Diffstat (limited to 'samples/OAuthAuthorizationServer')
3 files changed, 220 insertions, 220 deletions
diff --git a/samples/OAuthAuthorizationServer/Controllers/AccountController.cs b/samples/OAuthAuthorizationServer/Controllers/AccountController.cs
index f3aa873..b3d24a2 100644
--- a/samples/OAuthAuthorizationServer/Controllers/AccountController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/AccountController.cs
@@ -4,77 +4,76 @@ using System.Threading.Tasks; using System.Web.Mvc; using System.Web.Security; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OpenId; - using DotNetOpenAuth.OpenId.RelyingParty; - using OAuthAuthorizationServer.Code; - using OAuthAuthorizationServer.Models; + using DotNetOpenAuth.Messaging; + using DotNetOpenAuth.OpenId; + using DotNetOpenAuth.OpenId.RelyingParty; + using OAuthAuthorizationServer.Code; + using OAuthAuthorizationServer.Models; - [HandleError] + [HandleError] public class AccountController : Controller { - // ************************************** - // URL: /Account/LogOn - // ************************************** + // ************************************** + // URL: /Account/LogOn + // ************************************** public ActionResult LogOn() { - return View(); - } + return View(); + } - [HttpPost] + [HttpPost] public async Task<ActionResult> LogOn(LogOnModel model, string returnUrl) { if (ModelState.IsValid) { - var rp = new OpenIdRelyingParty(); - var request = await rp.CreateRequestAsync(model.UserSuppliedIdentifier, Realm.AutoDetect, new Uri(Request.Url, Url.Action("Authenticate"))); + var rp = new OpenIdRelyingParty(); + var request = await rp.CreateRequestAsync(model.UserSuppliedIdentifier, Realm.AutoDetect, new Uri(Request.Url, Url.Action("Authenticate"))); if (request != null) { if (returnUrl != null) { - request.AddCallbackArguments("returnUrl", returnUrl); - } + request.AddCallbackArguments("returnUrl", returnUrl); + } - var response = await request.GetRedirectingResponseAsync(); - Response.ContentType = response.Content.Headers.ContentType.ToString(); - return response.AsActionResult(); + var response = await request.GetRedirectingResponseAsync(); + Response.ContentType = response.Content.Headers.ContentType.ToString(); + return response.AsActionResult(); } else { - ModelState.AddModelError(string.Empty, "The identifier you supplied is not recognized as a valid OpenID Identifier."); - } - } + 
ModelState.AddModelError(string.Empty, "The identifier you supplied is not recognized as a valid OpenID Identifier."); + } + } - // If we got this far, something failed, redisplay form - return View(model); - } + // If we got this far, something failed, redisplay form + return View(model); + } public async Task<ActionResult> Authenticate(string returnUrl) { - var rp = new OpenIdRelyingParty(); - var response = await rp.GetResponseAsync(Request); + var rp = new OpenIdRelyingParty(); + var response = await rp.GetResponseAsync(Request); if (response != null) { switch (response.Status) { - case AuthenticationStatus.Authenticated: - // Make sure we have a user account for this guy. - string identifier = response.ClaimedIdentifier; // convert to string so LinqToSQL expression parsing works. + case AuthenticationStatus.Authenticated: + // Make sure we have a user account for this guy. + string identifier = response.ClaimedIdentifier; // convert to string so LinqToSQL expression parsing works. if (MvcApplication.DataContext.Users.FirstOrDefault(u => u.OpenIDClaimedIdentifier == identifier) == null) { MvcApplication.DataContext.Users.InsertOnSubmit(new User { - OpenIDFriendlyIdentifier = response.FriendlyIdentifierForDisplay, - OpenIDClaimedIdentifier = response.ClaimedIdentifier, - }); - } + OpenIDFriendlyIdentifier = response.FriendlyIdentifierForDisplay, + OpenIDClaimedIdentifier = response.ClaimedIdentifier, + }); + } - FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false); - return this.Redirect(returnUrl ?? Url.Action("Index", "Home")); + FormsAuthentication.SetAuthCookie(response.ClaimedIdentifier, false); + return this.Redirect(returnUrl ?? 
Url.Action("Index", "Home")); + default: + ModelState.AddModelError(string.Empty, "An error occurred during login."); + break; + } + } - default: - ModelState.AddModelError(string.Empty, "An error occurred during login."); - break; - } - } + return this.View("LogOn"); + } - return this.View("LogOn"); - } - - // ************************************** - // URL: /Account/LogOff - // ************************************** + // ************************************** + // URL: /Account/LogOff + // ************************************** public ActionResult LogOff() { - FormsAuthentication.SignOut(); + FormsAuthentication.SignOut(); - return RedirectToAction("Index", "Home"); - } - } + return RedirectToAction("Index", "Home"); + } + } }
\ No newline at end of file
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index 81c73ca..3953c62 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -1,97 +1,97 @@
 namespace OAuthAuthorizationServer.Controllers {
- using System;
+ using System;
using System.Collections.Generic;
- using System.Linq;
- using System.Net;
+ using System.Linq;
+ using System.Net;
using System.Security.Cryptography;
- using System.Threading.Tasks;
- using System.Web;
- using System.Web.Mvc;
+ using System.Threading.Tasks;
+ using System.Web;
+ using System.Web.Mvc;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;
using OAuthAuthorizationServer.Code;
using OAuthAuthorizationServer.Models;
public class OAuthController : Controller {
- private readonly AuthorizationServer authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer());
+ private readonly AuthorizationServer authorizationServer = new AuthorizationServer(new OAuth2AuthorizationServer());
- /// <summary>
- /// The OAuth 2.0 token endpoint.
- /// </summary>
- /// <returns>The response to the Client.</returns>
+ /// <summary>
+ /// The OAuth 2.0 token endpoint.
+ /// </summary>
+ /// <returns>The response to the Client.</returns>
public async Task<ActionResult> Token() {
- var request = await this.authorizationServer.HandleTokenRequestAsync(this.Request, this.Response.ClientDisconnectedToken);
- Response.ContentType = request.Content.Headers.ContentType.ToString();
- return request.AsActionResult();
- }
+ var request = await this.authorizationServer.HandleTokenRequestAsync(this.Request, this.Response.ClientDisconnectedToken);
+ Response.ContentType = request.Content.Headers.ContentType.ToString();
+ return request.AsActionResult();
+ }
- /// <summary>
- /// Prompts the user to authorize a client to access the user's private data.
- /// </summary>
- /// <returns>The browser HTML response that prompts the user to authorize the client.</returns>
- [Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
- [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
+ /// <summary>
+ /// Prompts the user to authorize a client to access the user's private data.
+ /// </summary>
+ /// <returns>The browser HTML response that prompts the user to authorize the client.</returns>
+ [Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
+ [HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
public async Task<ActionResult> Authorize() {
- var pendingRequest = await this.authorizationServer.ReadAuthorizationRequestAsync(Request, Response.ClientDisconnectedToken);
+ var pendingRequest = await this.authorizationServer.ReadAuthorizationRequestAsync(Request, Response.ClientDisconnectedToken);
if (pendingRequest == null) {
- throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
- }
+ throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
+ }
- var requestingClient = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier);
+ var requestingClient = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier);
- // Consider auto-approving if safe to do so.
+ // Consider auto-approving if safe to do so.
if (((OAuth2AuthorizationServer)this.authorizationServer.AuthorizationServerServices).CanBeAutoApproved(pendingRequest)) {
- var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
- var response = await this.authorizationServer.Channel.PrepareResponseAsync(approval, Response.ClientDisconnectedToken);
- Response.ContentType = response.Content.Headers.ContentType.ToString();
- return response.AsActionResult();
- }
+ var approval = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, HttpContext.User.Identity.Name);
+ var response = await this.authorizationServer.Channel.PrepareResponseAsync(approval, Response.ClientDisconnectedToken);
+ Response.ContentType = response.Content.Headers.ContentType.ToString();
+ return response.AsActionResult();
+ }
var model = new AccountAuthorizeModel {
- ClientApp = requestingClient.Name,
- Scope = pendingRequest.Scope,
- AuthorizationRequest = pendingRequest,
- };
+ ClientApp = requestingClient.Name,
+ Scope = pendingRequest.Scope,
+ AuthorizationRequest = pendingRequest,
+ };
- return View(model);
- }
+ return View(model);
+ }
- /// <summary>
- /// Processes the user's response as to whether to authorize a Client to access his/her private data.
- /// </summary>
- /// <param name="isApproved">if set to <c>true</c>, the user has authorized the Client; <c>false</c> otherwise.</param>
- /// <returns>HTML response that redirects the browser to the Client.</returns>
- [Authorize, HttpPost, ValidateAntiForgeryToken]
+ /// <summary>
+ /// Processes the user's response as to whether to authorize a Client to access his/her private data.
+ /// </summary>
+ /// <param name="isApproved">if set to <c>true</c>, the user has authorized the Client; <c>false</c> otherwise.</param>
+ /// <returns>HTML response that redirects the browser to the Client.</returns>
+ [Authorize, HttpPost, ValidateAntiForgeryToken]
public async Task<ActionResult> AuthorizeResponse(bool isApproved) {
- var pendingRequest = await this.authorizationServer.ReadAuthorizationRequestAsync(Request, Response.ClientDisconnectedToken);
+ var pendingRequest = await this.authorizationServer.ReadAuthorizationRequestAsync(Request, Response.ClientDisconnectedToken);
if (pendingRequest == null) {
- throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
- }
+ throw new HttpException((int)HttpStatusCode.BadRequest, "Missing authorization request.");
+ }
- IDirectedProtocolMessage response;
+ IDirectedProtocolMessage response;
if (isApproved) {
- // The authorization we file in our database lasts until the user explicitly revokes it.
- // You can cause the authorization to expire by setting the ExpirationDateUTC
- // property in the below created ClientAuthorization.
- var client = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier);
- client.ClientAuthorizations.Add(
+ // The authorization we file in our database lasts until the user explicitly revokes it.
+ // You can cause the authorization to expire by setting the ExpirationDateUTC
+ // property in the below created ClientAuthorization.
+ var client = MvcApplication.DataContext.Clients.First(c => c.ClientIdentifier == pendingRequest.ClientIdentifier);
+ client.ClientAuthorizations.Add(
new ClientAuthorization {
- Scope = OAuthUtilities.JoinScopes(pendingRequest.Scope),
- User = MvcApplication.LoggedInUser,
- CreatedOnUtc = DateTime.UtcNow,
- });
- MvcApplication.DataContext.SubmitChanges(); // submit now so that this new row can be retrieved later in this same HTTP request
+ Scope = OAuthUtilities.JoinScopes(pendingRequest.Scope),
+ User = MvcApplication.LoggedInUser,
+ CreatedOnUtc = DateTime.UtcNow,
+ });
+ MvcApplication.DataContext.SubmitChanges(); // submit now so that this new row can be retrieved later in this same HTTP request
- // In this simple sample, the user either agrees to the entire scope requested by the client or none of it.
- // But in a real app, you could grant a reduced scope of access to the client by passing a scope parameter to this method.
- response = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, User.Identity.Name);
+ // In this simple sample, the user either agrees to the entire scope requested by the client or none of it.
+ // But in a real app, you could grant a reduced scope of access to the client by passing a scope parameter to this method.
+ response = this.authorizationServer.PrepareApproveAuthorizationRequest(pendingRequest, User.Identity.Name);
} else {
- response = this.authorizationServer.PrepareRejectAuthorizationRequest(pendingRequest);
- }
+ response = this.authorizationServer.PrepareRejectAuthorizationRequest(pendingRequest);
+ }
- var preparedResponse = await this.authorizationServer.Channel.PrepareResponseAsync(response, Response.ClientDisconnectedToken);
- Response.ContentType = preparedResponse.Content.Headers.ContentType.ToString();
- return preparedResponse.AsActionResult();
- }
- }
+ var preparedResponse = await this.authorizationServer.Channel.PrepareResponseAsync(response, Response.ClientDisconnectedToken);
+ Response.ContentType = preparedResponse.Content.Headers.ContentType.ToString();
+ return preparedResponse.AsActionResult();
+ }
+ }
}
\ No newline at end of file
diff --git a/samples/OAuthAuthorizationServer/Web.config b/samples/OAuthAuthorizationServer/Web.config
index 08cd69b..ff5baed 100644
--- a/samples/OAuthAuthorizationServer/Web.config
+++ b/samples/OAuthAuthorizationServer/Web.config
@@ -6,119 +6,120 @@ --> <configuration> - <configSections> - <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false" /> - <sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth.Core"> - <section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" /> - <section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth.OAuth" requirePermission="false" allowLocation="true" /> - <sectionGroup name="oauth2" type="DotNetOpenAuth.Configuration.OAuth2SectionGroup, DotNetOpenAuth.OAuth2"> - <section name="authorizationServer" type="DotNetOpenAuth.Configuration.OAuth2AuthorizationServerSection, DotNetOpenAuth.OAuth2.AuthorizationServer" requirePermission="false" allowLocation="true" /> - </sectionGroup> - <section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" /> - <section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" /> - </sectionGroup> - </configSections> + <configSections> + <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler" requirePermission="false"/> + <sectionGroup name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection, DotNetOpenAuth.Core"> + <section name="openid" type="DotNetOpenAuth.Configuration.OpenIdElement, DotNetOpenAuth.OpenId" requirePermission="false" allowLocation="true" /> + <section name="oauth" type="DotNetOpenAuth.Configuration.OAuthElement, DotNetOpenAuth.OAuth" requirePermission="false" allowLocation="true" /> + <sectionGroup name="oauth2" type="DotNetOpenAuth.Configuration.OAuth2SectionGroup, DotNetOpenAuth.OAuth2"> + <section name="authorizationServer" 
type="DotNetOpenAuth.Configuration.OAuth2AuthorizationServerSection, DotNetOpenAuth.OAuth2.AuthorizationServer" requirePermission="false" allowLocation="true" /> + </sectionGroup> + <section name="messaging" type="DotNetOpenAuth.Configuration.MessagingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" /> + <section name="reporting" type="DotNetOpenAuth.Configuration.ReportingElement, DotNetOpenAuth.Core" requirePermission="false" allowLocation="true" /> + </sectionGroup> + </configSections> - <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names), - which is necessary for OpenID urls with unicode characters in the domain/host name. - It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. --> - <uri> - <idn enabled="All" /> - <iriParsing enabled="true" /> - </uri> + <!-- The uri section is necessary to turn on .NET 3.5 support for IDN (international domain names), + which is necessary for OpenID urls with unicode characters in the domain/host name. + It is also required to put the Uri class into RFC 3986 escaping mode, which OpenID and OAuth require. --> + <uri> + <idn enabled="All"/> + <iriParsing enabled="true"/> + </uri> - <system.net> - <defaultProxy enabled="true" /> - <settings> - <!-- This setting causes .NET to check certificate revocation lists (CRL) - before trusting HTTPS certificates. But this setting tends to not - be allowed in shared hosting environments. --> - <!--<servicePointManager checkCertificateRevocationList="true" />--> - </settings> - </system.net> + <system.net> + <defaultProxy enabled="true" /> + <settings> + <!-- This setting causes .NET to check certificate revocation lists (CRL) + before trusting HTTPS certificates. But this setting tends to not + be allowed in shared hosting environments. 
--> + <!--<servicePointManager checkCertificateRevocationList="true"/>--> + </settings> + </system.net> - <!-- this is an optional configuration section where aspects of dotnetopenauth can be customized --> - <dotNetOpenAuth> - <!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. --> - <reporting enabled="true" /> - <oauth2> - <authorizationServer> - </authorizationServer> - </oauth2> + <!-- this is an optional configuration section where aspects of dotnetopenauth can be customized --> + <dotNetOpenAuth> + <!-- Allow DotNetOpenAuth to publish usage statistics to library authors to improve the library. --> + <reporting enabled="true" /> + <oauth2> + <authorizationServer> + </authorizationServer> + </oauth2> - <!-- Relaxing SSL requirements is useful for simple samples, but NOT a good idea in production. --> - <messaging relaxSslRequirements="true"> - <untrustedWebRequest> - <whitelistHosts> - <!-- since this is a sample, and will often be used with localhost --> - <add name="localhost" /> - </whitelistHosts> - </untrustedWebRequest> - </messaging> - </dotNetOpenAuth> + <!-- Relaxing SSL requirements is useful for simple samples, but NOT a good idea in production. 
--> + <messaging relaxSslRequirements="true"> + <untrustedWebRequest> + <whitelistHosts> + <!-- since this is a sample, and will often be used with localhost --> + <add name="localhost"/> + </whitelistHosts> + </untrustedWebRequest> + </messaging> + </dotNetOpenAuth> - <log4net> - <!-- Setup the root category, add the appenders and set the default level --> - <root> - <level value="INFO" /> - <!--<appender-ref ref="RollingFileAppender" />--> - <appender-ref ref="TracePageAppender" /> - </root> - <!-- Specify the level for some specific categories --> - <logger name="DotNetOpenAuth"> - <level value="ALL" /> - </logger> - </log4net> + <log4net> + <!-- Setup the root category, add the appenders and set the default level --> + <root> + <level value="INFO"/> + <!--<appender-ref ref="RollingFileAppender" />--> + <appender-ref ref="TracePageAppender"/> + </root> + <!-- Specify the level for some specific categories --> + <logger name="DotNetOpenAuth"> + <level value="ALL"/> + </logger> + </log4net> - <connectionStrings> + <connectionStrings> <add name="DatabaseConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database4.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient" /> - </connectionStrings> + </connectionStrings> - <appSettings> - <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" /> - </appSettings> + <appSettings> + <add key="ValidationSettings:UnobtrusiveValidationMode" value="None" /> + </appSettings> - <system.web> - <httpRuntime targetFramework="4.5" /> - <compilation debug="true" targetFramework="4.0"> - <assemblies> - <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> - <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> - <add assembly="System.Web.Mvc, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> - </assemblies> - </compilation> 
+ <system.web> + <httpRuntime targetFramework="4.5" /> + <compilation debug="true" targetFramework="4.0"> + <assemblies> + <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> + <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> + <add assembly="System.Web.Mvc, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> + </assemblies> + </compilation> - <authentication mode="Forms"> - <forms loginUrl="~/Account/LogOn" timeout="2880" /> - </authentication> + <authentication mode="Forms"> + <forms loginUrl="~/Account/LogOn" timeout="2880" /> + </authentication> - <pages> - <namespaces> - <add namespace="System.Web.Mvc" /> - <add namespace="System.Web.Mvc.Ajax" /> - <add namespace="System.Web.Mvc.Html" /> - <add namespace="System.Web.Routing" /> - </namespaces> - </pages> - </system.web> + <pages> + <namespaces> + <add namespace="System.Web.Mvc" /> + <add namespace="System.Web.Mvc.Ajax" /> + <add namespace="System.Web.Mvc.Html" /> + <add namespace="System.Web.Routing" /> + </namespaces> + </pages> + </system.web> - <system.webServer> - <validation validateIntegratedModeConfiguration="false" /> - <modules runAllManagedModulesForAllRequests="true" /> - <security> - <authentication> - <anonymousAuthentication enabled="true" /> - </authentication> - </security> - </system.webServer> + <system.webServer> + <validation validateIntegratedModeConfiguration="false"/> + <modules runAllManagedModulesForAllRequests="true"/> + <security> + <authentication> + <anonymousAuthentication enabled="true" /> + </authentication> + </security> + </system.webServer> + + <runtime> + <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> + <dependentAssembly> + <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" /> + <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.0.0.0" /> + </dependentAssembly> + </assemblyBinding> + </runtime> 
+</configuration> - <runtime> - <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> - <dependentAssembly> - <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" /> - <bindingRedirect oldVersion="1.0.0.0-4.0.0.0" newVersion="4.0.0.0" /> - </dependentAssembly> - </assemblyBinding> - </runtime> -</configuration>
\ No newline at end of file |