-rw-r--r--projecttemplates/RelyingPartyLogic/OAuthAuthorizationServer.cs25
-rw-r--r--samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs4
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs13
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs50
4 files changed, 86 insertions, 6 deletions
diff --git a/projecttemplates/RelyingPartyLogic/OAuthAuthorizationServer.cs b/projecttemplates/RelyingPartyLogic/OAuthAuthorizationServer.cs
index a5eb09c..afc652b 100644
--- a/projecttemplates/RelyingPartyLogic/OAuthAuthorizationServer.cs
+++ b/projecttemplates/RelyingPartyLogic/OAuthAuthorizationServer.cs
@@ -133,14 +133,35 @@ namespace RelyingPartyLogic {
/// Or <c>null</c> if the return value is false.
/// </param>
/// <returns>
- /// <c>true</c> if the given credentials are valid; otherwise, <c>false</c>.
+ /// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
/// </returns>
- /// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the resource owner password credential grant type.
+ /// </exception>
public bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName) {
// This web site delegates user authentication to OpenID Providers, and as such no users have local passwords with this server.
throw new NotSupportedException();
}
+ /// <summary>
+ /// Determines whether an access token request given a client credential grant should be authorized
+ /// and if so records an authorization entry such that subsequent calls to <see cref="IsAuthorizationValid"/> would
+ /// return <c>true</c>.
+ /// </summary>
+ /// <param name="accessRequest">
+ /// The access request the credentials came with.
+ /// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
+ /// </param>
+ /// <returns>
+ /// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
+ /// </returns>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the client credential grant type.
+ /// </exception>
+ public bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+ throw new NotImplementedException();
+ }
+
#endregion
public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) {
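Review bot: `TryAuthorizeClientCredentialsGrant` on the new side throws `NotImplementedException` while the `<exception>` tag directly above it documents `NotSupportedException`, and the sibling `TryAuthorizeResourceOwnerCredentialGrant` in the same hunk throws `NotSupportedException` with a one-line reason. The binding element in this commit maps both exception types to the same unsupported_grant_type error, so nothing breaks on the wire, but a project template is copied by consumers and should model the documented contract; I would change the body to `// Client credentials grant is not enabled for this site; authorize only clients this host trusts before returning true.` followed by `throw new NotSupportedException();`. Refusing by default is the right fail-closed behaviour for a grant that issues tokens without any resource owner involvement, so the change is to the exception type and comment, not to the outcome. The same stub appears in samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs. The enclosing class continues past both ends of the hunk.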
diff --git a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index a5ff728..eb7f1f5 100644
--- a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -83,6 +83,10 @@
throw new NotSupportedException();
}
+ public bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+ throw new NotImplementedException();
+ }
+
#endregion
public bool CanBeAutoApproved(EndUserAuthorizationRequest authorizationRequest) {
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
index e6ca2f3..80b843a 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/MessageValidationBindingElement.cs
@@ -138,6 +138,19 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
}
applied = true;
+ } else if (clientCredentialOnly != null) {
+ try {
+ if (!this.AuthorizationServer.TryAuthorizeClientCredentialsGrant(clientCredentialOnly)) {
+ Logger.OAuth.ErrorFormat(
+ "Client credentials grant access request for client \"{0}\" rejected by authorization server host.",
+ clientCredentialOnly.ClientIdentifier);
+ throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient);
+ }
+ } catch (NotSupportedException) {
+ throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
+ } catch (NotImplementedException) {
+ throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
+ }
} else {
// Check that authorization requests come with an acceptable callback URI.
var authorizationRequest = message as EndUserAuthorizationRequest;
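Review bot: The new `else if (clientCredentialOnly != null)` branch never sets `applied = true`, whereas the branch above it ends with `applied = true;` after a successful authorization; if `applied` drives this method's return value (it is assigned outside the hunk, so this is inferred), a successfully authorized client-credentials request is reported as though no validation had been applied. I would add `applied = true;` after the closing brace of the inner `if`, still inside the `try`. Separately, the host receives only the `IAccessTokenRequest`, so whether the client's secret was verified before this point is not visible in the hunk; if client authentication happens earlier in this method as I expect, a comment such as `// Client secret has already been verified above; the host decides policy only.` would make that precondition explicit for host implementers. Catching `NotImplementedException` is unusual but matches the stubs this commit adds to the template and sample; consider whether that catch should remain once hosts have real implementations, since it would also hide a genuinely unfinished host. The enclosing method starts and ends outside the hunk.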
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
index d280d26..3b7df5c 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/IAuthorizationServerHost.cs
@@ -98,8 +98,27 @@ namespace DotNetOpenAuth.OAuth2 {
/// <returns>
/// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
/// </returns>
- /// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the resource owner password credential grant type.
+ /// </exception>
bool TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName);
+
+ /// <summary>
+ /// Determines whether an access token request given a client credential grant should be authorized
+ /// and if so records an authorization entry such that subsequent calls to <see cref="IsAuthorizationValid"/> would
+ /// return <c>true</c>.
+ /// </summary>
+ /// <param name="accessRequest">
+ /// The access request the credentials came with.
+ /// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
+ /// </param>
+ /// <returns>
+ /// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
+ /// </returns>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the client credential grant type.
+ /// </exception>
+ bool TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest);
}
/// <summary>
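Review bot: The `<returns>` text on the new `TryAuthorizeClientCredentialsGrant` says `<c>true</c> if the given credentials are valid`, but unlike the resource-owner method above it this one receives no credentials at all, only the `IAccessTokenRequest`, so the wording was carried over and does not describe the contract. I would reword it to `/// <c>true</c> if the client identified by the request is authorized for a client credentials grant and the authorization was recorded; otherwise, <c>false</c>.`. The doc should also tell implementers that returning false and throwing `NotSupportedException` are reported to the client differently — the binding element in this commit turns false into unauthorized_client and the exception into unsupported_grant_type — so a policy rejection should return false rather than throw. Whether client authentication is guaranteed to have succeeded before this is called is not stated; if it is, the summary should say so, because a host that looks only at `ClientIdentifier` needs to know it is not responsible for verifying the secret. The interface declaration begins before the hunk.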
@@ -174,7 +193,9 @@ namespace DotNetOpenAuth.OAuth2 {
}
/// <summary>
- /// Determines whether a given set of resource owner credentials is valid based on the authorization server's user database.
+ /// Determines whether a given set of resource owner credentials is valid based on the authorization server's user database
+ /// and if so records an authorization entry such that subsequent calls to <see cref="IsAuthorizationValid"/> would
+ /// return <c>true</c>.
/// </summary>
/// <param name="userName">Username on the account.</param>
/// <param name="password">The user's password.</param>
@@ -187,9 +208,11 @@ namespace DotNetOpenAuth.OAuth2 {
/// Or <c>null</c> if the return value is false.
/// </param>
/// <returns>
- /// <c>true</c> if the given credentials are valid; otherwise, <c>false</c>.
+ /// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
/// </returns>
- /// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the resource owner password credential grant type.
+ /// </exception>
bool IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant(string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName) {
Contract.Requires(!string.IsNullOrEmpty(userName));
Contract.Requires(password != null);
@@ -199,6 +222,25 @@ namespace DotNetOpenAuth.OAuth2 {
}
/// <summary>
+ /// Determines whether an access token request given a client credential grant should be authorized
+ /// and if so records an authorization entry such that subsequent calls to <see cref="IsAuthorizationValid"/> would
+ /// return <c>true</c>.
+ /// </summary>
+ /// <param name="accessRequest">
+ /// The access request the credentials came with.
+ /// This may be useful if the authorization server wishes to apply some policy based on the client that is making the request.
+ /// </param>
+ /// <returns>
+ /// <c>true</c> if the given credentials are valid and the authorization granted; otherwise, <c>false</c>.
+ /// </returns>
+ /// <exception cref="NotSupportedException">
+ /// May be thrown if the authorization server does not support the client credential grant type.
+ /// </exception>
+ bool IAuthorizationServerHost.TryAuthorizeClientCredentialsGrant(IAccessTokenRequest accessRequest) {
+ throw new NotImplementedException();
+ }
+
+ /// <summary>
/// Obtains parameters to go into the formulation of an access token.
/// </summary>
/// <param name="accessTokenRequestMessage">Details regarding the resources that the access token will grant access to, and the identity of the client