summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs9
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs13
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs9
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx3
4 files changed, 34 insertions, 0 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
index cdcb042..5dee893 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/AuthorizationServer.cs
@@ -222,6 +222,15 @@ namespace DotNetOpenAuth.OAuth2 {
public virtual IDirectResponseProtocolMessage PrepareAccessTokenResponse(AccessTokenRequestBase request, bool includeRefreshToken = true) {
Requires.NotNull(request, "request");
+ if (includeRefreshToken) {
+ if (request is AccessTokenClientCredentialsRequest) {
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it.");
+ includeRefreshToken = false;
+ }
+ }
+
var tokenRequest = (IAuthorizationCarryingRequest)request;
var response = new AccessTokenSuccessResponse(request) {
Lifetime = this.AuthorizationServerServices.GetAccessTokenLifetime(request),
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
index c5c93b5..534929b 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
@@ -95,5 +95,18 @@ namespace DotNetOpenAuth.OAuth2.Messages {
/// Gets or sets a value indicating whether a refresh token is or should be included in the response.
/// </summary>
internal bool HasRefreshToken { get; set; }
+
+ /// <summary>
+ /// Checks the message state for conformity to the protocol specification
+ /// and throws an exception if the message is invalid.
+ /// </summary>
+ /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception>
+ protected override void EnsureValidMessage() {
+ base.EnsureValidMessage();
+
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, this.OriginatingRequest.GetType().Name);
+ }
}
}
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
index dcd6139..2167b5f 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.Designer.cs
@@ -160,6 +160,15 @@ namespace DotNetOpenAuth.OAuth2 {
}
/// <summary>
+ /// Looks up a localized string similar to The request message type {0} should not be responded to with a refresh token..
+ /// </summary>
+ internal static string RefreshTokenInappropriateForRequestType {
+ get {
+ return ResourceManager.GetString("RefreshTokenInappropriateForRequestType", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to Individual scopes may not contain spaces..
/// </summary>
internal static string ScopesMayNotContainSpaces {
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
index 9f920e7..6fad914 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/OAuthStrings.resx
@@ -150,6 +150,9 @@
<data name="NoGrantNoRefreshToken" xml:space="preserve">
<value>Refresh tokens should not be granted without the request including an access grant.</value>
</data>
+ <data name="RefreshTokenInappropriateForRequestType" xml:space="preserve">
+ <value>The request message type {0} should not be responded to with a refresh token.</value>
+ </data>
<data name="ScopesMayNotContainSpaces" xml:space="preserve">
<value>Individual scopes may not contain spaces.</value>
</data>
generated by cgit v1.1 at 2025-05-21 15:17:40 +0000