author | Andrew Arnott <andrewarnott@gmail.com> | 2009-11-10 16:26:21 -0800 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-11-10 16:26:21 -0800 |
commit | 5d4d80b4a83bb9d6af62cc5f6d78f6f7e541e67d (patch) | |
tree | 2a64b2060fb3ec37a1b263f91f2aa92bad44f1e4 | |
parent | 1fc942e7cefa847a919ae7c4ce424797c438a011 (diff) | |
Fixed up roles, and restricted OAuth tokens from providing access to sensitive user pages.
-rw-r--r-- | projecttemplates/WebFormsRelyingParty/Members/Web.config | 9 | ||||
-rw-r--r-- | projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs | 17 |
2 files changed, 24 insertions, 2 deletions
diff --git a/projecttemplates/WebFormsRelyingParty/Members/Web.config b/projecttemplates/WebFormsRelyingParty/Members/Web.config
index aafc323..f95a16d 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/Web.config
+++ b/projecttemplates/WebFormsRelyingParty/Members/Web.config
@@ -15,4 +15,13 @@
 <deny users="?" />
 </authorization>
 </system.web>
+
+ <!-- Protect certain user pages from delegated (OAuth) clients. -->
+ <location path="AccountInfo.aspx">
+ <system.web>
+ <authorization>
+ <deny roles="delegated" />
+ </authorization>
+ </system.web>
+ </location>
 </configuration>
diff --git a/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
index ee254ac..e47a9de 100644
--- a/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
+++ b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
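Review bot: The new `<location path="AccountInfo.aspx">` block is a deny-list that protects exactly one page, so every other sensitive page under Members remains reachable with a delegated token until someone remembers to add it here; if most pages in this directory are not meant for OAuth clients, the safer default is a directory-wide `<deny roles="delegated" />` in the existing `<authorization>` element above, with `<location>` `<allow>` entries only for the pages delegated clients may use, so that newly added pages are closed by default. The role name `delegated` is a bare string that has to agree with `roles.Add("delegated")` in Model.IssuedAccessToken.cs, and a rename on either side silently re-opens the page, so the comment should point at the producer: `<!-- "delegated" must match the role added in Model.IssuedAccessToken.cs (IServiceProviderAccessToken.Roles). -->`. The directory's `<allow>` rules that precede `<deny users="?" />` start above the hunk, so the combined effect of the rules is inferred rather than visible.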
@@ -6,21 +6,34 @@ using DotNetOpenAuth.OAuth.ChannelElements;
 public partial class IssuedAccessToken : IServiceProviderAccessToken {
+ /// <summary>
+ /// Gets the roles that the OAuth principal should belong to.
+ /// </summary>
+ /// <value>
+ /// The roles that the user belongs to, or a subset of these according to the rights
+ /// granted when the user authorized the request token.
+ /// </value>
 string[] IServiceProviderAccessToken.Roles {
 get {
 List<string> roles = new List<string>();
 // Include the roles the user who authorized this OAuth token has.
- // TODO: code here
+ roles.AddRange(this.User.Roles.Select(r => r.Name));
 // Always add an extra role to indicate this is an OAuth-authorized request.
 // This allows us to deny access to account management pages to OAuth requests.
- roles.Add("OAuthToken");
+ roles.Add("delegated");
 return roles.ToArray();
 }
 }
+ /// <summary>
+ /// Gets the username of the principal that will be impersonated by this access token.
+ /// </summary>
+ /// <value>
+ /// The name of the user who authorized the OAuth request token originally.
+ /// </value>
 string IServiceProviderAccessToken.Username {
 get {
 // We don't really have the concept of a single username, but we |