author | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-14 21:26:45 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2010-06-14 21:26:45 -0700 |
commit | d2cc03592968769bced64c17997c0943209df0bf (patch) | |
tree | c27ecfbe93cf3f95b2c301cc3905196e2efb3f7f /src | |
parent | eb8e3476249517272780e3cbf6fde7d94340f257 (diff) | |
Work toward OAuth 2.0 draft 8.
Diffstat (limited to 'src')
15 files changed, 148 insertions, 207 deletions
diff --git a/src/DotNetOpenAuth.Test/OAuthWrap/MessageFactoryTests.cs b/src/DotNetOpenAuth.Test/OAuthWrap/MessageFactoryTests.cs index 827027e..e89cc86 100644 --- a/src/DotNetOpenAuth.Test/OAuthWrap/MessageFactoryTests.cs +++ b/src/DotNetOpenAuth.Test/OAuthWrap/MessageFactoryTests.cs @@ -73,7 +73,7 @@ namespace DotNetOpenAuth.Test.OAuthWrap { { Protocol.redirect_uri, "abc" }, }; IDirectedProtocolMessage request = this.messageFactory.GetNewRequestMessage(this.recipient, fields); - Assert.IsInstanceOf(typeof(WebServerRequest), request); + Assert.IsInstanceOf(typeof(EndUserAuthorizationRequest), request); } [TestCase] @@ -81,7 +81,7 @@ namespace DotNetOpenAuth.Test.OAuthWrap { var fields = new Dictionary<string, string> { { Protocol.error, "user_denied" }, }; - var request = new WebServerRequest(this.recipient.Location, Protocol.Default.Version); + var request = new EndUserAuthorizationRequest(this.recipient.Location, Protocol.Default.Version); Assert.IsInstanceOf( typeof(WebServerFailedResponse), this.messageFactory.GetNewResponseMessage(request, fields)); @@ -92,7 +92,7 @@ namespace DotNetOpenAuth.Test.OAuthWrap { var fields = new Dictionary<string, string> { { Protocol.code, "abc" }, }; - var request = new WebServerRequest(this.recipient.Location, Protocol.Default.Version); + var request = new EndUserAuthorizationRequest(this.recipient.Location, Protocol.Default.Version); Assert.IsInstanceOf( typeof(WebServerSuccessResponse), this.messageFactory.GetNewResponseMessage(request, fields)); diff --git a/src/DotNetOpenAuth/DotNetOpenAuth.csproj b/src/DotNetOpenAuth/DotNetOpenAuth.csproj index 3626101..5418aab 100644 --- a/src/DotNetOpenAuth/DotNetOpenAuth.csproj +++ b/src/DotNetOpenAuth/DotNetOpenAuth.csproj 
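Review bot: `new EndUserAuthorizationRequest(this.recipient.Location, Protocol.Default.Version)` in the second and third hunks of this file cannot compile against the class this commit adds, because `EndUserAuthorizationRequest` is declared `public abstract class` in its new file. The tests should construct a concrete subclass, e.g. `var request = new WebServerRequest(this.recipient.Location, Protocol.Default.Version);`. The first hunk's `Assert.IsInstanceOf(typeof(EndUserAuthorizationRequest), request)` also no longer tells the web-server and user-agent flows apart, since both request types now derive from that base. The same abstract type is added to the message-type list in `OAuthWrapAuthorizationServerChannel.cs`; if that list is used to instantiate messages, it needs the concrete types instead.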
@@ -333,7 +333,6 @@ http://opensource.org/licenses/ms-pl.html <Compile Include="OAuthWrap\Messages\IAccessTokenSuccessResponse.cs" /> <Compile Include="OAuthWrap\Messages\IMessageWithClientState.cs" /> <Compile Include="OAuthWrap\Messages\IOAuthDirectResponseFormat.cs" /> - <Compile Include="OAuthWrap\Messages\IRequestWithRedirectUri.cs" /> <Compile Include="OAuthWrap\Messages\RefreshAccessTokenRequest.cs" /> <Compile Include="OAuthWrap\Messages\Device\DeviceAccessTokenRequest.cs" /> <Compile Include="OAuthWrap\Messages\Device\DeviceRequest.cs" /> @@ -348,6 +347,7 @@ http://opensource.org/licenses/ms-pl.html <Compile Include="OAuthWrap\Messages\UsernameAndPassword\UserNamePasswordVerificationResponse.cs" /> <Compile Include="OAuthWrap\Messages\ResponseFormat.cs" /> <Compile Include="OAuthWrap\Messages\ResponseFormatEncoder.cs" /> + <Compile Include="OAuthWrap\Messages\WebServer\WebServerRequest.cs" /> <Compile Include="OAuthWrap\ResourceServer.cs" /> <Compile Include="OAuthWrap\StandardAccessTokenAnalyzer.cs" /> <Compile Include="OAuthWrap\UserAgentClient.cs" /> @@ -644,7 +644,7 @@ http://opensource.org/licenses/ms-pl.html <Compile Include="OAuthWrap\Messages\MessageBase.cs" /> <Compile Include="OAuthWrap\Messages\WebServer\WebServerAccessTokenRequest.cs" /> <Compile Include="OAuthWrap\Messages\WebServer\WebServerFailedResponse.cs" /> - <Compile Include="OAuthWrap\Messages\WebServer\WebServerRequest.cs" /> + <Compile Include="OAuthWrap\Messages\EndUserAuthorizationRequest.cs" /> <Compile Include="OAuthWrap\Messages\WebServer\WebServerSuccessResponse.cs" /> <Compile Include="OAuthWrap\Messages\UsernameAndPassword\UserNamePasswordFailedResponse.cs" /> <Compile Include="OAuthWrap\Messages\UsernameAndPassword\UserNamePasswordRequest.cs" /> diff --git a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/AuthServerAllFlowsBindingElement.cs b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/AuthServerAllFlowsBindingElement.cs index 3c4d3e2..30430fb 100644 
--- a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/AuthServerAllFlowsBindingElement.cs +++ b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/AuthServerAllFlowsBindingElement.cs @@ -68,7 +68,7 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements { /// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable. /// </remarks> public override MessageProtections? ProcessIncomingMessage(IProtocolMessage message) { - var authorizationRequest = message as IRequestWithRedirectUri; + var authorizationRequest = message as EndUserAuthorizationRequest; if (authorizationRequest != null) { var client = this.AuthorizationServer.GetClientOrThrow(authorizationRequest.ClientIdentifier); ErrorUtilities.VerifyProtocol(client.Callback == null || client.Callback == authorizationRequest.Callback, OAuthWrapStrings.CallbackMismatch, client.Callback, authorizationRequest.Callback); diff --git a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/OAuthWrapAuthorizationServerChannel.cs b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/OAuthWrapAuthorizationServerChannel.cs index 029d583..0dda8ec 100644 --- a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/OAuthWrapAuthorizationServerChannel.cs +++ b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/OAuthWrapAuthorizationServerChannel.cs @@ -43,7 +43,7 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements { typeof(Messages.UserNamePasswordVerificationResponse), typeof(Messages.UserNamePasswordFailedResponse), typeof(Messages.UsernamePasswordCaptchaResponse), - typeof(Messages.WebServerRequest), + typeof(Messages.EndUserAuthorizationRequest), typeof(Messages.WebServerSuccessResponse), typeof(Messages.WebServerFailedResponse), typeof(Messages.WebServerAccessTokenRequest), diff --git a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/WebServerVerificationCodeBindingElement.cs b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/WebServerVerificationCodeBindingElement.cs index 1f0666f..4c6e2de 100644 
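Review bot: The callback check on the line after the changed cast passes whenever `client.Callback == null`, so a client with no registered callback has any `redirect_uri` from the request accepted, and the commit leaves that as is. Because `redirect_uri` is declared `IsRequired = false` on the new base class, the opposite case also matters: a request that omits it fails the `client.Callback == authorizationRequest.Callback` comparison even though a callback is registered. Consider requiring one of the two to be present and comparing only when the request supplies a value. A comment such as `// Redirect URI validation applies only to EndUserAuthorizationRequest-derived messages.` above the `as` cast would help, since messages outside that hierarchy now skip this block. `ProcessIncomingMessage` continues outside the hunk.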
--- a/src/DotNetOpenAuth/OAuthWrap/ChannelElements/WebServerVerificationCodeBindingElement.cs +++ b/src/DotNetOpenAuth/OAuthWrap/ChannelElements/WebServerVerificationCodeBindingElement.cs @@ -51,7 +51,7 @@ namespace DotNetOpenAuth.OAuthWrap.ChannelElements { var response = message as WebServerSuccessResponse; if (response != null) { var directResponse = (IDirectResponseProtocolMessage)response; - var request = (WebServerRequest)directResponse.OriginatingRequest; + var request = (EndUserAuthorizationRequest)directResponse.OriginatingRequest; ITokenCarryingRequest tokenCarryingResponse = response; tokenCarryingResponse.AuthorizationDescription = new VerificationCode(this.AuthorizationServer.Secret, this.AuthorizationServer.VerificationCodeNonceStore, request.ClientIdentifier, request.Callback, request.Scope, response.AuthorizingUsername); diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/EndUserAuthorizationRequest.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/EndUserAuthorizationRequest.cs new file mode 100644 index 0000000..026d33f --- /dev/null +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/EndUserAuthorizationRequest.cs 
@@ -0,0 +1,99 @@ +//----------------------------------------------------------------------- +// <copyright file="EndUserAuthorizationRequest.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuthWrap.Messages { + using System; + using System.Diagnostics.Contracts; + using DotNetOpenAuth.Messaging; + + /// <summary> + /// A message sent by a web application Client to the AuthorizationServer + /// via the user agent to obtain authorization from the user and prepare + /// to issue an access token to the Consumer if permission is granted. + /// </summary> + [Serializable] + public abstract class EndUserAuthorizationRequest : MessageBase, IMessageWithClientState { + /// <summary> + /// Initializes a new instance of the <see cref="EndUserAuthorizationRequest"/> class. + /// </summary> + /// <param name="authorizationEndpoint">The Authorization Server's user authorization URL to direct the user to.</param> + /// <param name="version">The protocol version.</param> + internal EndUserAuthorizationRequest(Uri authorizationEndpoint, Version version) + : base(version, MessageTransport.Indirect, authorizationEndpoint) { + Contract.Requires<ArgumentNullException>(authorizationEndpoint != null); + Contract.Requires<ArgumentNullException>(version != null); + this.HttpMethods = HttpDeliveryMethods.GetRequest; + } + + /// <summary> + /// Initializes a new instance of the <see cref="EndUserAuthorizationRequest"/> class. 
+ /// </summary> + /// <param name="authorizationServer">The authorization server.</param> + internal EndUserAuthorizationRequest(AuthorizationServerDescription authorizationServer) + : this(authorizationServer.AuthorizationEndpoint, authorizationServer.Version) { + Contract.Requires<ArgumentNullException>(authorizationServer != null); + Contract.Requires<ArgumentException>(authorizationServer.Version != null); + Contract.Requires<ArgumentException>(authorizationServer.AuthorizationEndpoint != null); + } + + /// <summary> + /// Gets or sets the identifier by which this client is known to the Authorization Server. + /// </summary> + [MessagePart(Protocol.client_id, IsRequired = true, AllowEmpty = false)] + public string ClientIdentifier { get; set; } + + /// <summary> + /// Gets or sets the callback URL. + /// </summary> + /// <value> + /// An absolute URL to which the Authorization Server will redirect the User back after + /// the user has approved the authorization request. + /// </value> + /// <remarks> + /// REQUIRED unless a redirection URI has been established between the client and authorization server via other means. An absolute URI to which the authorization server will redirect the user-agent to when the end-user authorization step is completed. The authorization server MAY require the client to pre-register their redirection URI. The redirection URI MUST NOT include a query component as defined by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) section 3 if the state parameter is present. + /// </remarks> + [MessagePart(Protocol.redirect_uri, IsRequired = false, AllowEmpty = false)] + public Uri Callback { get; set; } + + /// <summary> + /// Gets or sets state of the client that should be sent back with the authorization response. + /// </summary> + /// <value> + /// An opaque value that Clients can use to maintain state associated with this request. 
+ /// </value> + /// <remarks> + /// REQUIRED. The client identifier as described in Section 3.4 (Client Credentials). + /// </remarks> + [MessagePart(Protocol.state, IsRequired = false, AllowEmpty = true)] + public string ClientState { get; set; } + + /// <summary> + /// Gets or sets the scope of access being requested. + /// </summary> + /// <value>The scope of the access request expressed as a list of space-delimited strings. The value of the scope parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.</value> + [MessagePart(Protocol.scope, IsRequired = false, AllowEmpty = true)] + public string Scope { get; set; } + + /////// <summary> + /////// Gets or sets a value indicating whether the authorization server is + /////// allowed to interact with the user before responding to the client's request. + /////// </summary> + ////public bool IsUserInteractionAllowed { + //// get { return !this.Immediate.HasValue || !this.Immediate.Value; } + //// set { this.Immediate = value ? (bool?)null : true; } + ////} + + /////// <summary> + /////// Gets or sets a value indicating whether the authorization server is + /////// required to redirect the browser back to the client immediately. + /////// </summary> + /////// <remarks> + /////// OPTIONAL. The parameter value must be set to true or false. If set to true, the authorization server MUST NOT prompt the end-user to authenticate or approve access. Instead, the authorization server attempts to establish the end-user's identity via other means (e.g. browser cookies) and checks if the end-user has previously approved an identical access request by the same client and if that access grant is still active. 
If the authorization server does not support an immediate check or if it is unable to establish the end-user's identity or approval status, it MUST deny the request without prompting the end-user. Defaults to false if omitted. + /////// </remarks> + ////[MessagePart(Protocol.immediate, IsRequired = false, AllowEmpty = false)] + ////internal bool? Immediate { get; set; } + } +} diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/IRequestWithRedirectUri.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/IRequestWithRedirectUri.cs deleted file mode 100644 index 49fa0bb..0000000 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/IRequestWithRedirectUri.cs +++ /dev/null @@ -1,29 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="IRequestWithRedirectUri.cs" company="Andrew Arnott"> -// Copyright (c) Andrew Arnott. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuthWrap.Messages { - using System; - using System.Collections.Generic; - using System.Linq; - using System.Text; - - /// <summary> - /// A message that contains a callback parameter. - /// </summary> - internal interface IRequestWithRedirectUri { - /// <summary> - /// Gets the client identifier. - /// </summary> - /// <value>The client identifier.</value> - string ClientIdentifier { get; } - - /// <summary> - /// Gets the callback. - /// </summary> - /// <value>The callback.</value> - Uri Callback { get; } - } -} diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentRequest.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentRequest.cs index f4c39a0..df6b07e 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentRequest.cs +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentRequest.cs 
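Review bot: The `<remarks>` on `ClientState` reads "REQUIRED. The client identifier as described in Section 3.4 (Client Credentials)", which describes `client_id` and contradicts the `IsRequired = false` on the same property. Replace it with something like `/// OPTIONAL. An opaque value the client uses to maintain state between the request and the callback.` so the parameter that ties a response back to the client's own request is documented correctly. The `Callback` remarks state that the redirection URI must not include a query component when `state` is present, but nothing in this class enforces it; if no other layer does, that check belongs here or in the binding element. The commented-out `IsUserInteractionAllowed`/`Immediate` block would be better removed than kept as `////` lines.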
@@ -15,7 +15,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// A message requesting user authorization to access protected data on behalf /// of an installed application or browser-hosted Javascript. /// </summary> - internal class UserAgentRequest : MessageBase, IRequestWithRedirectUri { + internal class UserAgentRequest : EndUserAuthorizationRequest { /// <summary> /// The type of message. /// </summary> @@ -28,7 +28,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// <param name="authorizationEndpoint">The authorization endpoint.</param> /// <param name="version">The version.</param> internal UserAgentRequest(Uri authorizationEndpoint, Version version) - : base(version, MessageTransport.Indirect, authorizationEndpoint) { + : base(authorizationEndpoint, version) { } /// <summary> 
@@ -36,65 +36,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// </summary> /// <param name="authorizationServer">The authorization server.</param> internal UserAgentRequest(AuthorizationServerDescription authorizationServer) - : this(authorizationServer.AuthorizationEndpoint, authorizationServer.Version) { + : base(authorizationServer) { } - - /// <summary> - /// Gets or sets state of the client that should be sent back with the authorization response. - /// </summary> - /// <value> - /// An opaque value that Clients can use to maintain state associated with this request. - /// </value> - [MessagePart(Protocol.state, IsRequired = false, AllowEmpty = true)] - public string ClientState { get; set; } - - /// <summary> - /// Gets or sets the identifier by which this client is known to the Authorization Server. - /// </summary> - [MessagePart(Protocol.client_id, IsRequired = true, AllowEmpty = false)] - public string ClientIdentifier { get; set; } - - /// <summary> - /// Gets or sets the callback URL. - /// </summary> - /// <value> - /// An absolute URL to which the Authorization Server will redirect the User back after - /// the user has approved the authorization request. - /// </value> - /// <remarks> - /// REQUIRED unless a redirection URI has been established between the client and authorization server via other means. An absolute URI to which the authorization server will redirect the user-agent to when the end-user authorization step is completed. The authorization server MAY require the client to pre-register their redirection URI. The redirection URI MUST NOT include a query component as defined by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) section 3 if the state parameter is present. 
- /// </remarks> - [MessagePart(Protocol.redirect_uri, IsRequired = false, AllowEmpty = false)] - public Uri Callback { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether the authorization server is - /// required to redirect the browser back to the client immediately. - /// </summary> - /// <remarks> - /// OPTIONAL. The parameter value must be set to true or false. If set to true, the authorization server MUST NOT prompt the end-user to authenticate or approve access. Instead, the authorization server attempts to establish the end-user's identity via other means (e.g. browser cookies) and checks if the end-user has previously approved an identical access request by the same client and if that access grant is still active. If the authorization server does not support an immediate check or if it is unable to establish the end-user's identity or approval status, it MUST deny the request without prompting the end-user. Defaults to false if omitted. - /// </remarks> - [MessagePart(Protocol.immediate, IsRequired = false, AllowEmpty = false)] - internal bool? Immediate { get; set; } - - /// <summary> - /// Gets or sets the scope. - /// </summary> - /// <value>The scope.</value> - /// <remarks> - /// OPTIONAL. The scope of the access request expressed as a list of space-delimited strings. The value of the scope parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds additional access range to the requested scope. - /// </remarks> - [MessagePart(Protocol.scope, IsRequired = false, AllowEmpty = true)] - internal string Scope { get; set; } - - /// <summary> - /// Gets or sets the type of the secret. - /// </summary> - /// <value>The type of the secret.</value> - /// <remarks> - /// OPTIONAL. The access token secret type as described by Section 5.3 (Cryptographic Tokens Requests). 
If omitted, the authorization server will issue a bearer token (an access token without a matching secret) as described by Section 5.2 (Bearer Token Requests). - /// </remarks> - [MessagePart(Protocol.secret_type, IsRequired = false, AllowEmpty = false)] - internal string SecretType { get; set; } } } diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentSuccessResponse.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentSuccessResponse.cs index c7e2ad5..607cf5f 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentSuccessResponse.cs +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/UserAgent/UserAgentSuccessResponse.cs @@ -48,26 +48,6 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { public TimeSpan? Lifetime { get; internal set; } /// <summary> - /// Gets or sets the refresh token. - /// </summary> - /// <value>The refresh token.</value> - /// <remarks> - /// OPTIONAL. The refresh token used to obtain new access tokens using the same end-user access grant as described in Section 6 (Refreshing an Access Token). - /// </remarks> - [MessagePart(Protocol.refresh_token, IsRequired = false, AllowEmpty = false)] - public string RefreshToken { get; internal set; } - - /// <summary> - /// Gets or sets the access token secret. - /// </summary> - /// <value>The access token secret.</value> - /// <remarks> - /// REQUIRED if requested by the client. The corresponding access token secret as requested by the client. - /// </remarks> - [MessagePart(Protocol.access_token_secret, IsRequired = false, AllowEmpty = false)] - public string AccessTokenSecret { get; internal set; } - - /// <summary> /// Gets the scope. /// </summary> /// <value>The scope.</value> diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerAccessTokenRequest.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerAccessTokenRequest.cs index 56f9d91..c41705a 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerAccessTokenRequest.cs 
+++ b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerAccessTokenRequest.cs @@ -111,7 +111,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { internal string VerificationCode { get; set; } /// <summary> - /// Gets or sets the callback URL used in <see cref="WebServerRequest.Callback"/> + /// Gets or sets the callback URL used in <see cref="EndUserAuthorizationRequest.Callback"/> /// </summary> /// <value> /// The Callback URL used to obtain the Verification Code. diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerFailedResponse.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerFailedResponse.cs index 8cb1cb0..1bfa168 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerFailedResponse.cs +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerFailedResponse.cs @@ -37,7 +37,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// </summary> /// <param name="clientCallback">The client callback.</param> /// <param name="request">The request.</param> - internal WebServerFailedResponse(Uri clientCallback, WebServerRequest request) + internal WebServerFailedResponse(Uri clientCallback, EndUserAuthorizationRequest request) : this(clientCallback, ((IMessage)request).Version) { Contract.Requires<ArgumentNullException>(clientCallback != null, "clientCallback"); Contract.Requires<ArgumentNullException>(request != null, "request"); diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerRequest.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerRequest.cs index dc0332d..d6f25e4 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerRequest.cs +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerRequest.cs 
@@ -4,104 +4,41 @@ // </copyright> //----------------------------------------------------------------------- -namespace DotNetOpenAuth.OAuthWrap.Messages { +namespace DotNetOpenAuth.OAuthWrap.Messages.WebServer { using System; + using System.Collections.Generic; using System.Diagnostics.Contracts; + using System.Linq; + using System.Text; using DotNetOpenAuth.Messaging; - /// <summary> - /// A message sent by a web application Client to the AuthorizationServer - /// via the user agent to obtain authorization from the user and prepare - /// to issue an access token to the Consumer if permission is granted. - /// </summary> - [Serializable] - public class WebServerRequest : MessageBase, IMessageWithClientState, IRequestWithRedirectUri { + public class WebServerRequest : EndUserAuthorizationRequest { /// <summary> /// The type of message. /// </summary> [MessagePart(Protocol.type, IsRequired = true)] -#pragma warning disable 169 private const string Type = "web_server"; -#pragma warning restore 169 /// <summary> - /// Initializes a new instance of the <see cref="WebServerRequest"/> class. + /// Initializes a new instance of the <see cref="EndUserAuthorizationRequest"/> class. /// </summary> /// <param name="authorizationEndpoint">The Authorization Server's user authorization URL to direct the user to.</param> /// <param name="version">The protocol version.</param> internal WebServerRequest(Uri authorizationEndpoint, Version version) - : base(version, MessageTransport.Indirect, authorizationEndpoint) { + : base(authorizationEndpoint, version) { Contract.Requires<ArgumentNullException>(authorizationEndpoint != null); Contract.Requires<ArgumentNullException>(version != null); - this.HttpMethods = HttpDeliveryMethods.GetRequest; } /// <summary> - /// Initializes a new instance of the <see cref="WebServerRequest"/> class. + /// Initializes a new instance of the <see cref="EndUserAuthorizationRequest"/> class. 
/// </summary> /// <param name="authorizationServer">The authorization server.</param> internal WebServerRequest(AuthorizationServerDescription authorizationServer) - : this(authorizationServer.AuthorizationEndpoint, authorizationServer.Version) { + : base(authorizationServer) { Contract.Requires<ArgumentNullException>(authorizationServer != null); Contract.Requires<ArgumentException>(authorizationServer.Version != null); Contract.Requires<ArgumentException>(authorizationServer.AuthorizationEndpoint != null); } - - /// <summary> - /// Gets or sets state of the client that should be sent back with the authorization response. - /// </summary> - /// <value> - /// An opaque value that Clients can use to maintain state associated with this request. - /// </value> - /// <remarks> - /// REQUIRED. The client identifier as described in Section 3.4 (Client Credentials). - /// </remarks> - [MessagePart(Protocol.state, IsRequired = false, AllowEmpty = true)] - public string ClientState { get; set; } - - /// <summary> - /// Gets or sets the scope of access being requested. - /// </summary> - /// <value>The scope of the access request expressed as a list of space-delimited strings. The value of the scope parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.</value> - [MessagePart(Protocol.scope, IsRequired = false, AllowEmpty = true)] - public string Scope { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether the authorization server is - /// allowed to interact with the user before responding to the client's request. - /// </summary> - public bool IsUserInteractionAllowed { - get { return !this.Immediate.HasValue || !this.Immediate.Value; } - set { this.Immediate = value ? 
(bool?)null : true; } - } - - /// <summary> - /// Gets or sets the identifier by which this client is known to the Authorization Server. - /// </summary> - [MessagePart(Protocol.client_id, IsRequired = true, AllowEmpty = false)] - public string ClientIdentifier { get; set; } - - /// <summary> - /// Gets or sets the callback URL. - /// </summary> - /// <value> - /// An absolute URL to which the Authorization Server will redirect the User back after - /// the user has approved the authorization request. - /// </value> - /// <remarks> - /// REQUIRED unless a redirection URI has been established between the client and authorization server via other means. An absolute URI to which the authorization server will redirect the user-agent to when the end-user authorization step is completed. The authorization server MAY require the client to pre-register their redirection URI. The redirection URI MUST NOT include a query component as defined by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) section 3 if the state parameter is present. - /// </remarks> - [MessagePart(Protocol.redirect_uri, IsRequired = false, AllowEmpty = false)] - public Uri Callback { get; set; } - - /// <summary> - /// Gets or sets a value indicating whether the authorization server is - /// required to redirect the browser back to the client immediately. - /// </summary> - /// <remarks> - /// OPTIONAL. The parameter value must be set to true or false. If set to true, the authorization server MUST NOT prompt the end-user to authenticate or approve access. Instead, the authorization server attempts to establish the end-user's identity via other means (e.g. browser cookies) and checks if the end-user has previously approved an identical access request by the same client and if that access grant is still active. 
If the authorization server does not support an immediate check or if it is unable to establish the end-user's identity or approval status, it MUST deny the request without prompting the end-user. Defaults to false if omitted. - /// </remarks> - [MessagePart(Protocol.immediate, IsRequired = false, AllowEmpty = false)] - internal bool? Immediate { get; set; } } } diff --git a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerSuccessResponse.cs b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerSuccessResponse.cs index 4f86d9b..dc5b70b 100644 --- a/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerSuccessResponse.cs +++ b/src/DotNetOpenAuth/OAuthWrap/Messages/WebServer/WebServerSuccessResponse.cs 
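Review bot: `WebServerRequest` loses its `<summary>` and its `[Serializable]` attribute here, and both constructor summaries now say `<see cref="EndUserAuthorizationRequest"/>`, which looks like a bulk-rename artifact. `SerializableAttribute` is not inherited, so the attribute on the base class does not cover this subclass; restore `[Serializable]` if these messages are serialized anywhere. The constructor summaries should read `/// Initializes a new instance of the <see cref="WebServerRequest"/> class.` The namespace also changes to `DotNetOpenAuth.OAuthWrap.Messages.WebServer` while the other message files in this commit stay in `DotNetOpenAuth.OAuthWrap.Messages`, so callers need a matching `using` or the namespace should be reverted; the three added `using` directives look unused in the visible lines.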
@@ -32,22 +32,34 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// </summary> /// <param name="clientCallback">The client callback.</param> /// <param name="request">The request.</param> - internal WebServerSuccessResponse(Uri clientCallback, WebServerRequest request) + internal WebServerSuccessResponse(Uri clientCallback, EndUserAuthorizationRequest request) : base(request, clientCallback) { Contract.Requires<ArgumentNullException>(clientCallback != null, "clientCallback"); Contract.Requires<ArgumentNullException>(request != null, "request"); ((IMessageWithClientState)this).ClientState = ((IMessageWithClientState)request).ClientState; } + /// <summary> + /// Gets or sets the verification code or refresh/access token. + /// </summary> + /// <value>The code or token.</value> string ITokenCarryingRequest.CodeOrToken { get { return this.VerificationCode; } set { this.VerificationCode = value; } } + /// <summary> + /// Gets the type of the code or token. + /// </summary> + /// <value>The type of the code or token.</value> CodeOrTokenType ITokenCarryingRequest.CodeOrTokenType { get { return CodeOrTokenType.VerificationCode; } } + /// <summary> + /// Gets or sets the authorization that the token describes. + /// </summary> + /// <value></value> IAuthorizationDescription ITokenCarryingRequest.AuthorizationDescription { get; set; } /// <summary> @@ -55,7 +67,7 @@ namespace DotNetOpenAuth.OAuthWrap.Messages { /// </summary> /// <value>An opaque value defined by the client.</value> /// <remarks> - /// REQUIRED if the Client sent the value in the <see cref="WebServerRequest"/>. + /// REQUIRED if the Client sent the value in the <see cref="EndUserAuthorizationRequest"/>. /// </remarks> [MessagePart(Protocol.state, IsRequired = false, AllowEmpty = true)] string IMessageWithClientState.ClientState { get; set; } diff --git a/src/DotNetOpenAuth/OAuthWrap/WebServerAuthorizationServer.cs b/src/DotNetOpenAuth/OAuthWrap/WebServerAuthorizationServer.cs index de9d5b3..bfd53fd 100644 
--- a/src/DotNetOpenAuth/OAuthWrap/WebServerAuthorizationServer.cs +++ b/src/DotNetOpenAuth/OAuthWrap/WebServerAuthorizationServer.cs @@ -35,17 +35,17 @@ namespace DotNetOpenAuth.OAuthWrap { /// <param name="request">The HTTP request to read from.</param> /// <returns>The incoming request, or null if no OAuth message was attached.</returns> /// <exception cref="ProtocolException">Thrown if an unexpected OAuth message is attached to the incoming request.</exception> - public WebServerRequest ReadAuthorizationRequest(HttpRequestInfo request = null) { + public EndUserAuthorizationRequest ReadAuthorizationRequest(HttpRequestInfo request = null) { if (request == null) { request = this.Channel.GetRequestFromContext(); } - WebServerRequest message; + EndUserAuthorizationRequest message; this.Channel.TryReadFromRequest(request, out message); return message; } - public void ApproveAuthorizationRequest(WebServerRequest authorizationRequest, string username, Uri callback = null) { + public void ApproveAuthorizationRequest(EndUserAuthorizationRequest authorizationRequest, string username, Uri callback = null) { Contract.Requires<ArgumentNullException>(authorizationRequest != null, "authorizationRequest"); var response = this.PrepareApproveAuthorizationRequest(authorizationRequest, callback); @@ -53,7 +53,7 @@ namespace DotNetOpenAuth.OAuthWrap { this.Channel.Send(response); } - public void RejectAuthorizationRequest(WebServerRequest authorizationRequest, Uri callback = null) { + public void RejectAuthorizationRequest(EndUserAuthorizationRequest authorizationRequest, Uri callback = null) { Contract.Requires<ArgumentNullException>(authorizationRequest != null, "authorizationRequest"); var response = this.PrepareRejectAuthorizationRequest(authorizationRequest, callback); 
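Review bot: `ReadAuthorizationRequest` now accepts any `EndUserAuthorizationRequest`, which after this commit includes `UserAgentRequest`, yet the approve and reject paths still build `WebServerSuccessResponse` and `WebServerFailedResponse`. If the channel can materialise a user-agent request at this endpoint, it would be answered with a web-server-flow verification code, so the flow type should be checked after reading, e.g. `if (message != null && !(message is WebServerRequest)) { /* reject: unexpected flow type */ }`, or the parameter types kept as `WebServerRequest`. The same widening is made in `RejectAuthorizationRequest` in the next hunk and in `PrepareRejectAuthorizationRequest`, `PrepareApproveAuthorizationRequest` and `GetCallback` in the following three hunks. The method bodies are only partly visible in these hunks.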
@@ -92,7 +92,7 @@ namespace DotNetOpenAuth.OAuthWrap {
 return request;
 }
- internal WebServerFailedResponse PrepareRejectAuthorizationRequest(WebServerRequest authorizationRequest, Uri callback = null) {
+ internal WebServerFailedResponse PrepareRejectAuthorizationRequest(EndUserAuthorizationRequest authorizationRequest, Uri callback = null) {
 Contract.Requires<ArgumentNullException>(authorizationRequest != null, "authorizationRequest");
 Contract.Ensures(Contract.Result<WebServerFailedResponse>() != null);
@@ -104,7 +104,7 @@ namespace DotNetOpenAuth.OAuthWrap {
 return response;
 }
- internal WebServerSuccessResponse PrepareApproveAuthorizationRequest(WebServerRequest authorizationRequest, Uri callback = null) {
+ internal WebServerSuccessResponse PrepareApproveAuthorizationRequest(EndUserAuthorizationRequest authorizationRequest, Uri callback = null) {
 Contract.Requires<ArgumentNullException>(authorizationRequest != null, "authorizationRequest");
 Contract.Ensures(Contract.Result<WebServerSuccessResponse>() != null);
@@ -117,7 +117,7 @@ namespace DotNetOpenAuth.OAuthWrap {
 return response;
 }
- protected Uri GetCallback(WebServerRequest authorizationRequest) {
+ protected Uri GetCallback(EndUserAuthorizationRequest authorizationRequest) {
 Contract.Requires<ArgumentNullException>(authorizationRequest != null, "authorizationRequest");
 Contract.Ensures(Contract.Result<Uri>() != null);
diff --git a/src/DotNetOpenAuth/OAuthWrap/WebServerClient.cs b/src/DotNetOpenAuth/OAuthWrap/WebServerClient.cs
index 7e883b1..eaa86b3 100644
--- a/src/DotNetOpenAuth/OAuthWrap/WebServerClient.cs
+++ b/src/DotNetOpenAuth/OAuthWrap/WebServerClient.cs 
@@ -37,7 +37,7 @@ namespace DotNetOpenAuth.OAuthWrap {
 /// Prepares a request for user authorization from an authorization server.
 /// </summary>
 /// <returns>The authorization request.</returns>
- public WebServerRequest PrepareRequestUserAuthorization() {
+ public EndUserAuthorizationRequest PrepareRequestUserAuthorization() {
 return this.PrepareRequestUserAuthorization(new AuthorizationState());
 }
@@ -46,13 +46,13 @@ namespace DotNetOpenAuth.OAuthWrap {
 /// </summary>
 /// <param name="authorization">The authorization state to associate with this particular request.</param>
 /// <returns>The authorization request.</returns>
- public WebServerRequest PrepareRequestUserAuthorization(IAuthorizationState authorization) {
+ public EndUserAuthorizationRequest PrepareRequestUserAuthorization(IAuthorizationState authorization) {
 Contract.Requires<ArgumentNullException>(authorization != null);
 Contract.Requires<InvalidOperationException>(authorization.Callback != null || (HttpContext.Current != null && HttpContext.Current.Request != null), MessagingStrings.HttpContextRequired);
 Contract.Requires<InvalidOperationException>(!string.IsNullOrEmpty(this.ClientIdentifier));
- Contract.Ensures(Contract.Result<WebServerRequest>() != null);
- Contract.Ensures(Contract.Result<WebServerRequest>().ClientIdentifier == this.ClientIdentifier);
- Contract.Ensures(Contract.Result<WebServerRequest>().Callback == authorization.Callback);
+ Contract.Ensures(Contract.Result<EndUserAuthorizationRequest>() != null);
+ Contract.Ensures(Contract.Result<EndUserAuthorizationRequest>().ClientIdentifier == this.ClientIdentifier);
+ Contract.Ensures(Contract.Result<EndUserAuthorizationRequest>().Callback == authorization.Callback);
 if (authorization.Callback == null) {
 authorization.Callback = this.Channel.GetRequestFromContext().UrlBeforeRewriting 
@@ -60,7 +60,7 @@ namespace DotNetOpenAuth.OAuthWrap {
 authorization.SaveChanges();
 }
- var request = new WebServerRequest(this.AuthorizationServer) {
+ var request = new EndUserAuthorizationRequest(this.AuthorizationServer) {
 ClientIdentifier = this.ClientIdentifier,
 Callback = authorization.Callback,
 Scope = authorization.Scope, |