Diffstat (limited to 'samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs')
-rw-r--r-- | samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index 07cdd9d..9e490b0 100644
--- a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -45,14 +45,23 @@
 get { return AsymmetricTokenSigningPrivateKey; }
 }
- public RSACryptoServiceProvider CreateAccessTokenEncryptionKey(IAccessTokenRequest accessTokenRequestMessage) {
- var asymmetricTokenSigningServiceProvider = new RSACryptoServiceProvider();
+ public void PrepareAccessToken(IAccessTokenRequest accessTokenRequestMessage, out RSACryptoServiceProvider resourceServerEncryptionKey, out TimeSpan lifetime) {
+ resourceServerEncryptionKey = new RSACryptoServiceProvider();
 // For this sample, we assume just one resource server.
 // If this authorization server needs to mint access tokens for more than one resource server,
 // we'd look at the request message passed to us and decide which public key to return.
- asymmetricTokenSigningServiceProvider.ImportParameters(ResourceServerEncryptionPublicKey);
- return asymmetricTokenSigningServiceProvider;
+ resourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+
+ // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
+ // of access tokens that are used over standard HTTP.
+ // But this is just the lifetime of the access token. The client can still renew it using their refresh token until
+ // the authorization itself expires.
+ lifetime = TimeSpan.FromMinutes(2);
+
+ // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
+ // to account for that if necessary.
+ // TODO: code here
 }
 public IConsumerDescription GetClient(string clientIdentifier) {
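Review bot: The `// TODO: code here` at the end of `PrepareAccessToken` leaves the lifetime clamp unimplemented, so an access token minted shortly before the underlying authorization expires is still valid for the full two minutes, even though the comment directly above promises that the token's lifetime is shortened to fit the authorization. Either implement the clamp, e.g. `if (remaining < lifetime) { lifetime = remaining; }` where `remaining` is the time left on the authorization (the hunk does not show how the sample would look that up, so that part is inferred), or reword the comment so the sample does not claim a check it does not make. The comment above `lifetime = TimeSpan.FromMinutes(2);` could also be more precise about what a short lifetime buys: it bounds the window in which a token observed on plain HTTP can be replayed, it does not prevent the disclosure itself. The method's `accessTokenRequestMessage` parameter is otherwise unused, which the existing "just one resource server" comment already explains.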
@@ -77,7 +86,7 @@
 }
 // NEVER issue an auto-approval to a client that would end up getting an access token immediately
- // (without a client secret), as that would allow ANY client to spoof an approved client's identity
+ // (without a client secret), as that would allow arbitrary clients to masquarade as an approved client
 // and obtain unauthorized access to user data.
 if (authorizationRequest.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) {
 // Never issue auto-approval if the client secret is blank, since that too makes it easy to spoof |
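Review bot: The rewritten comment line misspells "masquerade" as `masquarade`; it should read `// (without a client secret), as that would allow arbitrary clients to masquerade as an approved client`. The enclosing method starts and ends outside the hunk.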