authorAndrew Arnott <andrewarnott@gmail.com>2012-04-22 08:00:42 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-04-22 08:00:42 -0700
commit94d1c68291865dc4557c599ce19cbec3c10541ff (patch)
treef4037266b384f92435b8132a80ea917befa92c32 /src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements
parent1b6d8c2a40a019b43b252102353170380872da45 (diff)
Fixes access denial errors from OAuth 2 resource servers so they include the required parameters in their WWW-Authenticate headers.
Fixes #124
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerBindingElementBase.cs7
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IOAuth2ChannelWithAuthorizationServer.cs7
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs15
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs7
4 files changed, 22 insertions, 14 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerBindingElementBase.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerBindingElementBase.cs
index b66088c..9d3a52c 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerBindingElementBase.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerBindingElementBase.cs
@@ -38,6 +38,13 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
public abstract MessageProtections Protection { get; }
/// <summary>
+ /// Gets the channel to which this binding element belongs.
+ /// </summary>
+ internal IOAuth2ChannelWithAuthorizationServer AuthServerChannel {
+ get { return (IOAuth2ChannelWithAuthorizationServer)this.Channel; }
+ }
+
+ /// <summary>
/// Gets the authorization server hosting this channel.
/// </summary>
/// <value>The authorization server.</value>
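Review bot: The new `AuthServerChannel` getter is an unchecked cast of `this.Channel`, so an element attached to any other channel type fails with an InvalidCastException on first use, and an element that has not been attached yet (Channel still null) returns null and the callers that chain `.AuthorizationServer` or `.ScopeSatisfiedCheck` off it dereference null. Since the host is no longer validated at construction time elsewhere in this commit, the precondition should at least be stated on the property, e.g. `/// <remarks>Valid only after this element is attached to an <see cref="IOAuth2ChannelWithAuthorizationServer"/>; the cast is unchecked.</remarks>`. The enclosing class continues outside the hunk.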
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IOAuth2ChannelWithAuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IOAuth2ChannelWithAuthorizationServer.cs
index ff6d7d1..5247062 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IOAuth2ChannelWithAuthorizationServer.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IOAuth2ChannelWithAuthorizationServer.cs
@@ -14,6 +14,11 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// Gets the authorization server.
/// </summary>
/// <value>The authorization server.</value>
- IAuthorizationServerHost AuthorizationServer { get; }
+ IAuthorizationServerHost AuthorizationServer { get; }
+
+ /// <summary>
+ /// Gets or sets the service that checks whether a granted set of scopes satisfies a required set of scopes.
+ /// </summary>
+ IScopeSatisfiedCheck ScopeSatisfiedCheck { get; set; }
}
}
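Review bot: `ScopeSatisfiedCheck` is added as a publicly settable interface member with no stated nullability contract, yet the only consumer visible in this commit dereferences it unconditionally during token-endpoint scope validation, so a host that assigns null turns an authorization failure into a NullReferenceException. The XML doc should make the contract explicit, e.g. `/// <remarks>Must never be null; implementations are expected to be at least as strict as a subset comparison, since this check is what prevents a client from obtaining a broader scope than the user granted.</remarks>`. Whether the channel seeds a non-null default is not visible in this diff and should be confirmed.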
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index ac23e24..4821527 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -29,21 +29,12 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
private readonly ClientAuthenticationModule clientAuthenticationModule;
/// <summary>
- /// The authorization server host that applies.
- /// </summary>
- private readonly IAuthorizationServerHost authorizationServer;
-
- /// <summary>
/// Initializes a new instance of the <see cref="MessageValidationBindingElement"/> class.
/// </summary>
/// <param name="clientAuthenticationModule">The aggregating client authentication module.</param>
- /// <param name="authorizationServer">The authorization server host.</param>
- internal MessageValidationBindingElement(ClientAuthenticationModule clientAuthenticationModule, IAuthorizationServerHost authorizationServer) {
+ internal MessageValidationBindingElement(ClientAuthenticationModule clientAuthenticationModule) {
Requires.NotNull(clientAuthenticationModule, "clientAuthenticationModule");
- Requires.NotNull(authorizationServer, "authorizationServer");
-
this.clientAuthenticationModule = clientAuthenticationModule;
- this.authorizationServer = authorizationServer;
}
/// <summary>
@@ -105,7 +96,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
var accessTokenRequest = authenticatedClientRequest as AccessTokenRequestBase; // currently the only type of message.
if (authenticatedClientRequest != null) {
string clientIdentifier;
- var result = this.clientAuthenticationModule.TryAuthenticateClient(this.authorizationServer, authenticatedClientRequest, out clientIdentifier);
+ var result = this.clientAuthenticationModule.TryAuthenticateClient(this.AuthServerChannel.AuthorizationServer, authenticatedClientRequest, out clientIdentifier);
AuthServerUtilities.TokenEndpointVerify(result != ClientAuthenticationResult.ClientIdNotAuthenticated, accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient); // an empty secret is not allowed for client authenticated calls.
AuthServerUtilities.TokenEndpointVerify(result == ClientAuthenticationResult.ClientAuthenticated, accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidClient, this.clientAuthenticationModule, AuthServerStrings.ClientSecretMismatch);
authenticatedClientRequest.ClientIdentifier = clientIdentifier;
@@ -166,7 +157,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest;
if (scopedAccessRequest != null) {
// Make sure the scope the client is requesting does not exceed the scope in the grant.
- if (!scopedAccessRequest.Scope.IsSubsetOf(authCarrier.AuthorizationDescription.Scope)) {
+ if (!this.AuthServerChannel.ScopeSatisfiedCheck.IsScopeSatisfied(requiredScope: scopedAccessRequest.Scope, grantedScope: authCarrier.AuthorizationDescription.Scope)) {
Logger.OAuth.ErrorFormat("The requested access scope (\"{0}\") exceeds the grant scope (\"{1}\").", scopedAccessRequest.Scope, authCarrier.AuthorizationDescription.Scope);
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidScope, AuthServerStrings.AccessScopeExceedsGrantScope);
}
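Review bot: The hard-coded `IsSubsetOf` test at this line was the control that stops a client from exchanging a grant for a broader scope than the user approved, and it is now delegated to a host-replaceable `IScopeSatisfiedCheck` with no fallback, so a permissive or null implementation silently (or with an NRE) removes a security check at the token endpoint. The comment above the condition should say so, e.g. `// SECURITY: a custom IScopeSatisfiedCheck must be at least as strict as Scope.IsSubsetOf; a lenient implementation allows scope escalation at the token endpoint.`, and a null guard such as `ErrorUtilities.VerifyInternal(this.AuthServerChannel.ScopeSatisfiedCheck != null, "ScopeSatisfiedCheck")` would be worth adding if the channel does not guarantee a default (not visible here). The log message on the following line still reads "exceeds the grant scope", which presumes subset semantics the pluggable check may not have. The enclosing method continues outside the hunk.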
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
index 53dfb54..7ca4538 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
@@ -49,6 +49,11 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
public IAuthorizationServerHost AuthorizationServer { get; private set; }
/// <summary>
+ /// Gets or sets the service that checks whether a granted set of scopes satisfies a required set of scopes.
+ /// </summary>
+ public IScopeSatisfiedCheck ScopeSatisfiedCheck { get; set; }
+
+ /// <summary>
/// Gets the protocol message that may be in the given HTTP response.
/// </summary>
/// <param name="response">The response that is anticipated to contain an protocol message.</param>
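Review bot: The new `ScopeSatisfiedCheck` auto-property has a public setter and, within this diff, no initializer, so unless the constructor (outside the hunk) assigns it, the token endpoint's scope check dereferences null; and even if it does, any caller can later set it back to null. Since this property now stands in for the former fixed subset check, it should reject null on assignment and be seeded with the library's default implementation in the constructor, using the same `Requires.NotNull` guard the binding element already uses. The enclosing class continues outside the hunk.
```csharp
private IScopeSatisfiedCheck scopeSatisfiedCheck;

/// <summary>
/// Gets or sets the service that checks whether a granted set of scopes satisfies a required set of scopes.
/// Never null; assign the library default in the constructor.
/// </summary>
public IScopeSatisfiedCheck ScopeSatisfiedCheck {
	get { return this.scopeSatisfiedCheck; }
	set {
		Requires.NotNull(value, "value");
		this.scopeSatisfiedCheck = value;
	}
}
```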
@@ -118,7 +123,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
var bindingElements = new List<IChannelBindingElement>();
// The order they are provided is used for outgoing messgaes, and reversed for incoming messages.
- bindingElements.Add(new MessageValidationBindingElement(clientAuthenticationModule, authorizationServer));
+ bindingElements.Add(new MessageValidationBindingElement(clientAuthenticationModule));
bindingElements.Add(new TokenCodeSerializationBindingElement());
return bindingElements.ToArray();