authorAndrew Arnott <andrewarnott@gmail.com>2012-04-21 20:11:34 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-04-21 20:11:34 -0700
commit1b6d8c2a40a019b43b252102353170380872da45 (patch)
treefb6440ce98e45fe96eee5fb8d41c67187b70d577 /projecttemplates
parent08827a078f370a0e976102e792a16095dd501b8c (diff)
Replaces ResourceServer.VerifyAccess with a better pattern for error handling.
Fixes #122
Diffstat (limited to 'projecttemplates')
-rw-r--r--projecttemplates/RelyingPartyLogic/OAuthAuthenticationModule.cs7
-rw-r--r--projecttemplates/RelyingPartyLogic/OAuthAuthorizationManager.cs39
2 files changed, 24 insertions, 22 deletions
diff --git a/projecttemplates/RelyingPartyLogic/OAuthAuthenticationModule.cs b/projecttemplates/RelyingPartyLogic/OAuthAuthenticationModule.cs
index 13e725d..148af91 100644
--- a/projecttemplates/RelyingPartyLogic/OAuthAuthenticationModule.cs
+++ b/projecttemplates/RelyingPartyLogic/OAuthAuthenticationModule.cs
@@ -53,10 +53,11 @@ namespace RelyingPartyLogic {
var tokenAnalyzer = new SpecialAccessTokenAnalyzer(crypto, crypto);
var resourceServer = new ResourceServer(tokenAnalyzer);
- IPrincipal principal;
- var errorMessage = resourceServer.VerifyAccess(new HttpRequestWrapper(this.application.Context.Request), out principal);
- if (errorMessage == null) {
+ try {
+ IPrincipal principal = resourceServer.GetPrincipal(new HttpRequestWrapper(this.application.Context.Request));
this.application.Context.User = principal;
+ } catch (ProtocolFaultResponseException ex) {
+ ex.ErrorResponse.Send();
}
}
}
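Review bot: The new `catch (ProtocolFaultResponseException ex)` is the only handler around `GetPrincipal`, whereas the sibling change in OAuthAuthorizationManager.cs keeps a second `catch (DotNetOpenAuth.Messaging.ProtocolException)`; if GetPrincipal can raise a plain ProtocolException for a malformed Authorization header (the manager's second catch suggests it can), that exception now escapes this module as an unhandled error instead of being reported like the other failure. Adding the same second catch here, `} catch (ProtocolException) { /* malformed OAuth request: leave the request anonymous */ }`, keeps the two call sites consistent. It is also worth stating whether `ex.ErrorResponse.Send()` terminates the request, since if it returns the pipeline continues with `Context.User` unchanged and downstream authorization must not assume rejection happened here; a comment such as `// Send() is expected to end the response; if it returns, the request proceeds unauthenticated — TODO confirm` makes that contract visible. The enclosing handler method starts before this hunk.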
diff --git a/projecttemplates/RelyingPartyLogic/OAuthAuthorizationManager.cs b/projecttemplates/RelyingPartyLogic/OAuthAuthorizationManager.cs
index 1a3a0f0..e38d955 100644
--- a/projecttemplates/RelyingPartyLogic/OAuthAuthorizationManager.cs
+++ b/projecttemplates/RelyingPartyLogic/OAuthAuthorizationManager.cs
@@ -14,6 +14,7 @@ namespace RelyingPartyLogic {
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using DotNetOpenAuth;
+ using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth;
using DotNetOpenAuth.OAuth2;
@@ -37,33 +38,33 @@ namespace RelyingPartyLogic {
var resourceServer = new ResourceServer(tokenAnalyzer);
try {
- IPrincipal principal;
- var errorResponse = resourceServer.VerifyAccess(httpDetails, requestUri, out principal);
- if (errorResponse == null) {
- var policy = new OAuthPrincipalAuthorizationPolicy(principal);
- var policies = new List<IAuthorizationPolicy> {
+ IPrincipal principal = resourceServer.GetPrincipal(httpDetails, requestUri);
+ var policy = new OAuthPrincipalAuthorizationPolicy(principal);
+ var policies = new List<IAuthorizationPolicy> {
policy,
};
- var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
- if (operationContext.IncomingMessageProperties.Security != null) {
- operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
- } else {
- operationContext.IncomingMessageProperties.Security = new SecurityMessageProperty {
- ServiceSecurityContext = securityContext,
- };
- }
+ var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
+ if (operationContext.IncomingMessageProperties.Security != null) {
+ operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
+ } else {
+ operationContext.IncomingMessageProperties.Security = new SecurityMessageProperty {
+ ServiceSecurityContext = securityContext,
+ };
+ }
- securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
+ securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
principal.Identity,
};
- // Only allow this method call if the access token scope permits it.
- if (principal.IsInRole(operationContext.IncomingMessageHeaders.Action)) {
- return true;
- }
+ // Only allow this method call if the access token scope permits it.
+ if (principal.IsInRole(operationContext.IncomingMessageHeaders.Action)) {
+ return true;
}
- } catch (ProtocolException /*ex*/) {
+ } catch (ProtocolFaultResponseException ex) {
+ // Return the appropriate unauthorized response to the client.
+ ex.ErrorResponse.Send();
+ } catch (DotNetOpenAuth.Messaging.ProtocolException/* ex*/) {
////Logger.Error("Error processing OAuth messages.", ex);
}
}
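Review bot: Neither new catch records the failure: the `ProtocolFaultResponseException` branch only calls `ex.ErrorResponse.Send()`, and the `DotNetOpenAuth.Messaging.ProtocolException` branch still carries the commented-out `////Logger.Error(...)` line, so a rejected or malformed access token leaves no audit trail before the method falls through to deny access. A warning-level log of the rejection reason (without echoing the token itself) before `Send()` in the first branch, and restoring the logger call in the second, would give operators something to detect repeated bad-token attempts with. `ErrorResponse.Send()` with no arguments presumably writes through `HttpContext.Current`, which inside a WCF authorization manager is only available under ASP.NET compatibility mode; a comment stating that assumption, e.g. `// Relies on HttpContext.Current (ASP.NET compatibility mode) — TODO confirm`, would help the next maintainer. The statements after the using block, including the fall-through return, sit outside this hunk.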