diff options
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2/OAuth2')
14 files changed, 89 insertions, 29 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs index b0cef58..7a68060 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/AccessRequestBindingElement.cs @@ -115,20 +115,23 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { var authCodeCarrier = message as IAuthorizationCodeCarryingRequest; var refreshTokenCarrier = message as IRefreshTokenCarryingRequest; var resourceOwnerPasswordCarrier = message as AccessTokenResourceOwnerPasswordCredentialsRequest; + var clientCredentialOnly = message as AccessTokenClientCredentialsRequest; if (authCodeCarrier != null) { var authorizationCodeFormatter = AuthorizationCode.CreateFormatter(this.AuthorizationServer); - var authorizationCode = authorizationCodeFormatter.Deserialize(message, authCodeCarrier.Code); + var authorizationCode = authorizationCodeFormatter.Deserialize(message, authCodeCarrier.Code, Protocol.code); authCodeCarrier.AuthorizationDescription = authorizationCode; } else if (refreshTokenCarrier != null) { var refreshTokenFormatter = RefreshToken.CreateFormatter(this.AuthorizationServer.CryptoKeyStore); - var refreshToken = refreshTokenFormatter.Deserialize(message, refreshTokenCarrier.RefreshToken); + var refreshToken = refreshTokenFormatter.Deserialize(message, refreshTokenCarrier.RefreshToken, Protocol.refresh_token); refreshTokenCarrier.AuthorizationDescription = refreshToken; } else if (resourceOwnerPasswordCarrier != null) { try { if (this.AuthorizationServer.IsResourceOwnerCredentialValid(resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password)) { resourceOwnerPasswordCarrier.CredentialsValidated = true; } else { - Logger.OAuth.WarnFormat("Resource owner password credential for user \"{0}\" rejected by authorization server host.", resourceOwnerPasswordCarrier.UserName); + Logger.OAuth.WarnFormat( + "Resource owner password credential for user \"{0}\" rejected by authorization server host.", + resourceOwnerPasswordCarrier.UserName); // TODO: fix this to report the appropriate error code for a bad credential. throw new ProtocolException(); @@ -140,6 +143,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { // TODO: fix this to return the appropriate error code for not supporting resource owner password credentials throw new ProtocolException(); } + } else if (clientCredentialOnly != null) { + // this method will throw later if the credentials are false. + clientCredentialOnly.CredentialsValidated = true; } else { throw ErrorUtilities.ThrowInternal("Unexpected message type: " + tokenRequest.GetType()); } @@ -155,7 +161,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { // Check that the client secret is correct. var client = this.AuthorizationServer.GetClientOrThrow(accessRequest.ClientIdentifier); string secret = client.Secret; - ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls. + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls. ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials); var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest; diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/IAuthorizationDescription.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/IAuthorizationDescription.cs index 150a6a9..1ad0422 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/IAuthorizationDescription.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/IAuthorizationDescription.cs @@ -68,11 +68,13 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { } /// <summary> - /// Gets the name on the account whose data on the resource server is accessible using this authorization. + /// Gets the name on the account whose data on the resource server is accessible using this authorization, if applicable. /// </summary> + /// <value>A username, or <c>null</c> if the authorization is to access the client's own data (not a distinct resource owner's data).</value> string IAuthorizationDescription.User { get { - Contract.Ensures(!string.IsNullOrEmpty(Contract.Result<string>())); + // Null and non-empty are allowed, but not empty. + Contract.Ensures(Contract.Result<string>() != string.Empty); throw new NotImplementedException(); } } diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs index 3375328..6717717 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs @@ -56,7 +56,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// </remarks> protected override OutgoingWebResponse PrepareDirectResponse(IProtocolMessage response) { var webResponse = new OutgoingWebResponse(); - this.ApplyMessageTemplate(response, webResponse); + ApplyMessageTemplate(response, webResponse); string json = this.SerializeAsJson(response); webResponse.SetResponse(json, new ContentType(JsonEncoded)); return webResponse; @@ -69,7 +69,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// <returns> /// The deserialized message, if one is found. Null otherwise. /// </returns> - protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) { + protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestBase request) { if (!string.IsNullOrEmpty(request.Url.Fragment)) { var fields = HttpUtility.ParseQueryString(request.Url.Fragment.Substring(1)).ToDictionary(); diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ChannelBase.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ChannelBase.cs index 117d526..51ac58a 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ChannelBase.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ChannelBase.cs @@ -60,7 +60,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { // Parameters sent without a value MUST be treated as if they were omitted from the request. // The authorization server SHOULD ignore unrecognized request parameters. var emptyKeys = from pair in fields - where String.IsNullOrEmpty(pair.Value) + where string.IsNullOrEmpty(pair.Value) select pair.Key; foreach (string emptyKey in emptyKeys.ToList()) { fields.Remove(emptyKey); diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ClientChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ClientChannel.cs index 3a8a7c0..c9981d3 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ClientChannel.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ClientChannel.cs @@ -76,16 +76,16 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// <returns> /// The deserialized message, if one is found. Null otherwise. /// </returns> - protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) { - Logger.Channel.DebugFormat("Incoming HTTP request: {0} {1}", request.HttpMethod, request.UrlBeforeRewriting.AbsoluteUri); + protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestBase request) { + Logger.Channel.DebugFormat("Incoming HTTP request: {0} {1}", request.HttpMethod, request.GetPublicFacingUrl().AbsoluteUri); - var fields = request.QueryStringBeforeRewriting.ToDictionary(); + var fields = request.GetQueryStringBeforeRewriting().ToDictionary(); // Also read parameters from the fragment, if it's available. // Typically the fragment is not available because the browser doesn't send it to a web server // but this request may have been fabricated by an installed desktop app, in which case // the fragment is available. - string fragment = request.UrlBeforeRewriting.Fragment; + string fragment = request.GetPublicFacingUrl().Fragment; if (!string.IsNullOrEmpty(fragment)) { foreach (var pair in HttpUtility.ParseQueryString(fragment.Substring(1)).ToDictionary()) { fields.Add(pair.Key, pair.Value); diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs index 1c2a080..947c044 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs @@ -48,7 +48,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// <returns> /// The deserialized message, if one is found. Null otherwise. /// </returns> - protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestInfo request) { + protected override IDirectedProtocolMessage ReadFromRequestCore(HttpRequestBase request) { var fields = new Dictionary<string, string>(); string accessToken; if ((accessToken = SearchForBearerAccessTokenInRequest(request)) != null) { @@ -106,7 +106,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { ErrorUtilities.VerifyInternal(unauthorizedResponse != null, "Only unauthorized responses are expected."); // First initialize based on the specifics within the message. - this.ApplyMessageTemplate(response, webResponse); + ApplyMessageTemplate(response, webResponse); if (!(response is IHttpDirectResponse)) { webResponse.Status = HttpStatusCode.Unauthorized; } @@ -122,18 +122,18 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// </summary> /// <param name="request">The request.</param> /// <returns>The bearer access token, if one exists. Otherwise <c>null</c>.</returns> - private static string SearchForBearerAccessTokenInRequest(HttpRequestInfo request) { + private static string SearchForBearerAccessTokenInRequest(HttpRequestBase request) { Requires.NotNull(request, "request"); // First search the authorization header. - string authorizationHeader = request.Headers[HttpRequestHeader.Authorization]; + string authorizationHeader = request.Headers[HttpRequestHeaders.Authorization]; if (!string.IsNullOrEmpty(authorizationHeader) && authorizationHeader.StartsWith(Protocol.BearerHttpAuthorizationSchemeWithTrailingSpace, StringComparison.OrdinalIgnoreCase)) { return authorizationHeader.Substring(Protocol.BearerHttpAuthorizationSchemeWithTrailingSpace.Length); } // Failing that, scan the entity - if (!string.IsNullOrEmpty(request.Headers[HttpRequestHeader.ContentType])) { - var contentType = new ContentType(request.Headers[HttpRequestHeader.ContentType]); + if (!string.IsNullOrEmpty(request.Headers[HttpRequestHeaders.ContentType])) { + var contentType = new ContentType(request.Headers[HttpRequestHeaders.ContentType]); if (string.Equals(contentType.MediaType, HttpFormUrlEncoded, StringComparison.Ordinal)) { if (request.Form[Protocol.BearerTokenEncodedUrlParameterName] != null) { return request.Form[Protocol.BearerTokenEncodedUrlParameterName]; @@ -142,8 +142,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { } // Finally, check the least desirable location: the query string - if (!String.IsNullOrEmpty(request.QueryStringBeforeRewriting[Protocol.BearerTokenEncodedUrlParameterName])) { - return request.QueryStringBeforeRewriting[Protocol.BearerTokenEncodedUrlParameterName]; + var unrewrittenQuery = request.GetQueryStringBeforeRewriting(); + if (!string.IsNullOrEmpty(unrewrittenQuery[Protocol.BearerTokenEncodedUrlParameterName])) { + return unrewrittenQuery[Protocol.BearerTokenEncodedUrlParameterName]; } return null; diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/IAuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/IAuthorizationServer.cs index 8f4745f..a0a2ad9 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/IAuthorizationServer.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/IAuthorizationServer.cs @@ -256,7 +256,7 @@ namespace DotNetOpenAuth.OAuth2 { /// </returns> /// <exception cref="NotSupportedException">May be thrown if the authorization server does not support the resource owner password credential grant type.</exception> bool IAuthorizationServer.IsResourceOwnerCredentialValid(string userName, string password) { - Contract.Requires(!String.IsNullOrEmpty(userName)); + Contract.Requires(!string.IsNullOrEmpty(userName)); Contract.Requires(password != null); throw new NotImplementedException(); } diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessProtectedResourceRequest.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessProtectedResourceRequest.cs index 6cf8919..dbfe46b 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessProtectedResourceRequest.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessProtectedResourceRequest.cs @@ -62,7 +62,7 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// Always "bearer". /// </value> [MessagePart("token_type", IsRequired = true)] - internal string TokenType { + internal static string TokenType { get { return Protocol.AccessTokenTypes.Bearer; } } diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs index 266dbce..48419eb 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenClientCredentialsRequest.cs @@ -19,7 +19,7 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// <remarks> /// This is somewhat analogous to 2-legged OAuth. /// </remarks> - internal class AccessTokenClientCredentialsRequest : ScopedAccessTokenRequest { + internal class AccessTokenClientCredentialsRequest : ScopedAccessTokenRequest, IAuthorizationCarryingRequest, IAuthorizationDescription { /// <summary> /// Initializes a new instance of the <see cref="AccessTokenClientCredentialsRequest"/> class. /// </summary> @@ -30,6 +30,43 @@ namespace DotNetOpenAuth.OAuth2.Messages { this.HttpMethods = HttpDeliveryMethods.PostRequest; } + #region IAuthorizationCarryingRequest members + + /// <summary> + /// Gets the authorization that the code or token describes. + /// </summary> + IAuthorizationDescription IAuthorizationCarryingRequest.AuthorizationDescription { + get { return this.CredentialsValidated ? this : null; } + } + + #endregion + + #region IAuthorizationDescription Members + + /// <summary> + /// Gets the date this authorization was established or the token was issued. + /// </summary> + /// <value>A date/time expressed in UTC.</value> + DateTime IAuthorizationDescription.UtcIssued { + get { return DateTime.UtcNow; } + } + + /// <summary> + /// Gets the name on the account whose data on the resource server is accessible using this authorization. + /// </summary> + string IAuthorizationDescription.User { + get { return null; } + } + + /// <summary> + /// Gets the scope of operations the client is allowed to invoke. + /// </summary> + HashSet<string> IAuthorizationDescription.Scope { + get { return this.Scope; } + } + + #endregion + /// <summary> /// Gets the type of the grant. /// </summary> @@ -37,5 +74,10 @@ namespace DotNetOpenAuth.OAuth2.Messages { internal override GrantType GrantType { get { return Messages.GrantType.ClientCredentials; } } + + /// <summary> + /// Gets or sets a value indicating whether the resource owner's credentials have been validated at the authorization server. + /// </summary> + internal bool CredentialsValidated { get; set; } } } diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenFailedResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenFailedResponse.cs index 09acbc5..8c4b1c3 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenFailedResponse.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenFailedResponse.cs @@ -38,11 +38,18 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// <param name="request">The faulty request.</param> /// <param name="invalidClientCredentialsInAuthorizationHeader">A value indicating whether this error response is in result to a request that had invalid client credentials which were supplied in the HTTP Authorization header.</param> internal AccessTokenFailedResponse(AccessTokenRequestBase request, bool invalidClientCredentialsInAuthorizationHeader) - : base(request) - { + : base(request) { this.invalidClientCredentialsInAuthorizationHeader = invalidClientCredentialsInAuthorizationHeader; } + /// <summary> + /// Initializes a new instance of the <see cref="AccessTokenFailedResponse"/> class. + /// </summary> + /// <param name="version">The protocol version.</param> + internal AccessTokenFailedResponse(Version version = null) + : base(version ?? Protocol.Default.Version) { + } + #region IHttpDirectResponse Members /// <summary> diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs index 28f15ef..6d278c4 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs @@ -65,7 +65,7 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// <remarks> /// Described in OAuth 2.0 section 7.1. /// </remarks> - [MessagePart(Protocol.token_type, IsRequired = true)] + [MessagePart(Protocol.token_type, IsRequired = false)] // HACKHACK: This is actually required, but wasn't in older drafts of OAuth 2 public string TokenType { get; internal set; } /// <summary> diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/EndUserAuthorizationSuccessResponseBase.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/EndUserAuthorizationSuccessResponseBase.cs index 1d9618b..ef0010e 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/EndUserAuthorizationSuccessResponseBase.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/EndUserAuthorizationSuccessResponseBase.cs @@ -7,6 +7,7 @@ namespace DotNetOpenAuth.OAuth2.Messages { using System; using System.Collections.Generic; + using System.Diagnostics.CodeAnalysis; using System.Diagnostics.Contracts; using System.Security.Cryptography; @@ -59,6 +60,7 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// Gets or sets the scope of the <see cref="AccessToken"/> if one is given; otherwise the scope of the authorization code. /// </summary> /// <value>The scope.</value> + [SuppressMessage("Microsoft.Usage", "CA2227:CollectionPropertiesShouldBeReadOnly", Justification = "By design")] public ICollection<string> Scope { get; protected set; } /// <summary> diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs index 68ccc1d..dd7909b 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthUtilities.cs @@ -104,7 +104,7 @@ namespace DotNetOpenAuth.OAuth2 { /// </summary> /// <param name="scopeToken">The scope token.</param> internal static void VerifyValidScopeToken(string scopeToken) { - ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(scopeToken), OAuthStrings.InvalidScopeToken, scopeToken); + ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(scopeToken), OAuthStrings.InvalidScopeToken, scopeToken); for (int i = 0; i < scopeToken.Length; i++) { // The allowed set of characters comes from OAuth 2.0 section 3.3 (draft 23) char ch = scopeToken[i]; diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/StandardAccessTokenAnalyzer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/StandardAccessTokenAnalyzer.cs index 3bd2169..636f490 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/StandardAccessTokenAnalyzer.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/StandardAccessTokenAnalyzer.cs @@ -57,7 +57,7 @@ namespace DotNetOpenAuth.OAuth2 { /// </remarks> public virtual bool TryValidateAccessToken(IDirectedProtocolMessage message, string accessToken, out string user, out HashSet<string> scope) { var accessTokenFormatter = AccessToken.CreateFormatter(this.AuthorizationServerPublicSigningKey, this.ResourceServerPrivateEncryptionKey); - var token = accessTokenFormatter.Deserialize(message, accessToken); + var token = accessTokenFormatter.Deserialize(message, accessToken, Protocol.access_token); user = token.User; scope = new HashSet<string>(token.Scope, OAuthUtilities.ScopeStringComparer); return true; |