authorAndrew Arnott <andrewarnott@gmail.com>2011-04-07 06:47:13 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2011-04-07 06:47:13 -0700
commit843ec327684fe3cee40b790f352c127e90f6de90 (patch)
treec6e3109161290929d60b365acec9821254dd11aa /samples/OAuthAuthorizationServer
parent619314e1e1d55b4122062f1e6219be335f790fc7 (diff)
Fixed non-thread-safe use of RsaCryptoServiceProvider instances.
Diffstat (limited to 'samples/OAuthAuthorizationServer')
-rw-r--r--samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs22
-rw-r--r--samples/OAuthAuthorizationServer/Controllers/OAuthController.cs16
2 files changed, 28 insertions, 10 deletions
diff --git a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index ec2f8fd..d71416e 100644
--- a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -11,9 +11,10 @@
using DotNetOpenAuth.OAuth2.Messages;
internal class OAuth2AuthorizationServer : IAuthorizationServer {
- internal static readonly RSAParameters AsymmetricTokenSigningPrivateKey;
+ private static readonly RSAParameters AsymmetricTokenSigningPrivateKey;
- internal static readonly RSACryptoServiceProvider AsymmetricTokenSigningServiceProvider;
+ [ThreadStatic]
+ internal static readonly RSACryptoServiceProvider AsymmetricTokenSigningServiceProvider = CreateAsymmetricTokenSigningServiceProvider();
private static readonly byte[] secret;
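Review bot: The initializer on the `[ThreadStatic]` field `AsymmetricTokenSigningServiceProvider` runs only once, on the thread that triggers type initialization, so every other thread reads null instead of getting its own provider. The same pattern is used for `ResourceServerEncryptionServiceProvider` in OAuthController.cs. Here `readonly` also rules out assigning a per-thread instance later. A lazily populated accessor over a private thread-static backing field would keep the call sites unchanged and give each thread its own instance, as sketched below.

```csharp
// Per-thread backing field; deliberately no initializer, since it would only run on one thread.
[ThreadStatic]
private static RSACryptoServiceProvider asymmetricTokenSigningServiceProvider;

internal static RSACryptoServiceProvider AsymmetricTokenSigningServiceProvider {
	get {
		if (asymmetricTokenSigningServiceProvider == null) {
			asymmetricTokenSigningServiceProvider = CreateAsymmetricTokenSigningServiceProvider();
		}

		return asymmetricTokenSigningServiceProvider;
	}
}

// … unchanged: private static readonly byte[] secret; …
```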
@@ -47,12 +48,23 @@
var privateKey = keyPair.ExportParameters(true);
var publicKey = keyPair.ExportParameters(false);
- // Ultimately the private key information must be what is returned bout the AccessTokenSigningPrivateKey property.
+ // Ultimately the private key information must be what is returned through the AccessTokenSigningPrivateKey property.
AsymmetricTokenSigningPrivateKey = privateKey;
#endif
+ }
- AsymmetricTokenSigningServiceProvider = new RSACryptoServiceProvider();
- AsymmetricTokenSigningServiceProvider.ImportParameters(AsymmetricTokenSigningPrivateKey);
+ /// <summary>
+ /// Creates the asymmetric token signing service provider.
+ /// </summary>
+ /// <returns>An RSA crypto service provider.</returns>
+ /// <remarks>
+ /// Since <see cref="RSACryptoServiceProvider"/> are not thread-safe, one must be created for each thread.
+ /// In this sample we just create one for each incoming request. Be sure to call Dispose on them to release native handles.
+ /// </remarks>
+ private static RSACryptoServiceProvider CreateAsymmetricTokenSigningServiceProvider() {
+ var asymmetricTokenSigningServiceProvider = new RSACryptoServiceProvider();
+ asymmetricTokenSigningServiceProvider.ImportParameters(AsymmetricTokenSigningPrivateKey);
+ return asymmetricTokenSigningServiceProvider;
}
#region Implementation of IAuthorizationServer
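Review bot: `CreateAsymmetricTokenSigningServiceProvider` is invoked from a static field initializer, and static field initializers run before the static constructor body. `ImportParameters(AsymmetricTokenSigningPrivateKey)` therefore most likely executes before the assignment `AsymmetricTokenSigningPrivateKey = privateKey;` just above the `#endif`, and type initialization may fail or yield a provider without the signing key. The constructor starts outside the hunk, so this is inferred from the assignment to a readonly static field. The remarks also say one provider is created per incoming request and ask for Dispose, but nothing visible does either. Either do that, or reword to `/// This sample keeps one instance per thread; it holds a copy of the private key and is never disposed.`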
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index fc332d0..b9fbe65 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -37,14 +37,20 @@
/// <summary>
/// The resource server's encryption service provider with private key.
/// </summary>
- private static readonly RSACryptoServiceProvider ResourceServerEncryptionServiceProvider;
+ /// <remarks>
+ /// Since <see cref="RSACryptoServiceProvider"/> are not thread-safe, one must be created for each thread.
+ /// </remarks>
+ [ThreadStatic]
+ private static RSACryptoServiceProvider ResourceServerEncryptionServiceProvider = CreateResourceServerEncryptionServiceProvider();
/// <summary>
- /// Initializes the <see cref="OAuthController"/> class.
+ /// Creates the resource server's encryption service provider with private key.
/// </summary>
- static OAuthController() {
- ResourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
- ResourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPublicKey);
+ /// <returns>An RSA crypto service provider.</returns>
+ private static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider() {
+ var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
+ resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPublicKey);
+ return resourceServerEncryptionServiceProvider;
}
/// <summary>
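Review bot: The new summary on `CreateResourceServerEncryptionServiceProvider` says the provider is created "with private key", but the body imports `ResourceServerEncryptionPublicKey`. If the authorization server is only meant to hold the resource server's public key for encrypting tokens, the comment should say so, e.g. `/// Creates the resource server's encryption service provider from its public key.`; the field summary at the top of the hunk has the same wording. The field initializer also depends on `ResourceServerEncryptionPublicKey` being initialized earlier in textual order, which is not visible in this hunk and is worth confirming.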