Authorization servers can override the granted scopes for all grant types.

This change adds the ability for authorization servers to override the granted scopes of client credential and resource owner password grant types.

Fixes #225

5 files changed, 110 insertions, 35 deletions

diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
index bb782f0..73c563b 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
@@ -27,6 +27,8 @@
       <DependentUpon>AuthServerStrings.resx</DependentUpon>
     </Compile>
     <Compile Include="OAuth2\AuthServerUtilities.cs" />
+    <Compile Include="OAuth2\AutomatedAuthorizationCheckResponse.cs" />
+    <Compile Include="OAuth2\AutomatedUserAuthorizationCheckResponse.cs" />
     <Compile Include="OAuth2\ChannelElements\AggregatingClientCredentialReader.cs" />
     <Compile Include="OAuth2\ChannelElements\ClientCredentialHttpBasicReader.cs" />
     <Compile Include="OAuth2\ChannelElements\ClientCredentialMessagePartReader.cs" />
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedAuthorizationCheckResponse.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedAuthorizationCheckResponse.cs
new file mode 100644
index 0000000..0179d05
--- /dev/null
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedAuthorizationCheckResponse.cs
@@ -0,0 +1,40 @@
+//-----------------------------------------------------------------------
+// <copyright file="AutomatedAuthorizationCheckResponse.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OAuth2 {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+	using DotNetOpenAuth.OAuth2.Messages;
+
+	/// <summary>
+	/// Describes the result of an automated authorization check, such as for client credential or resource owner password grants.
+	/// </summary>
+	public class AutomatedAuthorizationCheckResponse {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AutomatedAuthorizationCheckResponse" /> class.
+		/// </summary>
+		/// <param name="accessRequest">The access token request.</param>
+		/// <param name="approved">A value indicating whether the authorization should be approved.</param>
+		public AutomatedAuthorizationCheckResponse(IAccessTokenRequest accessRequest, bool approved) {
+			Requires.NotNull(accessRequest, "accessRequest");
+
+			this.IsApproved = approved;
+			this.ApprovedScope = new HashSet<string>(accessRequest.Scope);
+		}
+
+		/// <summary>
+		/// Gets a value indicating whether the authorization should be approved.
+		/// </summary>
+		public bool IsApproved { get; private set; }
+
+		/// <summary>
+		/// Gets the scope to be granted.
+		/// </summary>
+		public HashSet<string> ApprovedScope { get; private set; }
+	}
+}
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedUserAuthorizationCheckResponse.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedUserAuthorizationCheckResponse.cs
new file mode 100644
index 0000000..b62807c
--- /dev/null
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AutomatedUserAuthorizationCheckResponse.cs
@@ -0,0 +1,42 @@
+//-----------------------------------------------------------------------
+// <copyright file="AutomatedUserAuthorizationCheckResponse.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OAuth2 {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+
+	using DotNetOpenAuth.OAuth2.Messages;
+
+	/// <summary>
+	/// Describes the result of an automated authorization check for resource owner grants.
+	/// </summary>
+	public class AutomatedUserAuthorizationCheckResponse : AutomatedAuthorizationCheckResponse {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AutomatedUserAuthorizationCheckResponse" /> class.
+		/// </summary>
+		/// <param name="accessRequest">The access token request.</param>
+		/// <param name="approved">A value indicating whether the authorization should be approved.</param>
+		/// <param name="canonicalUserName">
+		/// Canonical username of the authorizing user (resource owner), as the resource server would recognize it.
+		/// Ignored if <paramref name="approved"/> is false.
+		/// </param>
+		public AutomatedUserAuthorizationCheckResponse(IAccessTokenRequest accessRequest, bool approved, string canonicalUserName)
+			: base(accessRequest, approved) {
+			if (approved) {
+				Requires.NotNullOrEmpty(canonicalUserName, "canonicalUserName");
+			}
+
+			this.CanonicalUserName = canonicalUserName;
+		}
+
+		/// <summary>
+		/// Gets the canonical username of the authorizing user (resource owner).
+		/// </summary>
+		public string CanonicalUserName { get; private set; }
+	}
+}
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index 27b71db..3eac5a6 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -120,11 +120,13 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 			// Check that any resource owner password credential is correct.
 			if (resourceOwnerPasswordCarrier != null) {
 				try {
-					string canonicalUserName;
-					if (this.AuthorizationServer.TryAuthorizeResourceOwnerCredentialGrant(resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password, resourceOwnerPasswordCarrier, out canonicalUserName)) {
-						ErrorUtilities.VerifyHost(!string.IsNullOrEmpty(canonicalUserName), "TryAuthorizeResourceOwnerCredentialGrant did not initialize out parameter.");
+					var authorizeResult =
+						this.AuthorizationServer.CheckAuthorizeResourceOwnerCredentialGrant(
+							resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password, resourceOwnerPasswordCarrier);
+					if (authorizeResult.IsApproved) {
 						resourceOwnerPasswordCarrier.CredentialsValidated = true;
-						resourceOwnerPasswordCarrier.UserName = canonicalUserName;
+						resourceOwnerPasswordCarrier.UserName = authorizeResult.CanonicalUserName;
+						resourceOwnerPasswordCarrier.Scope.ResetContents(authorizeResult.ApprovedScope);
 					} else {
 						Logger.OAuth.ErrorFormat(
 							"Resource owner password credential for user \"{0}\" rejected by authorization server host.",
@@ -140,12 +142,15 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 				applied = true;
 			} else if (clientCredentialOnly != null) {
 				try {
-					if (!this.AuthorizationServer.TryAuthorizeClientCredentialsGrant(clientCredentialOnly)) {
+					var authorizeResult = this.AuthorizationServer.CheckAuthorizeClientCredentialsGrant(clientCredentialOnly);
+					if (!authorizeResult.IsApproved) {
 						Logger.OAuth.ErrorFormat(
 							"Client credentials grant access request for client \"{0}\" rejected by authorization server host.",
 							clientCredentialOnly.ClientIdentifier);
 						throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient);
 					}
+
+					clientCredentialOnly.Scope.ResetContents(authorizeResult.ApprovedScope);
 				} catch (NotSupportedException) {
 					throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
 				} catch (NotImplementedException) {
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
index b75cb29..b9b5725 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
@@ -91,17 +91,11 @@ namespace DotNetOpenAuth.OAuth2 {
 		/// The access request the credentials came with.
 		/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
 		/// </param>
-		/// <param name="canonicalUserName">
-		/// Receives the canonical username (normalized for the resource server) of the user, for valid credentials;
-		/// Or <c>null</c> if the return value is false.
-		/// </param>
-		/// <returns>
-		///   <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
-		/// </returns>
+		/// <returns>A value that describes the result of the authorization check.</returns>
 		/// <exception cref="NotSupportedException">
 		/// May be thrown if the authorization server does not support the resource owner password credential grant type.
 		/// </exception>
-		bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName);
+		AutomatedUserAuthorizationCheckResponse CheckAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest);
 
 		/// <summary>
 		/// Determines whether an access token request given a client credential grant should be authorized
@@ -112,17 +106,15 @@ namespace DotNetOpenAuth.OAuth2 {
 		/// The access request the credentials came with.
 		/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
 		/// </param>
-		/// <returns>
-		///   <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
-		/// </returns>
+		/// <returns>A value that describes the result of the authorization check.</returns>
 		/// <exception cref="NotSupportedException">
 		/// May be thrown if the authorization server does not support the client credential grant type.
 		/// </exception>
-		bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest);
+		AutomatedAuthorizationCheckResponse CheckAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest);
 	}
 
 	/// <summary>
-	/// Code Contract for the <see cref="IAuthorizationServerHost"/> interface.
+	/// Code Contract for the <see cref="IAuthorizationServerHost" /> interface.
 	/// </summary>
 	[ContractClassFor(typeof(IAuthorizationServerHost))]
 	internal abstract class IAuthorizationServerHostContract : IAuthorizationServerHost {
@@ -203,40 +195,34 @@ namespace DotNetOpenAuth.OAuth2 {
 		/// The access request the credentials came with.
 		/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
 		/// </param>
-		/// <param name="canonicalUserName">
-		/// Receives the canonical username (normalized for the resource server) of the user, for valid credentials;
-		/// Or <c>null</c> if the return value is false.
-		/// </param>
 		/// <returns>
-		///   <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
+		/// A value that describes the result of the authorization check.
 		/// </returns>
 		/// <exception cref="NotSupportedException">
 		/// May be thrown if the authorization server does not support the resource owner password credential grant type.
 		/// </exception>
-		bool IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName) {
+		AutomatedUserAuthorizationCheckResponse IAuthorizationServerHost.CheckAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest) {
 			Contract.Requires(!string.IsNullOrEmpty(userName));
 			Contract.Requires(password != null);
 			Contract.Requires(accessRequest != null);
-			Contract.Ensures(!Contract.Result<bool>() || !string.IsNullOrEmpty(Contract.ValueAtReturn<string>(out canonicalUserName)));
+			Contract.Ensures(Contract.Result<AutomatedUserAuthorizationCheckResponse>() != null);
 			throw new NotImplementedException();
 		}
 
 		/// <summary>
 		/// Determines whether an access token request given a client credential grant should be authorized
-		/// and if so records an authorization entry such that subsequent calls to <see cref="IAuthorizationServerHost.IsAuthorizationValid"/> would
+		/// and if so records an authorization entry such that subsequent calls to <see cref="IAuthorizationServerHost.IsAuthorizationValid" /> would
 		/// return <c>true</c>.
 		/// </summary>
-		/// <param name="accessRequest">
-		/// The access request the credentials came with.
-		/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
-		/// </param>
+		/// <param name="accessRequest">The access request the credentials came with.
+		/// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.</param>
 		/// <returns>
-		///   <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
+		/// A value that describes the result of the authorization check.
 		/// </returns>
-		/// <exception cref="NotSupportedException">
-		/// May be thrown if the authorization server does not support the client credential grant type.
-		/// </exception>
-		bool IAuthorizationServerHost.TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+		/// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the client credential grant type.</exception>
+		AutomatedAuthorizationCheckResponse IAuthorizationServerHost.CheckAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+			Contract.Requires(accessRequest != null);
+			Contract.Ensures(Contract.Result<AutomatedAuthorizationCheckResponse>() != null);
 			throw new NotImplementedException();
 		}