Diffstat (limited to 'samples/OAuthAuthorizationServer')
-rw-r--r-- | samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs | 19 | ||||
-rw-r--r-- | samples/OAuthAuthorizationServer/Controllers/OAuthController.cs | 12 |
2 files changed, 15 insertions, 16 deletions
diff --git a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index 07cdd9d..9e490b0 100644
--- a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -45,14 +45,23 @@
get { return AsymmetricTokenSigningPrivateKey; }
}
- public RSACryptoServiceProvider CreateAccessTokenEncryptionKey(IAccessTokenRequest accessTokenRequestMessage) {
- var asymmetricTokenSigningServiceProvider = new RSACryptoServiceProvider();
+ public void PrepareAccessToken(IAccessTokenRequest accessTokenRequestMessage, out RSACryptoServiceProvider resourceServerEncryptionKey, out TimeSpan lifetime) {
+ resourceServerEncryptionKey = new RSACryptoServiceProvider();
// For this sample, we assume just one resource server.
// If this authorization server needs to mint access tokens for more than one resource server,
// we'd look at the request message passed to us and decide which public key to return.
- asymmetricTokenSigningServiceProvider.ImportParameters(ResourceServerEncryptionPublicKey);
- return asymmetricTokenSigningServiceProvider;
+ resourceServerEncryptionKey.ImportParameters(ResourceServerEncryptionPublicKey);
+
+ // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
// of access tokens that are used over standard HTTP.
// But this is just the lifetime of the access token. The client can still renew it using their refresh token until
// the authorization itself expires.
+ lifetime = TimeSpan.FromMinutes(2);
+
+ // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
// to account for that if necessary.
// TODO: code here
}
public IConsumerDescription GetClient(string clientIdentifier) {
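Review bot: `PrepareAccessToken` still ends on the `// TODO: code here` placeholder where `lifetime` was to be clamped to the authorization's remaining life, so the commit moves that gap from the controller into the authorization server without closing it; until it is implemented, an access token minted just before the authorization expires can outlive it by up to the full two minutes. If `IAccessTokenRequest` exposes the authorization's expiry (not visible in this hunk), the clamp is a single line of the form `lifetime = TimeSpan.FromTicks(Math.Min(lifetime.Ticks, remaining.Ticks));` with `remaining` derived from that expiry; otherwise replace the TODO with a comment that names the limitation, e.g. `// NOTE: lifetime is not yet bounded by the authorization's remaining life; a token issued just before it expires may outlive it.` The comment that a two-minute lifetime mitigates use "over standard HTTP" should not read as making plaintext transport acceptable for bearer tokens; I would reword it to say the short lifetime only limits the window in which a captured token is useful, and add to the doc comment that the `out RSACryptoServiceProvider` is `IDisposable` and is owned (and disposed) by the caller. `GetClient`, which begins on the hunk's last line, continues outside it.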
@@ -77,7 +86,7 @@
}
// NEVER issue an auto-approval to a client that would end up getting an access token immediately
- // (without a client secret), as that would allow ANY client to spoof an approved client's identity
+ // (without a client secret), as that would allow arbitrary clients to masquarade as an approved client
// and obtain unauthorized access to user data.
if (authorizationRequest.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) {
// Never issue auto-approval if the client secret is blank, since that too makes it easy to spoof
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index 07dc8cc..a67c57b 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -23,18 +23,8 @@
public ActionResult Token() {
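Review bot: The rewritten comment on the `+` line misspells "masquerade" as "masquarade"; since this line is the whole change in the hunk, fix it here: `// (without a client secret), as that would allow arbitrary clients to masquerade as an approved client`. The `if` block that starts on the hunk's second-to-last line continues outside it.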
var request = this.authorizationServer.ReadAccessTokenRequest();
if (request != null) {
- // Just for the sake of the sample, we use a short-lived token. This can be useful to mitigate the security risks
- // of access tokens that are used over standard HTTP.
- // But this is just the lifetime of the access token. The client can still renew it using their refresh token until
- // the authorization itself expires.
- TimeSpan accessTokenLifetime = TimeSpan.FromMinutes(2);
-
- // Also take into account the remaining life of the authorization and artificially shorten the access token's lifetime
- // to account for that if necessary.
- // TODO: code here
-
// Prepare the refresh and access tokens.
- var response = this.authorizationServer.PrepareAccessTokenResponse(request, accessTokenLifetime);
+ var response = this.authorizationServer.PrepareAccessTokenResponse(request);
return this.authorizationServer.Channel.PrepareResponse(response).AsActionResult();
}