I'm going through the dotNetOpenAuth Samples (OpenIdRelyingPartyMVC and OpenIdProviderMvc) and come up to a question for better understanding...

In the MembersArea of the Relying Party App I use the OpenID "http://localhost:4864/user/bob3" for example. I get redirected to the Providers Login Page, where I use the credentials of Bob5 then. After successfully logged in, I get redirected back to the RelyingParty which says "Congratulations Bob3...".

Is this just a Binding Bug in the Relying Party App, which takes the OpenID which was submitted to the Provider, or am I authenticated in the security context of Bob3 with the credentials of Bob5 which would be an major security issue in my opinion, as I am able to authenticate as whoever I want just with one working user account at the provider.

I think you are using an out-of-date branch which contains a security issue that was discovered 3 years ago:

http://www.zdnet.com/article/dotnet-projects-flawed-sample-code-has-crippling-authentication-exploit/

Code of the flawed controller: https://github.com/DotNetOpenAuth/DotNetOpenAuth.Samples/blob/master/src/OpenID/OpenIdProviderMvc/Controllers/OpenIdController.cs

Fixed code: https://github.com/DotNetOpenAuth/DotNetOpenAuth/blob/develop/samples/OpenIdProviderMvc/Controllers/OpenIdController.cs

Diff of the fix: https://github.com/DotNetOpenAuth/DotNetOpenAuth/commit/cdd3e95f4eac8076ffd78641bf4cf61d4422572a

It seems to me that the "master" branch is out of date, while the "develop" branch is the one that we should use.