Diffstat (limited to 'src/OAuth/OAuthAuthorizationServer/Code')
-rw-r--r--src/OAuth/OAuthAuthorizationServer/Code/Client.cs29
-rw-r--r--src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs40
2 files changed, 40 insertions, 29 deletions
diff --git a/src/OAuth/OAuthAuthorizationServer/Code/Client.cs b/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
index 0013f27..cf5ea59 100644
--- a/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
+++ b/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
@@ -1,7 +1,7 @@
namespace OAuthAuthorizationServer.Code {
using System;
using System.Collections.Generic;
-
+ using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;
/// <summary>
@@ -11,13 +11,6 @@
#region IConsumerDescription Members
/// <summary>
- /// Gets the client secret.
- /// </summary>
- string IClientDescription.Secret {
- get { return this.ClientSecret; }
- }
-
- /// <summary>
/// Gets the callback to use when an individual authorization request
/// does not include an explicit callback URI.
/// </summary>
@@ -36,6 +29,13 @@
}
/// <summary>
+ /// Gets a value indicating whether a non-empty secret is registered for this client.
+ /// </summary>
+ bool IClientDescription.HasNonEmptySecret {
+ get { return !string.IsNullOrEmpty(this.ClientSecret); }
+ }
+
+ /// <summary>
/// Determines whether a callback URI included in a client's authorization request
/// is among those allowed callbacks for the registered client.
/// </summary>
@@ -59,6 +59,19 @@
return false;
}
+ /// <summary>
+ /// Checks whether the specified client secret is correct.
+ /// </summary>
+ /// <param name="secret">The secret obtained from the client.</param>
+ /// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
+ /// <remarks>
+ /// All string equality checks, whether checking secrets or their hashes,
+ /// should be done using <see cref="MessagingUtilities.EqualsConstantTime"/> to mitigate timing attacks.
+ /// </remarks>
+ bool IClientDescription.IsValidClientSecret(string secret) {
+ return MessagingUtilities.EqualsConstantTime(secret, this.ClientSecret);
+ }
+
#endregion
}
} \ No newline at end of file
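Review bot: `IsValidClientSecret` delegates entirely to `MessagingUtilities.EqualsConstantTime`, which to my recollection treats two null (or two empty) strings as equal, so a client whose `ClientSecret` is unset would accept a token request that presents no secret at all. The `HasNonEmptySecret` member added in the previous hunk presumably lets the library skip the secret check for such clients, but this method should not rely on every caller honoring that: `return !string.IsNullOrEmpty(this.ClientSecret) && MessagingUtilities.EqualsConstantTime(secret, this.ClientSecret);`. The constant-time comparison itself is the right choice and the remarks explaining why are welcome. The enclosing `Client` class starts before this hunk.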
diff --git a/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index b837d4c..eb7f1f5 100644
--- a/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -10,9 +10,7 @@
using DotNetOpenAuth.OAuth2.ChannelElements;
using DotNetOpenAuth.OAuth2.Messages;
- internal class OAuth2AuthorizationServer : IAuthorizationServer {
- private static readonly RSACryptoServiceProvider AsymmetricTokenSigningPrivateKey = CreateRSA();
-
+ internal class OAuth2AuthorizationServer : IAuthorizationServerHost {
#if SAMPLESONLY
/// <summary>
/// This is the FOR SAMPLE ONLY hard-coded public key of the complementary OAuthResourceServer sample.
@@ -31,43 +29,39 @@
private static readonly RSAParameters ResourceServerEncryptionPublicKey;
#endif
- #region Implementation of IAuthorizationServer
+ #region Implementation of IAuthorizationServerHost
public ICryptoKeyStore CryptoKeyStore {
get { return MvcApplication.KeyNonceStore; }
}
- public INonceStore VerificationCodeNonceStore {
+ public INonceStore NonceStore {
get { return MvcApplication.KeyNonceStore; }
}
- public RSACryptoServiceProvider AccessTokenSigningKey {
- get { return AsymmetricTokenSigningPrivateKey; }
- }
+ public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) {
+ var accessToken = new AuthorizationServerAccessToken();
- public TimeSpan GetAccessTokenLifetime(IAccessTokenRequest accessTokenRequestMessage) {
// Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token. The client can still renew it using their refresh token until
// the authorization itself expires.
- TimeSpan lifetime = TimeSpan.FromMinutes(2);
+ accessToken.Lifetime = TimeSpan.FromMinutes(2);
// Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
// to account for that if necessary.
//// TODO: code here
- return lifetime;
- }
-
- public RSACryptoServiceProvider GetResourceServerEncryptionKey(IAccessTokenRequest accessTokenRequestMessage) {
- var resourceServerEncryptionKey = new RSACryptoServiceProvider();
-
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
- resourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+ accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider();
+ accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+
+ accessToken.AccessTokenSigningKey = CreateRSA();
- return resourceServerEncryptionKey;
+ var result = new AccessTokenResult(accessToken);
+ return result;
}
public IClientDescription GetClient(string clientIdentifier) {
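Review bot: `accessToken.AccessTokenSigningKey = CreateRSA();` constructs a fresh `RSACryptoServiceProvider` and re-imports the private key on every access-token request, where the removed `AsymmetricTokenSigningPrivateKey` static did that once; the new `ResourceServerEncryptionKey` instance is likewise created per call. Both are `IDisposable` and nothing in this method disposes them, so unless the library disposes the keys carried by `AccessTokenResult`, every minted token leaves two CSP handles to the finalizer. Restoring the static for the signing key limits the per-request work to the encryption key: `private static readonly RSACryptoServiceProvider AsymmetricTokenSigningPrivateKey = CreateRSA();` and `accessToken.AccessTokenSigningKey = AsymmetricTokenSigningPrivateKey;`. The `//// TODO: code here` for shortening the lifetime to the authorization's remaining life is carried over unchanged, so, as the comment itself notes, nothing yet bounds the two-minute token by the authorization it was issued under.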
@@ -84,11 +78,15 @@
return this.IsAuthorizationValid(authorization.Scope, authorization.ClientIdentifier, authorization.UtcIssued, authorization.User);
}
- public bool IsResourceOwnerCredentialValid(string userName, string password) {
+ public bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName) {
// This web site delegates user authentication to OpenID Providers, and as such no users have local passwords with this server.
throw new NotSupportedException();
}
+ public bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+ throw new NotImplementedException();
+ }
+
#endregion
public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) {
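Review bot: `TryAuthorizeClientCredentialsGrant` throws `NotImplementedException`, so a client_credentials token request faults the host callback instead of being denied; how the library surfaces a host exception is outside this diff, but a `Try*` method is expected to return `false` for a grant it does not authorize. Since this site delegates authentication elsewhere (per the comment in the method above), the deny path is the safe one: `// This sample does not support the client credentials grant.` followed by `return false;`. `TryAuthorizeResourceOwnerCredentialGrant` keeps the pre-existing `NotSupportedException`; if both grant types are intentionally unsupported, the two methods should at least fail the same way so operators see one consistent behavior.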
@@ -120,7 +118,7 @@
/// Creates the RSA key used by all the crypto service provider instances we create.
/// </summary>
/// <returns>RSA data that includes the private key.</returns>
- private static RSAParameters CreateRSAKey() {
+ private static RSAParameters CreateAuthorizationServerSigningKey() {
#if SAMPLESONLY
// Since the sample authorization server and the sample resource server must work together,
// we hard-code a FOR SAMPLE USE ONLY key pair. The matching public key information is hard-coded into the OAuthResourceServer sample.
@@ -155,7 +153,7 @@
private static RSACryptoServiceProvider CreateRSA() {
var rsa = new RSACryptoServiceProvider();
- rsa.ImportParameters(CreateRSAKey());
+ rsa.ImportParameters(CreateAuthorizationServerSigningKey());
return rsa;
}