author | Andrew Arnott <andrewarnott@gmail.com> | 2009-08-21 09:40:59 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-08-21 09:40:59 -0700 |
commit | 85504a02bf8ca2252fbb8946aa074487e28e5342 (patch) | |
tree | 4024dcc291c7470882756c9dbbd2632c735e6fe8 | |
parent | a2bc2163b1741845df8eaf1e6216e74a8a70a278 (diff) | |
Fixed bug in OAuth Service Provider WCF sample where the service was using the identity of the logged in user rather than the identity authenticated by the service (OAuth) to look up the data.
Resolves trac #114. Thanks Steven L-P for reporting this!
3 files changed, 43 insertions, 5 deletions
diff --git a/samples/OAuthServiceProvider/App_Code/DataApi.cs b/samples/OAuthServiceProvider/App_Code/DataApi.cs
index 00876f6..d5adb10 100644
--- a/samples/OAuthServiceProvider/App_Code/DataApi.cs
+++ b/samples/OAuthServiceProvider/App_Code/DataApi.cs
@@ -7,20 +7,25 @@ using System.ServiceModel;
 /// <remarks>
 /// Note how there is no code here that is bound to OAuth or any other
 /// credential/authorization scheme. That's all part of the channel/binding elsewhere.
-/// And the reference to Global.LoggedInUser is the user being impersonated by the WCF client.
+/// And the reference to OperationContext.Current.ServiceSecurityContext.PrimaryIdentity
+/// is the user being impersonated by the WCF client.
 /// In the OAuth case, it is the user who authorized the OAuth access token that was used
 /// to gain access to the service.
 /// </remarks>
 public class DataApi : IDataApi {
+	private User User {
+		get { return OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.GetUser(); }
+	}
+
 	public int? GetAge() {
-		return Global.LoggedInUser.Age;
+		return User.Age;
 	}
 
 	public string GetName() {
-		return Global.LoggedInUser.FullName;
+		return User.FullName;
 	}
 
 	public string[] GetFavoriteSites() {
-		return Global.LoggedInUser.FavoriteSites.Select(site => site.SiteUrl).ToArray();
+		return User.FavoriteSites.Select(site => site.SiteUrl).ToArray();
 	}
 }
diff --git a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
index 1ec2cb5..8589932 100644
--- a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
+++ b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IdentityModel.Policy;
 using System.Linq;
+using System.Security.Principal;
 using System.ServiceModel;
 using System.ServiceModel.Channels;
 using System.ServiceModel.Security;
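Review bot: The new `User` property can yield null — the `GetUser()` extension added in this commit returns null for an anonymous identity or an unknown user — so the three `return User.…` lines would fail with a NullReferenceException (surfacing as an opaque WCF fault) instead of a deliberate, explicit rejection. `OperationContext.Current` and its `ServiceSecurityContext` may presumably also be null when the class is used outside an operation, which would fail the same way. I would have the property fail closed with a clear exception so that an unresolved identity is never mistaken for a coding error; `FaultException` is already in scope via `using System.ServiceModel;`. The whole class is inside the hunk.
```csharp
	private User User {
		get {
			var user = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.GetUser();
			if (user == null) {
				throw new FaultException("The caller does not map to a known, authenticated user.");
			}

			return user;
		}
	}

	// … unchanged: GetAge, GetName, GetFavoriteSites …
```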
@@ -27,10 +28,12 @@ public class OAuthAuthorizationManager : ServiceAuthorizationManager {
 			if (auth != null) {
 				var accessToken = Global.DataContext.OAuthTokens.Single(token => token.Token == auth.AccessToken);
 
-				var policy = new OAuthPrincipalAuthorizationPolicy(sp.CreatePrincipal(auth));
+				var principal = sp.CreatePrincipal(auth);
+				var policy = new OAuthPrincipalAuthorizationPolicy(principal);
 				var policies = new List<IAuthorizationPolicy> {
 					policy,
 				};
+
 				var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
 				if (operationContext.IncomingMessageProperties.Security != null) {
 					operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
@@ -40,6 +43,10 @@ public class OAuthAuthorizationManager : ServiceAuthorizationManager {
 					};
 				}
 
+				securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
+					principal.Identity,
+				};
+
 				// Only allow this method call if the access token scope permits it.
 				string[] scopes = accessToken.Scope.Split('|');
 				if (scopes.Contains(operationContext.IncomingMessageHeaders.Action)) {
diff --git a/samples/OAuthServiceProvider/App_Code/Utilities.cs b/samples/OAuthServiceProvider/App_Code/Utilities.cs
new file mode 100644
index 0000000..2c25fe8
--- /dev/null
+++ b/samples/OAuthServiceProvider/App_Code/Utilities.cs
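Review bot: The `Properties["Identities"]` assignment in the second hunk (@@ -40) is the line the whole fix rests on, yet nothing explains why it is needed; as far as I recall, WCF resolves `ServiceSecurityContext.PrimaryIdentity` from that entry of the AuthorizationContext, so without it DataApi's lookup would see an anonymous identity rather than the OAuth-authorized user. I would add `// WCF resolves ServiceSecurityContext.PrimaryIdentity from the "Identities" entry; DataApi's user lookup depends on this being set.` directly above it, and declare the key as a `const string` instead of a bare literal. The assignment also sits after the context has already been installed into the operation's security property in the first hunk; that works because the same instance is referenced, but placing it next to the `new ServiceSecurityContext(...)` line would make the dependency obvious to a reader. The enclosing method starts and ends outside both hunks.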
@@ -0,0 +1,26 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Principal;
+using System.Web;
+
+/// <summary>
+/// Extension methods and other helpful utility methods.
+/// </summary>
+public static class Utilities {
+	/// <summary>
+	/// Gets the database entity representing the user identified by a given <see cref="IIdentity"/> instance.
+	/// </summary>
+	/// <param name="identity">The identity of the user.</param>
+	/// <returns>
+	/// The database object for that user; or <c>null</c> if the user could not
+	/// be found or if <paramref name="identity"/> is <c>null</c> or represents an anonymous identity.
+	/// </returns>
+	public static User GetUser(this IIdentity identity) {
+		if (identity == null || !identity.IsAuthenticated) {
+			return null;
+		}
+
+		return Global.DataContext.Users.SingleOrDefault(user => user.OpenIDClaimedIdentifier == identity.Name);
+	}
+}
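Review bot: `GetUser` treats `identity.Name` as an OpenID claimed identifier, but it is an extension on every `IIdentity`, so an authenticated identity from another scheme whose `Name` is not a claimed identifier would silently return null or, on a name collision, a different user. The doc comment should state that assumption, e.g. `/// <remarks>Assumes <paramref name="identity"/>.Name is the OpenID claimed identifier of the user, as is the case for the identity set by the OAuth authorization manager.</remarks>`, or the lookup should be restricted to the identity type the OAuth channel produces. `SingleOrDefault` also throws `InvalidOperationException` if two users share a claimed identifier, which is a reasonable fail-closed outcome but belongs in an `<exception>` tag so callers know to expect it.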