Added authorizing user to the verification code.

The username is encrypted to avoid disclosing data to the client or a third party.

1 files changed, 15 insertions, 5 deletions

diff --git a/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs b/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
index 15d791e..70474f2 100644
--- a/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthServiceProvider/Code/OAuth2AuthorizationServer.cs
@@ -1,16 +1,26 @@
-using DotNetOpenAuth.Messaging.Bindings;
-using DotNetOpenAuth.OAuth.ChannelElements;
-
-namespace OAuthServiceProvider.Code {
+namespace OAuthServiceProvider.Code {
 	using System;
 	using System.Collections.Generic;
 	using System.Linq;
+	using System.Security.Cryptography;
 	using System.Web;
+	using DotNetOpenAuth.Messaging;
+	using DotNetOpenAuth.Messaging.Bindings;
+	using DotNetOpenAuth.OAuth.ChannelElements;
 	using DotNetOpenAuth.OAuthWrap;
 
 	internal class OAuth2AuthorizationServer : IAuthorizationServer {
-		private static readonly byte[] secret = new byte[] { 0x33, 0x55 }; // TODO: make this cryptographically strong and unique per app.
+		private static readonly byte[] secret;
+
 		private readonly INonceStore nonceStore = new DatabaseNonceStore();
+
+		static OAuth2AuthorizationServer()
+		{
+			RandomNumberGenerator crypto = new RNGCryptoServiceProvider();
+			secret = new byte[16];
+			crypto.GetBytes(secret);
+		}
+
 		#region Implementation of IAuthorizationServer
 
 		public byte[] Secret {