authorAndrew Arnott <andrewarnott@gmail.com>2012-04-15 20:32:01 -0700
committerAndrew Arnott <andrewarnott@gmail.com>2012-04-15 20:32:01 -0700
commitd553771d2730774921c0f778e797f033bd84085d (patch)
tree6f9e366718ae0a98dcad96882501b80c393e8993 /src
parentfb94cd99957a0c3baaf9b42855b2e3d30caae3ff (diff)
Authorization servers now gain insight into the calling client when validating resource owner credential grant type requests.
Fixes #101
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs2
-rw-r--r--src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IAuthorizationServerHost.cs21
-rw-r--r--src/DotNetOpenAuth.Test/OAuth2/OAuth2TestBase.cs2
3 files changed, 17 insertions, 8 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index efdbf4d..10d1463 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -95,7 +95,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
var resourceOwnerPasswordCarrier = message as AccessTokenResourceOwnerPasswordCredentialsRequest;
if (resourceOwnerPasswordCarrier != null) {
try {
- if (this.AuthorizationServer.IsResourceOwnerCredentialValid(resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password)) {
+ if (this.AuthorizationServer.IsResourceOwnerCredentialValid(resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password, resourceOwnerPasswordCarrier)) {
resourceOwnerPasswordCarrier.CredentialsValidated = true;
} else {
Logger.OAuth.ErrorFormat(
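Review bot: Nothing visible in this hunk shows that the client named on `resourceOwnerPasswordCarrier` has been authenticated before `IsResourceOwnerCredentialValid` is called with it on the changed line. If client authentication runs later in the channel, or is skipped for clients without a secret, a host that restricts the password grant to particular clients would be deciding on an identifier the caller merely asserted. It is worth confirming the ordering and, if it holds, recording it above the call, for example `// Client credentials have already been verified here; hosts may rely on the client identifier for policy.` The enclosing method starts and ends outside the hunk.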
diff --git a/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IAuthorizationServerHost.cs b/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IAuthorizationServerHost.cs
index 61ba7e2..70165c0 100644
--- a/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IAuthorizationServerHost.cs
+++ b/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IAuthorizationServerHost.cs
@@ -19,7 +19,7 @@ namespace DotNetOpenAuth.OAuth2 {
/// <summary>
/// Provides host-specific authorization server services needed by this library.
/// </summary>
- [ContractClass(typeof(IAuthorizationServerContract))]
+ [ContractClass(typeof(IAuthorizationServerHostContract))]
public interface IAuthorizationServerHost {
/// <summary>
/// Gets the store for storing crypto keys used to symmetrically encrypt and sign authorization codes and refresh tokens.
@@ -84,22 +84,26 @@ namespace DotNetOpenAuth.OAuth2 {
/// </summary>
/// <param name="userName">Username on the account.</param>
/// <param name="password">The user's password.</param>
+ /// <param name="accessRequest">
+ /// The access request the credentials came with.
+ /// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
+ /// </param>
/// <returns>
/// <c>true</c> if the given credentials are valid; otherwise, <c>false</c>.
/// </returns>
/// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception>
- bool IsResourceOwnerCredentialValid(string userName, string password);
+ bool IsResourceOwnerCredentialValid(string userName, string password, IAccessTokenRequest accessRequest);
}
/// <summary>
/// Code Contract for the <see cref="IAuthorizationServerHost"/> interface.
/// </summary>
[ContractClassFor(typeof(IAuthorizationServerHost))]
- internal abstract class IAuthorizationServerContract : IAuthorizationServerHost {
+ internal abstract class IAuthorizationServerHostContract : IAuthorizationServerHost {
/// <summary>
- /// Prevents a default instance of the <see cref="IAuthorizationServerContract"/> class from being created.
+ /// Prevents a default instance of the <see cref="IAuthorizationServerHostContract"/> class from being created.
/// </summary>
- private IAuthorizationServerContract() {
+ private IAuthorizationServerHostContract() {
}
/// <summary>
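Review bot: The new `accessRequest` param text on `IsResourceOwnerCredentialValid` invites client-based policy without saying whether the client identity on the request has been authenticated when the method is called. It also omits that the object passed from the binding element is the password-grant message itself, which holds the user's password alongside the client details. I would extend the param text with something like `The client named by this request may not yet be authenticated; do not log or persist this object, since it carries the resource owner's password.`, adjusted to what the channel actually guarantees. Adding a parameter to this public interface also breaks every existing host implementation at compile time, which deserves a line in the release notes. The same param text is repeated on the contract class in the following hunk.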
@@ -167,13 +171,18 @@ namespace DotNetOpenAuth.OAuth2 {
/// </summary>
/// <param name="userName">Username on the account.</param>
/// <param name="password">The user's password.</param>
+ /// <param name="accessRequest">
+ /// The access request the credentials came with.
+ /// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
+ /// </param>
/// <returns>
/// <c>true</c> if the given credentials are valid; otherwise, <c>false</c>.
/// </returns>
/// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception>
- bool IAuthorizationServerHost.IsResourceOwnerCredentialValid(string userName, string password) {
+ bool IAuthorizationServerHost.IsResourceOwnerCredentialValid(string userName, string password, IAccessTokenRequest accessRequest) {
Contract.Requires(!string.IsNullOrEmpty(userName));
Contract.Requires(password != null);
+ Contract.Requires(accessRequest != null);
throw new NotImplementedException();
}
diff --git a/src/DotNetOpenAuth.Test/OAuth2/OAuth2TestBase.cs b/src/DotNetOpenAuth.Test/OAuth2/OAuth2TestBase.cs
index c84e2c1..8f2ddec 100644
--- a/src/DotNetOpenAuth.Test/OAuth2/OAuth2TestBase.cs
+++ b/src/DotNetOpenAuth.Test/OAuth2/OAuth2TestBase.cs
@@ -53,7 +53,7 @@ namespace DotNetOpenAuth.Test.OAuth2 {
d =>
d.ClientIdentifier == ClientId && d.User == ResourceOwnerUsername &&
MessagingUtilities.AreEquivalent(d.Scope, TestScopes)))).Returns(true);
- authHostMock.Setup(m => m.IsResourceOwnerCredentialValid(ResourceOwnerUsername, ResourceOwnerPassword)).Returns(true);
+ authHostMock.Setup(m => m.IsResourceOwnerCredentialValid(ResourceOwnerUsername, ResourceOwnerPassword, It.IsAny<IAccessTokenRequest>())).Returns(true);
authHostMock.Setup(m => m.GetAccessTokenParameters(It.IsAny<IAccessTokenRequest>())).Returns(new AccessTokenParameters());
return authHostMock;
}
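Review bot: The updated mock setup matches `It.IsAny<IAccessTokenRequest>()`, so the tests would still pass if the channel handed the host a null or unrelated request. That leaves the behaviour this commit adds, giving the host insight into the calling client, unverified. Assuming `IAccessTokenRequest` exposes the client identifier, a tighter matcher such as `It.Is<IAccessTokenRequest>(r => r != null && r.ClientIdentifier == ClientId)` would pin it down. The enclosing helper method begins outside the hunk.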