssociationStore = associationStore;
			this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
			this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
			foreach (var behavior in DotNetOpenAuthSection.Configuration.OpenId.Provider.Behaviors.CreateInstances(false)) {
				this.behaviors.Add(behavior);
			}

			this.Channel = new OpenIdChannel(this.AssociationStore, nonceStore, this.SecuritySettings);

			Reporting.RecordFeatureAndDependencyUse(this, associationStore, nonceStore);
		}