authorunknown <andarno@.redmond.corp.microsoft.com>2011-06-15 22:04:26 -0700
committerunknown <andarno@.redmond.corp.microsoft.com>2011-06-15 22:04:26 -0700
commit4ad66d2d6aaa6c82ed3606e1c7134aeb960b6890 (patch)
treeb7a91568d26488ff7fb0be117775bb7acb5d1b98 /samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
parentc349a02d747f8a02ac0497ac19b21e177415b963 (diff)
Implicit grants are now sort of working on the authorization server side.
Still to do: * Ensure no auto-authorize of access tokens based on previous authorizations for the unauthenticated client. * Provide the authorization server with a way to indicate access token lifetime, and to veto the request based on the requested scopes being too dangerous for the less secure implicit grant type.
Diffstat (limited to 'samples/OAuthAuthorizationServer/Controllers/OAuthController.cs')
-rw-r--r--samples/OAuthAuthorizationServer/Controllers/OAuthController.cs34
1 files changed, 2 insertions, 32 deletions
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index fb836a6..07dc8cc 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -16,24 +16,6 @@
public class OAuthController : Controller {
private readonly AuthorizationServer authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer());
-#if SAMPLESONLY
- /// <summary>
- /// This is the FOR SAMPLE ONLY hard-coded public key of the complementary OAuthResourceServer sample.
- /// </summary>
- /// <remarks>
- /// In a real app, the authorization server would need to determine which resource server the access token needs to be encoded for
- /// based on the authorization request. It would then need to look up the public key for that resource server and use that in
- /// preparing the access token for the client to use against that resource server.
- /// </remarks>
- private static readonly RSAParameters ResourceServerEncryptionPublicKey = new RSAParameters {
- Exponent = new byte[] { 1, 0, 1 },
- Modulus = new byte[] { 166, 175, 117, 169, 211, 251, 45, 215, 55, 53, 202, 65, 153, 155, 92, 219, 235, 243, 61, 170, 101, 250, 221, 214, 239, 175, 238, 175, 239, 20, 144, 72, 227, 221, 4, 219, 32, 225, 101, 96, 18, 33, 117, 176, 110, 123, 109, 23, 29, 85, 93, 50, 129, 163, 113, 57, 122, 212, 141, 145, 17, 31, 67, 165, 181, 91, 117, 23, 138, 251, 198, 132, 188, 213, 10, 157, 116, 229, 48, 168, 8, 127, 28, 156, 239, 124, 117, 36, 232, 100, 222, 23, 52, 186, 239, 5, 63, 207, 185, 16, 137, 73, 137, 147, 252, 71, 9, 239, 113, 27, 88, 255, 91, 56, 192, 142, 210, 21, 34, 81, 204, 239, 57, 60, 140, 249, 15, 101 },
- };
-#else
- [Obsolete("You must use a real key for a real app.", true)]
- private static readonly RSAParameters ResourceServerEncryptionPublicKey;
-#endif
-
/// <summary>
/// The OAuth 2.0 token endpoint.
/// </summary>
@@ -52,10 +34,8 @@
// TODO: code here
// Prepare the refresh and access tokens.
- using (var crypto = CreateResourceServerEncryptionServiceProvider()) {
- var response = this.authorizationServer.PrepareAccessTokenResponse(request, crypto, accessTokenLifetime);
- return this.authorizationServer.Channel.PrepareResponse(response).AsActionResult();
- }
+ var response = this.authorizationServer.PrepareAccessTokenResponse(request, accessTokenLifetime);
+ return this.authorizationServer.Channel.PrepareResponse(response).AsActionResult();
}
throw new HttpException((int)HttpStatusCode.BadRequest, "Missing OAuth 2.0 request message.");
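Review bot: The new `PrepareAccessTokenResponse(request, accessTokenLifetime)` call no longer shows which key encrypts the access token, because the `crypto` argument and the sample-only public key behind it are gone from this controller. Presumably the key lookup moved behind `OAuth2AuthorizationServer`, which is not visible on this page. If so, the `#if SAMPLESONLY` / `[Obsolete(..., true)]` guard that kept the hard-coded key from compiling into a real app should move there with it. I would add a comment above the call such as `// The resource server's encryption key is supplied by the authorization server host; a real app must choose it per resource server.` The enclosing action method starts and ends outside this hunk.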
@@ -124,15 +104,5 @@
return this.authorizationServer.Channel.PrepareResponse(response).AsActionResult();
}
-
- /// <summary>
- /// Creates the resource server's encryption service provider with private key.
- /// </summary>
- /// <returns>An RSA crypto service provider.</returns>
- internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider() {
- var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
- resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPublicKey);
- return resourceServerEncryptionServiceProvider;
- }
}
}