Split up issued tokens into request and access token types.

1 files changed, 33 insertions, 0 deletions

diff --git a/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
new file mode 100644
index 0000000..ee254ac
--- /dev/null
+++ b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
@@ -0,0 +1,33 @@
+namespace WebFormsRelyingParty {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Web;
+	using DotNetOpenAuth.OAuth.ChannelElements;
+
+	public partial class IssuedAccessToken : IServiceProviderAccessToken {
+		string[] IServiceProviderAccessToken.Roles {
+			get {
+				List<string> roles = new List<string>();
+
+				// Include the roles the user who authorized this OAuth token has.
+				// TODO: code here
+
+				// Always add an extra role to indicate this is an OAuth-authorized request.
+				// This allows us to deny access to account management pages to OAuth requests.
+				roles.Add("OAuthToken");
+
+				return roles.ToArray();
+			}
+		}
+
+		string IServiceProviderAccessToken.Username {
+			get {
+				// We don't really have the concept of a single username, but we
+				// can use any of the authentication tokens instead since that
+				// is what the rest of the web site expects.
+				return this.User.AuthenticationTokens.First().ClaimedIdentifier;
+			}
+		}
+	}
+}