authorAndrew Arnott <andrewarnott@gmail.com>2009-11-12 23:52:27 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2009-11-12 23:52:27 -0800
commit6c7a41277312bfc42aabf5ecbe5fc58e99243f37 (patch)
treeaa432a97b2c7db8532939fd43c7faccca62e2488 /projecttemplates/WebFormsRelyingParty/Members
parentf7c578cc7c7713de3348a839d0d9caeba643a33d (diff)
downloadDotNetOpenAuth-6c7a41277312bfc42aabf5ecbe5fc58e99243f37.zip
DotNetOpenAuth-6c7a41277312bfc42aabf5ecbe5fc58e99243f37.tar.gz
DotNetOpenAuth-6c7a41277312bfc42aabf5ecbe5fc58e99243f37.tar.bz2
Fixed a bunch of bugs in the project template's OAuth service provider (SP) implementation.
Diffstat (limited to 'projecttemplates/WebFormsRelyingParty/Members')
-rw-r--r--projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx84
-rw-r--r--projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs26
-rw-r--r--projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.designer.cs81
3 files changed, 161 insertions, 30 deletions
diff --git a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx
index 3106b7a..349ac0a 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx
+++ b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx
@@ -5,35 +5,63 @@
<h2>
Client authorization
</h2>
- <p>
- The
- <asp:Label ID="consumerNameLabel" runat="server" Text="(app name)" />
- application is requesting to access the private data in your account here. Is that
- alright with you?
- </p>
- <div style="display: none" id="responseButtonsDiv">
- <asp:Button ID="yesButton" runat="server" Text="Yes" OnClick="yesButton_Click" />
- <asp:Button ID="noButton" runat="server" Text="No" OnClick="noButton_Click" />
- <asp:HiddenField runat="server" ID="csrfCheck" EnableViewState="false" />
- </div>
- <div id="javascriptDisabled">
- <b>Javascript appears to be disabled in your browser. </b>This page requires Javascript
- to be enabled to better protect your security.
- </div>
+ <asp:MultiView runat="server" ID="outerMultiView" ActiveViewIndex="0">
+ <asp:View runat="server" ID="getPermissionView">
+ <div style="background-color: Yellow">
+ <b>Warning</b>: Never give your login credentials to another web site or application.
+ </div>
+ <p>
+ The
+ <asp:Label ID="consumerNameLabel" runat="server" Text="(app name)" />
+ application is requesting to access the private data in your account here. Is that
+ alright with you?
+ </p>
+ <p>
+ If you grant access now, you can revoke it at any time by returning to this page.
+ </p>
+ <div style="display: none" id="responseButtonsDiv">
+ <asp:Button ID="yesButton" runat="server" Text="Yes" OnClick="yesButton_Click" />
+ <asp:Button ID="noButton" runat="server" Text="No" OnClick="noButton_Click" />
+ <asp:HiddenField runat="server" ID="csrfCheck" EnableViewState="false" />
+ </div>
+ <div id="javascriptDisabled">
+ <b>Javascript appears to be disabled in your browser. </b>This page requires Javascript
+ to be enabled to better protect your security.
+ </div>
+ <asp:Panel runat="server" BackColor="Red" ForeColor="White" Font-Bold="true" Visible="false" ID="OAuth10ConsumerWarning">
+ This website is registered with service_PROVIDER_DOMAIN_NAME to make authorization requests, but has not been configured to send requests securely. If you grant access but you did not initiate this request at consumer_DOMAIN_NAME, it may be possible for other users of consumer_DOMAIN_NAME to access your data. We recommend you deny access unless you are certain that you initiated this request directly with consumer_DOMAIN_NAME.
+ </asp:Panel>
- <script language="javascript" type="text/javascript">
- //<![CDATA[
- // we use HTML to hide the action buttons and Javascript to show them
- // to protect against click-jacking in an iframe whose javascript is disabled.
- document.getElementById('responseButtonsDiv').style.display = 'block';
- document.getElementById('javascriptDisabled').style.display = 'none';
+ <script language="javascript" type="text/javascript">
+ //<![CDATA[
+ // we use HTML to hide the action buttons and Javascript to show them
+ // to protect against click-jacking in an iframe whose javascript is disabled.
+ document.getElementById('responseButtonsDiv').style.display = 'block';
+ document.getElementById('javascriptDisabled').style.display = 'none';
- // Frame busting code (to protect us from being hosted in an iframe).
- // This protects us from click-jacking.
- if (document.location !== window.top.location) {
- window.top.location = document.location;
- }
- //]]>
- </script>
+ // Frame busting code (to protect us from being hosted in an iframe).
+ // This protects us from click-jacking.
+ if (document.location !== window.top.location) {
+ window.top.location = document.location;
+ }
+ //]]>
+ </script>
+ </asp:View>
+ <asp:View ID="authorizationGrantedView" runat="server">
+ <p>Authorization has been granted.</p>
+ <asp:MultiView runat="server" ID="verifierMultiView" ActiveViewIndex="0">
+ <asp:View ID="verificationCodeView" runat="server">
+ <p>You must enter this verification code at the Consumer: <asp:Label runat="server"
+ ID="verificationCodeLabel" /> </p>
+ </asp:View>
+ <asp:View ID="noCallbackView" runat="server">
+ <p>You may now close this window and return to the Consumer. </p>
+ </asp:View>
+ </asp:MultiView>
+ </asp:View>
+ <asp:View ID="authorizationDeniedView" runat="server">
+ <p>Authorization has been denied. You're free to do whatever now. </p>
+ </asp:View>
+ </asp:MultiView>
</asp:Content>
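Review bot: The new OAuth10ConsumerWarning panel renders the literal tokens `service_PROVIDER_DOMAIN_NAME` and `consumer_DOMAIN_NAME` to the user; nothing in this hunk or in the code-behind hunk substitutes them, so the one warning shown to a user in the riskiest (1.0, no callback) case reads as template junk. Bind them instead, e.g. `<asp:Label runat="server" ID="consumerDomainLabel" />` inside the panel, populated from the same HtmlEncode'd `PendingAuthorizationConsumer.Name` that already feeds consumerNameLabel, and `Request.Url.Host` for the provider side. The new sentence "you can revoke it at any time by returning to this page" is not supported by the code-behind, which redirects to `~/` whenever there is no pending request and offers no revocation UI; drop it or point at a real revocation page. The frame-busting script is unchanged from before, but it can presumably be defeated by a hostile parent (e.g. by suppressing the top-level navigation), so emitting an `X-Frame-Options: DENY` header from the page would be a cheap second layer alongside the JavaScript.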
diff --git a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
index 4ffb9b8..2969d7c 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
+++ b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
@@ -18,24 +18,46 @@ namespace WebFormsRelyingParty.Members {
public partial class OAuthAuthorize : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
- if (OAuthServiceProvider.PendingAuthorizationRequest == null) {
+ var pendingRequest = OAuthServiceProvider.PendingAuthorizationRequest;
+ if (pendingRequest == null) {
Response.Redirect("~/");
}
this.csrfCheck.Value = Utilities.SetCsrfCookie();
this.consumerNameLabel.Text = HttpUtility.HtmlEncode(OAuthServiceProvider.PendingAuthorizationConsumer.Name);
+ OAuth10ConsumerWarning.Visible = pendingRequest.IsUnsafeRequest;
} else {
Utilities.VerifyCsrfCookie(this.csrfCheck.Value);
}
}
protected void yesButton_Click(object sender, EventArgs e) {
+ outerMultiView.SetActiveView(authorizationGrantedView);
+
+ var consumer = OAuthServiceProvider.PendingAuthorizationConsumer;
+ var tokenManager = OAuthServiceProvider.ServiceProvider.TokenManager;
+ var pendingRequest = OAuthServiceProvider.PendingAuthorizationRequest;
+ ITokenContainingMessage requestTokenMessage = pendingRequest;
+ var requestToken = tokenManager.GetRequestToken(requestTokenMessage.Token);
+
OAuthServiceProvider.AuthorizePendingRequestToken();
+
+ // The rest of this method only executes if we couldn't automatically
+ // redirect to the consumer.
+ if (pendingRequest.IsUnsafeRequest) {
+ verifierMultiView.SetActiveView(noCallbackView);
+ } else {
+ verifierMultiView.SetActiveView(verificationCodeView);
+ string verifier = ServiceProvider.CreateVerificationCode(consumer.VerificationCodeFormat, consumer.VerificationCodeLength);
+ verificationCodeLabel.Text = verifier;
+ requestToken.VerificationCode = verifier;
+ tokenManager.UpdateToken(requestToken);
+ }
}
protected void noButton_Click(object sender, EventArgs e) {
+ outerMultiView.SetActiveView(authorizationDeniedView);
OAuthServiceProvider.PendingAuthorizationRequest = null;
- Response.Redirect("~/");
}
}
}
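Review bot: The null guard on `PendingAuthorizationRequest` only runs on the initial GET, so a postback after the session entry has been cleared (expired, or the user already answered in another tab) reaches `yesButton_Click`, where `ITokenContainingMessage requestTokenMessage = pendingRequest;` followed by `requestTokenMessage.Token` and `pendingRequest.IsUnsafeRequest` will throw a NullReferenceException instead of redirecting. Hoist the check above `if (!IsPostBack)`: `var pendingRequest = OAuthServiceProvider.PendingAuthorizationRequest; if (pendingRequest == null) { Response.Redirect("~/"); return; }` and keep the CSRF verification after it. Minor: `verificationCodeLabel.Text = verifier;` is not HtmlEncode'd, unlike consumerNameLabel on the line above it in Page_Load; the verifier is generated server-side from the consumer's configured format so this is probably benign, but encoding it keeps the two consistent. The comment "only executes if we couldn't automatically redirect" relies on `AuthorizePendingRequestToken` ending the response, which is outside this hunk and worth confirming.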
diff --git a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.designer.cs b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.designer.cs
index 719a853..3b41f3c 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.designer.cs
+++ b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.designer.cs
@@ -14,6 +14,24 @@ namespace WebFormsRelyingParty.Members {
public partial class OAuthAuthorize {
/// <summary>
+ /// outerMultiView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.MultiView outerMultiView;
+
+ /// <summary>
+ /// getPermissionView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.View getPermissionView;
+
+ /// <summary>
/// consumerNameLabel control.
/// </summary>
/// <remarks>
@@ -48,5 +66,68 @@ namespace WebFormsRelyingParty.Members {
/// To modify move field declaration from designer file to code-behind file.
/// </remarks>
protected global::System.Web.UI.WebControls.HiddenField csrfCheck;
+
+ /// <summary>
+ /// OAuth10ConsumerWarning control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.Panel OAuth10ConsumerWarning;
+
+ /// <summary>
+ /// authorizationGrantedView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.View authorizationGrantedView;
+
+ /// <summary>
+ /// verifierMultiView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.MultiView verifierMultiView;
+
+ /// <summary>
+ /// verificationCodeView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.View verificationCodeView;
+
+ /// <summary>
+ /// verificationCodeLabel control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.Label verificationCodeLabel;
+
+ /// <summary>
+ /// noCallbackView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.View noCallbackView;
+
+ /// <summary>
+ /// authorizationDeniedView control.
+ /// </summary>
+ /// <remarks>
+ /// Auto-generated field.
+ /// To modify move field declaration from designer file to code-behind file.
+ /// </remarks>
+ protected global::System.Web.UI.WebControls.View authorizationDeniedView;
}
}