author | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-01 21:58:28 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-01 21:58:28 -0700 |
commit | f27fb6698ac61d5ce023e52fd902dbb09d643b06 (patch) | |
tree | 07dd87c078bbbce1caf45af48633663e516ad0b3 /samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs | |
parent | 63ea38240513d1c72b83d9df1c5e313bacf0dd21 (diff) | |
Added capability to use asymmetric signing for the access token so that resource servers don't have the ability to mint access tokens.
But resource servers can still mint verification codes and refresh tokens since they are signed using the shared secret, so that needs to be fixed.
Diffstat (limited to 'samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs')
-rw-r--r-- | samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs b/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
index 6a36a83..695ba74 100644
--- a/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
@@ -13,13 +13,17 @@
  internal class OAuth2AuthorizationServer : IAuthorizationServer {
  private static readonly byte[] secret;
+ private static readonly RSAParameters asymmetricKey;
+
  private readonly INonceStore nonceStore = new DatabaseNonceStore();
- static OAuth2AuthorizationServer()
- {
+ static OAuth2AuthorizationServer() {
+ // For this sample, we just generate random secrets.
  RandomNumberGenerator crypto = new RNGCryptoServiceProvider();
  secret = new byte[16];
  crypto.GetBytes(secret);
+
+ asymmetricKey = new RSACryptoServiceProvider().ExportParameters(true);
  }
  #region Implementation of IAuthorizationServer
@@ -32,6 +36,10 @@
  get { return this.nonceStore; }
  }
+ public RSAParameters? AccessTokenSigningPrivateKey {
+ get { return asymmetricKey; }
+ }
+
  public IConsumerDescription GetClient(string clientIdentifier) {
  var consumerRow = Global.DataContext.OAuthConsumers.SingleOrDefault(
  consumerCandidate => consumerCandidate.ConsumerKey == clientIdentifier); |
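Review bot: In the static constructor (hunk `@@ -13,13 +13,17 @@`), `new RSACryptoServiceProvider()` is created without a key size and is never disposed, so the strength of the token-signing key is whatever the provider defaults to (1024 bits on the .NET Framework, as far as I know) and the CSP handle is left to the finalizer. I would pin the size and scope the provider: `using (var rsa = new RSACryptoServiceProvider(2048)) { asymmetricKey = rsa.ExportParameters(true); }`. The added comment could also say that the key pair is regenerated each time the type is initialized, so presumably access tokens signed before a process restart stop verifying, and that a real deployment has to load a persisted, access-controlled key instead.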
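Review bot: `AccessTokenSigningPrivateKey` (hunk `@@ -32,6 +36,10 @@`) has no doc comment, and it hands out the full private key: `RSAParameters` is a struct of byte arrays, so each caller receives references to the same static arrays rather than a copy. I would add `/// <summary>Gets the RSA private key used to sign access tokens. It must never leave the authorization server; resource servers need only the public parameters.</summary>` above the property. The `RSAParameters?` type suggests that null is meaningful to the caller (presumably a fallback to the shared secret); the comment should say so once that is confirmed against `IAuthorizationServer`, which is not visible here. The class body continues outside the hunk.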