diff options
4 files changed, 17 insertions, 3 deletions
diff --git a/samples/OAuthConsumerWpf/MainWindow.xaml.cs b/samples/OAuthConsumerWpf/MainWindow.xaml.cs index eacee60..3c55eeb 100644 --- a/samples/OAuthConsumerWpf/MainWindow.xaml.cs +++ b/samples/OAuthConsumerWpf/MainWindow.xaml.cs @@ -61,7 +61,7 @@ AuthorizationEndpoint = new Uri("http://localhost:50172/OAuth/Authorize"), TokenEndpoint = new Uri("http://localhost:50172/OAuth/Token"), }; - this.wcf = new UserAgentClient(authServer, "sampleImplicitConsumer"); + this.wcf = new UserAgentClient(authServer, "sampleconsumer", "samplesecret"); } private void beginAuthorizationButton_Click(object sender, RoutedEventArgs e) { diff --git a/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs index da46b0a..ad40fa5 100644 --- a/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs +++ b/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs @@ -62,7 +62,14 @@ namespace DotNetOpenAuth.OAuth2 { } EndUserAuthorizationRequest message; - this.Channel.TryReadFromRequest(request, out message); + if (this.Channel.TryReadFromRequest(request, out message)) { + if (message.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) { + // Clients with no secrets can only request implicit grant types. + var client = this.AuthorizationServerServices.GetClientOrThrow(message.ClientIdentifier); + ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(client.Secret), Protocol.unauthorized_client); + } + } + return message; } diff --git a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs index b7775b6..b86f5dd 100644 --- a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs +++ b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs @@ -135,7 +135,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { // Check that the client secret is correct. var client = this.AuthorizationServer.GetClientOrThrow(accessRequest.ClientIdentifier); - ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(client.Secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials); + string secret = client.Secret; + ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls. + ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials); var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest; if (scopedAccessRequest != null) { diff --git a/src/DotNetOpenAuth/OAuth2/Protocol.cs b/src/DotNetOpenAuth/OAuth2/Protocol.cs index 2b50439..3cb8253 100644 --- a/src/DotNetOpenAuth/OAuth2/Protocol.cs +++ b/src/DotNetOpenAuth/OAuth2/Protocol.cs @@ -70,6 +70,11 @@ namespace DotNetOpenAuth.OAuth2 { internal const string incorrect_client_credentials = "incorrect_client_credentials"; /// <summary> + /// The "unauthorized_client" string. + /// </summary> + internal const string unauthorized_client = "unauthorized_client"; + + /// <summary> /// The "authorization_expired" string. /// </summary> internal const string authorization_expired = "authorization_expired"; |