author | Andrew Arnott <andrewarnott@gmail.com> | 2013-03-01 21:22:52 -0800 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2013-03-01 21:22:52 -0800 |
commit | bb7549901264bf51276bdd33cab293b83a7fcceb (patch) | |
tree | ecd95f4d7abea7dd1d8fbd7be0b565266ee5ce19 /src | |
parent | 9b403a0a59e0385e5a2a7e95e3053de7f0e90a34 (diff) | |
Adds support for symmetric key signing and encryption of access tokens.
This targets the common scenario where authorization servers and resource servers are actually on the same web application, and asymmetric cryptography is overkill and requires extra setup.
Diffstat (limited to 'src')
3 files changed, 37 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServerAccessToken.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServerAccessToken.cs
index 7c9f808..cbf4b09 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServerAccessToken.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServerAccessToken.cs
@@ -11,6 +11,7 @@ namespace DotNetOpenAuth.OAuth2 {
 using System.Security.Cryptography;
 using System.Text;
 using DotNetOpenAuth.Messaging;
+ using DotNetOpenAuth.Messaging.Bindings;
 using DotNetOpenAuth.OAuth2.ChannelElements;
 
 /// <summary>
@@ -40,12 +41,23 @@ namespace DotNetOpenAuth.OAuth2 {
 public RSACryptoServiceProvider ResourceServerEncryptionKey { get; set; }
 
 /// <summary>
+ /// Gets or sets the symmetric key store to use if the asymmetric key properties are not set.
+ /// </summary>
+ public ICryptoKeyStore SymmetricKeyStore { get; set; }
+
+ /// <summary>
 /// Serializes this instance to a simple string for transmission to the client.
 /// </summary>
 /// <returns>A non-empty string.</returns>
 protected internal override string Serialize() {
- ErrorUtilities.VerifyHost(this.AccessTokenSigningKey != null, AuthServerStrings.AccessTokenSigningKeyMissing);
- var formatter = CreateFormatter(this.AccessTokenSigningKey, this.ResourceServerEncryptionKey);
+ ErrorUtilities.VerifyHost(this.AccessTokenSigningKey != null || this.SymmetricKeyStore != null, AuthServerStrings.AccessTokenSigningKeyMissing);
+ IDataBagFormatter<AccessToken> formatter;
+ if (this.AccessTokenSigningKey != null) {
+ formatter = CreateFormatter(this.AccessTokenSigningKey, this.ResourceServerEncryptionKey);
+ } else {
+ formatter = CreateFormatter(this.SymmetricKeyStore);
+ }
+
 return formatter.Serialize(this);
 }
 }
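Review bot: Serialize() now falls through to the symmetric formatter whenever AccessTokenSigningKey is null, which silently discards a configured ResourceServerEncryptionKey — a host that set only the encryption half of the asymmetric pair gets symmetrically protected tokens instead of an error. A second host check after the existing VerifyHost would make that misconfiguration loud: `ErrorUtilities.VerifyHost(this.AccessTokenSigningKey != null || this.ResourceServerEncryptionKey == null, /* TODO: add AuthServerStrings resource */ "ResourceServerEncryptionKey requires AccessTokenSigningKey.");`. The reused AuthServerStrings.AccessTokenSigningKeyMissing message is not in the hunk, but its text presumably still names only the signing key and should now mention the symmetric key store as the alternative. The SymmetricKeyStore summary should also state the precedence the code implements, e.g. `/// Ignored when <see cref="AccessTokenSigningKey"/> is set.`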
diff --git a/src/DotNetOpenAuth.OAuth2.ResourceServer/OAuth2/StandardAccessTokenAnalyzer.cs b/src/DotNetOpenAuth.OAuth2.ResourceServer/OAuth2/StandardAccessTokenAnalyzer.cs
index 32f10ba..3bd0324 100644
--- a/src/DotNetOpenAuth.OAuth2.ResourceServer/OAuth2/StandardAccessTokenAnalyzer.cs
+++ b/src/DotNetOpenAuth.OAuth2.ResourceServer/OAuth2/StandardAccessTokenAnalyzer.cs
@@ -10,6 +10,7 @@ namespace DotNetOpenAuth.OAuth2 {
 using System.IO;
 using System.Security.Cryptography;
 using DotNetOpenAuth.Messaging;
+ using DotNetOpenAuth.Messaging.Bindings;
 using DotNetOpenAuth.OAuth2.ChannelElements;
 using Validation;
 
@@ -30,6 +31,14 @@ namespace DotNetOpenAuth.OAuth2 {
 }
 
 /// <summary>
+ /// Initializes a new instance of the <see cref="StandardAccessTokenAnalyzer"/> class.
+ /// </summary>
+ public StandardAccessTokenAnalyzer(ICryptoKeyStore symmetricKeyStore) {
+ Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
+ this.SymmetricKeyStore = symmetricKeyStore;
+ }
+
+ /// <summary>
 /// Gets the authorization server public signing key.
 /// </summary>
 /// <value>The authorization server public signing key.</value>
@@ -41,6 +50,8 @@ namespace DotNetOpenAuth.OAuth2 {
 /// <value>The resource server private encryption key.</value>
 public RSACryptoServiceProvider ResourceServerPrivateEncryptionKey { get; private set; }
 
+ public ICryptoKeyStore SymmetricKeyStore { get; private set; }
+
 /// <summary>
 /// Reads an access token to find out what data it authorizes access to.
 /// </summary>
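Review bot: The new StandardAccessTokenAnalyzer(ICryptoKeyStore) constructor carries only the boilerplate summary with no `<param>`, and the SymmetricKeyStore property added in the third hunk of this file has no XML doc at all, unlike its RSA siblings. The constructor doc should say what the parameter must be for verification to mean anything: `/// <param name="symmetricKeyStore">The key store shared with the authorization server. Any party that can read it can both verify and mint tokens, so use this overload only when the authorization server and resource server share a trust boundary.</param>`, and the property wants `/// Gets the symmetric key store shared with the authorization server, or null when the asymmetric keys are in use.` Note also that DeserializeAccessToken (the next hunk) chooses the symmetric formatter purely on AuthorizationServerPublicSigningKey being null, so an instance with neither key — if the existing RSA constructor outside this hunk permits that — fails inside AccessToken.CreateFormatter with an ArgumentNullException rather than a host error; an ErrorUtilities.VerifyHost check up front, mirroring the one in AuthorizationServerAccessToken.Serialize, would report it as the configuration problem it is.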
@@ -50,7 +61,9 @@ namespace DotNetOpenAuth.OAuth2 {
 /// <exception cref="ProtocolException">Thrown if the access token is expired, invalid, or from an untrusted authorization server.</exception>
 public virtual AccessToken DeserializeAccessToken(IDirectedProtocolMessage message, string accessToken) {
 ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(accessToken), ResourceServerStrings.MissingAccessToken);
- var accessTokenFormatter = AccessToken.CreateFormatter(this.AuthorizationServerPublicSigningKey, this.ResourceServerPrivateEncryptionKey);
+ var accessTokenFormatter = this.AuthorizationServerPublicSigningKey != null
+ ? AccessToken.CreateFormatter(this.AuthorizationServerPublicSigningKey, this.ResourceServerPrivateEncryptionKey)
+ : AccessToken.CreateFormatter(this.SymmetricKeyStore);
 var token = new AccessToken();
 try {
 accessTokenFormatter.Deserialize(token, accessToken, message, Protocol.access_token);
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/AccessToken.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/AccessToken.cs
index fa87972..a8c911e 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/AccessToken.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/AccessToken.cs
@@ -57,6 +57,15 @@ namespace DotNetOpenAuth.OAuth2 {
 }
 
 /// <summary>
+ /// Creates a formatter capable of serializing/deserializing an access token.
+ /// </summary>
+ /// <returns>An access token serializer.</returns>
+ internal static IDataBagFormatter<AccessToken> CreateFormatter(ICryptoKeyStore symmetricKeyStore) {
+ Requires.NotNull(symmetricKeyStore, "symmetricKeyStore");
+ return new UriStyleMessageFormatter<AccessToken>(symmetricKeyStore, bucket: "AccessTokens", signed: true, encrypted: true);
+ }
+
+ /// <summary>
 /// Initializes this instance of the <see cref="AccessToken"/> class.
 /// </summary>
 /// <param name="authorization">The authorization to apply to this access token.</param>
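Review bot: The new CreateFormatter(ICryptoKeyStore) overload in AccessToken.cs documents its return value but not its parameter, and it embeds the key-store bucket as the bare literal "AccessTokens" in the UriStyleMessageFormatter call. Both the authorization server and the resource server now reach the store through this one method, so the bucket is consistent today, but a named constant (`private const string SymmetricKeyBucket = "AccessTokens";`) would keep it that way and give the value a place to be documented as the partition of the store under which these tokens are signed and encrypted. Add `/// <param name="symmetricKeyStore">The key store shared with the authorization server; both ends must use the same store (or the same backing store) or tokens cannot be verified.</param>`. The `signed: true, encrypted: true` arguments are the visible guarantee that symmetric tokens get both integrity and confidentiality, which deserves a one-line remark in the summary since callers cannot see it from the signature.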