NullReferenceException in DotNetOpenAuth

I tracked down what appears to be a defect causing a NullReferenceException in my ASP.NET MVC app. Did I break this, or should this break DotNetOpenAuth for the majority of installations?

I get this:

[NullReferenceException: Object reference not set to an instance of an object.]
   DotNetOpenAuth.AspNet.OpenAuthSecurityManager.GetUsername(HttpContextBase context) +27
   DotNetOpenAuth.AspNet.OpenAuthSecurityManager.RequestAuthentication(String returnUrl) +341
   Controllers.LoginController.Index() +226

Here's the Index() method. Note it currently returns User in production and OK in development. Those are obviously temporary. The commented code is from the last URL I referenced below, where I reduced the amount of code between me and the problem. The stack trace was still similar, though.

public virtual ActionResult Index()
{
    if (HttpContext == null) return Content("HttpContext");
    if (HttpContext.User == null) return Content("User");
    if (HttpContext.User.Identity == null) return Content("Identity");
    return Content("OK");
    new OpenAuthSecurityManager(HttpContext, s_fbClient, OAuthDataProvider.Instance)
        .RequestAuthentication(Url.Action(Actions.Callback()));
    // OAuthWebSecurity
    //  .RequestAuthentication("facebook", Url.Action(Actions.Callback()));
    return null;
}

The exception arises because HttpContext.User is null. Here's the DotNetOpenAuth.AspNet library source for that failing method.

private static string GetUsername(HttpContextBase context) {
    string username = null;
    if (context.User.Identity.IsAuthenticated) {
        username = context.User.Identity.Name;
    }
    return username ?? string.Empty;
}

User has apparently been nullable ever since IIS Integrated Mode was available. This explains why I don't see it in development, as I'm running IIS Express with defaults, but it doesn't explain why I can't find any information about the defect. Integrated mode was released in 2007, and DotNetOpenAuth is still maintained. Microsoft docs say this about the setting:

Classic Mode: Use this mode only when the applications in the application pool cannot run in Integrated mode.

I must be missing something, because it seems like everyone should have this issue.

Have I NuGet'ed a non-maintained library somehow? It seems odd, since it shows it was just updated a week ago. But when I follow the documentation link from NuGet, the source code I arrive at doesn't seem to even have an AspNet namespace, where my exception arose.

EDIT: The only related package I use is currently DotNetOpenAuth.AspNet (and it has 8 dependencies), last published less than a week ago. I've tried other packages also. I don't need SimpleAuth or any WebMatrix jazz. In the process of resolving this, I tried switching libraries as described at http://techblog.dorogin.com/2013/06/Microsoft.AspNet.WebPages.OAuth.html

EDIT: Logged a defect related to this, but it seems this library may not be maintained. https://github.com/DotNetOpenAuth/DotNetOpenAuth/issues/317#issuecomment-29580565

EDIT: Pending stack trace, it may be the same defect as MVC 5 Owin Facebook Auth results in Null Reference Exception

Impanel answered 1/12, 2013 at 3:49 Comment(6)
It seems to me that the context you're injecting is the wrong one. – Lonlona
If I understand you correctly, Michael, I do not inject context. What you are looking at is a piece of code from the DotNetOpenAuth library, the full source of which is linked above. – Impanel
I think he was suggesting that you are passing the wrong context in. Can you show the code from the LoginController's Index method? – Westmoreland
Sure, Phil. Pasted above. Note that with the WebMatrix package, I didn't even pass HttpContext, as the library pulled it from static properties. – Impanel
If I understand you, Phil, I'm not sure what HttpContext would be expected to have a non-nullable User property. – Impanel
I can't speak for Michael, but I misread the stack trace, and thought you were calling GetUserName directly. – Westmoreland

This is indeed a defect in the DotNetOpenAuth.AspNet code. Unfortunately that DotNetOpenAuth library is no longer maintained. Modifying the source with:

private static string GetUsername(HttpContextBase context) {
    string username = null;
    if (context.User != null && context.User.Identity.IsAuthenticated) {
        username = context.User.Identity.Name;
    }
    return username ?? string.Empty;
}

of course does the trick.

Impanel answered 2/12, 2013 at 20:31 Comment(0)
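
An added example, not part of the original posts and not DotNetOpenAuth code: a null-safe username lookup plus a caller-side guard for applications that cannot patch the library. FakeContext, UserGuard and EnsureAnonymousUser are hypothetical names; the guard assumes the library reads User only from the HttpContextBase passed to it, and it targets .NET Framework with a reference to System.Web.

```csharp
using System;
using System.Security.Principal;
using System.Web; // .NET Framework; reference System.Web.dll

// Hypothetical test double: only User is implemented, and it starts out null.
class FakeContext : HttpContextBase
{
    public override IPrincipal User { get; set; }
}

static class UserGuard
{
    // Null-safe variant of GetUsername: tolerates a missing principal or identity.
    public static string GetUsername(HttpContextBase context)
    {
        IIdentity identity = (context != null && context.User != null)
            ? context.User.Identity
            : null;
        return (identity != null && identity.IsAuthenticated)
            ? (identity.Name ?? string.Empty)
            : string.Empty;
    }

    // Caller-side guard for when the library cannot be patched: give the
    // request an explicitly anonymous principal. A GenericIdentity with an
    // empty name reports IsAuthenticated == false, so this grants no access.
    public static void EnsureAnonymousUser(HttpContextBase context)
    {
        if (context.User == null)
            context.User = new GenericPrincipal(
                new GenericIdentity(string.Empty), new string[0]);
    }
}

static class Program
{
    static void Main()
    {
        var ctx = new FakeContext();            // constructed input: User is null
        Console.WriteLine("[" + UserGuard.GetUsername(ctx) + "]");

        UserGuard.EnsureAnonymousUser(ctx);     // User can now be dereferenced
        Console.WriteLine(ctx.User.Identity.IsAuthenticated);

        ctx.User = new GenericPrincipal(new GenericIdentity("alice"), null); // constructed
        Console.WriteLine("[" + UserGuard.GetUsername(ctx) + "]");
    }
}
```

In a controller the guard would be called on HttpContext before RequestAuthentication; it should only ever assign an unauthenticated identity, never one built from request data.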
