authorAndrew Arnott <andrewarnott@gmail.com>2011-04-08 16:53:42 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2011-04-08 16:53:42 -0700
commit3b20446a5f9530c9f7415d0874f8b19dcad83de8 (patch)
treecbc409425f32229a86fd0fac23066616c9c311a7
parent70d8fe9dfbb3f57c3b769379f5987e16f8369b98 (diff)
Applied requirement that the authorization endpoint be HTTPS, per the spec.
-rw-r--r--src/DotNetOpenAuth/OAuth2/AuthorizationServerDescription.cs2
-rw-r--r--src/DotNetOpenAuth/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs17
-rw-r--r--src/DotNetOpenAuth/OAuth2/Messages/EndUserAuthorizationRequest.cs4
3 files changed, 5 insertions, 18 deletions
diff --git a/src/DotNetOpenAuth/OAuth2/AuthorizationServerDescription.cs b/src/DotNetOpenAuth/OAuth2/AuthorizationServerDescription.cs
index 8979b23..bbad27c 100644
--- a/src/DotNetOpenAuth/OAuth2/AuthorizationServerDescription.cs
+++ b/src/DotNetOpenAuth/OAuth2/AuthorizationServerDescription.cs
@@ -37,7 +37,7 @@ namespace DotNetOpenAuth.OAuth2 {
/// Gets or sets the Authorization Server URL where the Client (re)directs the User
/// to make an authorization request.
/// </summary>
- /// <value>An HTTP or HTTPS URL.</value>
+ /// <value>An HTTPS URL.</value>
/// <remarks>
/// <para>Clients direct the resource owner to the authorization endpoint to approve their access request. Before granting access, the resource owner first authenticates with the authorization server. The way in which the authorization server authenticates the end-user (e.g. username and password login, OpenID, session cookies) and in which the authorization server obtains the end-user's authorization, including whether it uses a secure channel such as TLS/SSL, is beyond the scope of this specification. However, the authorization server MUST first verify the identity of the end-user.</para>
/// <para>The URI of the authorization endpoint can be found in the service documentation, or can be obtained by the client by making an unauthorized protected resource request (from the WWW-Authenticate response header auth-uri (The 'authorization-uri' Attribute) attribute).</para>
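Review bot: The new `<value>An HTTPS URL.</value>` on line 28 states an absolute requirement, but nothing in this hunk shows the property enforcing it, and the retained remark directly below still says that whether the authorization server uses a secure channel is beyond the spec's scope, which reads as a contradiction to a maintainer. If the enforcement is the transport check this commit adds to EndUserAuthorizationRequest.EnsureValidMessage, it is only applied when a message is validated and can be switched off by configuration, so the doc should say so rather than imply the setter rejects http. Suggest adding after the `<value>` line: `/// <remarks>The HTTPS requirement is checked when an authorization request message is validated, not when this property is set; it can be relaxed for development through the messaging configuration's RelaxSslRequirements setting.</remarks>` (folded into the existing `<remarks>` block). The retained sentence about TLS being out of scope should be qualified to say it refers to how the end user is authenticated, not to the endpoint's scheme. The AuthorizationEndpoint property's accessors are outside the hunk, so I cannot confirm what the setter does.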
diff --git a/src/DotNetOpenAuth/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs b/src/DotNetOpenAuth/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs
index 87ff8f0..475a170 100644
--- a/src/DotNetOpenAuth/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs
+++ b/src/DotNetOpenAuth/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs
@@ -37,22 +37,5 @@ namespace DotNetOpenAuth.OAuth2.Messages {
internal override GrantType GrantType {
get { return Messages.GrantType.None; }
}
-
- /// <summary>
- /// Checks the message state for conformity to the protocol specification
- /// and throws an exception if the message is invalid.
- /// </summary>
- /// <remarks>
- /// <para>Some messages have required fields, or combinations of fields that must relate to each other
- /// in specialized ways. After deserializing a message, this method checks the state of the
- /// message to see if it conforms to the protocol.</para>
- /// <para>Note that this property should <i>not</i> check signatures or perform any state checks
- /// outside this scope of this particular message.</para>
- /// </remarks>
- /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception>
- protected override void EnsureValidMessage() {
- base.EnsureValidMessage();
- ErrorUtilities.VerifyProtocol(this.Recipient.IsTransportSecure(), OAuthStrings.HttpsRequired);
- }
}
}
diff --git a/src/DotNetOpenAuth/OAuth2/Messages/EndUserAuthorizationRequest.cs b/src/DotNetOpenAuth/OAuth2/Messages/EndUserAuthorizationRequest.cs
index b5ba890..11d39d1 100644
--- a/src/DotNetOpenAuth/OAuth2/Messages/EndUserAuthorizationRequest.cs
+++ b/src/DotNetOpenAuth/OAuth2/Messages/EndUserAuthorizationRequest.cs
@@ -8,6 +8,7 @@ namespace DotNetOpenAuth.OAuth2.Messages {
using System;
using System.Collections.Generic;
using System.Diagnostics.Contracts;
+ using DotNetOpenAuth.Configuration;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2.ChannelElements;
@@ -98,6 +99,9 @@ namespace DotNetOpenAuth.OAuth2.Messages {
protected override void EnsureValidMessage() {
base.EnsureValidMessage();
+ ErrorUtilities.VerifyProtocol(
+ DotNetOpenAuthSection.Configuration.Messaging.RelaxSslRequirements || this.Recipient.IsTransportSecure(),
+ OAuthStrings.HttpsRequired);
ErrorUtilities.VerifyProtocol(this.Callback == null || this.Callback.IsAbsoluteUri, this, OAuthStrings.AbsoluteUriRequired, Protocol.redirect_uri);
}
}
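Review bot: The added check on lines 73-75 lets any deployment with `RelaxSslRequirements` set accept an authorization endpoint over plain HTTP, and nothing marks the flag as a development-only escape hatch; because EnsureValidMessage appears to run on received messages as well (it is the protocol-conformity hook, per the doc comment removed in the other file), an authorization server with that flag enabled would also accept requests addressed to a non-TLS endpoint. Add a why-comment above the call: `// The spec requires the authorization endpoint to be HTTPS. RelaxSslRequirements is a development/test override only and must stay off in production.` Separately, this commit removes the HTTPS check from AccessTokenClientCredentialsRequest.EnsureValidMessage without adding a relaxable replacement, so unless the base class or channel enforces transport security for the token endpoint (not visible here), requests carrying client credentials lose that check entirely; the commit message does not explain that removal. Minor style point: this call uses the two-argument VerifyProtocol overload while the redirect_uri check on the next line passes `this` as the message, so a failure here will not carry the offending message in the ProtocolException; consider the three-argument form for consistency.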