1 files changed, 43 insertions, 15 deletions

diff --git a/samples/OAuthServiceProvider/Code/OAuthAuthorizationManager.cs b/samples/OAuthServiceProvider/Code/OAuthAuthorizationManager.cs
index 6d5bfff..92038bd 100644
--- a/samples/OAuthServiceProvider/Code/OAuthAuthorizationManager.cs
+++ b/samples/OAuthServiceProvider/Code/OAuthAuthorizationManager.cs
@@ -7,8 +7,9 @@
 	using System.ServiceModel;
 	using System.ServiceModel.Channels;
 	using System.ServiceModel.Security;
-	using DotNetOpenAuth;
 	using DotNetOpenAuth.OAuth;
+	using DotNetOpenAuth.OAuth.ChannelElements;
+	using DotNetOpenAuth.OAuthWrap;
 
 	/// <summary>
 	/// A WCF extension to authenticate incoming messages using OAuth.
@@ -24,17 +25,14 @@
 
 			HttpRequestMessageProperty httpDetails = operationContext.RequestContext.RequestMessage.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
 			Uri requestUri = operationContext.RequestContext.RequestMessage.Properties["OriginalHttpRequestUri"] as Uri;
-			ServiceProvider sp = Constants.CreateServiceProvider();
-			try {
-				var auth = sp.ReadProtectedResourceAuthorization(httpDetails, requestUri);
-				if (auth != null) {
-					var accessToken = Global.DataContext.OAuthTokens.Single(token => token.Token == auth.AccessToken);
 
-					var principal = sp.CreatePrincipal(auth);
+			try {
+				var principal = this.VerifyOAuth2(httpDetails, requestUri);
+				if (principal != null) {
 					var policy = new OAuthPrincipalAuthorizationPolicy(principal);
 					var policies = new List<IAuthorizationPolicy> {
-					policy,
-				};
+						policy,
+					};
 
 					var securityContext = new ServiceSecurityContext(policies.AsReadOnly());
 					if (operationContext.IncomingMessageProperties.Security != null) {
@@ -46,14 +44,13 @@
 					}
 
 					securityContext.AuthorizationContext.Properties["Identities"] = new List<IIdentity> {
-					principal.Identity,
-				};
+						principal.Identity,
+					};
 
 					// Only allow this method call if the access token scope permits it.
-					string[] scopes = accessToken.Scope.Split('|');
-					if (scopes.Contains(operationContext.IncomingMessageHeaders.Action)) {
-						return true;
-					}
+					return principal.IsInRole(operationContext.IncomingMessageHeaders.Action);
+				} else {
+					return false;
 				}
 			} catch (ProtocolException ex) {
 				Global.Logger.Error("Error processing OAuth messages.", ex);
@@ -61,5 +58,36 @@
 
 			return false;
 		}
+
+		private OAuthPrincipal VerifyOAuth1(HttpRequestMessageProperty httpDetails, Uri requestUri) {
+			ServiceProvider sp = Constants.CreateServiceProvider();
+			var auth = sp.ReadProtectedResourceAuthorization(httpDetails, requestUri);
+			if (auth != null) {
+				var accessToken = Global.DataContext.OAuthTokens.Single(token => token.Token == auth.AccessToken);
+				var principal = sp.CreatePrincipal(auth);
+				return principal;
+			}
+
+			return null;
+		}
+
+		private OAuthPrincipal VerifyOAuth2(HttpRequestMessageProperty httpDetails, Uri requestUri) {
+			// for this sample where the auth server and resource server are the same site,
+			// we use the same public/private key.
+			var resourceServer = new ResourceServer(
+				new StandardAccessTokenAnalyzer(
+					OAuth2AuthorizationServer.AsymmetricKey,
+					OAuth2AuthorizationServer.AsymmetricKey));
+
+			string username, scope;
+			var error = resourceServer.VerifyAccess(new DotNetOpenAuth.Messaging.HttpRequestInfo(httpDetails, requestUri), out username, out scope);
+			if (error == null) {
+				string[] scopes = scope.Split(new char[] { ' ' });
+				var principal = new OAuthPrincipal(username, scopes);
+				return principal;
+			} else {
+				return null;
+			}
+		}
 	}
 }
\ No newline at end of file