10 files changed, 73 insertions, 57 deletions
diff --git a/projecttemplates/RelyingPartyDatabase/Properties/Database.sqlcmdvars b/projecttemplates/RelyingPartyDatabase/Properties/Database.sqlcmdvars
index a396dc9..f2c472d 100644
--- a/projecttemplates/RelyingPartyDatabase/Properties/Database.sqlcmdvars
+++ b/projecttemplates/RelyingPartyDatabase/Properties/Database.sqlcmdvars
@@ -4,7 +4,7 @@
 <Properties>
 <Property>
 <PropertyName>Path1</PropertyName>
- <PropertyValue>WEBROOT\App_Data\</PropertyValue>
+ <PropertyValue>WEBROOT</PropertyValue>
 </Property>
 </Properties>
 </SqlCommandVariables>
\ No newline at end of file
diff --git a/projecttemplates/RelyingPartyLogic/CreateDatabase.sql b/projecttemplates/RelyingPartyLogic/CreateDatabase.sql
index 0fa1b43..bbc5e07 100644
--- a/projecttemplates/RelyingPartyLogic/CreateDatabase.sql
+++ b/projecttemplates/RelyingPartyLogic/CreateDatabase.sql
@@ -8,10 +8,10 @@ SET ANSI_NULLS, ANSI_PADDING, ANSI_WARNINGS, ARITHABORT, CONCAT_NULL_YIELDS_NULL
 GO
 /*
-:setvar Path1 "WEBROOT\App_Data\"
+:setvar Path1 "WEBROOT"
 :setvar DatabaseName "RelyingPartyDatabase"
-:setvar DefaultDataPath ""
-:setvar DefaultLogPath ""
+:setvar DefaultDataPath "c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\"
+:setvar DefaultLogPath "c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\"
 */
 GO
@@ -128,24 +128,6 @@ ELSE
 GO
-IF IS_SRVROLEMEMBER(N'sysadmin') = 1
- BEGIN
- IF EXISTS (SELECT 1
- FROM [master].[dbo].[sysdatabases]
- WHERE [name] = N'$(DatabaseName)')
- BEGIN
- EXECUTE sp_executesql N'ALTER DATABASE [$(DatabaseName)]
- SET HONOR_BROKER_PRIORITY OFF
- WITH ROLLBACK IMMEDIATE';
- END
- END
-ELSE
- BEGIN
- PRINT N'The database settings cannot be modified. You must be a SysAdmin to apply these settings.';
- END
-
-
 GO
 USE [$(DatabaseName)]
 GO
@@ -727,9 +709,3 @@ ALTER TABLE [dbo].[UserRole] WITH CHECK CHECK CONSTRAINT [FK_UserRole_User];
 GO
-ALTER DATABASE [$(DatabaseName)]
- SET MULTI_USER
- WITH ROLLBACK IMMEDIATE;
-
-
 GO
diff --git a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
index cd523dd..18f44b7 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
+++ b/projecttemplates/WebFormsRelyingParty/Members/OAuthAuthorize.aspx.cs
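Review bot: The commented `:setvar DefaultDataPath` / `:setvar DefaultLogPath` defaults in the first CreateDatabase.sql hunk now carry one machine's absolute install path (`c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\`), which is wrong on any host with a different instance name, architecture or drive layout; a project template should keep these neutral (the previous `""`, or a placeholder resolved at deploy time) rather than bake in a developer's box. The block sits inside `/* ... */`, so it is inert until someone uncomments it, but template files are exactly where such values get copied from. Separately, the last hunk drops the closing `ALTER DATABASE [$(DatabaseName)] SET MULTI_USER WITH ROLLBACK IMMEDIATE;`; if an earlier part of the script (outside this diff) still switches the database to SINGLE_USER or RESTRICTED_USER, it will now be left in that mode after deployment, which is worth confirming against the full script.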
@@ -8,9 +8,12 @@ namespace WebFormsRelyingParty.Members {
 using System;
 using System.Collections.Generic;
 using System.Linq;
+ using System.Net;
 using System.Web;
 using System.Web.UI;
 using System.Web.UI.WebControls;
+
+ using DotNetOpenAuth.Messaging;
 using DotNetOpenAuth.OAuth;
 using DotNetOpenAuth.OAuth.Messages;
 using DotNetOpenAuth.OAuth2.Messages;
@@ -21,7 +24,12 @@ namespace WebFormsRelyingParty.Members {
 private EndUserAuthorizationRequest pendingRequest;
 protected void Page_Load(object sender, EventArgs e) {
- this.pendingRequest = OAuthServiceProvider.AuthorizationServer.ReadAuthorizationRequest();
+ // We'll mask that on postback it's a POST when looking up the authorization details so that the GET-only
+ // message can be picked up.
+ var requestInfo = this.IsPostBack
+ ? new HttpRequestInfo("GET", this.Request.Url, this.Request.RawUrl, new WebHeaderCollection(), null)
+ : null;
+ this.pendingRequest = OAuthServiceProvider.AuthorizationServer.ReadAuthorizationRequest(requestInfo);
 if (this.pendingRequest == null) {
 Response.Redirect("AccountInfo.aspx");
 }
@@ -37,7 +45,10 @@ namespace WebFormsRelyingParty.Members {
 protected void yesButton_Click(object sender, EventArgs e) {
 this.outerMultiView.SetActiveView(this.authorizationGrantedView);
- OAuthServiceProvider.AuthorizationServer.ApproveAuthorizationRequest(this.pendingRequest, HttpContext.Current.User.Identity.Name);
+
+ // In this case the resource server and the auth server are the same, so just use the same key.
+ var resourceServerPublicKey = OAuthServiceProvider.AuthorizationServer.AuthorizationServer.AccessTokenSigningPrivateKey;
+ OAuthServiceProvider.AuthorizationServer.ApproveAuthorizationRequest(this.pendingRequest, HttpContext.Current.User.Identity.Name, resourceServerPublicKey);
 }
 protected void noButton_Click(object sender, EventArgs e) {
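Review bot: On postback `Page_Load` rebuilds the authorization request from the page's own query string (a synthetic GET over `this.Request.Url` / `this.Request.RawUrl` with an empty `WebHeaderCollection`), and `yesButton_Click` later approves whatever `pendingRequest` that produced, so the consent decision is tied to nothing but the URL and the fact that a postback occurred. Unless `ViewStateUserKey` or an equivalent anti-forgery token is set elsewhere in this page (not visible here), a third-party site could auto-submit a form to `OAuthAuthorize.aspx?client_id=...&redirect_uri=...` targeting the yes button and obtain a grant from a logged-in user who never saw the consent screen. A minimal mitigation is `this.ViewStateUserKey = this.Session.SessionID;` in `Page_Init`, or keeping a fingerprint of the request that was actually shown in ViewState and refusing to approve when the postback's request does not match it. Because the synthetic request carries no headers, any header-based checks `ReadAuthorizationRequest` performs are also bypassed on the postback path, which should be confirmed as intended. `Page_Load` continues past the hunk's last line.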
diff --git a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
index b71b66d..eaa444d 100644
--- a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
+++ b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
@@ -7,6 +7,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 using System;
 using System.Collections.Generic;
+ using System.Globalization;
 using System.Linq;
 using System.Text;
 using DotNetOpenAuth.Messaging;
@@ -52,12 +53,18 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 /// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
 /// </remarks>
 public override MessageProtections? ProcessOutgoingMessage(IProtocolMessage message) {
- var tokenRequest = message as ITokenCarryingRequest;
- if (tokenRequest != null) {
- ErrorUtilities.VerifyInternal(tokenRequest.CodeOrTokenType == CodeOrTokenType.AuthorizationCode, "Only verification codes are expected here.");
- var tokenBag = (AuthorizationCode)tokenRequest.AuthorizationDescription;
- var formatter = AuthorizationCode.CreateFormatter(this.AuthorizationServer);
- tokenRequest.CodeOrToken = formatter.Serialize(tokenBag);
+ var response = message as ITokenCarryingRequest;
+ if (response != null) {
+ switch (response.CodeOrTokenType)
+ {
+ case CodeOrTokenType.AuthorizationCode:
+ var codeFormatter = AuthorizationCode.CreateFormatter(this.AuthorizationServer);
+ var code = (AuthorizationCode)response.AuthorizationDescription;
+ response.CodeOrToken = codeFormatter.Serialize(code);
+ break;
+ default:
+ throw ErrorUtilities.ThrowInternal(string.Format(CultureInfo.CurrentCulture, "Unexpected outgoing code or token type: {0}", response.CodeOrTokenType));
+ }
 return MessageProtections.None;
 }
diff --git a/src/DotNetOpenAuth/OAuth2/ClientBase.cs b/src/DotNetOpenAuth/OAuth2/ClientBase.cs
index b2b63aa..46b6af4 100644
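Review bot: The new `switch (response.CodeOrTokenType)` puts its opening brace on a line of its own, while every other brace in this hunk and the surrounding file sits on the same line (`if (response != null) {`, `... ProcessOutgoingMessage(IProtocolMessage message) {`); `switch (response.CodeOrTokenType) {` keeps the file consistent. With a single real case the switch is also heavier than the `ErrorUtilities.VerifyInternal(...)` guard it replaces, though it is a reasonable shape if more token types are expected to be serialized here soon. The local was renamed from `tokenRequest` to `response` even though it is still an `ITokenCarryingRequest` on the outgoing-request path, which reads as the opposite of what it is; `tokenRequest` or `codeRequest` would be clearer. The method's body continues past the hunk's last line.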
--- a/src/DotNetOpenAuth/OAuth2/ClientBase.cs
+++ b/src/DotNetOpenAuth/OAuth2/ClientBase.cs
@@ -184,6 +184,28 @@ namespace DotNetOpenAuth.OAuth2 {
 authorizationState.SaveChanges();
 }
+ internal void UpdateAuthorizationWithResponse(IAuthorizationState authorizationState, EndUserAuthorizationSuccessAuthCodeResponse authorizationSuccess) {
+ Contract.Requires<ArgumentNullException>(authorizationState != null, "authorizationState");
+ Contract.Requires<ArgumentNullException>(authorizationSuccess != null, "authorizationSuccess");
+
+ var accessTokenRequest = new AccessTokenAuthorizationCodeRequest(this.AuthorizationServer) {
+ ClientIdentifier = this.ClientIdentifier,
+ ClientSecret = this.ClientSecret,
+ Callback = authorizationState.Callback,
+ AuthorizationCode = authorizationSuccess.AuthorizationCode,
+ };
+ IProtocolMessage accessTokenResponse = this.Channel.Request(accessTokenRequest);
+ var accessTokenSuccess = accessTokenResponse as AccessTokenSuccessResponse;
+ var failedAccessTokenResponse = accessTokenResponse as AccessTokenFailedResponse;
+ if (accessTokenSuccess != null) {
+ this.UpdateAuthorizationWithResponse(authorizationState, accessTokenSuccess);
+ } else {
+ authorizationState.Delete();
+ string error = failedAccessTokenResponse != null ? failedAccessTokenResponse.Error : "(unknown)";
+ ErrorUtilities.ThrowProtocol(OAuthWrapStrings.CannotObtainAccessTokenWithReason, error);
+ }
+ }
+
 /// <summary>
 /// Calculates the fraction of life remaining in an access token.
 /// </summary>
diff --git a/src/DotNetOpenAuth/OAuth2/Messages/UnauthorizedResponse.cs b/src/DotNetOpenAuth/OAuth2/Messages/UnauthorizedResponse.cs
index 90ef662..0f12a8c 100644
--- a/src/DotNetOpenAuth/OAuth2/Messages/UnauthorizedResponse.cs
+++ b/src/DotNetOpenAuth/OAuth2/Messages/UnauthorizedResponse.cs
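Review bot: The new `UpdateAuthorizationWithResponse(IAuthorizationState, EndUserAuthorizationSuccessAuthCodeResponse)` overload has no XML documentation, while the neighbouring member in the same hunk carries `/// <summary> Calculates the fraction of life remaining in an access token. </summary>`; add a summary along the lines of `/// <summary>Exchanges the authorization code in the response for an access token at the authorization server and records the result in the authorization state; on any non-success reply the state is deleted and a protocol exception is thrown.</summary>` plus `<param>` tags for `authorizationState` and `authorizationSuccess`. The doc should also state that the token request is sent with `this.ClientSecret`, since that makes the overload appropriate only for clients that actually hold a secret; callers such as the user-agent client extended in this commit will otherwise send whatever that property happens to contain. An `<exception cref="ProtocolException">` tag is warranted (that is presumably what `ErrorUtilities.ThrowProtocol` raises, judging by the `catch (ProtocolException ex)` around the same helper in ResourceServer.cs), because the failure path deletes the caller's state before throwing, a side effect a caller needs to know about.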
@@ -19,6 +19,17 @@ namespace DotNetOpenAuth.OAuth2.Messages {
 /// <summary>
 /// Initializes a new instance of the <see cref="UnauthorizedResponse"/> class.
 /// </summary>
+ /// <param name="exception">The exception.</param>
+ /// <param name="version">The protocol version.</param>
+ internal UnauthorizedResponse(ProtocolException exception, Version version = null)
+ : base(version ?? Protocol.Default.Version) {
+ Contract.Requires<ArgumentNullException>(exception != null, "exception");
+ this.ErrorMessage = exception.Message;
+ }
+
+ /// <summary>
+ /// Initializes a new instance of the <see cref="UnauthorizedResponse"/> class.
+ /// </summary>
 /// <param name="request">The request.</param>
 internal UnauthorizedResponse(IDirectedProtocolMessage request)
 : base(request) {
diff --git a/src/DotNetOpenAuth/OAuth2/ResourceServer.cs b/src/DotNetOpenAuth/OAuth2/ResourceServer.cs
index 3a86d29..25af340 100644
--- a/src/DotNetOpenAuth/OAuth2/ResourceServer.cs
+++ b/src/DotNetOpenAuth/OAuth2/ResourceServer.cs
@@ -92,7 +92,7 @@ namespace DotNetOpenAuth.OAuth2 {
 throw ErrorUtilities.ThrowProtocol("Missing access token.");
 }
 } catch (ProtocolException ex) {
- var response = new UnauthorizedResponse(request, ex);
+ var response = request != null ? new UnauthorizedResponse(request, ex) : new UnauthorizedResponse(ex);
 username = null;
 scope = null;
diff --git a/src/DotNetOpenAuth/OAuth2/UserAgentClient.cs b/src/DotNetOpenAuth/OAuth2/UserAgentClient.cs
index 1a30af0..f7e1a9f 100644
--- a/src/DotNetOpenAuth/OAuth2/UserAgentClient.cs
+++ b/src/DotNetOpenAuth/OAuth2/UserAgentClient.cs
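Review bot: The new `UnauthorizedResponse(ProtocolException exception, Version version)` constructor copies `exception.Message` straight into `ErrorMessage`, and given the type's name that text is presumably what the resource server sends back to an unauthenticated caller in the 401 (the ResourceServer hunk below builds this object inside its `catch (ProtocolException ex)`); any `ProtocolException` whose message describes internal state (configuration, key or store names, which validation step failed) therefore leaks it to the client. Unless every `ProtocolException` message is known to be client-safe, prefer a fixed description here and log the full exception server-side, e.g. `this.ErrorMessage = "The access token is missing or invalid.";` with the exception written to `Logger.OAuth`, gating `exception.Message` behind a debug setting if the detail is wanted during development. The pre-existing `(IDirectedProtocolMessage request, ProtocolException ex)` constructor is outside this hunk; if it does the same, the same caveat applies to it.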
@@ -90,10 +90,13 @@ namespace DotNetOpenAuth.OAuth2 {
 return null;
 }
- EndUserAuthorizationSuccessAccessTokenResponse success;
+ EndUserAuthorizationSuccessAccessTokenResponse accessTokenSuccess;
+ EndUserAuthorizationSuccessAuthCodeResponse authCodeSuccess;
 EndUserAuthorizationFailedResponse failure;
- if ((success = response as EndUserAuthorizationSuccessAccessTokenResponse) != null) {
- this.UpdateAuthorizationWithResponse(authorizationState, success);
+ if ((accessTokenSuccess = response as EndUserAuthorizationSuccessAccessTokenResponse) != null) {
+ this.UpdateAuthorizationWithResponse(authorizationState, accessTokenSuccess);
+ } else if ((authCodeSuccess = response as EndUserAuthorizationSuccessAuthCodeResponse) != null) {
+ this.UpdateAuthorizationWithResponse(authorizationState, authCodeSuccess);
 } else if ((failure = response as EndUserAuthorizationFailedResponse) != null) {
 authorizationState.Delete();
 return null;
diff --git a/src/DotNetOpenAuth/OAuth2/WebServerAuthorizationServer.cs b/src/DotNetOpenAuth/OAuth2/WebServerAuthorizationServer.cs
index 66bc96d..8800efd 100644
--- a/src/DotNetOpenAuth/OAuth2/WebServerAuthorizationServer.cs
+++ b/src/DotNetOpenAuth/OAuth2/WebServerAuthorizationServer.cs
@@ -70,7 +70,8 @@ namespace DotNetOpenAuth.OAuth2 {
 if (request != null) {
 // This convenience method only encrypts access tokens assuming that this auth server
 // doubles as the resource server.
- response = this.PrepareAccessTokenResponse(request, this.AuthorizationServer.AccessTokenSigningPrivateKey);
+ RSAParameters resourceServerPublicKey = this.AuthorizationServer.AccessTokenSigningPrivateKey;
+ response = this.PrepareAccessTokenResponse(request, resourceServerPublicKey);
 return true;
 }
diff --git a/src/DotNetOpenAuth/OAuth2/WebServerClient.cs b/src/DotNetOpenAuth/OAuth2/WebServerClient.cs
index d7116df..9b95677 100644
--- a/src/DotNetOpenAuth/OAuth2/WebServerClient.cs
+++ b/src/DotNetOpenAuth/OAuth2/WebServerClient.cs
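Review bot: The new `else if ((authCodeSuccess = response as EndUserAuthorizationSuccessAuthCodeResponse) != null)` branch has the user-agent client exchange an authorization code through the `UpdateAuthorizationWithResponse` overload added to `ClientBase` in this commit, and that overload sends `ClientSecret = this.ClientSecret` on the token request. A user-agent client runs on the end user's device, so either a secret is distributed with every copy (and is no longer a secret) or the exchange is attempted without one, and the hunk does not say which is intended. If codes are meant to be issued to such public clients, the token request should explicitly tolerate a null secret and the behaviour should be documented; otherwise this branch should fail with a clear error rather than silently attempt the exchange. The enclosing method starts before the hunk and continues after its last line.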
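Review bot: `RSAParameters resourceServerPublicKey = this.AuthorizationServer.AccessTokenSigningPrivateKey;` assigns the full private key (`D`, `P`, `Q` and the CRT parameters, not just `Modulus` and `Exponent`) to a variable that is named, and then used by `PrepareAccessTokenResponse`, as the resource server's public key. It works because the private `RSAParameters` also carry the public half, but it pushes private key material one layer further than the comment says is needed (only encryption to the resource server) and the name misleads the next reader. Export just the public half instead: `using (var rsa = new RSACryptoServiceProvider()) { rsa.ImportParameters(this.AuthorizationServer.AccessTokenSigningPrivateKey); resourceServerPublicKey = rsa.ExportParameters(false); }` (`RSAParameters` already requires `System.Security.Cryptography` to be in scope, so no new using should be needed). The same private-key-as-public-key pattern appears in the `yesButton_Click` hunk of `OAuthAuthorize.aspx.cs` in this commit and would benefit from the same treatment.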
@@ -120,22 +120,7 @@ namespace DotNetOpenAuth.OAuth2 {
 var failure = response as EndUserAuthorizationFailedResponse;
 ErrorUtilities.VerifyProtocol(success != null || failure != null, MessagingStrings.UnexpectedMessageReceivedOfMany);
 if (success != null) {
- var accessTokenRequest = new AccessTokenAuthorizationCodeRequest(this.AuthorizationServer) {
- ClientIdentifier = this.ClientIdentifier,
- ClientSecret = this.ClientSecret,
- Callback = authorizationState.Callback,
- AuthorizationCode = success.AuthorizationCode,
- };
- IProtocolMessage accessTokenResponse = this.Channel.Request(accessTokenRequest);
- var accessTokenSuccess = accessTokenResponse as AccessTokenSuccessResponse;
- var failedAccessTokenResponse = accessTokenResponse as AccessTokenFailedResponse;
- if (accessTokenSuccess != null) {
- this.UpdateAuthorizationWithResponse(authorizationState, accessTokenSuccess);
- } else {
- authorizationState.Delete();
- string error = failedAccessTokenResponse != null ? failedAccessTokenResponse.Error : "(unknown)";
- ErrorUtilities.ThrowProtocol(OAuthWrapStrings.CannotObtainAccessTokenWithReason, error);
- }
+ UpdateAuthorizationWithResponse(authorizationState, success);
 } else { // failure
 Logger.OAuth.Info("User refused to grant the requested authorization at the Authorization Server.");
 authorizationState.Delete(); |
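Review bot: The replacement `UpdateAuthorizationWithResponse(authorizationState, success);` drops the `this.` qualifier that every other instance-member access in this hunk uses (`this.AuthorizationServer`, `this.ClientIdentifier`, `this.Channel` and the inner `this.UpdateAuthorizationWithResponse(...)` on the removed side), leaving the one surviving call as the only unqualified one; if the project's StyleCop rules are enforced (the consistent `this.` usage suggests SA1101 is), it will also be flagged. Write `this.UpdateAuthorizationWithResponse(authorizationState, success);`. The enclosing method continues past the hunk's last line (the `else` branch is still open there).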