authorAndrew Arnott <andrewarnott@gmail.com>2012-02-16 08:47:49 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2012-02-16 08:47:49 -0800
commit9869f80aa333eeab6e7d19bf116c3d4c4788e8ba (patch)
treeb779795d17ddbeaaef59790345b49809f162c47c /src/DotNetOpenAuth.OAuth2.AuthorizationServer
parentf1837d5eb51cb3ed948d72048e5827332e506a71 (diff)
Suppressed refresh tokens when client credentials are used to comply with OAuth 2.0 section 4.4.3.
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2.AuthorizationServer')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
index cdcb042..5dee893 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
@@ -222,6 +222,15 @@ namespace DotNetOpenAuth.OAuth2 {
public virtual IDirectResponseProtocolMessage PrepareAccessTokenResponse(AccessTokenRequestBase request, bool includeRefreshToken = true) {
Requires.NotNull(request, "request");
+ if (includeRefreshToken) {
+ if (request is AccessTokenClientCredentialsRequest) {
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it.");
+ includeRefreshToken = false;
+ }
+ }
+
var tokenRequest = (IAuthorizationCarryingRequest)request;
var response = new AccessTokenSuccessResponse(request) {
Lifetime = this.AuthorizationServerServices.GetAccessTokenLifetime(request),