2 files changed, 11 insertions, 28 deletions

diff --git a/samples/OAuthResourceServer/Code/Global.cs b/samples/OAuthResourceServer/Code/Global.cs
index a70930b..a48baff 100644
--- a/samples/OAuthResourceServer/Code/Global.cs
+++ b/samples/OAuthResourceServer/Code/Global.cs
@@ -32,15 +32,6 @@
 #endif
 
 		/// <summary>
-		/// The authorization server crypto service provider that contains a public key.
-		/// </summary>
-		/// <remarks>
-		/// Since <see cref="RSACryptoServiceProvider"/> are not thread-safe, one must be created for each thread.
-		/// </remarks>
-		[ThreadStatic]
-		public static readonly RSACryptoServiceProvider AuthorizationServerSigningServiceProvider = CreateAuthorizationServerSigningServiceProvider();
-
-		/// <summary>
 		/// An application memory cache of recent log messages.
 		/// </summary>
 		public static StringBuilder LogMessages = new StringBuilder();
@@ -74,19 +65,10 @@
 #endif
 
 		/// <summary>
-		/// The crypto service provider for this resource server that contains the private key used to decrypt an access token.
-		/// </summary>
-		/// <remarks>
-		/// Since <see cref="RSACryptoServiceProvider"/> are not thread-safe, one must be created for each thread.
-		/// </remarks>
-		[ThreadStatic]
-		internal static readonly RSACryptoServiceProvider ResourceServerEncryptionServiceProvider = CreateResourceServerEncryptionServiceProvider();
-
-		/// <summary>
 		/// Creates the crypto service provider for this resource server that contains the private key used to decrypt an access token.
 		/// </summary>
 		/// <returns>An RSA crypto service provider.</returns>
-		private static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider() {
+		internal static RSACryptoServiceProvider CreateResourceServerEncryptionServiceProvider() {
 			var resourceServerEncryptionServiceProvider = new RSACryptoServiceProvider();
 			resourceServerEncryptionServiceProvider.ImportParameters(ResourceServerEncryptionPrivateKey);
 			return resourceServerEncryptionServiceProvider;
@@ -96,7 +78,7 @@
 		/// Creates the crypto service provider for the authorization server that contains the public key used to verify an access token signature.
 		/// </summary>
 		/// <returns>An RSA crypto service provider.</returns>
-		private static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider() {
+		internal static RSACryptoServiceProvider CreateAuthorizationServerSigningServiceProvider() {
 			var authorizationServerSigningServiceProvider = new RSACryptoServiceProvider();
 			authorizationServerSigningServiceProvider.ImportParameters(AuthorizationServerSigningPublicKey);
 			return authorizationServerSigningServiceProvider;
diff --git a/samples/OAuthResourceServer/Code/OAuthAuthorizationManager.cs b/samples/OAuthResourceServer/Code/OAuthAuthorizationManager.cs
index 4b47dd5..0c1953d 100644
--- a/samples/OAuthResourceServer/Code/OAuthAuthorizationManager.cs
+++ b/samples/OAuthResourceServer/Code/OAuthAuthorizationManager.cs
@@ -64,16 +64,17 @@
 		private static IPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri) {
 			// for this sample where the auth server and resource server are the same site,
 			// we use the same public/private key.
-			var resourceServer = new ResourceServer(
-				new StandardAccessTokenAnalyzer(
-					Global.AuthorizationServerSigningServiceProvider,
-					Global.ResourceServerEncryptionServiceProvider));
+			using (var signing = Global.CreateAuthorizationServerSigningServiceProvider()) {
+				using (var encrypting = Global.CreateResourceServerEncryptionServiceProvider()) {
+					var resourceServer = new ResourceServer(new StandardAccessTokenAnalyzer(signing, encrypting));
 
-			IPrincipal result;
-			var error = resourceServer.VerifyAccess(new HttpRequestInfo(httpDetails, requestUri), out result);
+					IPrincipal result;
+					var error = resourceServer.VerifyAccess(new HttpRequestInfo(httpDetails, requestUri), out result);
 
-			// TODO: return the prepared error code.
-			return error != null ? null : result;
+					// TODO: return the prepared error code.
+					return error != null ? null : result;
+				}
+			}
 		}
 	}
 }