summaryrefslogtreecommitdiffstats
path: root/src/DotNetOpenAuth.OAuth2/OAuth2
diff options
context:
space:
mode:
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2/OAuth2')
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs1
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs7
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs13
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs9
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx3
5 files changed, 29 insertions, 4 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
index 1026018..295ee86 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
@@ -56,6 +56,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// </remarks>
protected override OutgoingWebResponse PrepareDirectResponse(IProtocolMessage response) {
var webResponse = new OutgoingWebResponse();
+ this.ApplyMessageTemplate(response, webResponse);
string json = this.SerializeAsJson(response);
webResponse.SetResponse(json, new ContentType(JsonEncoded));
return webResponse;
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
index cc61d47..1c2a080 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
@@ -106,10 +106,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
ErrorUtilities.VerifyInternal(unauthorizedResponse != null, "Only unauthorized responses are expected.");
// First initialize based on the specifics within the message.
- var httpResponse = response as IHttpDirectResponse;
- webResponse.Status = httpResponse != null ? httpResponse.HttpStatusCode : HttpStatusCode.Unauthorized;
- foreach (string headerName in httpResponse.Headers) {
- webResponse.Headers.Add(headerName, httpResponse.Headers[headerName]);
+ this.ApplyMessageTemplate(response, webResponse);
+ if (!(response is IHttpDirectResponse)) {
+ webResponse.Status = HttpStatusCode.Unauthorized;
}
// Now serialize all the message parts into the WWW-Authenticate header.
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
index c5c93b5..534929b 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
@@ -95,5 +95,18 @@ namespace DotNetOpenAuth.OAuth2.Messages {
/// Gets or sets a value indicating whether a refresh token is or should be included in the response.
/// </summary>
internal bool HasRefreshToken { get; set; }
+
+ /// <summary>
+ /// Checks the message state for conformity to the protocol specification
+ /// and throws an exception if the message is invalid.
+ /// </summary>
+ /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception>
+ protected override void EnsureValidMessage() {
+ base.EnsureValidMessage();
+
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, this.OriginatingRequest.GetType().Name);
+ }
}
}
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
index dcd6139..2167b5f 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
@@ -160,6 +160,15 @@ namespace DotNetOpenAuth.OAuth2 {
}
/// <summary>
+ /// Looks up a localized string similar to The request message type {0} should not be responded to with a refresh token..
+ /// </summary>
+ internal static string RefreshTokenInappropriateForRequestType {
+ get {
+ return ResourceManager.GetString("RefreshTokenInappropriateForRequestType", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to Individual scopes may not contain spaces..
/// </summary>
internal static string ScopesMayNotContainSpaces {
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
index 9f920e7..6fad914 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
@@ -150,6 +150,9 @@
<data name="NoGrantNoRefreshToken" xml:space="preserve">
<value>Refresh tokens should not be granted without the request including an access grant.</value>
</data>
+ <data name="RefreshTokenInappropriateForRequestType" xml:space="preserve">
+ <value>The request message type {0} should not be responded to with a refresh token.</value>
+ </data>
<data name="ScopesMayNotContainSpaces" xml:space="preserve">
<value>Individual scopes may not contain spaces.</value>
</data>
generated by cgit v1.1 at 2025-06-01 08:34:38 +0000