diff options
Diffstat (limited to 'src/DotNetOpenAuth.OAuth.Consumer')
16 files changed, 686 insertions, 713 deletions
diff --git a/src/DotNetOpenAuth.OAuth.Consumer/DotNetOpenAuth.OAuth.Consumer.csproj b/src/DotNetOpenAuth.OAuth.Consumer/DotNetOpenAuth.OAuth.Consumer.csproj index 922b860..fe14abc 100644 --- a/src/DotNetOpenAuth.OAuth.Consumer/DotNetOpenAuth.OAuth.Consumer.csproj +++ b/src/DotNetOpenAuth.OAuth.Consumer/DotNetOpenAuth.OAuth.Consumer.csproj @@ -19,17 +19,16 @@ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' "> </PropertyGroup> <ItemGroup> - <Compile Include="OAuth\ChannelElements\IConsumerTokenManager.cs" /> - <Compile Include="OAuth\ChannelElements\OAuthConsumerChannel.cs" /> - <Compile Include="OAuth\ChannelElements\OAuthConsumerMessageFactory.cs" /> - <Compile Include="OAuth\ChannelElements\RsaSha1ConsumerSigningBindingElement.cs" /> - <Compile Include="OAuth\ConsumerBase.cs" /> - <Compile Include="OAuth\DesktopConsumer.cs" /> + <Compile Include="OAuth\AccessToken.cs" /> + <Compile Include="OAuth\AccessTokenResponse.cs" /> + <Compile Include="OAuth\ITemporaryCredentialStorage.cs" /> + <Compile Include="OAuth\Consumer.cs" /> + <Compile Include="OAuth\CookieTemporaryCredentialStorage.cs" /> + <Compile Include="OAuth\MemoryTemporaryCredentialStorage.cs" /> <Compile Include="OAuth\OAuth1HmacSha1HttpMessageHandler.cs" /> <Compile Include="OAuth\OAuth1HttpMessageHandlerBase.cs" /> <Compile Include="OAuth\OAuth1PlainTextMessageHandler.cs" /> <Compile Include="OAuth\OAuth1RsaSha1HttpMessageHandler.cs" /> - <Compile Include="OAuth\WebConsumer.cs" /> <Compile Include="Properties\AssemblyInfo.cs"> <SubType> </SubType> diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessToken.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessToken.cs new file mode 100644 index 0000000..20e3ec4 --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessToken.cs @@ -0,0 +1,39 @@ +//----------------------------------------------------------------------- +// <copyright file="AccessToken.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuth { + /// <summary> + /// An OAuth 1.0 access token and secret. + /// </summary> + public struct AccessToken { + /// <summary> + /// Initializes a new instance of the <see cref="AccessToken"/> struct. + /// </summary> + /// <param name="token">The token.</param> + /// <param name="secret">The secret.</param> + public AccessToken(string token, string secret) + : this() { + this.Token = token; + this.Secret = secret; + } + + /// <summary> + /// Gets or sets the token. + /// </summary> + /// <value> + /// The token. + /// </value> + public string Token { get; set; } + + /// <summary> + /// Gets or sets the token secret. + /// </summary> + /// <value> + /// The secret. + /// </value> + public string Secret { get; set; } + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessTokenResponse.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessTokenResponse.cs new file mode 100644 index 0000000..dd35400 --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/AccessTokenResponse.cs @@ -0,0 +1,19 @@ +namespace DotNetOpenAuth.OAuth { + using System; + using System.Collections.Generic; + using System.Collections.Specialized; + using System.Linq; + using System.Text; + using System.Threading.Tasks; + + public class AccessTokenResponse { + public AccessTokenResponse(string accessToken, string tokenSecret, NameValueCollection extraData) { + this.AccessToken = new AccessToken(accessToken, tokenSecret); + this.ExtraData = extraData; + } + + public AccessToken AccessToken { get; set; } + + public NameValueCollection ExtraData { get; set; } + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/IConsumerTokenManager.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/IConsumerTokenManager.cs deleted file mode 100644 index 74ec3be..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/IConsumerTokenManager.cs +++ /dev/null @@ -1,25 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="IConsumerTokenManager.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth.ChannelElements { - /// <summary> - /// A token manager for use by a web site in its role as a consumer of - /// an individual ServiceProvider. - /// </summary> - public interface IConsumerTokenManager : ITokenManager { - /// <summary> - /// Gets the consumer key. - /// </summary> - /// <value>The consumer key.</value> - string ConsumerKey { get; } - - /// <summary> - /// Gets the consumer secret. - /// </summary> - /// <value>The consumer secret.</value> - string ConsumerSecret { get; } - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerChannel.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerChannel.cs deleted file mode 100644 index a10ff09..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerChannel.cs +++ /dev/null @@ -1,67 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="OAuthConsumerChannel.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth.ChannelElements { - using System; - using System.Collections.Generic; - using System.Diagnostics.CodeAnalysis; - using System.Linq; - using System.Text; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.Messaging.Bindings; - using Validation; - - /// <summary> - /// The messaging channel for OAuth 1.0(a) Consumers. - /// </summary> - internal class OAuthConsumerChannel : OAuthChannel { - /// <summary> - /// Initializes a new instance of the <see cref="OAuthConsumerChannel" /> class. - /// </summary> - /// <param name="signingBindingElement">The binding element to use for signing.</param> - /// <param name="store">The web application store to use for nonces.</param> - /// <param name="tokenManager">The token manager instance to use.</param> - /// <param name="securitySettings">The security settings.</param> - /// <param name="messageFactory">The message factory.</param> - /// <param name="hostFactories">The host factories.</param> - [SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "System.Diagnostics.Contracts.__ContractsRuntime.Requires<System.ArgumentNullException>(System.Boolean,System.String,System.String)", Justification = "Code contracts"), SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "securitySettings", Justification = "Code contracts")] - internal OAuthConsumerChannel(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store, IConsumerTokenManager tokenManager, ConsumerSecuritySettings securitySettings, IMessageFactory messageFactory = null, IHostFactories hostFactories = null) - : base( - signingBindingElement, - tokenManager, - securitySettings, - messageFactory ?? new OAuthConsumerMessageFactory(), - InitializeBindingElements(signingBindingElement, store), - hostFactories) { - Requires.NotNull(tokenManager, "tokenManager"); - Requires.NotNull(securitySettings, "securitySettings"); - Requires.NotNull(signingBindingElement, "signingBindingElement"); - } - - /// <summary> - /// Gets the consumer secret for a given consumer key. - /// </summary> - /// <param name="consumerKey">The consumer key.</param> - /// <returns>The consumer secret.</returns> - protected override string GetConsumerSecret(string consumerKey) { - var consumerTokenManager = (IConsumerTokenManager)this.TokenManager; - ErrorUtilities.VerifyInternal(consumerKey == consumerTokenManager.ConsumerKey, "The token manager consumer key and the consumer key set earlier do not match!"); - return consumerTokenManager.ConsumerSecret; - } - - /// <summary> - /// Initializes the binding elements for the OAuth channel. - /// </summary> - /// <param name="signingBindingElement">The signing binding element.</param> - /// <param name="store">The nonce store.</param> - /// <returns> - /// An array of binding elements used to initialize the channel. - /// </returns> - private static new IChannelBindingElement[] InitializeBindingElements(ITamperProtectionChannelBindingElement signingBindingElement, INonceStore store) { - return OAuthChannel.InitializeBindingElements(signingBindingElement, store).ToArray(); - } - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerMessageFactory.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerMessageFactory.cs deleted file mode 100644 index e79749f..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/OAuthConsumerMessageFactory.cs +++ /dev/null @@ -1,108 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="OAuthConsumerMessageFactory.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth.ChannelElements { - using System; - using System.Collections.Generic; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OAuth.Messages; - - /// <summary> - /// An OAuth-protocol specific implementation of the <see cref="IMessageFactory"/> - /// interface. - /// </summary> - public class OAuthConsumerMessageFactory : IMessageFactory { - /// <summary> - /// Initializes a new instance of the <see cref="OAuthConsumerMessageFactory"/> class. - /// </summary> - protected internal OAuthConsumerMessageFactory() { - } - - #region IMessageFactory Members - - /// <summary> - /// Analyzes an incoming request message payload to discover what kind of - /// message is embedded in it and returns the type, or null if no match is found. - /// </summary> - /// <param name="recipient">The intended or actual recipient of the request message.</param> - /// <param name="fields">The name/value pairs that make up the message payload.</param> - /// <returns> - /// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can - /// deserialize to. Null if the request isn't recognized as a valid protocol message. - /// </returns> - /// <remarks> - /// The request messages are: - /// UserAuthorizationResponse - /// </remarks> - public virtual IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary<string, string> fields) { - MessageBase message = null; - - if (fields.ContainsKey("oauth_token")) { - Protocol protocol = fields.ContainsKey("oauth_verifier") ? Protocol.V10a : Protocol.V10; - message = new UserAuthorizationResponse(recipient.Location, protocol.Version); - } - - if (message != null) { - message.SetAsIncoming(); - } - - return message; - } - - /// <summary> - /// Analyzes an incoming request message payload to discover what kind of - /// message is embedded in it and returns the type, or null if no match is found. - /// </summary> - /// <param name="request"> - /// The message that was sent as a request that resulted in the response. - /// Null on a Consumer site that is receiving an indirect message from the Service Provider. - /// </param> - /// <param name="fields">The name/value pairs that make up the message payload.</param> - /// <returns> - /// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can - /// deserialize to. Null if the request isn't recognized as a valid protocol message. - /// </returns> - /// <remarks> - /// The response messages are: - /// UnauthorizedTokenResponse - /// AuthorizedTokenResponse - /// </remarks> - public virtual IDirectResponseProtocolMessage GetNewResponseMessage(IDirectedProtocolMessage request, IDictionary<string, string> fields) { - MessageBase message = null; - - // All response messages have the oauth_token field. - if (!fields.ContainsKey("oauth_token")) { - return null; - } - - // All direct message responses should have the oauth_token_secret field. - if (!fields.ContainsKey("oauth_token_secret")) { - Logger.OAuth.Error("An OAuth message was expected to contain an oauth_token_secret but didn't."); - return null; - } - - var unauthorizedTokenRequest = request as UnauthorizedTokenRequest; - var authorizedTokenRequest = request as AuthorizedTokenRequest; - if (unauthorizedTokenRequest != null) { - Protocol protocol = fields.ContainsKey("oauth_callback_confirmed") ? Protocol.V10a : Protocol.V10; - message = new UnauthorizedTokenResponse(unauthorizedTokenRequest, protocol.Version); - } else if (authorizedTokenRequest != null) { - message = new AuthorizedTokenResponse(authorizedTokenRequest); - } else { - Logger.OAuth.ErrorFormat("Unexpected response message given the request type {0}", request.GetType().Name); - throw new ProtocolException(OAuthStrings.InvalidIncomingMessage); - } - - if (message != null) { - message.SetAsIncoming(); - } - - return message; - } - - #endregion - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/RsaSha1ConsumerSigningBindingElement.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/RsaSha1ConsumerSigningBindingElement.cs deleted file mode 100644 index d492e33..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ChannelElements/RsaSha1ConsumerSigningBindingElement.cs +++ /dev/null @@ -1,76 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="RsaSha1ConsumerSigningBindingElement.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth.ChannelElements { - using System; - using System.Diagnostics.CodeAnalysis; - using System.Security.Cryptography; - using System.Security.Cryptography.X509Certificates; - using System.Text; - using DotNetOpenAuth.Messaging; - using Validation; - - /// <summary> - /// A binding element that signs outgoing messages and verifies the signature on incoming messages. - /// </summary> - [SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Sha", Justification = "Acronym")] - public class RsaSha1ConsumerSigningBindingElement : RsaSha1SigningBindingElement { - /// <summary> - /// Initializes a new instance of the <see cref="RsaSha1ConsumerSigningBindingElement"/> class. - /// </summary> - /// <param name="signingCertificate">The certificate used to sign outgoing messages.</param> - public RsaSha1ConsumerSigningBindingElement(X509Certificate2 signingCertificate) { - Requires.NotNull(signingCertificate, "signingCertificate"); - - this.SigningCertificate = signingCertificate; - } - - /// <summary> - /// Gets or sets the certificate used to sign outgoing messages. Used only by Consumers. - /// </summary> - public X509Certificate2 SigningCertificate { get; set; } - - /// <summary> - /// Determines whether the signature on some message is valid. - /// </summary> - /// <param name="message">The message to check the signature on.</param> - /// <returns> - /// <c>true</c> if the signature on the message is valid; otherwise, <c>false</c>. - /// </returns> - protected override bool IsSignatureValid(ITamperResistantOAuthMessage message) { - throw new NotImplementedException(); - } - - /// <summary> - /// Calculates a signature for a given message. - /// </summary> - /// <param name="message">The message to sign.</param> - /// <returns>The signature for the message.</returns> - /// <remarks> - /// This method signs the message per OAuth 1.0 section 9.3. - /// </remarks> - protected override string GetSignature(ITamperResistantOAuthMessage message) { - ErrorUtilities.VerifyOperation(this.SigningCertificate != null, OAuthStrings.X509CertificateNotProvidedForSigning); - - string signatureBaseString = ConstructSignatureBaseString(message, this.Channel.MessageDescriptions.GetAccessor(message)); - byte[] data = Encoding.ASCII.GetBytes(signatureBaseString); - var provider = (RSACryptoServiceProvider)this.SigningCertificate.PrivateKey; - byte[] binarySignature = provider.SignData(data, "SHA1"); - string base64Signature = Convert.ToBase64String(binarySignature); - return base64Signature; - } - - /// <summary> - /// Creates a new object that is a copy of the current instance. - /// </summary> - /// <returns> - /// A new object that is a copy of this instance. - /// </returns> - protected override ITamperProtectionChannelBindingElement Clone() { - return new RsaSha1ConsumerSigningBindingElement(this.SigningCertificate); - } - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/Consumer.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/Consumer.cs new file mode 100644 index 0000000..578902c --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/Consumer.cs @@ -0,0 +1,336 @@ +//----------------------------------------------------------------------- +// <copyright file="Consumer.cs" company="Outercurve Foundation"> +// Copyright (c) Outercurve Foundation. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuth { + using System; + using System.Collections.Generic; + using System.Diagnostics.CodeAnalysis; + using System.Linq; + using System.Net; + using System.Net.Http; + using System.Security.Cryptography.X509Certificates; + using System.Threading; + using System.Threading.Tasks; + using System.Web; + using DotNetOpenAuth.Configuration; + using DotNetOpenAuth.Messaging; + using DotNetOpenAuth.Messaging.Bindings; + using DotNetOpenAuth.OAuth.ChannelElements; + using DotNetOpenAuth.OAuth.Messages; + using Validation; + + /// <summary> + /// Base class for <see cref="WebConsumer"/> and <see cref="DesktopConsumer"/> types. + /// </summary> + public class Consumer { + /// <summary> + /// The host factories. + /// </summary> + private IHostFactories hostFactories; + + /// <summary> + /// Initializes a new instance of the <see cref="Consumer"/> class. + /// </summary> + public Consumer() { + this.HostFactories = new DefaultOAuthHostFactories(); + } + + /// <summary> + /// Initializes a new instance of the <see cref="Consumer"/> class. + /// </summary> + /// <param name="consumerKey">The consumer key.</param> + /// <param name="consumerSecret">The consumer secret.</param> + /// <param name="serviceProvider">The service provider.</param> + /// <param name="temporaryCredentialStorage">The temporary credential storage.</param> + public Consumer( + string consumerKey, + string consumerSecret, + ServiceProviderDescription serviceProvider, + ITemporaryCredentialStorage temporaryCredentialStorage) { + this.ConsumerKey = consumerKey; + this.ConsumerSecret = consumerSecret; + this.ServiceProvider = serviceProvider; + this.TemporaryCredentialStorage = temporaryCredentialStorage; + } + + /// <summary> + /// Gets or sets the object with factories for host-customizable services. + /// </summary> + public IHostFactories HostFactories { + get { + return this.hostFactories; + } + + set { + Requires.NotNull(value, "value"); + this.hostFactories = value; + } + } + + /// <summary> + /// Gets the Consumer Key used to communicate with the Service Provider. + /// </summary> + public string ConsumerKey { get; set; } + + /// <summary> + /// Gets or sets the consumer secret. + /// </summary> + /// <value> + /// The consumer secret. + /// </value> + public string ConsumerSecret { get; set; } + + /// <summary> + /// Gets or sets the consumer certificate. + /// </summary> + /// <value> + /// The consumer certificate. + /// </value> + /// <remarks> + /// If set, this causes all outgoing messages to be signed with the certificate instead of the consumer secret. + /// </remarks> + public X509Certificate2 ConsumerCertificate { get; set; } + + /// <summary> + /// Gets or sets the Service Provider that will be accessed. + /// </summary> + public ServiceProviderDescription ServiceProvider { get; set; } + + /// <summary> + /// Gets the persistence store for tokens and secrets. + /// </summary> + public ITemporaryCredentialStorage TemporaryCredentialStorage { get; set; } + + /// <summary> + /// Obtains an access token for a new account at the Service Provider via 2-legged OAuth. + /// </summary> + /// <param name="requestParameters">Any applicable parameters to include in the query string of the token request.</param> + /// <param name="cancellationToken">The cancellation token.</param> + /// <returns>The access token.</returns> + public async Task<AccessTokenResponse> RequestNewClientAccountAsync(IEnumerable<KeyValuePair<string, string>> requestParameters = null, CancellationToken cancellationToken = default(CancellationToken)) { + Verify.Operation(this.ConsumerKey != null, Strings.RequiredPropertyNotYetPreset, "ConsumerKey"); + Verify.Operation(this.ServiceProvider != null, Strings.RequiredPropertyNotYetPreset, "ServiceProvider"); + + using (var handler = this.CreateMessageHandler()) { + using (var client = this.CreateHttpClient(handler)) { + string identifier, secret; + + var requestUri = new UriBuilder(this.ServiceProvider.TemporaryCredentialsRequestEndpoint); + requestUri.AppendQueryArgument(Protocol.CallbackParameter, "oob"); + requestUri.AppendQueryArgs(requestParameters); + var request = new HttpRequestMessage(this.ServiceProvider.TemporaryCredentialsRequestEndpointMethod, requestUri.Uri); + using (var response = await client.SendAsync(request, cancellationToken)) { + response.EnsureSuccessStatusCode(); + cancellationToken.ThrowIfCancellationRequested(); + + // Parse the response and ensure that it meets the requirements of the OAuth 1.0 spec. + string content = await response.Content.ReadAsStringAsync(); + var responseData = HttpUtility.ParseQueryString(content); + identifier = responseData[Protocol.TokenParameter]; + secret = responseData[Protocol.TokenSecretParameter]; + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(identifier), MessagingStrings.RequiredParametersMissing, typeof(UnauthorizedTokenResponse).Name, Protocol.TokenParameter); + ErrorUtilities.VerifyProtocol(secret != null, MessagingStrings.RequiredParametersMissing, typeof(UnauthorizedTokenResponse).Name, Protocol.TokenSecretParameter); + } + + // Immediately exchange the temporary credential for an access token. + handler.AccessToken = identifier; + handler.AccessTokenSecret = secret; + request = new HttpRequestMessage(this.ServiceProvider.TokenRequestEndpointMethod, this.ServiceProvider.TokenRequestEndpoint); + using (var response = await client.SendAsync(request, cancellationToken)) { + response.EnsureSuccessStatusCode(); + + // Parse the response and ensure that it meets the requirements of the OAuth 1.0 spec. + string content = await response.Content.ReadAsStringAsync(); + var responseData = HttpUtility.ParseQueryString(content); + string accessToken = responseData[Protocol.TokenParameter]; + string tokenSecret = responseData[Protocol.TokenSecretParameter]; + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(accessToken), MessagingStrings.RequiredParametersMissing, typeof(AuthorizedTokenResponse).Name, Protocol.TokenParameter); + ErrorUtilities.VerifyProtocol(tokenSecret != null, MessagingStrings.RequiredParametersMissing, typeof(AuthorizedTokenResponse).Name, Protocol.TokenSecretParameter); + + responseData.Remove(Protocol.TokenParameter); + responseData.Remove(Protocol.TokenSecretParameter); + return new AccessTokenResponse(accessToken, tokenSecret, responseData); + } + } + } + } + + /// <summary> + /// Prepares an OAuth message that begins an authorization request that will + /// redirect the user to the Service Provider to provide that authorization. + /// </summary> + /// <param name="callback">The absolute URI that the Service Provider should redirect the + /// User Agent to upon successful authorization, or <c>null</c> to signify an out of band return.</param> + /// <param name="requestParameters">Extra parameters to add to the request token message. Optional.</param> + /// <param name="cancellationToken">The cancellation token.</param> + /// <returns> + /// The URL to direct the user agent to for user authorization. + /// </returns> + public async Task<Uri> RequestUserAuthorizationAsync(Uri callback = null, IEnumerable<KeyValuePair<string, string>> requestParameters = null, CancellationToken cancellationToken = default(CancellationToken)) { + Requires.NotNull(callback, "callback"); + Verify.Operation(this.ConsumerKey != null, Strings.RequiredPropertyNotYetPreset, "ConsumerKey"); + Verify.Operation(this.TemporaryCredentialStorage != null, Strings.RequiredPropertyNotYetPreset, "TemporaryCredentialStorage"); + Verify.Operation(this.ServiceProvider != null, Strings.RequiredPropertyNotYetPreset, "ServiceProvider"); + + // Obtain temporary credentials before the redirect. + using (var client = this.CreateHttpClient(new AccessToken())) { + var requestUri = new UriBuilder(this.ServiceProvider.TemporaryCredentialsRequestEndpoint); + requestUri.AppendQueryArgument(Protocol.CallbackParameter, callback != null ? callback.AbsoluteUri : "oob"); + requestUri.AppendQueryArgs(requestParameters); + var request = new HttpRequestMessage(this.ServiceProvider.TemporaryCredentialsRequestEndpointMethod, requestUri.Uri); + using (var response = await client.SendAsync(request, cancellationToken)) { + response.EnsureSuccessStatusCode(); + cancellationToken.ThrowIfCancellationRequested(); + + // Parse the response and ensure that it meets the requirements of the OAuth 1.0 spec. + string content = await response.Content.ReadAsStringAsync(); + var responseData = HttpUtility.ParseQueryString(content); + ErrorUtilities.VerifyProtocol(string.Equals(responseData[Protocol.CallbackConfirmedParameter], "true", StringComparison.Ordinal), MessagingStrings.RequiredParametersMissing, typeof(UnauthorizedTokenResponse).Name, Protocol.CallbackConfirmedParameter); + string identifier = responseData[Protocol.TokenParameter]; + string secret = responseData[Protocol.TokenSecretParameter]; + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(identifier), MessagingStrings.RequiredParametersMissing, typeof(UnauthorizedTokenResponse).Name, Protocol.TokenParameter); + ErrorUtilities.VerifyProtocol(secret != null, MessagingStrings.RequiredParametersMissing, typeof(UnauthorizedTokenResponse).Name, Protocol.TokenSecretParameter); + + // Save the temporary credential we received so that after user authorization + // we can use it to obtain the access token. + cancellationToken.ThrowIfCancellationRequested(); + this.TemporaryCredentialStorage.SaveTemporaryCredential(identifier, secret); + + // Construct the user authorization URL so our caller can direct a browser to it. + var authorizationEndpoint = new UriBuilder(this.ServiceProvider.ResourceOwnerAuthorizationEndpoint); + authorizationEndpoint.AppendQueryArgument(Protocol.TokenParameter, identifier); + return authorizationEndpoint.Uri; + } + } + } + + /// <summary> + /// Obtains an access token after a successful user authorization. + /// </summary> + /// <param name="authorizationCompleteUri">The URI used to redirect back to the consumer that contains a message from the service provider.</param> + /// <param name="cancellationToken">The cancellation token.</param> + /// <returns> + /// The access token assigned by the Service Provider, or <c>null</c> if no response was detected in the specified URL. + /// </returns> + public Task<AccessTokenResponse> ProcessUserAuthorizationAsync(Uri authorizationCompleteUri, CancellationToken cancellationToken = default(CancellationToken)) { + Requires.NotNull(authorizationCompleteUri, "authorizationCompleteUri"); + Verify.Operation(this.TemporaryCredentialStorage != null, Strings.RequiredPropertyNotYetPreset, "TemporaryCredentialStorage"); + + // Parse the response and verify that it meets spec requirements. + var queryString = HttpUtility.ParseQueryString(authorizationCompleteUri.Query); + string identifier = queryString[Protocol.TokenParameter]; + string verifier = queryString[Protocol.VerifierParameter]; + + if (identifier == null) { + // We assume there is no response message here at all, and return null to indicate that. + return null; + } + + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(identifier), MessagingStrings.RequiredNonEmptyParameterWasEmpty, typeof(UserAuthorizationResponse).Name, Protocol.TokenParameter); + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(verifier), MessagingStrings.RequiredNonEmptyParameterWasEmpty, typeof(UserAuthorizationResponse).Name, Protocol.VerifierParameter); + + var temporaryCredential = this.TemporaryCredentialStorage.RetrieveTemporaryCredential(); + Verify.Operation(string.Equals(temporaryCredential.Key, identifier, StringComparison.Ordinal), "Temporary credential identifiers do not match."); + + return this.ProcessUserAuthorizationAsync(verifier, cancellationToken); + } + + /// <summary> + /// Obtains an access token after a successful user authorization. + /// </summary> + /// <param name="verifier">The verifier.</param> + /// <param name="cancellationToken">The cancellation token.</param> + /// <returns> + /// The access token assigned by the Service Provider. + /// </returns> + public async Task<AccessTokenResponse> ProcessUserAuthorizationAsync(string verifier, CancellationToken cancellationToken = default(CancellationToken)) { + Requires.NotNull(verifier, "verifier"); + Verify.Operation(this.ConsumerKey != null, Strings.RequiredPropertyNotYetPreset, "ConsumerKey"); + Verify.Operation(this.TemporaryCredentialStorage != null, Strings.RequiredPropertyNotYetPreset, "TemporaryCredentialStorage"); + Verify.Operation(this.ServiceProvider != null, Strings.RequiredPropertyNotYetPreset, "ServiceProvider"); + + var temporaryCredential = this.TemporaryCredentialStorage.RetrieveTemporaryCredential(); + + using (var client = this.CreateHttpClient(new AccessToken(temporaryCredential.Key, temporaryCredential.Value))) { + var requestUri = new UriBuilder(this.ServiceProvider.TokenRequestEndpoint); + requestUri.AppendQueryArgument(Protocol.VerifierParameter, verifier); + var request = new HttpRequestMessage(this.ServiceProvider.TokenRequestEndpointMethod, requestUri.Uri); + using (var response = await client.SendAsync(request, cancellationToken)) { + response.EnsureSuccessStatusCode(); + + // Parse the response and ensure that it meets the requirements of the OAuth 1.0 spec. + string content = await response.Content.ReadAsStringAsync(); + var responseData = HttpUtility.ParseQueryString(content); + string accessToken = responseData[Protocol.TokenParameter]; + string tokenSecret = responseData[Protocol.TokenSecretParameter]; + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(accessToken), MessagingStrings.RequiredParametersMissing, typeof(AuthorizedTokenResponse).Name, Protocol.TokenParameter); + ErrorUtilities.VerifyProtocol(tokenSecret != null, MessagingStrings.RequiredParametersMissing, typeof(AuthorizedTokenResponse).Name, Protocol.TokenSecretParameter); + + responseData.Remove(Protocol.TokenParameter); + responseData.Remove(Protocol.TokenSecretParameter); + return new AccessTokenResponse(accessToken, tokenSecret, responseData); + } + } + } + + /// <summary> + /// Creates a message handler that signs outbound requests with a previously obtained authorization. + /// </summary> + /// <param name="accessToken">The access token to authorize outbound HTTP requests with.</param> + /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> + /// <returns> + /// A message handler. + /// </returns> + /// <remarks> + /// Overrides of this method may allow various derived types of handlers to be returned, + /// enabling consumers that use RSA or other signing methods. + /// </remarks> + public virtual OAuth1HttpMessageHandlerBase CreateMessageHandler(AccessToken accessToken = default(AccessToken), HttpMessageHandler innerHandler = null) { + Verify.Operation(this.ConsumerKey != null, Strings.RequiredPropertyNotYetPreset, "ConsumerKey"); + + innerHandler = innerHandler ?? this.HostFactories.CreateHttpMessageHandler(); + OAuth1HttpMessageHandlerBase handler; + if (this.ConsumerCertificate != null) { + handler = new OAuth1RsaSha1HttpMessageHandler(innerHandler) { + SigningCertificate = this.ConsumerCertificate, + }; + } else { + handler = new OAuth1HmacSha1HttpMessageHandler(innerHandler); + } + + handler.ConsumerKey = this.ConsumerKey; + handler.ConsumerSecret = this.ConsumerSecret; + handler.AccessToken = accessToken.Token; + handler.AccessTokenSecret = accessToken.Secret; + + return handler; + } + + /// <summary> + /// Creates the HTTP client. + /// </summary> + /// <param name="accessToken">The access token to authorize outbound HTTP requests with.</param> + /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> + /// <returns>The HttpClient to use.</returns> + public HttpClient CreateHttpClient(AccessToken accessToken, HttpMessageHandler innerHandler = null) { + var handler = this.CreateMessageHandler(accessToken, innerHandler); + var client = this.HostFactories.CreateHttpClient(handler); + return client; + } + + /// <summary> + /// Creates the HTTP client. + /// </summary> + /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> + /// <returns>The HttpClient to use.</returns> + public HttpClient CreateHttpClient(OAuth1HttpMessageHandlerBase innerHandler) { + Requires.NotNull(innerHandler, "innerHandler"); + + var client = this.HostFactories.CreateHttpClient(innerHandler); + return client; + } + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ConsumerBase.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ConsumerBase.cs deleted file mode 100644 index 1bea2c5..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ConsumerBase.cs +++ /dev/null @@ -1,258 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="ConsumerBase.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth { - using System; - using System.Collections.Generic; - using System.Diagnostics.CodeAnalysis; - using System.Linq; - using System.Net; - using System.Net.Http; - using System.Threading; - using System.Threading.Tasks; - using DotNetOpenAuth.Configuration; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.Messaging.Bindings; - using DotNetOpenAuth.OAuth.ChannelElements; - using DotNetOpenAuth.OAuth.Messages; - using Validation; - - /// <summary> - /// Base class for <see cref="WebConsumer"/> and <see cref="DesktopConsumer"/> types. - /// </summary> - public class ConsumerBase : IDisposable { - /// <summary> - /// Initializes a new instance of the <see cref="ConsumerBase"/> class. - /// </summary> - /// <param name="serviceDescription">The endpoints and behavior of the Service Provider.</param> - /// <param name="tokenManager">The host's method of storing and recalling tokens and secrets.</param> - protected ConsumerBase(ServiceProviderDescription serviceDescription, IConsumerTokenManager tokenManager) { - Requires.NotNull(serviceDescription, "serviceDescription"); - Requires.NotNull(tokenManager, "tokenManager"); - - ITamperProtectionChannelBindingElement signingElement = serviceDescription.CreateTamperProtectionElement(); - INonceStore store = new NonceMemoryStore(StandardExpirationBindingElement.MaximumMessageAge); - this.SecuritySettings = OAuthElement.Configuration.Consumer.SecuritySettings.CreateSecuritySettings(); - this.OAuthChannel = new OAuthConsumerChannel(signingElement, store, tokenManager, this.SecuritySettings); - this.ServiceProvider = serviceDescription; - - OAuthReporting.RecordFeatureAndDependencyUse(this, serviceDescription, tokenManager, null); - } - - /// <summary> - /// Gets the Consumer Key used to communicate with the Service Provider. - /// </summary> - public string ConsumerKey { - get { return this.TokenManager.ConsumerKey; } - } - - /// <summary> - /// Gets the Service Provider that will be accessed. - /// </summary> - public ServiceProviderDescription ServiceProvider { get; private set; } - - /// <summary> - /// Gets the persistence store for tokens and secrets. - /// </summary> - public IConsumerTokenManager TokenManager { - get { return (IConsumerTokenManager)this.OAuthChannel.TokenManager; } - } - - /// <summary> - /// Gets the channel to use for sending/receiving messages. - /// </summary> - public Channel Channel { - get { return this.OAuthChannel; } - } - - /// <summary> - /// Gets the security settings for this consumer. - /// </summary> - internal ConsumerSecuritySettings SecuritySettings { get; private set; } - - /// <summary> - /// Gets or sets the channel to use for sending/receiving messages. - /// </summary> - internal OAuthChannel OAuthChannel { get; set; } - - /// <summary> - /// Creates a message handler that signs outbound requests with a previously obtained authorization. - /// </summary> - /// <param name="accessToken">The access token to authorize outbound HTTP requests with.</param> - /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> - /// <returns> - /// A message handler. - /// </returns> - public OAuth1HttpMessageHandlerBase CreateMessageHandler(string accessToken = null, HttpMessageHandler innerHandler = null) { - return new OAuth1HmacSha1HttpMessageHandler() { - ConsumerKey = this.ConsumerKey, - ConsumerSecret = this.TokenManager.ConsumerSecret, - AccessToken = accessToken, - AccessTokenSecret = accessToken != null ? this.TokenManager.GetTokenSecret(accessToken) : null, - InnerHandler = innerHandler ?? this.Channel.HostFactories.CreateHttpMessageHandler(), - }; - } - - /// <summary> - /// Creates the HTTP client. - /// </summary> - /// <param name="accessToken">The access token to authorize outbound HTTP requests with.</param> - /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> - /// <returns>The HttpClient to use.</returns> - public HttpClient CreateHttpClient(string accessToken, HttpMessageHandler innerHandler = null) { - Requires.NotNullOrEmpty(accessToken, "accessToken"); - - var handler = this.CreateMessageHandler(accessToken, innerHandler); - var client = this.Channel.HostFactories.CreateHttpClient(handler); - return client; - } - - /// <summary> - /// Creates the HTTP client. - /// </summary> - /// <param name="innerHandler">The inner handler that actually sends the HTTP message on the network.</param> - /// <returns>The HttpClient to use.</returns> - public HttpClient CreateHttpClient(OAuth1HttpMessageHandlerBase innerHandler) { - Requires.NotNull(innerHandler, "innerHandler"); - - var client = this.Channel.HostFactories.CreateHttpClient(innerHandler); - return client; - } - - /// <summary> - /// Obtains an access token for a new account at the Service Provider via 2-legged OAuth. - /// </summary> - /// <param name="requestParameters">Any applicable parameters to include in the query string of the token request.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns>The access token.</returns> - /// <remarks> - /// The token secret is stored in the <see cref="TokenManager"/>. - /// </remarks> - public async Task<string> RequestNewClientAccountAsync(IDictionary<string, string> requestParameters = null, CancellationToken cancellationToken = default(CancellationToken)) { - // Obtain an unauthorized request token. Force use of OAuth 1.0 (not 1.0a) so that - // we are not expected to provide an oauth_verifier which doesn't apply in 2-legged OAuth. - var token = new UnauthorizedTokenRequest(this.ServiceProvider.RequestTokenEndpoint, Protocol.V10.Version) { - ConsumerKey = this.ConsumerKey, - }; - var tokenAccessor = this.Channel.MessageDescriptions.GetAccessor(token); - tokenAccessor.AddExtraParameters(requestParameters); - var requestTokenResponse = await this.Channel.RequestAsync<UnauthorizedTokenResponse>(token, cancellationToken); - this.TokenManager.StoreNewRequestToken(token, requestTokenResponse); - - var requestAccess = new AuthorizedTokenRequest(this.ServiceProvider.AccessTokenEndpoint, Protocol.V10.Version) { - RequestToken = requestTokenResponse.RequestToken, - ConsumerKey = this.ConsumerKey, - }; - var grantAccess = await this.Channel.RequestAsync<AuthorizedTokenResponse>(requestAccess, cancellationToken); - this.TokenManager.ExpireRequestTokenAndStoreNewAccessToken(this.ConsumerKey, requestTokenResponse.RequestToken, grantAccess.AccessToken, grantAccess.TokenSecret); - return grantAccess.AccessToken; - } - - #region IDisposable Members - - /// <summary> - /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources. - /// </summary> - public void Dispose() { - this.Dispose(true); - GC.SuppressFinalize(this); - } - - #endregion - - /// <summary> - /// Creates a web request prepared with OAuth authorization - /// that may be further tailored by adding parameters by the caller. - /// </summary> - /// <param name="endpoint">The URL and method on the Service Provider to send the request to.</param> - /// <param name="accessToken">The access token that permits access to the protected resource.</param> - /// <returns>The initialized WebRequest object.</returns> - protected internal AccessProtectedResourceRequest CreateAuthorizingMessage(MessageReceivingEndpoint endpoint, string accessToken) { - Requires.NotNull(endpoint, "endpoint"); - Requires.NotNullOrEmpty(accessToken, "accessToken"); - - AccessProtectedResourceRequest message = new AccessProtectedResourceRequest(endpoint, this.ServiceProvider.Version) { - AccessToken = accessToken, - ConsumerKey = this.ConsumerKey, - }; - - return message; - } - - /// <summary> - /// Prepares an OAuth message that begins an authorization request that will - /// redirect the user to the Service Provider to provide that authorization. - /// </summary> - /// <param name="callback">An optional Consumer URL that the Service Provider should redirect the - /// User Agent to upon successful authorization.</param> - /// <param name="requestParameters">Extra parameters to add to the request token message. Optional.</param> - /// <param name="redirectParameters">Extra parameters to add to the redirect to Service Provider message. Optional.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns> - /// The pending user agent redirect based message to be sent as an HttpResponse. - /// </returns> - [SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "3#", Justification = "Two results")] - protected internal async Task<UserAuthorizationRequest> PrepareRequestUserAuthorizationAsync(Uri callback, IDictionary<string, string> requestParameters, IDictionary<string, string> redirectParameters, CancellationToken cancellationToken = default(CancellationToken)) { - // Obtain an unauthorized request token. Assume the OAuth version given in the service description. - var token = new UnauthorizedTokenRequest(this.ServiceProvider.RequestTokenEndpoint, this.ServiceProvider.Version) { - ConsumerKey = this.ConsumerKey, - Callback = callback, - }; - var tokenAccessor = this.Channel.MessageDescriptions.GetAccessor(token); - tokenAccessor.AddExtraParameters(requestParameters); - var requestTokenResponse = await this.Channel.RequestAsync<UnauthorizedTokenResponse>(token, cancellationToken); - this.TokenManager.StoreNewRequestToken(token, requestTokenResponse); - - // Fine-tune our understanding of the SP's supported OAuth version if it's wrong. - if (this.ServiceProvider.Version != requestTokenResponse.Version) { - Logger.OAuth.WarnFormat("Expected OAuth service provider at endpoint {0} to use OAuth {1} but {2} was detected. Adjusting service description to new version.", this.ServiceProvider.RequestTokenEndpoint.Location, this.ServiceProvider.Version, requestTokenResponse.Version); - this.ServiceProvider.ProtocolVersion = Protocol.Lookup(requestTokenResponse.Version).ProtocolVersion; - } - - // Request user authorization. The OAuth version will automatically include - // or drop the callback that we're setting here. - ITokenContainingMessage assignedRequestToken = requestTokenResponse; - var requestAuthorization = new UserAuthorizationRequest(this.ServiceProvider.UserAuthorizationEndpoint, assignedRequestToken.Token, requestTokenResponse.Version) { - Callback = callback, - }; - var requestAuthorizationAccessor = this.Channel.MessageDescriptions.GetAccessor(requestAuthorization); - requestAuthorizationAccessor.AddExtraParameters(redirectParameters); - return requestAuthorization; - } - - /// <summary> - /// Exchanges a given request token for access token. - /// </summary> - /// <param name="requestToken">The request token that the user has authorized.</param> - /// <param name="verifier">The verifier code.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns> - /// The access token assigned by the Service Provider. - /// </returns> - protected async Task<AuthorizedTokenResponse> ProcessUserAuthorizationAsync(string requestToken, string verifier, CancellationToken cancellationToken = default(CancellationToken)) { - Requires.NotNullOrEmpty(requestToken, "requestToken"); - - var requestAccess = new AuthorizedTokenRequest(this.ServiceProvider.AccessTokenEndpoint, this.ServiceProvider.Version) { - RequestToken = requestToken, - VerificationCode = verifier, - ConsumerKey = this.ConsumerKey, - }; - var grantAccess = await this.Channel.RequestAsync<AuthorizedTokenResponse>(requestAccess, cancellationToken); - this.TokenManager.ExpireRequestTokenAndStoreNewAccessToken(this.ConsumerKey, requestToken, grantAccess.AccessToken, grantAccess.TokenSecret); - return grantAccess; - } - - /// <summary> - /// Releases unmanaged and - optionally - managed resources - /// </summary> - /// <param name="disposing"><c>true</c> to release both managed and unmanaged resources; <c>false</c> to release only unmanaged resources.</param> - protected virtual void Dispose(bool disposing) { - if (disposing) { - this.Channel.Dispose(); - } - } - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/CookieTemporaryCredentialStorage.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/CookieTemporaryCredentialStorage.cs new file mode 100644 index 0000000..25941e6 --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/CookieTemporaryCredentialStorage.cs @@ -0,0 +1,130 @@ +//----------------------------------------------------------------------- +// <copyright file="CookieTemporaryCredentialStorage.cs" company="Microsoft"> +// Copyright (c) Microsoft. All rights reserved. +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuth { + using System; + using System.Collections.Generic; + using System.Linq; + using System.Text; + using System.Threading.Tasks; + using System.Web; + using System.Web.Security; + using Validation; + + /// <summary> + /// Provides temporary credential storage by persisting them in a protected cookie on the + /// user agent (i.e. browser). + /// </summary> + public class CookieTemporaryCredentialStorage : ITemporaryCredentialStorage { + /// <summary> + /// Key used for token cookie + /// </summary> + protected const string TokenCookieKey = "DNOAOAuth1TempCredential"; + + /// <summary> + /// Primary request context. + /// </summary> + private readonly HttpContextBase httpContext; + + /// <summary> + /// Initializes a new instance of the <see cref="CookieTemporaryCredentialsStorage"/> class + /// using <see cref="HttpContext.Current"/> as the source for the context to read and write cookies to. + /// </summary> + public CookieTemporaryCredentialStorage() + : this(new HttpContextWrapper(HttpContext.Current)) { + } + + /// <summary> + /// Initializes a new instance of the <see cref="CookieTemporaryCredentialsStorage"/> class. + /// </summary> + /// <param name="httpContext">The HTTP context from and to which to access cookies.</param> + public CookieTemporaryCredentialStorage(HttpContextBase httpContext) { + Requires.NotNull(httpContext, "httpContext"); + this.httpContext = httpContext; + } + + #region ITemporaryCredentialsStorage Members + + /// <summary> + /// Saves the temporary credential. + /// </summary> + /// <param name="identifier">The identifier.</param> + /// <param name="secret">The secret.</param> + public void SaveTemporaryCredential(string identifier, string secret) { + var cookie = new HttpCookie(TokenCookieKey) { + HttpOnly = true + }; + + if (FormsAuthentication.RequireSSL) { + cookie.Secure = true; + } + + var encryptedToken = ProtectAndEncodeToken(identifier, secret); + cookie.Values[identifier] = encryptedToken; + + this.httpContext.Response.Cookies.Set(cookie); + } + + /// <summary> + /// Obtains the temporary credential identifier and secret, if available. + /// </summary> + /// <returns> + /// An initialized key value pair if credentials are available; otherwise both key and value are <c>null</c>. + /// </returns> + /// <exception cref="System.NotImplementedException"></exception> + public KeyValuePair<string, string> RetrieveTemporaryCredential() { + HttpCookie cookie = this.httpContext.Request.Cookies[TokenCookieKey]; + if (cookie == null || cookie.Values.Count == 0) { + return new KeyValuePair<string, string>(); + } + + string identifier = cookie.Values.GetKey(0); + string secret = DecodeAndUnprotectToken(identifier, cookie.Values[identifier]); + return new KeyValuePair<string, string>(identifier, secret); + } + + /// <summary> + /// Clears the temporary credentials from storage. + /// </summary> + /// <remarks> + /// DotNetOpenAuth calls this when the credentials are no longer needed. + /// </remarks> + public void ClearTemporaryCredential() { + var cookie = new HttpCookie(TokenCookieKey) { + Value = string.Empty, + Expires = DateTime.UtcNow.AddDays(-5), + }; + this.httpContext.Response.Cookies.Set(cookie); + } + + #endregion + + /// <summary> + /// Protect and url-encode the specified token secret. + /// </summary> + /// <param name="token">The token to be used as a key.</param> + /// <param name="tokenSecret">The token secret to be protected</param> + /// <returns>The encrypted and protected string.</returns> + protected static string ProtectAndEncodeToken(string token, string tokenSecret) { + byte[] cookieBytes = Encoding.UTF8.GetBytes(tokenSecret); + var secretBytes = MachineKeyUtil.Protect(cookieBytes, TokenCookieKey, "Token:" + token); + return HttpServerUtility.UrlTokenEncode(secretBytes); + } + + /// <summary> + /// Url-decode and unprotect the specified encrypted token string. + /// </summary> + /// <param name="token">The token to be used as a key.</param> + /// <param name="encryptedToken">The encrypted token to be decrypted</param> + /// <returns>The original token secret</returns> + protected static string DecodeAndUnprotectToken(string token, string encryptedToken) { + byte[] cookieBytes = HttpServerUtility.UrlTokenDecode(encryptedToken); + byte[] clearBytes = MachineKeyUtil.Unprotect(cookieBytes, TokenCookieKey, "Token:" + token); + return Encoding.UTF8.GetString(clearBytes); + } + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/DesktopConsumer.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/DesktopConsumer.cs deleted file mode 100644 index a1bfd2d..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/DesktopConsumer.cs +++ /dev/null @@ -1,79 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="DesktopConsumer.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth { - using System; - using System.Collections.Generic; - using System.Diagnostics.CodeAnalysis; - using System.Threading; - using System.Threading.Tasks; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OAuth; - using DotNetOpenAuth.OAuth.ChannelElements; - using DotNetOpenAuth.OAuth.Messages; - - /// <summary> - /// Used by a desktop application to use OAuth to access the Service Provider on behalf of the User. - /// </summary> - /// <remarks> - /// The methods on this class are thread-safe. Provided the properties are set and not changed - /// afterward, a single instance of this class may be used by an entire desktop application safely. - /// </remarks> - public class DesktopConsumer : ConsumerBase { - /// <summary> - /// Initializes a new instance of the <see cref="DesktopConsumer"/> class. - /// </summary> - /// <param name="serviceDescription">The endpoints and behavior of the Service Provider.</param> - /// <param name="tokenManager">The host's method of storing and recalling tokens and secrets.</param> - public DesktopConsumer(ServiceProviderDescription serviceDescription, IConsumerTokenManager tokenManager) - : base(serviceDescription, tokenManager) { - } - - /// <summary> - /// Begins an OAuth authorization request. - /// </summary> - /// <param name="requestParameters">Extra parameters to add to the request token message. Optional.</param> - /// <param name="redirectParameters">Extra parameters to add to the redirect to Service Provider message. Optional.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns> - /// The URL to open a browser window to allow the user to provide authorization and the request token. - /// </returns> - [SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "2#", Justification = "Two results")] - public async Task<Tuple<Uri, string>> RequestUserAuthorizationAsync(IDictionary<string, string> requestParameters, IDictionary<string, string> redirectParameters, CancellationToken cancellationToken = default(CancellationToken)) { - var message = await this.PrepareRequestUserAuthorizationAsync(null, requestParameters, redirectParameters, cancellationToken); - var response = await this.Channel.PrepareResponseAsync(message, cancellationToken); - return Tuple.Create(response.GetDirectUriRequest(), message.RequestToken); - } - - /// <summary> - /// Exchanges a given request token for access token. - /// </summary> - /// <param name="requestToken">The request token that the user has authorized.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns>The access token assigned by the Service Provider.</returns> - [Obsolete("Use the ProcessUserAuthorization method that takes a verifier parameter instead.")] - public Task<AuthorizedTokenResponse> ProcessUserAuthorizationAsync(string requestToken, CancellationToken cancellationToken = default(CancellationToken)) { - return this.ProcessUserAuthorizationAsync(requestToken, null, cancellationToken); - } - - /// <summary> - /// Exchanges a given request token for access token. - /// </summary> - /// <param name="requestToken">The request token that the user has authorized.</param> - /// <param name="verifier">The verifier code typed in by the user. Must not be <c>Null</c> for OAuth 1.0a service providers and later.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns> - /// The access token assigned by the Service Provider. - /// </returns> - public new Task<AuthorizedTokenResponse> ProcessUserAuthorizationAsync(string requestToken, string verifier, CancellationToken cancellationToken = default(CancellationToken)) { - if (this.ServiceProvider.Version >= Protocol.V10a.Version) { - ErrorUtilities.VerifyNonZeroLength(verifier, "verifier"); - } - - return base.ProcessUserAuthorizationAsync(requestToken, verifier, cancellationToken); - } - } -} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ITemporaryCredentialStorage.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ITemporaryCredentialStorage.cs new file mode 100644 index 0000000..428749a --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/ITemporaryCredentialStorage.cs @@ -0,0 +1,40 @@ +//----------------------------------------------------------------------- +// <copyright file="ITemporaryCredentialStorage.cs" company="Outercurve Foundation"> +// Copyright (c) Outercurve Foundation. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuth { + using System.Collections.Generic; + + /// <summary> + /// A token manager for use by an OAuth Consumer to store a temporary credential + /// (previously known as "unauthorized request token and secret"). + /// </summary> + /// <remarks> + /// The credentials stored here are obtained as described in: + /// http://tools.ietf.org/html/rfc5849#section-2.1 + /// </remarks> + public interface ITemporaryCredentialStorage { + /// <summary> + /// Saves the specified temporary credential for later retrieval. + /// </summary> + /// <param name="identifier">The identifier.</param> + /// <param name="secret">The secret.</param> + void SaveTemporaryCredential(string identifier, string secret); + + /// <summary> + /// Obtains a temporary credential secret, if available. + /// </summary> + /// <returns>The temporary credential identifier secret if available; otherwise a key value pair whose strings are left in their uninitialized <c>null</c> state.</returns> + KeyValuePair<string, string> RetrieveTemporaryCredential(); + + /// <summary> + /// Clears the temporary credentials from storage. + /// </summary> + /// <remarks> + /// DotNetOpenAuth calls this when the credentials are no longer needed. + /// </remarks> + void ClearTemporaryCredential(); + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/MemoryTemporaryCredentialStorage.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/MemoryTemporaryCredentialStorage.cs new file mode 100644 index 0000000..832084d --- /dev/null +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/MemoryTemporaryCredentialStorage.cs @@ -0,0 +1,65 @@ +//----------------------------------------------------------------------- +// <copyright file="MemoryTemporaryCredentialStorage.cs" company="Andrew Arnott"> +// Copyright (c) Andrew Arnott. All rights reserved. +// </copyright> +//----------------------------------------------------------------------- + +namespace DotNetOpenAuth.OAuth { + using System; + using System.Collections.Generic; + using System.Linq; + using System.Text; + using System.Threading.Tasks; + + /// <summary> + /// Non-persistent memory storage for temporary credentials. + /// Useful for installed apps (not redirection based web apps). + /// </summary> + public class MemoryTemporaryCredentialStorage : ITemporaryCredentialStorage { + /// <summary> + /// The identifier. + /// </summary> + private string identifier; + + /// <summary> + /// The secret. + /// </summary> + private string secret; + + #region ITemporaryCredentialStorage Members + + /// <summary> + /// Saves the specified temporary credential for later retrieval. + /// </summary> + /// <param name="identifier">The identifier.</param> + /// <param name="secret">The secret.</param> + public void SaveTemporaryCredential(string identifier, string secret) { + this.identifier = identifier; + this.secret = secret; + } + + /// <summary> + /// Obtains a temporary credential secret, if available. + /// </summary> + /// <returns> + /// The temporary credential secret if available; otherwise <c>null</c>. + /// </returns> + public KeyValuePair<string, string> RetrieveTemporaryCredential() { + return new KeyValuePair<string, string>(this.identifier, this.secret); + } + + /// <summary> + /// Clears the temporary credentials from storage. + /// </summary> + /// <param name="identifier">The identifier of the credentials to clear.</param> + /// <remarks> + /// DotNetOpenAuth calls this when the credentials are no longer needed. + /// </remarks> + public void ClearTemporaryCredential() { + this.identifier = null; + this.secret = null; + } + + #endregion + } +} diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1HttpMessageHandlerBase.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1HttpMessageHandlerBase.cs index 17d7b7a..aa462f3 100644 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1HttpMessageHandlerBase.cs +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1HttpMessageHandlerBase.cs @@ -154,6 +154,10 @@ namespace DotNetOpenAuth.OAuth { // Add parameters and signature to request. switch (this.Location) { case OAuthParametersLocation.AuthorizationHttpHeader: + // Some oauth parameters may have been put in the query string of the original message. + // We want to move any that we find into the authorization header. + oauthParameters.Add(ExtractOAuthParametersFromQueryString(request)); + request.Headers.Authorization = new AuthenticationHeaderValue(Protocol.AuthorizationHeaderScheme, MessagingUtilities.AssembleAuthorizationHeader(oauthParameters.AsKeyValuePairs())); break; case OAuthParametersLocation.QueryString: @@ -258,6 +262,38 @@ namespace DotNetOpenAuth.OAuth { } /// <summary> + /// Collects and removes all query string parameters beginning with "oauth_" from the specified request, + /// and returns them as a collection. + /// </summary> + /// <param name="request">The request whose query string should be searched for "oauth_" parameters.</param> + /// <returns>The collection of parameters that were removed from the query string.</returns> + private static NameValueCollection ExtractOAuthParametersFromQueryString(HttpRequestMessage request) { + Requires.NotNull(request, "request"); + + var extracted = new NameValueCollection(); + if (!string.IsNullOrEmpty(request.RequestUri.Query)) { + var queryString = HttpUtility.ParseQueryString(request.RequestUri.Query); + foreach (var pair in queryString.AsKeyValuePairs()) { + if (pair.Key.StartsWith(Protocol.ParameterPrefix, StringComparison.Ordinal)) { + extracted.Add(pair.Key, pair.Value); + } + } + + if (extracted.Count > 0) { + foreach (string key in extracted) { + queryString.Remove(key); + } + + var modifiedRequestUri = new UriBuilder(request.RequestUri); + modifiedRequestUri.Query = MessagingUtilities.CreateQueryString(queryString.AsKeyValuePairs()); + request.RequestUri = modifiedRequestUri.Uri; + } + } + + return extracted; + } + + /// <summary> /// Constructs the "Signature Base String" as described in http://tools.ietf.org/html/rfc5849#section-3.4.1 /// </summary> /// <param name="request">The HTTP request message.</param> @@ -319,12 +355,6 @@ namespace DotNetOpenAuth.OAuth { if (request.RequestUri.Query != null) { // NameValueCollection does support non-unique keys, as long as you use it carefully. nvc = HttpUtility.ParseQueryString(request.RequestUri.Query); - - // Remove any parameters beginning with "oauth_" - var keysToRemove = nvc.Cast<string>().Where(k => k.StartsWith(Protocol.ParameterPrefix, StringComparison.Ordinal)).ToList(); - foreach (string key in keysToRemove) { - nvc.Remove(key); - } } else { nvc = new NameValueCollection(8); } diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1RsaSha1HttpMessageHandler.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1RsaSha1HttpMessageHandler.cs index fd2ad65..129ebc2 100644 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1RsaSha1HttpMessageHandler.cs +++ b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/OAuth1RsaSha1HttpMessageHandler.cs @@ -8,6 +8,7 @@ namespace DotNetOpenAuth.OAuth { using System; using System.Collections.Generic; using System.Linq; + using System.Net.Http; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text; @@ -20,6 +21,20 @@ namespace DotNetOpenAuth.OAuth { /// </summary> public class OAuth1RsaSha1HttpMessageHandler : OAuth1HttpMessageHandlerBase { /// <summary> + /// Initializes a new instance of the <see cref="OAuth1RsaSha1HttpMessageHandler"/> class. + /// </summary> + public OAuth1RsaSha1HttpMessageHandler() { + } + + /// <summary> + /// Initializes a new instance of the <see cref="OAuth1RsaSha1HttpMessageHandler"/> class. + /// </summary> + /// <param name="innerHandler">The inner handler which is responsible for processing the HTTP response messages.</param> + public OAuth1RsaSha1HttpMessageHandler(HttpMessageHandler innerHandler) + : base(innerHandler) { + } + + /// <summary> /// Gets or sets the certificate used to sign outgoing messages. Used only by Consumers. /// </summary> public X509Certificate2 SigningCertificate { get; set; } diff --git a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/WebConsumer.cs b/src/DotNetOpenAuth.OAuth.Consumer/OAuth/WebConsumer.cs deleted file mode 100644 index 49a54a0..0000000 --- a/src/DotNetOpenAuth.OAuth.Consumer/OAuth/WebConsumer.cs +++ /dev/null @@ -1,87 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="WebConsumer.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth { - using System; - using System.Collections.Generic; - using System.Threading; - using System.Threading.Tasks; - using System.Web; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.OAuth.ChannelElements; - using DotNetOpenAuth.OAuth.Messages; - using Validation; - - /// <summary> - /// A website or application that uses OAuth to access the Service Provider on behalf of the User. - /// </summary> - /// <remarks> - /// The methods on this class are thread-safe. Provided the properties are set and not changed - /// afterward, a single instance of this class may be used by an entire web application safely. - /// </remarks> - public class WebConsumer : ConsumerBase { - /// <summary> - /// Initializes a new instance of the <see cref="WebConsumer"/> class. - /// </summary> - /// <param name="serviceDescription">The endpoints and behavior of the Service Provider.</param> - /// <param name="tokenManager">The host's method of storing and recalling tokens and secrets.</param> - public WebConsumer(ServiceProviderDescription serviceDescription, IConsumerTokenManager tokenManager) - : base(serviceDescription, tokenManager) { - } - - /// <summary> - /// Begins an OAuth authorization request and redirects the user to the Service Provider - /// to provide that authorization. Upon successful authorization, the user is redirected - /// back to the current page. - /// </summary> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns>The pending user agent redirect based message to be sent as an HttpResponse.</returns> - /// <remarks> - /// Requires HttpContext.Current. - /// </remarks> - public Task<UserAuthorizationRequest> PrepareRequestUserAuthorizationAsync(CancellationToken cancellationToken = default(CancellationToken)) { - Uri callback = this.Channel.GetRequestFromContext().GetPublicFacingUrl().StripQueryArgumentsWithPrefix(Protocol.ParameterPrefix); - return this.PrepareRequestUserAuthorizationAsync(callback, null, null, cancellationToken); - } - - /// <summary> - /// Prepares an OAuth message that begins an authorization request that will - /// redirect the user to the Service Provider to provide that authorization. - /// </summary> - /// <param name="callback"> - /// An optional Consumer URL that the Service Provider should redirect the - /// User Agent to upon successful authorization. - /// </param> - /// <param name="requestParameters">Extra parameters to add to the request token message. Optional.</param> - /// <param name="redirectParameters">Extra parameters to add to the redirect to Service Provider message. Optional.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns>The pending user agent redirect based message to be sent as an HttpResponse.</returns> - public new Task<UserAuthorizationRequest> PrepareRequestUserAuthorizationAsync(Uri callback, IDictionary<string, string> requestParameters, IDictionary<string, string> redirectParameters, CancellationToken cancellationToken = default(CancellationToken)) { - return base.PrepareRequestUserAuthorizationAsync(callback, requestParameters, redirectParameters, cancellationToken); - } - - /// <summary> - /// Processes an incoming authorization-granted message from an SP and obtains an access token. - /// </summary> - /// <param name="request">The incoming HTTP request.</param> - /// <param name="cancellationToken">The cancellation token.</param> - /// <returns> - /// The access token, or null if no incoming authorization message was recognized. - /// </returns> - public async Task<AuthorizedTokenResponse> ProcessUserAuthorizationAsync(HttpRequestBase request = null, CancellationToken cancellationToken = default(CancellationToken)) { - request = request ?? this.Channel.GetRequestFromContext(); - - var authorizationMessage = await this.Channel.TryReadFromRequestAsync<UserAuthorizationResponse>(cancellationToken, request); - if (authorizationMessage != null) { - string requestToken = authorizationMessage.RequestToken; - string verifier = authorizationMessage.VerificationCode; - return await this.ProcessUserAuthorizationAsync(requestToken, verifier, cancellationToken); - } else { - return null; - } - } - } -} |