1 files changed, 37 insertions, 13 deletions

diff --git a/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IClientDescription.cs b/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IClientDescription.cs
index d30151b..bcef28b 100644
--- a/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IClientDescription.cs
+++ b/src/DotNetOpenAuth.OAuth2.ClientAuthorization/OAuth2/IClientDescription.cs
@@ -15,11 +15,6 @@ namespace DotNetOpenAuth.OAuth2 {
 	[ContractClass(typeof(IClientDescriptionContract))]
 	public interface IClientDescription {
 		/// <summary>
-		/// Gets the client secret.
-		/// </summary>
-		string Secret { get; }
-
-		/// <summary>
 		/// Gets the callback to use when an individual authorization request
 		/// does not include an explicit callback URI.
 		/// </summary>
@@ -32,6 +27,11 @@ namespace DotNetOpenAuth.OAuth2 {
 		ClientType ClientType { get; }
 
 		/// <summary>
+		/// Gets a value indicating whether a non-empty secret is registered for this client.
+		/// </summary>
+		bool HasNonEmptySecret { get; }
+
+		/// <summary>
 		/// Determines whether a callback URI included in a client's authorization request 
 		/// is among those allowed callbacks for the registered client.
 		/// </summary>
@@ -56,6 +56,17 @@ namespace DotNetOpenAuth.OAuth2 {
 		/// </para>
 		/// </remarks>
 		bool IsCallbackAllowed(Uri callback);
+
+		/// <summary>
+		/// Checks whether the specified client secret is correct.
+		/// </summary>
+		/// <param name="secret">The secret obtained from the client.</param>
+		/// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
+		/// <remarks>
+		/// All string equality checks, whether checking secrets or their hashes,
+		/// should be done using <see cref="MessagingUtilites.EqualsConstantTime"/> to mitigate timing attacks.
+		/// </remarks>
+		bool IsValidClientSecret(string secret);
 	}
 
 	/// <summary>
@@ -66,14 +77,6 @@ namespace DotNetOpenAuth.OAuth2 {
 		#region IClientDescription Members
 
 		/// <summary>
-		/// Gets the client secret.
-		/// </summary>
-		/// <value></value>
-		string IClientDescription.Secret {
-			get { throw new NotImplementedException(); }
-		}
-
-		/// <summary>
 		/// Gets the type of the client.
 		/// </summary>
 		ClientType IClientDescription.ClientType {
@@ -95,6 +98,13 @@ namespace DotNetOpenAuth.OAuth2 {
 		}
 
 		/// <summary>
+		/// Gets a value indicating whether a non-empty secret is registered for this client.
+		/// </summary>
+		bool IClientDescription.HasNonEmptySecret {
+			get { throw new NotImplementedException(); }
+		}
+
+		/// <summary>
 		/// Determines whether a callback URI included in a client's authorization request
 		/// is among those allowed callbacks for the registered client.
 		/// </summary>
@@ -108,6 +118,20 @@ namespace DotNetOpenAuth.OAuth2 {
 			throw new NotImplementedException();
 		}
 
+		/// <summary>
+		/// Checks whether the specified client secret is correct.
+		/// </summary>
+		/// <param name="secret">The secret obtained from the client.</param>
+		/// <returns><c>true</c> if the secret matches the one in the authorization server's record for the client; <c>false</c> otherwise.</returns>
+		/// <remarks>
+		/// All string equality checks, whether checking secrets or their hashes,
+		/// should be done using <see cref="MessagingUtilites.EqualsConstantTime"/> to mitigate timing attacks.
+		/// </remarks>
+		bool IClientDescription.IsValidClientSecret(string secret) {
+			Requires.NotNullOrEmpty(secret, "secret");
+			throw new NotImplementedException();
+		}
+
 		#endregion
 	}
 }