7 files changed, 126 insertions, 83 deletions

diff --git a/src/OAuth/OAuthAuthorizationServer/Code/Client.cs b/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
index 0013f27..cf5ea59 100644
--- a/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
+++ b/src/OAuth/OAuthAuthorizationServer/Code/Client.cs
@@ -1,7 +1,7 @@
 namespace OAuthAuthorizationServer.Code {
 	using System;
 	using System.Collections.Generic;
-
+	using DotNetOpenAuth.Messaging;
 	using DotNetOpenAuth.OAuth2;
 
 	/// <summary>
@@ -11,13 +11,6 @@
 		#region IConsumerDescription Members
 
 		/// <summary>
-		/// Gets the client secret.
-		/// </summary>
-		string IClientDescription.Secret {
-			get { return this.ClientSecret; }
-		}
-
-		/// <summary>
 		/// Gets the callback to use when an individual authorization request
 		/// does not include an explicit callback URI.
 		/// </summary>
@@ -36,6 +29,13 @@
 		}
 
 		/// <summary>
+		/// Gets a value indicating whether a non-empty secret is registered for this client.
+		/// </summary>
+		bool IClientDescription.HasNonEmptySecret {
+			get { return !string.IsNullOrEmpty(this.ClientSecret); }
+		}
+
+		/// <summary>
 		/// Determines whether a callback URI included in a client's authorization request
 		/// is among those allowed callbacks for the registered client.
 		/// </summary>
@@ -59,6 +59,19 @@
 			return false;
 		}
 
+		/// <summary>
+		/// Checks whether the specified client secret is correct.
+		/// </summary>
+		/// <param name="secret">The secret obtained from the client.</param>
+		/// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
+		/// <remarks>
+		/// All string equality checks, whether checking secrets or their hashes,
+		/// should be done using <see cref="MessagingUtilities.EqualsConstantTime"/> to mitigate timing attacks.
+		/// </remarks>
+		bool IClientDescription.IsValidClientSecret(string secret) {
+			return MessagingUtilities.EqualsConstantTime(secret, this.ClientSecret);
+		}
+
 		#endregion
 	}
 }
\ No newline at end of file
diff --git a/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index b837d4c..eb7f1f5 100644
--- a/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/src/OAuth/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -10,9 +10,7 @@
 	using DotNetOpenAuth.OAuth2.ChannelElements;
 	using DotNetOpenAuth.OAuth2.Messages;
 
-	internal class OAuth2AuthorizationServer : IAuthorizationServer {
-		private static readonly RSACryptoServiceProvider AsymmetricTokenSigningPrivateKey = CreateRSA();
-
+	internal class OAuth2AuthorizationServer : IAuthorizationServerHost {
 #if SAMPLESONLY
 		/// <summary>
 		/// This is the FOR SAMPLE ONLY hard-coded public key of the complementary OAuthResourceServer sample.
@@ -31,43 +29,39 @@
 		private static readonly RSAParameters ResourceServerEncryptionPublicKey;
 #endif
 
-		#region Implementation of IAuthorizationServer
+		#region Implementation of IAuthorizationServerHost
 
 		public ICryptoKeyStore CryptoKeyStore {
 			get { return MvcApplication.KeyNonceStore; }
 		}
 
-		public INonceStore VerificationCodeNonceStore {
+		public INonceStore NonceStore {
 			get { return MvcApplication.KeyNonceStore; }
 		}
 
-		public RSACryptoServiceProvider AccessTokenSigningKey {
-			get { return AsymmetricTokenSigningPrivateKey; }
-		}
+		public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage) {
+			var accessToken = new AuthorizationServerAccessToken();
 
-		public TimeSpan GetAccessTokenLifetime(IAccessTokenRequest accessTokenRequestMessage) {
 			// Just for the sake of the sample, we use a short-lived token.  This can be useful to mitigate the security risks
 			// of access tokens that are used over standard HTTP.
 			// But this is just the lifetime of the access token.  The client can still renew it using their refresh token until
 			// the authorization itself expires.
-			TimeSpan lifetime = TimeSpan.FromMinutes(2);
+			accessToken.Lifetime = TimeSpan.FromMinutes(2);
 
 			// Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
 			// to account for that if necessary.
 			//// TODO: code here
 
-			return lifetime;
-		}
-
-		public RSACryptoServiceProvider GetResourceServerEncryptionKey(IAccessTokenRequest accessTokenRequestMessage) {
-			var resourceServerEncryptionKey = new RSACryptoServiceProvider();
-
 			// For this sample, we assume just one resource server.
 			// If this authorization server needs to mint access tokens for more than one resource server,
 			// we'd look at the request message passed to us and decide which public key to return.
-			resourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+			accessToken.ResourceServerEncryptionKey = new RSACryptoServiceProvider();
+			accessToken.ResourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+
+			accessToken.AccessTokenSigningKey = CreateRSA();
 
-			return resourceServerEncryptionKey;
+			var result = new AccessTokenResult(accessToken);
+			return result;
 		}
 
 		public IClientDescription GetClient(string clientIdentifier) {
@@ -84,11 +78,15 @@
 			return this.IsAuthorizationValid(authorization.Scope, authorization.ClientIdentifier, authorization.UtcIssued, authorization.User);
 		}
 
-		public bool IsResourceOwnerCredentialValid(string userName, string password) {
+		public bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName) {
 			// This web site delegates user authentication to OpenID Providers, and as such no users have local passwords with this server.
 			throw new NotSupportedException();
 		}
 
+		public bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+			throw new NotImplementedException();
+		}
+
 		#endregion
 
 		public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) {
@@ -120,7 +118,7 @@
 		/// Creates the RSA key used by all the crypto service provider instances we create.
 		/// </summary>
 		/// <returns>RSA data that includes the private key.</returns>
-		private static RSAParameters CreateRSAKey() {
+		private static RSAParameters CreateAuthorizationServerSigningKey() {
 #if SAMPLESONLY
 			// Since the sample authorization server and the sample resource server must work together,
 			// we hard-code a FOR SAMPLE USE ONLY key pair.  The matching public key information is hard-coded into the OAuthResourceServer sample.
@@ -155,7 +153,7 @@
 
 		private static RSACryptoServiceProvider CreateRSA() {
 			var rsa = new RSACryptoServiceProvider();
-			rsa.ImportParameters(CreateRSAKey());
+			rsa.ImportParameters(CreateAuthorizationServerSigningKey());
 			return rsa;
 		}
 
diff --git a/src/OAuth/OAuthAuthorizationServer/Controllers/HomeController.cs b/src/OAuth/OAuthAuthorizationServer/Controllers/HomeController.cs
index d6dd144..685b4e7 100644
--- a/src/OAuth/OAuthAuthorizationServer/Controllers/HomeController.cs
+++ b/src/OAuth/OAuthAuthorizationServer/Controllers/HomeController.cs
@@ -40,7 +40,7 @@
 				dc.Clients.InsertOnSubmit(new Client {
 					ClientIdentifier = "sampleImplicitConsumer",
 					Name = "Some sample client used for implicit grants (no secret)",
-					Callback = "http://localhost:59721/",
+					Callback = "http://localhost:59722/",
 				});
 
 				dc.SubmitChanges();
diff --git a/src/OAuth/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj b/src/OAuth/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
index f148eca..77446a7 100644
--- a/src/OAuth/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
+++ b/src/OAuth/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj
@@ -1,23 +1,30 @@
 <?xml version="1.0" encoding="utf-8"?>

 <Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

   <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), EnlistmentInfo.props))\EnlistmentInfo.props" Condition=" '$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), EnlistmentInfo.props))' != '' " />

+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />

+  <PropertyGroup>

+    <VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">10.0</VisualStudioVersion>

+    <VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>

+    <IISExpressSSLPort />

+    <IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>

+    <IISExpressWindowsAuthentication>disabled</IISExpressWindowsAuthentication>

+    <IISExpressUseClassicPipelineMode>false</IISExpressUseClassicPipelineMode>

+    <SolutionDir Condition="$(SolutionDir) == '' Or $(SolutionDir) == '*Undefined*'">..\..\..\</SolutionDir>

+    <RestorePackages>true</RestorePackages>

+  </PropertyGroup>

   <PropertyGroup>

     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>

     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>

-    <ProductVersion>

-    </ProductVersion>

     <SchemaVersion>2.0</SchemaVersion>

     <ProjectGuid>{C78E8235-1D46-43EB-A912-80B522C4E9AE}</ProjectGuid>

-    <ProjectTypeGuids>{F85E285D-A4E0-4152-9332-AB1D724D3325};{349c5851-65df-11da-9384-00065b846f21};{fae04ec0-301f-11d3-bf4b-00c04f79efbc}</ProjectTypeGuids>

+    <ProjectTypeGuids>{E53F8FEA-EAE0-44A6-8774-FFD645390401};{349c5851-65df-11da-9384-00065b846f21};{fae04ec0-301f-11d3-bf4b-00c04f79efbc}</ProjectTypeGuids>

     <OutputType>Library</OutputType>

     <AppDesignerFolder>Properties</AppDesignerFolder>

     <RootNamespace>OAuthAuthorizationServer</RootNamespace>

     <AssemblyName>OAuthAuthorizationServer</AssemblyName>

     <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>

     <MvcBuildViews>false</MvcBuildViews>

-    <UseIISExpress>false</UseIISExpress>

-    <SolutionDir Condition="$(SolutionDir) == '' Or $(SolutionDir) == '*Undefined*'">..\..\..\</SolutionDir>

-    <RestorePackages>true</RestorePackages>

+    <UseIISExpress>true</UseIISExpress>

   </PropertyGroup>

   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">

     <DebugSymbols>true</DebugSymbols>

@@ -38,19 +45,31 @@
   </PropertyGroup>

   <ItemGroup>

     <Reference Include="DotNetOpenAuth.Core">

-      <HintPath>..\..\..\packages\DotNetOpenAuth.Core.4.0.0.12084\lib\net40-full\DotNetOpenAuth.Core.dll</HintPath>

+      <HintPath>..\..\..\packages\DotNetOpenAuth.Core.4.1.0.12182\lib\net40-full\DotNetOpenAuth.Core.dll</HintPath>

+    </Reference>

+    <Reference Include="DotNetOpenAuth.Core.UI">

+      <HintPath>..\..\..\packages\DotNetOpenAuth.Core.UI.4.1.0.12182\lib\net40-full\DotNetOpenAuth.Core.UI.dll</HintPath>

     </Reference>

     <Reference Include="DotNetOpenAuth.OAuth2">

-      <HintPath>..\..\..\packages\DotNetOpenAuth.OAuth2.Core.0.23.0-draft2\lib\net40-full\DotNetOpenAuth.OAuth2.dll</HintPath>

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OAuth2.Core.0.25.0-draft1\lib\net40-full\DotNetOpenAuth.OAuth2.dll</HintPath>

     </Reference>

     <Reference Include="DotNetOpenAuth.OAuth2.AuthorizationServer">

-      <HintPath>..\..\..\packages\DotNetOpenAuth.OAuth2.AuthorizationServer.0.23.0-draft2\lib\net40-full\DotNetOpenAuth.OAuth2.AuthorizationServer.dll</HintPath>

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OAuth2.AuthorizationServer.0.25.0-draft1\lib\net40-full\DotNetOpenAuth.OAuth2.AuthorizationServer.dll</HintPath>

+    </Reference>

+    <Reference Include="DotNetOpenAuth.OAuth2.ClientAuthorization">

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OAuth2.ClientAuthorization.0.25.0-draft1\lib\net40-full\DotNetOpenAuth.OAuth2.ClientAuthorization.dll</HintPath>

     </Reference>

     <Reference Include="DotNetOpenAuth.OpenId">

-      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.Core.4.0.0.12084\lib\net40-full\DotNetOpenAuth.OpenId.dll</HintPath>

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.Core.4.1.0.12182\lib\net40-full\DotNetOpenAuth.OpenId.dll</HintPath>

     </Reference>

     <Reference Include="DotNetOpenAuth.OpenId.RelyingParty">

-      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.RelyingParty.4.0.0.12084\lib\net40-full\DotNetOpenAuth.OpenId.RelyingParty.dll</HintPath>

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.RelyingParty.4.1.0.12182\lib\net40-full\DotNetOpenAuth.OpenId.RelyingParty.dll</HintPath>

+    </Reference>

+    <Reference Include="DotNetOpenAuth.OpenId.RelyingParty.UI">

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.RelyingParty.UI.4.1.0.12182\lib\net40-full\DotNetOpenAuth.OpenId.RelyingParty.UI.dll</HintPath>

+    </Reference>

+    <Reference Include="DotNetOpenAuth.OpenId.UI">

+      <HintPath>..\..\..\packages\DotNetOpenAuth.OpenId.Core.UI.4.1.0.12182\lib\net40-full\DotNetOpenAuth.OpenId.UI.dll</HintPath>

     </Reference>

     <Reference Include="log4net">

       <HintPath>..\..\..\packages\log4net.2.0.0\lib\net40-full\log4net.dll</HintPath>

@@ -72,7 +91,7 @@
     <Reference Include="System.Data.DataSetExtensions">

       <RequiredTargetFramework>3.5</RequiredTargetFramework>

     </Reference>

-    <Reference Include="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />

+    <Reference Include="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />

     <Reference Include="System.Xml.Linq">

       <RequiredTargetFramework>3.5</RequiredTargetFramework>

     </Reference>

@@ -112,7 +131,9 @@
     <Content Include="Global.asax" />

     <Content Include="Views\Home\CreateDatabase.aspx" />

     <Content Include="Views\OAuth\Authorize.aspx" />

-    <Content Include="Web.config" />

+    <Content Include="Web.config">

+      <SubType>Designer</SubType>

+    </Content>

     <Content Include="Web.Debug.config">

       <DependentUpon>Web.config</DependentUpon>

     </Content>

@@ -160,10 +181,11 @@
     <Service Include="{3259AA49-8AA1-44D3-9025-A0B520596A8C}" />

   </ItemGroup>

   <Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />

-  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v10.0\WebApplications\Microsoft.WebApplication.targets" />

-  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
-       Other similar extension points exist, see Microsoft.Common.targets.
-  <Target Name="BeforeBuild">
+  <Import Project="$(VSToolsPath)\WebApplications\Microsoft.WebApplication.targets" Condition="'$(VSToolsPath)' != ''" />

+  <Import Project="$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v10.0\WebApplications\Microsoft.WebApplication.targets" Condition="false" />

+  <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 

+       Other similar extension points exist, see Microsoft.Common.targets.

+  <Target Name="BeforeBuild">

   </Target> -->

   <Target Name="AfterBuild" Condition="'$(MvcBuildViews)'=='true'">

     <AspNetCompiler VirtualPath="temp" PhysicalPath="$(ProjectDir)" />

@@ -173,11 +195,10 @@
       <FlavorProperties GUID="{349c5851-65df-11da-9384-00065b846f21}">

         <WebProjectProperties>

           <UseIIS>False</UseIIS>

-          <AutoAssignPort>True</AutoAssignPort>

+          <AutoAssignPort>False</AutoAssignPort>

           <DevelopmentServerPort>50172</DevelopmentServerPort>

           <DevelopmentServerVPath>/</DevelopmentServerVPath>

-          <IISUrl>

-          </IISUrl>

+          <IISUrl>http://localhost:17947/</IISUrl>

           <NTLMAuthentication>False</NTLMAuthentication>

           <UseCustomServer>False</UseCustomServer>

           <CustomServerUrl>

diff --git a/src/OAuth/OAuthAuthorizationServer/Views/Web.config b/src/OAuth/OAuthAuthorizationServer/Views/Web.config
index aa7a38d..c30f2ad 100644
--- a/src/OAuth/OAuthAuthorizationServer/Views/Web.config
+++ b/src/OAuth/OAuthAuthorizationServer/Views/Web.config
@@ -15,11 +15,11 @@
     -->
     <pages
         validateRequest="false"
-        pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
-        pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
-        userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
+        pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
+        pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
+        userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
       <controls>
-        <add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />
+        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />
       </controls>
     </pages>
   </system.web>
diff --git a/src/OAuth/OAuthAuthorizationServer/Web.config b/src/OAuth/OAuthAuthorizationServer/Web.config
index 1d6955f..d7ce2e3 100644
--- a/src/OAuth/OAuthAuthorizationServer/Web.config
+++ b/src/OAuth/OAuthAuthorizationServer/Web.config
@@ -5,35 +5,25 @@
   -->

 <configuration>

   <configSections>

-    <section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

     <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false" />

     <sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth.Core">

-      <section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" />

-      <section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth.OAuth" requirePermission="false" allowLocation="true" />

+      <sectionGroup name="oauth2" type="DotNetOpenAuth.Configuration.OAuth2SectionGroup, DotNetOpenAuth.OAuth2">

+        <section name="authorizationServer" type="DotNetOpenAuth.Configuration.OAuth2AuthorizationServerSection, DotNetOpenAuth.OAuth2.AuthorizationServer" requirePermission="false" allowLocation="true" />

+      </sectionGroup>

       <section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" />

       <section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" />

+      <section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" />

     </sectionGroup>

   </configSections>

   <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),

 	     which is necessary for OpenID urls with unicode characters in the domain/host name. 

 	     It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->

-  <uri>

-    <idn enabled="All" />

-    <iriParsing enabled="true" />

-  </uri>

-  <system.net>

-    <defaultProxy enabled="true" />

-    <settings>

-      <!-- This setting causes .NET to check certificate revocation lists (CRL) 

-			     before trusting HTTPS certificates.  But this setting tends to not 

-			     be allowed in shared hosting environments. -->

-      <!--<servicePointManager checkCertificateRevocationList="true"/>-->

-    </settings>

-  </system.net>

   <!-- this is an optional configuration section where aspects of dotnetopenauth can be customized -->

   <dotNetOpenAuth>

     <!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. -->

-    <reporting enabled="true" />

+    <oauth2>

+      <authorizationServer></authorizationServer>

+    </oauth2>

     <!-- Relaxing SSL requirements is useful for simple samples, but NOT a good idea in production. -->

     <messaging relaxSslRequirements="true">

       <untrustedWebRequest>

@@ -43,6 +33,7 @@
         </whitelistHosts>

       </untrustedWebRequest>

     </messaging>

+    <reporting enabled="true" />

     <openid>

       <relyingParty>

         <security requireSsl="false">

@@ -72,14 +63,14 @@
     </logger>

   </log4net>

   <connectionStrings>

-    <add name="DatabaseConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database2.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient" />

+    <add name="DatabaseConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database4.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient" />

   </connectionStrings>

   <system.web>

     <compilation debug="true" targetFramework="4.0">

       <assemblies>

         <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

         <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

-        <add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

+        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />

       </assemblies>

     </compilation>

     <authentication mode="Forms">

@@ -99,12 +90,30 @@
     <modules runAllManagedModulesForAllRequests="true" />

   </system.webServer>

   <runtime>

+    <!-- When targeting ASP.NET MVC 3, this assemblyBinding makes MVC 1 and 2 references relink

+		     to MVC 3 so libraries such as DotNetOpenAuth that compile against MVC 1 will work with it. -->

     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">

       <dependentAssembly>

         <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />

-        <bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />

+        <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" />

       </dependentAssembly>

     </assemblyBinding>

     <legacyHMACWarning enabled="0" />

   </runtime>

+  <system.net>

+    <defaultProxy enabled="true" />

+    <settings>

+      <!-- This setting causes .NET to check certificate revocation lists (CRL) 

+			     before trusting HTTPS certificates.  But this setting tends to not 

+			     be allowed in shared hosting environments. -->

+      <!--<servicePointManager checkCertificateRevocationList="true"/>-->

+    </settings>

+  </system.net>

+  <uri>

+    <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names),

+		     which is necessary for OpenID urls with unicode characters in the domain/host name.

+		     It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. -->

+    <idn enabled="All" />

+    <iriParsing enabled="true" />

+  </uri>

 </configuration>
\ No newline at end of file
diff --git a/src/OAuth/OAuthAuthorizationServer/packages.config b/src/OAuth/OAuthAuthorizationServer/packages.config
index c5d87eb..dea78e4 100644
--- a/src/OAuth/OAuthAuthorizationServer/packages.config
+++ b/src/OAuth/OAuthAuthorizationServer/packages.config
@@ -1,12 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>

 <packages>

-  <package id="CodeContracts.Unofficial" version="1.0.0.2" />

-  <package id="DotNetOpenAuth.Core" version="4.0.0.12084" />

-  <package id="DotNetOpenAuth.OAuth2.AuthorizationServer" version="0.23.0-draft" />

-  <package id="DotNetOpenAuth.OAuth2.AuthorizationServer" version="0.23.0-draft2" />

-  <package id="DotNetOpenAuth.OAuth2.Core" version="0.23.0-draft" />

-  <package id="DotNetOpenAuth.OAuth2.Core" version="0.23.0-draft2" />

-  <package id="DotNetOpenAuth.OpenId.Core" version="4.0.0.12084" />

-  <package id="DotNetOpenAuth.OpenId.RelyingParty" version="4.0.0.12084" />

-  <package id="log4net" version="2.0.0" />

+  <package id="CodeContracts.Unofficial" version="1.0.0.2" targetFramework="net40" />

+  <package id="DotNetOpenAuth.Core" version="4.1.0.12182" targetFramework="net40" />

+  <package id="DotNetOpenAuth.Core.UI" version="4.1.0.12182" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OAuth2.AuthorizationServer" version="0.25.0-draft1" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OAuth2.ClientAuthorization" version="0.25.0-draft1" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OAuth2.Core" version="0.25.0-draft1" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OpenId.Core" version="4.1.0.12182" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OpenId.Core.UI" version="4.1.0.12182" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OpenId.RelyingParty" version="4.1.0.12182" targetFramework="net40" />

+  <package id="DotNetOpenAuth.OpenId.RelyingParty.UI" version="4.1.0.12182" targetFramework="net40" />

+  <package id="log4net" version="2.0.0" targetFramework="net40" />

 </packages>
\ No newline at end of file