authorAndrew Arnott <andrewarnott@gmail.com>2009-08-21 09:40:59 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2009-08-21 09:40:59 -0700
commit85504a02bf8ca2252fbb8946aa074487e28e5342 (patch)
tree4024dcc291c7470882756c9dbbd2632c735e6fe8 /samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
parenta2bc2163b1741845df8eaf1e6216e74a8a70a278 (diff)
Fixed bug in OAuth Service Provider WCF sample where the service was using the identity of the logged in user rather than the identity authenticated by the service (OAuth) to look up the data.
Resolves trac #114. Thanks Steven L-P for reporting this!
Diffstat (limited to 'samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs')
-rw-r--r--samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs9
1 files changed, 8 insertions, 1 deletions
diff --git a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
index 1ec2cb5..8589932 100644
--- a/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
+++ b/samples/OAuthServiceProvider/App_Code/OAuthAuthorizationManager.cs
@@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.IdentityModel.Policy;
using System.Linq;
+using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
@@ -27,10 +28,12 @@ public class OAuthAuthorizationManager : ServiceAuthorizationManager {
if (auth != null) {
var accessToken = Global.DataContext.OAuthTokens.Single(token => token.Token == auth.AccessToken);
- var policy = new OAuthPrincipalAuthorizationPolicy(sp.CreatePrincipal(auth));
+ var principal = sp.CreatePrincipal(auth);
+ var policy = new OAuthPrincipalAuthorizationPolicy(principal);
var policies = new List<IAuthorizationPolicy> {
policy,
};
+
var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
if (operationContext.IncomingMessageProperties.Security != null) {
operationContext.IncomingMessageProperties.Security.ServiceSecurityContext = securityContext;
@@ -40,6 +43,10 @@ public class OAuthAuthorizationManager : ServiceAuthorizationManager {
};
}
+ securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
+ principal.Identity,
+ };
+
// Only allow this method call if the access token scope permits it.
string[] scopes = accessToken.Scope.Split('|');
if (scopes.Contains(operationContext.IncomingMessageHeaders.Action)) {
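Review bot: The added assignment to `Properties["Identities"]` relies on an undocumented WCF convention and carries no comment, so a later cleanup could remove the line that makes this fix work. As far as I know, `ServiceSecurityContext.PrimaryIdentity` is derived from this property and resolves only when the list holds exactly one identity, so I would add above it `// WCF derives ServiceSecurityContext.PrimaryIdentity from "Identities"; keep exactly one entry (the OAuth token's user) so the service never falls back to the logged-in user.` The service code that performs the lookup is not in this diff, so it is worth confirming that it reads the caller from `ServiceSecurityContext.Current` and not from the ASP.NET session user. The enclosing `if (auth != null)` block opens in the previous hunk and the method continues past the end of this one.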