
dotNetOpenAuth Samples issue getting the right security context


I'm going through the dotNetOpenAuth Samples (OpenIdRelyingPartyMVC and OpenIdProviderMvc) and came up with a question for better understanding...

In the MembersArea of the Relying Party app I use the OpenID "http://localhost:4864/user/bob3", for example. I get redirected to the Provider's login page, where I then use the credentials of Bob5. After successfully logging in, I get redirected back to the Relying Party, which says "Congratulations Bob3...".

Is this just a binding bug in the Relying Party app, which takes the OpenID that was submitted to the Provider, or am I authenticated in the security context of Bob3 with the credentials of Bob5? In my opinion that would be a major security issue, as I would be able to authenticate as whoever I want with just one working user account at the Provider.


Solution

  • I think you are using an out-of-date branch which contains a security issue that was discovered 3 years ago:

    http://www.zdnet.com/article/dotnet-projects-flawed-sample-code-has-crippling-authentication-exploit/

    Code of the flawed controller: https://github.com/DotNetOpenAuth/DotNetOpenAuth.Samples/blob/master/src/OpenID/OpenIdProviderMvc/Controllers/OpenIdController.cs

    Fixed code: https://github.com/DotNetOpenAuth/DotNetOpenAuth/blob/develop/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs

    Diff of the fix: https://github.com/DotNetOpenAuth/DotNetOpenAuth/commit/cdd3e95f4eac8076ffd78641bf4cf61d4422572a

    It seems to me that the "master" branch is out of date, while the "develop" branch is the one that we should use.