diff options
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs')
| -rw-r--r-- | src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs | 183 |
1 files changed, 0 insertions, 183 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs deleted file mode 100644 index 7a68060..0000000 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs +++ /dev/null @@ -1,183 +0,0 @@ -//----------------------------------------------------------------------- -// <copyright file="AccessRequestBindingElement.cs" company="Outercurve Foundation"> -// Copyright (c) Outercurve Foundation. All rights reserved. -// </copyright> -//----------------------------------------------------------------------- - -namespace DotNetOpenAuth.OAuth2.ChannelElements { - using System; - using System.Collections.Generic; - using System.Diagnostics.CodeAnalysis; - using System.Globalization; - using System.Linq; - using System.Security.Cryptography; - using System.Text; - using DotNetOpenAuth.Messaging; - using DotNetOpenAuth.Messaging.Bindings; - using DotNetOpenAuth.OAuth2.Messages; - - /// <summary> - /// Decodes verification codes, refresh tokens and access tokens on incoming messages. - /// </summary> - /// <remarks> - /// This binding element also ensures that the code/token coming in is issued to - /// the same client that is sending the code/token and that the authorization has - /// not been revoked and that an access token has not expired. - /// </remarks> - internal class AccessRequestBindingElement : AuthServerBindingElementBase { - /// <summary> - /// Initializes a new instance of the <see cref="AccessRequestBindingElement"/> class. - /// </summary> - internal AccessRequestBindingElement() { - } - - /// <summary> - /// Gets the protection commonly offered (if any) by this binding element. - /// </summary> - /// <value></value> - /// <remarks> - /// This value is used to assist in sorting binding elements in the channel stack. - /// </remarks> - public override MessageProtections Protection { - get { return MessageProtections.None; } - } - - /// <summary> - /// Prepares a message for sending based on the rules of this channel binding element. - /// </summary> - /// <param name="message">The message to prepare for sending.</param> - /// <returns> - /// The protections (if any) that this binding element applied to the message. - /// Null if this binding element did not even apply to this binding element. - /// </returns> - /// <remarks> - /// Implementations that provide message protection must honor the - /// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable. - /// </remarks> - public override MessageProtections? ProcessOutgoingMessage(IProtocolMessage message) { - var authCodeCarrier = message as IAuthorizationCodeCarryingRequest; - if (authCodeCarrier != null) { - var codeFormatter = AuthorizationCode.CreateFormatter(this.AuthorizationServer); - var code = authCodeCarrier.AuthorizationDescription; - authCodeCarrier.Code = codeFormatter.Serialize(code); - return MessageProtections.None; - } - - var accessTokenCarrier = message as IAccessTokenCarryingRequest; - if (accessTokenCarrier != null) { - var responseWithOriginatingRequest = (IDirectResponseProtocolMessage)message; - var request = (IAccessTokenRequest)responseWithOriginatingRequest.OriginatingRequest; - - using (var resourceServerKey = this.AuthorizationServer.GetResourceServerEncryptionKey(request)) { - var tokenFormatter = AccessToken.CreateFormatter(this.AuthorizationServer.AccessTokenSigningKey, resourceServerKey); - var token = accessTokenCarrier.AuthorizationDescription; - accessTokenCarrier.AccessToken = tokenFormatter.Serialize(token); - } - - return MessageProtections.None; - } - - var accessTokenResponse = message as AccessTokenSuccessResponse; - if (accessTokenResponse != null) { - var directResponseMessage = (IDirectResponseProtocolMessage)accessTokenResponse; - var accessTokenRequest = (AccessTokenRequestBase)directResponseMessage.OriginatingRequest; - ErrorUtilities.VerifyProtocol(accessTokenRequest.GrantType != GrantType.ClientCredentials || accessTokenResponse.RefreshToken == null, OAuthStrings.NoGrantNoRefreshToken); - } - - return null; - } - - /// <summary> - /// Performs any transformation on an incoming message that may be necessary and/or - /// validates an incoming message based on the rules of this channel binding element. - /// </summary> - /// <param name="message">The incoming message to process.</param> - /// <returns> - /// The protections (if any) that this binding element applied to the message. - /// Null if this binding element did not even apply to this binding element. - /// </returns> - /// <exception cref="ProtocolException"> - /// Thrown when the binding element rules indicate that this message is invalid and should - /// NOT be processed. - /// </exception> - /// <remarks> - /// Implementations that provide message protection must honor the - /// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable. - /// </remarks> - [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "unauthorizedclient", Justification = "Protocol requirement")] - [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "incorrectclientcredentials", Justification = "Protocol requirement")] - [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "authorizationexpired", Justification = "Protocol requirement")] - [SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(System.Boolean,System.String,System.Object[])", Justification = "Protocol requirement")] - public override MessageProtections? ProcessIncomingMessage(IProtocolMessage message) { - var tokenRequest = message as IAuthorizationCarryingRequest; - if (tokenRequest != null) { - try { - var authCodeCarrier = message as IAuthorizationCodeCarryingRequest; - var refreshTokenCarrier = message as IRefreshTokenCarryingRequest; - var resourceOwnerPasswordCarrier = message as AccessTokenResourceOwnerPasswordCredentialsRequest; - var clientCredentialOnly = message as AccessTokenClientCredentialsRequest; - if (authCodeCarrier != null) { - var authorizationCodeFormatter = AuthorizationCode.CreateFormatter(this.AuthorizationServer); - var authorizationCode = authorizationCodeFormatter.Deserialize(message, authCodeCarrier.Code, Protocol.code); - authCodeCarrier.AuthorizationDescription = authorizationCode; - } else if (refreshTokenCarrier != null) { - var refreshTokenFormatter = RefreshToken.CreateFormatter(this.AuthorizationServer.CryptoKeyStore); - var refreshToken = refreshTokenFormatter.Deserialize(message, refreshTokenCarrier.RefreshToken, Protocol.refresh_token); - refreshTokenCarrier.AuthorizationDescription = refreshToken; - } else if (resourceOwnerPasswordCarrier != null) { - try { - if (this.AuthorizationServer.IsResourceOwnerCredentialValid(resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password)) { - resourceOwnerPasswordCarrier.CredentialsValidated = true; - } else { - Logger.OAuth.WarnFormat( - "Resource owner password credential for user \"{0}\" rejected by authorization server host.", - resourceOwnerPasswordCarrier.UserName); - - // TODO: fix this to report the appropriate error code for a bad credential. - throw new ProtocolException(); - } - } catch (NotSupportedException) { - // TODO: fix this to return the appropriate error code for not supporting resource owner password credentials - throw new ProtocolException(); - } catch (NotImplementedException) { - // TODO: fix this to return the appropriate error code for not supporting resource owner password credentials - throw new ProtocolException(); - } - } else if (clientCredentialOnly != null) { - // this method will throw later if the credentials are false. - clientCredentialOnly.CredentialsValidated = true; - } else { - throw ErrorUtilities.ThrowInternal("Unexpected message type: " + tokenRequest.GetType()); - } - } catch (ExpiredMessageException ex) { - throw ErrorUtilities.Wrap(ex, Protocol.authorization_expired); - } - - var accessRequest = tokenRequest as AccessTokenRequestBase; - if (accessRequest != null) { - // Make sure the client sending us this token is the client we issued the token to. - ErrorUtilities.VerifyProtocol(string.Equals(accessRequest.ClientIdentifier, tokenRequest.AuthorizationDescription.ClientIdentifier, StringComparison.Ordinal), Protocol.incorrect_client_credentials); - - // Check that the client secret is correct. - var client = this.AuthorizationServer.GetClientOrThrow(accessRequest.ClientIdentifier); - string secret = client.Secret; - ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls. - ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials); - - var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest; - if (scopedAccessRequest != null) { - // Make sure the scope the client is requesting does not exceed the scope in the grant. - ErrorUtilities.VerifyProtocol(scopedAccessRequest.Scope.IsSubsetOf(tokenRequest.AuthorizationDescription.Scope), OAuthStrings.AccessScopeExceedsGrantScope, scopedAccessRequest.Scope, tokenRequest.AuthorizationDescription.Scope); - } - } - - // Make sure the authorization this token represents hasn't already been revoked. - ErrorUtilities.VerifyProtocol(this.AuthorizationServer.IsAuthorizationValid(tokenRequest.AuthorizationDescription), Protocol.authorization_expired); - - return MessageProtections.None; - } - - return null; - } - } -} |