diff options
Diffstat (limited to 'src')
9 files changed, 56 insertions, 9 deletions
diff --git a/src/DotNetOpenAuth.Core/Messaging/Channel.cs b/src/DotNetOpenAuth.Core/Messaging/Channel.cs index 201d861..26a8179 100644 --- a/src/DotNetOpenAuth.Core/Messaging/Channel.cs +++ b/src/DotNetOpenAuth.Core/Messaging/Channel.cs @@ -1038,6 +1038,22 @@ namespace DotNetOpenAuth.Messaging { } /// <summary> + /// Applies message prescribed HTTP response headers to an outgoing web response. + /// </summary> + /// <param name="message">The message.</param> + /// <param name="response">The HTTP response.</param> + protected void ApplyMessageTemplate(IMessage message, OutgoingWebResponse response) { + Requires.NotNull(message, "message"); + var httpMessage = message as IHttpDirectResponse; + if (httpMessage != null) { + response.Status = httpMessage.HttpStatusCode; + foreach (string headerName in httpMessage.Headers) { + response.Headers.Add(headerName, httpMessage.Headers[headerName]); + } + } + } + + /// <summary> /// Prepares to send a request to the Service Provider as the query string in a GET request. /// </summary> /// <param name="requestMessage">The message to be transmitted to the ServiceProvider.</param> diff --git a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs index 293bf5a..2cbc16b 100644 --- a/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs +++ b/src/DotNetOpenAuth.OAuth/OAuth/ChannelElements/OAuthChannel.cs @@ -223,11 +223,7 @@ namespace DotNetOpenAuth.OAuth.ChannelElements { Headers = new System.Net.WebHeaderCollection(), }; - IHttpDirectResponse httpMessage = response as IHttpDirectResponse; - if (httpMessage != null) { - encodedResponse.Status = httpMessage.HttpStatusCode; - } - + this.ApplyMessageTemplate(response, encodedResponse); return encodedResponse; } diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs index cdcb042..5dee893 100644 --- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs +++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs @@ -222,6 +222,15 @@ namespace DotNetOpenAuth.OAuth2 { public virtual IDirectResponseProtocolMessage PrepareAccessTokenResponse(AccessTokenRequestBase request, bool includeRefreshToken = true) { Requires.NotNull(request, "request"); + if (includeRefreshToken) { + if (request is AccessTokenClientCredentialsRequest) { + // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included + // in a response to an access token request that used the client credential grant type. + Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it."); + includeRefreshToken = false; + } + } + var tokenRequest = (IAuthorizationCarryingRequest)request; var response = new AccessTokenSuccessResponse(request) { Lifetime = this.AuthorizationServerServices.GetAccessTokenLifetime(request), diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs index 1026018..295ee86 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs @@ -56,6 +56,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { /// </remarks> protected override OutgoingWebResponse PrepareDirectResponse(IProtocolMessage response) { var webResponse = new OutgoingWebResponse(); + this.ApplyMessageTemplate(response, webResponse); string json = this.SerializeAsJson(response); webResponse.SetResponse(json, new ContentType(JsonEncoded)); return webResponse; diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs index cc61d47..1c2a080 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/ChannelElements/OAuth2ResourceServerChannel.cs @@ -106,10 +106,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements { ErrorUtilities.VerifyInternal(unauthorizedResponse != null, "Only unauthorized responses are expected."); // First initialize based on the specifics within the message. - var httpResponse = response as IHttpDirectResponse; - webResponse.Status = httpResponse != null ? httpResponse.HttpStatusCode : HttpStatusCode.Unauthorized; - foreach (string headerName in httpResponse.Headers) { - webResponse.Headers.Add(headerName, httpResponse.Headers[headerName]); + this.ApplyMessageTemplate(response, webResponse); + if (!(response is IHttpDirectResponse)) { + webResponse.Status = HttpStatusCode.Unauthorized; } // Now serialize all the message parts into the WWW-Authenticate header. diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs index c5c93b5..534929b 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs @@ -95,5 +95,18 @@ namespace DotNetOpenAuth.OAuth2.Messages { /// Gets or sets a value indicating whether a refresh token is or should be included in the response. /// </summary> internal bool HasRefreshToken { get; set; } + + /// <summary> + /// Checks the message state for conformity to the protocol specification + /// and throws an exception if the message is invalid. + /// </summary> + /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception> + protected override void EnsureValidMessage() { + base.EnsureValidMessage(); + + // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included + // in a response to an access token request that used the client credential grant type. + ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, this.OriginatingRequest.GetType().Name); + } } } diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs index dcd6139..2167b5f 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs @@ -160,6 +160,15 @@ namespace DotNetOpenAuth.OAuth2 { } /// <summary> + /// Looks up a localized string similar to The request message type {0} should not be responded to with a refresh token.. + /// </summary> + internal static string RefreshTokenInappropriateForRequestType { + get { + return ResourceManager.GetString("RefreshTokenInappropriateForRequestType", resourceCulture); + } + } + + /// <summary> /// Looks up a localized string similar to Individual scopes may not contain spaces.. /// </summary> internal static string ScopesMayNotContainSpaces { diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx index 9f920e7..6fad914 100644 --- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx +++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx @@ -150,6 +150,9 @@ <data name="NoGrantNoRefreshToken" xml:space="preserve"> <value>Refresh tokens should not be granted without the request including an access grant.</value> </data> + <data name="RefreshTokenInappropriateForRequestType" xml:space="preserve"> + <value>The request message type {0} should not be responded to with a refresh token.</value> + </data> <data name="ScopesMayNotContainSpaces" xml:space="preserve"> <value>Individual scopes may not contain spaces.</value> </data> diff --git a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs index a2340ec..357c02d 100644 --- a/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs +++ b/src/DotNetOpenAuth.OpenId/OpenId/ChannelElements/OpenIdChannel.cs @@ -181,6 +181,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements { byte[] keyValueEncoding = KeyValueFormEncoding.GetBytes(fields); OutgoingWebResponse preparedResponse = new OutgoingWebResponse(); + this.ApplyMessageTemplate(response, preparedResponse); preparedResponse.Headers.Add(HttpResponseHeader.ContentType, KeyValueFormContentType); preparedResponse.OriginalMessage = response; preparedResponse.ResponseStream = new MemoryStream(keyValueEncoding); |