Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs | 9 | ||||
-rw-r--r-- | src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs | 4 | ||||
-rw-r--r-- | src/DotNetOpenAuth/OAuth2/Protocol.cs | 5 |
3 files changed, 16 insertions, 2 deletions
diff --git a/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs b/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs
index da46b0a..ad40fa5 100644
--- a/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs
+++ b/src/DotNetOpenAuth/OAuth2/AuthorizationServer.cs
@@ -62,7 +62,14 @@ namespace DotNetOpenAuth.OAuth2 {
 }
 EndUserAuthorizationRequest message;
- this.Channel.TryReadFromRequest(request, out message);
+ if (this.Channel.TryReadFromRequest(request, out message)) {
+ if (message.ResponseType == EndUserAuthorizationResponseType.AuthorizationCode) {
+ // Clients with no secrets can only request implicit grant types.
+ var client = this.AuthorizationServerServices.GetClientOrThrow(message.ClientIdentifier);
+ ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(client.Secret), Protocol.unauthorized_client);
+ }
+ }
+
 return message;
 }
diff --git a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
index b7775b6..b86f5dd 100644
--- a/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
+++ b/src/DotNetOpenAuth/OAuth2/ChannelElements/AccessRequestBindingElement.cs
@@ -135,7 +135,9 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
 // Check that the client secret is correct.
 var client = this.AuthorizationServer.GetClientOrThrow(accessRequest.ClientIdentifier);
- ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(client.Secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials);
+ string secret = client.Secret;
+ ErrorUtilities.VerifyProtocol(!String.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls.
+ ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, accessRequest.ClientSecret), Protocol.incorrect_client_credentials);
 var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest;
 if (scopedAccessRequest != null) {
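Review bot: The definition of a confidential client, `!String.IsNullOrEmpty(client.Secret)`, is now spelled out twice — here for the authorization endpoint and again in the AccessRequestBindingElement.cs hunk for the token endpoint — so the two checks can drift apart (one later moving to `IsNullOrWhiteSpace`, for instance) and a client could be treated as public at one endpoint and confidential at the other. A single helper, such as `bool HasSecret => !string.IsNullOrEmpty(this.Secret);` on the client description type returned by `GetClientOrThrow`, called from both places would keep that rule in one spot. The enclosing method starts and ends outside the hunk; its XML documentation should gain an `<exception>` entry stating that a client registered without a secret requesting an authorization code is rejected with `unauthorized_client` before the user is prompted for consent. The patch also preserves the existing behaviour of returning `message` when `TryReadFromRequest` reports failure; a one-line comment at `return message;` saying that this is deliberate would stop the next reader from reopening the question.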
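Review bot: The trailing comment on the new `unauthorized_client` line states the policy but not the reason the check must come before `EqualsConstantTime`: an empty registered secret must never reach the comparison, where an empty `client_secret` supplied by the caller would otherwise be equal to it. Move the comment onto its own line above the check and make that explicit, e.g. `// A client registered without a secret cannot authenticate at this endpoint at all; reject it before the` / `// constant-time comparison so an empty supplied client_secret can never match an empty registered one.` Whether a confidential client that omits `client_secret` then fails inside `EqualsConstantTime` with `incorrect_client_credentials` depends on how that helper treats a null argument, which is not visible in this hunk; a unit test covering both the empty-registered-secret and the missing-`client_secret` cases would pin the two outcomes. The enclosing method starts and ends outside the hunk.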
diff --git a/src/DotNetOpenAuth/OAuth2/Protocol.cs b/src/DotNetOpenAuth/OAuth2/Protocol.cs
index 2b50439..3cb8253 100644
--- a/src/DotNetOpenAuth/OAuth2/Protocol.cs
+++ b/src/DotNetOpenAuth/OAuth2/Protocol.cs
@@ -70,6 +70,11 @@ namespace DotNetOpenAuth.OAuth2 {
 internal const string incorrect_client_credentials = "incorrect_client_credentials";
 /// <summary>
+ /// The "unauthorized_client" string.
+ /// </summary>
+ internal const string unauthorized_client = "unauthorized_client";
+
+ /// <summary>
 /// The "authorization_expired" string.
 /// </summary>
 internal const string authorization_expired = "authorization_expired"; |