-rw-r--r-- | projecttemplates/WebFormsRelyingParty/Members/Web.config | 9 | ||||
-rw-r--r-- | projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs | 17 |
2 files changed, 24 insertions, 2 deletions
diff --git a/projecttemplates/WebFormsRelyingParty/Members/Web.config b/projecttemplates/WebFormsRelyingParty/Members/Web.config
index aafc323..f95a16d 100644
--- a/projecttemplates/WebFormsRelyingParty/Members/Web.config
+++ b/projecttemplates/WebFormsRelyingParty/Members/Web.config
@@ -15,4 +15,13 @@
 <deny users="?" />
 </authorization>
 </system.web>
+
+ <!-- Protect certain user pages from delegated (OAuth) clients. -->
+ <location path="AccountInfo.aspx">
+ <system.web>
+ <authorization>
+ <deny roles="delegated" />
+ </authorization>
+ </system.web>
+ </location>
 </configuration>
diff --git a/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
index ee254ac..e47a9de 100644
--- a/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
+++ b/projecttemplates/WebFormsRelyingParty/Model.IssuedAccessToken.cs
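Review bot: The `<deny roles="delegated" />` rule in the new `<location>` covers only `AccountInfo.aspx`, while the role it keys on is described in Model.IssuedAccessToken.cs as the hook for keeping OAuth requests out of account-management pages in general, so any other page under Members that edits credentials or account data remains reachable to a delegated principal unless it gets its own entry here. A deny list keyed on individual page names is fragile: a page added later is open to OAuth clients by default. Consider either grouping the account-management pages under a subfolder whose own Web.config carries the deny, or making the maintenance burden explicit in the comment: `<!-- Every page that manages account data or credentials must be listed here; delegated (OAuth) principals are otherwise allowed through. -->`. The literal role name "delegated" must also match the string added in IssuedAccessToken.Roles exactly, and nothing in the patch ties the two together.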
@@ -6,21 +6,34 @@ using DotNetOpenAuth.OAuth.ChannelElements;
 public partial class IssuedAccessToken : IServiceProviderAccessToken {
+ /// <summary>
+ /// Gets the roles that the OAuth principal should belong to.
+ /// </summary>
+ /// <value>
+ /// The roles that the user belongs to, or a subset of these according to the rights
+ /// granted when the user authorized the request token.
+ /// </value>
 string[] IServiceProviderAccessToken.Roles {
 get {
 List<string> roles = new List<string>();
 // Include the roles the user who authorized this OAuth token has.
- // TODO: code here
+ roles.AddRange(this.User.Roles.Select(r => r.Name));
 // Always add an extra role to indicate this is an OAuth-authorized request.
 // This allows us to deny access to account management pages to OAuth requests.
- roles.Add("OAuthToken");
+ roles.Add("delegated");
 return roles.ToArray();
 }
 }
+ /// <summary>
+ /// Gets the username of the principal that will be impersonated by this access token.
+ /// </summary>
+ /// <value>
+ /// The name of the user who authorized the OAuth request token originally.
+ /// </value>
 string IServiceProviderAccessToken.Username {
 get {
 // We don't really have the concept of a single username, but we |
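Review bot: The new `<value>` doc on Roles says the principal gets the user's roles "or a subset of these according to the rights granted when the user authorized the request token", but the getter adds every entry of `this.User.Roles` unconditionally — nothing in the hunk consults an authorized scope, so an access token carries the authorizing user's full role set and the only narrowing is whatever Web.config denies to the "delegated" role. Either implement the narrowing or make the doc state the real contract: `/// All roles of the authorizing user plus the "delegated" marker role; no scope-based narrowing is applied.`. The literal `"delegated"` also has to agree with `<deny roles="delegated" />` in Members/Web.config, and an application role that happens to share that name would be indistinguishable from the marker, so hoist it into `public const string DelegatedRoleName = "delegated";` on the class and use `roles.Add(DelegatedRoleName);` here, with the Web.config comment pointing at the constant. `this.User` is dereferenced without a null check; if a token row can exist without an associated user (presumably before authorization completes), this throws NullReferenceException rather than yielding an empty role set — worth confirming against the data model. The Username getter's body continues past the end of the hunk.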