Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.Core/Messaging/Channel.cs16
-rw-r--r--src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs6
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs9
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs1
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs7
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs13
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs9
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx3
-rw-r--r--src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs1
9 files changed, 56 insertions, 9 deletions
diff --git a/src/DotNetOpenAuth.Core/Messaging/Channel.cs b/src/DotNetOpenAuth.Core/Messaging/Channel.cs
index 201d861..26a8179 100644
--- a/src/DotNetOpenAuth.Core/Messaging/Channel.cs
+++ b/src/DotNetOpenAuth.Core/Messaging/Channel.cs
@@ -1038,6 +1038,22 @@ namespace DotNetOpenAuth.Messaging {
}
/// <summary>
+ /// Applies message prescribed HTTP response headers to an outgoing web response.
+ /// </summary>
+ /// <param name="message">The message.</param>
+ /// <param name="response">The HTTP response.</param>
+ protected void ApplyMessageTemplate(IMessage message, OutgoingWebResponse response) {
+ Requires.NotNull(message, "message");
+ var httpMessage = message as IHttpDirectResponse;
+ if (httpMessage != null) {
+ response.Status = httpMessage.HttpStatusCode;
+ foreach (string headerName in httpMessage.Headers) {
+ response.Headers.Add(headerName, httpMessage.Headers[headerName]);
+ }
+ }
+ }
+
+ /// <summary>
/// Prepares to send a request to the Service Provider as the query string in a GET request.
/// </summary>
/// <param name="requestMessage">The message to be transmitted to the ServiceProvider.</param>
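Review bot: `ApplyMessageTemplate` guards `message` with `Requires.NotNull` but dereferences `response` unguarded at `response.Status` and `response.Headers`, so a null response surfaces as a NullReferenceException instead of the precondition failure the other parameter gets; add `Requires.NotNull(response, "response");` directly after the existing check. It is also worth stating in the `<summary>` that headers are copied with `Headers.Add`, which on a NameValueCollection-derived collection appends to an existing entry under the same name rather than replacing it, because the OAuth2 and OpenID channels in this commit call the helper before setting their own Content-Type. A one-line remark such as `/// <remarks>Headers are added, not replaced; apply the template before setting channel-specific headers or use the indexer to overwrite.</remarks>` would make that ordering contract explicit for future callers.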
diff --git a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs
index 293bf5a..2cbc16b 100644
--- a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs
+++ b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs
@@ -223,11 +223,7 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
Headers = new System.Net.WebHeaderCollection(),
};
- IHttpDirectResponse httpMessage = response as IHttpDirectResponse;
- if (httpMessage != null) {
- encodedResponse.Status = httpMessage.HttpStatusCode;
- }
-
+ this.ApplyMessageTemplate(response, encodedResponse);
return encodedResponse;
}
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
index cdcb042..5dee893 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
@@ -222,6 +222,15 @@ namespace DotNetOpenAuth.OAuth2 {
public virtual IDirectResponseProtocolMessage PrepareAccessTokenResponse(AccessTokenRequestBase request, bool includeRefreshToken = true) {
Requires.NotNull(request, "request");
+ if (includeRefreshToken) {
+ if (request is AccessTokenClientCredentialsRequest) {
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it.");
+ includeRefreshToken = false;
+ }
+ }
+
var tokenRequest = (IAuthorizationCarryingRequest)request;
var response = new AccessTokenSuccessResponse(request) {
Lifetime = this.AuthorizationServerServices.GetAccessTokenLifetime(request),
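Review bot: The nested `if (includeRefreshToken) { if (request is AccessTokenClientCredentialsRequest) ... }` at the top of `PrepareAccessTokenResponse` reads more simply as a single guard, `if (includeRefreshToken && request is AccessTokenClientCredentialsRequest) { Logger.OAuth.Debug(...); includeRefreshToken = false; }`. Since the caller explicitly asked for a refresh token and the library silently overrides that choice, the override deserves to be visible in the method's XML documentation rather than only in a Debug log line, e.g. `/// <remarks>Refresh tokens are never issued for the client credentials grant, regardless of <paramref name="includeRefreshToken"/>.</remarks>`, so authorization-server implementers are not surprised by the missing token. The method body continues past the end of the hunk.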
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
index 1026018..295ee86 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
@@ -56,6 +56,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// </remarks>
protected override OutgoingWebResponse PrepareDirectResponse(IProtocolMessage response) {
var webResponse = new OutgoingWebResponse();
+ this.ApplyMessageTemplate(response, webResponse);
string json = this.SerializeAsJson(response);
webResponse.SetResponse(json, new ContentType(JsonEncoded));
return webResponse;
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
index cc61d47..1c2a080 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs
@@ -106,10 +106,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
ErrorUtilities.VerifyInternal(unauthorizedResponse != null, "Only unauthorized responses are expected.");
// First initialize based on the specifics within the message.
- var httpResponse = response as IHttpDirectResponse;
- webResponse.Status = httpResponse != null ? httpResponse.HttpStatusCode : HttpStatusCode.Unauthorized;
- foreach (string headerName in httpResponse.Headers) {
- webResponse.Headers.Add(headerName, httpResponse.Headers[headerName]);
+ this.ApplyMessageTemplate(response, webResponse);
+ if (!(response is IHttpDirectResponse)) {
+ webResponse.Status = HttpStatusCode.Unauthorized;
}
// Now serialize all the message parts into the WWW-Authenticate header.
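Review bot: The `!(response is IHttpDirectResponse)` test after `ApplyMessageTemplate` repeats the type check the helper already performs, and the default-then-override order is clearer: `webResponse.Status = HttpStatusCode.Unauthorized;` followed by `this.ApplyMessageTemplate(response, webResponse);` gives the same result with one check fewer. The `VerifyInternal` above suggests only unauthorized-response messages reach this point; if that message type implements `IHttpDirectResponse` the fallback branch is effectively dead and a short comment saying it is defensive only would save the next reader the question. The enclosing method starts and ends outside the hunk.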
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
index c5c93b5..534929b 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
@@ -95,5 +95,18 @@ namespace DotNetOpenAuth.OAuth2.Messages {
/// Gets or sets a value indicating whether a refresh token is or should be included in the response.
/// </summary>
internal bool HasRefreshToken { get; set; }
+
+ /// <summary>
+ /// Checks the message state for conformity to the protocol specification
+ /// and throws an exception if the message is invalid.
+ /// </summary>
+ /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception>
+ protected override void EnsureValidMessage() {
+ base.EnsureValidMessage();
+
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, this.OriginatingRequest.GetType().Name);
+ }
}
}
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
index dcd6139..2167b5f 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
@@ -160,6 +160,15 @@ namespace DotNetOpenAuth.OAuth2 {
}
/// <summary>
+ /// Looks up a localized string similar to The request message type {0} should not be responded to with a refresh token..
+ /// </summary>
+ internal static string RefreshTokenInappropriateForRequestType {
+ get {
+ return ResourceManager.GetString("RefreshTokenInappropriateForRequestType", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to Individual scopes may not contain spaces..
/// </summary>
internal static string ScopesMayNotContainSpaces {
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
index 9f920e7..6fad914 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
@@ -150,6 +150,9 @@
<data name="NoGrantNoRefreshToken" xml:space="preserve">
<value>Refresh tokens should not be granted without the request including an access grant.</value>
</data>
+ <data name="RefreshTokenInappropriateForRequestType" xml:space="preserve">
+ <value>The request message type {0} should not be responded to with a refresh token.</value>
+ </data>
<data name="ScopesMayNotContainSpaces" xml:space="preserve">
<value>Individual scopes may not contain spaces.</value>
</data>
diff --git a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
index a2340ec..357c02d 100644
--- a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
+++ b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs
@@ -181,6 +181,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
byte[] keyValueEncoding = KeyValueFormEncoding.GetBytes(fields);
OutgoingWebResponse preparedResponse = new OutgoingWebResponse();
+ this.ApplyMessageTemplate(response, preparedResponse);
preparedResponse.Headers.Add(HttpResponseHeader.ContentType, KeyValueFormContentType);
preparedResponse.OriginalMessage = response;
preparedResponse.ResponseStream = new MemoryStream(keyValueEncoding);