author | Andrew Arnott <andrewarnott@gmail.com> | 2012-04-01 08:14:30 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2012-04-01 08:14:48 -0700 |
commit | cc78ccd887b76df0587a47a2c126c541cdce4d7d (patch) | |
tree | 33664471fc550bb7e9f58e8679bbba8fdbc7bbfc /src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements | |
parent | 03bc5770d091ec2e96d49bb0f7dcaa77d8f1a170 (diff) | |
download | DotNetOpenAuth-cc78ccd887b76df0587a47a2c126c541cdce4d7d.zip DotNetOpenAuth-cc78ccd887b76df0587a47a2c126c541cdce4d7d.tar.gz DotNetOpenAuth-cc78ccd887b76df0587a47a2c126c541cdce4d7d.tar.bz2 |
Allows the authorization server to store merely the hashes of client secrets.
Fixes #92
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements')
-rw-r--r-- | src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index be4f70d..23dcbf5 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -81,9 +81,8 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 var authenticatedClientRequest = message as AuthenticatedClientRequestBase;
 if (authenticatedClientRequest != null) {
 var client = this.AuthorizationServer.GetClientOrThrow(authenticatedClientRequest.ClientIdentifier);
- string secret = client.Secret;
- AuthServerUtilities.TokenEndpointVerify(!string.IsNullOrEmpty(secret), Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient); // an empty secret is not allowed for client authenticated calls.
- AuthServerUtilities.TokenEndpointVerify(MessagingUtilities.EqualsConstantTime(secret, authenticatedClientRequest.ClientSecret), Protocol.AccessTokenRequestErrorCodes.InvalidClient, AuthServerStrings.ClientSecretMismatch);
+ AuthServerUtilities.TokenEndpointVerify(client.HasNonEmptySecret, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient); // an empty secret is not allowed for client authenticated calls.
+ AuthServerUtilities.TokenEndpointVerify(client.IsValidClientSecret(authenticatedClientRequest.ClientSecret), Protocol.AccessTokenRequestErrorCodes.InvalidClient, AuthServerStrings.ClientSecretMismatch);
 if (clientCredentialOnly != null) {
 clientCredentialOnly.CredentialsValidated = true; |