authorAndrew Arnott <andrewarnott@gmail.com>2012-04-01 08:14:30 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-04-01 08:14:48 -0700
commitcc78ccd887b76df0587a47a2c126c541cdce4d7d (patch)
tree33664471fc550bb7e9f58e8679bbba8fdbc7bbfc /src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements
parent03bc5770d091ec2e96d49bb0f7dcaa77d8f1a170 (diff)
Allows the authorization server to store merely the hashes of client secrets.
Fixes #92
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index be4f70d..23dcbf5 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -81,9 +81,8 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
var authenticatedClientRequest = message as AuthenticatedClientRequestBase;
if (authenticatedClientRequest != null) {
var client = this.AuthorizationServer.GetClientOrThrow(authenticatedClientRequest.ClientIdentifier);
- string secret = client.Secret;
- AuthServerUtilities.TokenEndpointVerify(!string.IsNullOrEmpty(secret), Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient); // an empty secret is not allowed for client authenticated calls.
- AuthServerUtilities.TokenEndpointVerify(MessagingUtilities.EqualsConstantTime(secret, authenticatedClientRequest.ClientSecret), Protocol.AccessTokenRequestErrorCodes.InvalidClient, AuthServerStrings.ClientSecretMismatch);
+ AuthServerUtilities.TokenEndpointVerify(client.HasNonEmptySecret, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient); // an empty secret is not allowed for client authenticated calls.
+ AuthServerUtilities.TokenEndpointVerify(client.IsValidClientSecret(authenticatedClientRequest.ClientSecret), Protocol.AccessTokenRequestErrorCodes.InvalidClient, AuthServerStrings.ClientSecretMismatch);
if (clientCredentialOnly != null) {
clientCredentialOnly.CredentialsValidated = true;