Diffstat (limited to 'src')
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj2
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AccessRequestBindingElement.cs15
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs2
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCodeBindingElement.cs14
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IncomingMessageValidationBindingElement.cs (renamed from src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerAllFlowsBindingElement.cs)38
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs2
-rw-r--r--src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/Messages/AccessTokenAuthorizationCodeRequestAS.cs4
7 files changed, 31 insertions, 46 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
index c28de19..a007d99 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/DotNetOpenAuth.OAuth2.AuthorizationServer.csproj
@@ -24,7 +24,7 @@
<Compile Include="OAuth2\ChannelElements\AccessTokenBindingElement.cs" />
<Compile Include="OAuth2\ChannelElements\AuthorizationCode.cs" />
<Compile Include="OAuth2\ChannelElements\AuthorizationCodeBindingElement.cs" />
- <Compile Include="OAuth2\ChannelElements\AuthServerAllFlowsBindingElement.cs" />
+ <Compile Include="OAuth2\ChannelElements\IncomingMessageValidationBindingElement.cs" />
<Compile Include="OAuth2\ChannelElements\AuthServerBindingElementBase.cs" />
<Compile Include="OAuth2\ChannelElements\IOAuth2ChannelWithAuthorizationServer.cs" />
<Compile Include="OAuth2\ChannelElements\OAuth2AuthorizationServerChannel.cs" />
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AccessRequestBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AccessRequestBindingElement.cs
index b04947b..0c0f365 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AccessRequestBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AccessRequestBindingElement.cs
@@ -27,12 +27,6 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// </remarks>
internal class AccessRequestBindingElement : AuthServerBindingElementBase {
/// <summary>
- /// Initializes a new instance of the <see cref="AccessRequestBindingElement"/> class.
- /// </summary>
- internal AccessRequestBindingElement() {
- }
-
- /// <summary>
/// Gets the protection commonly offered (if any) by this binding element.
/// </summary>
/// <value></value>
@@ -99,15 +93,6 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
[SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "authorizationexpired", Justification = "Protocol requirement")]
[SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(System.Boolean,System.String,System.Object[])", Justification = "Protocol requirement")]
public override MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
- var authenticatedClientRequest = message as AuthenticatedClientRequestBase;
- if (authenticatedClientRequest != null) {
- // Check that the client secret is correct.
- var client = this.AuthorizationServer.GetClientOrThrow(authenticatedClientRequest.ClientIdentifier);
- string secret = client.Secret;
- ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls.
- ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, authenticatedClientRequest.ClientSecret), Protocol.incorrect_client_credentials);
- }
-
var tokenRequest = message as IAuthorizationCarryingRequest;
if (tokenRequest != null) {
try {
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
index 111c007..a1a7fe5 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCode.cs
@@ -86,7 +86,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
[SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "redirecturimismatch", Justification = "Protocol requirement")]
[SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(System.Boolean,System.String,System.Object[])", Justification = "Protocol requirement")]
internal void VerifyCallback(Uri callback) {
- ErrorUtilities.VerifyProtocol(MessagingUtilities.AreEquivalent(this.CallbackHash, CalculateCallbackHash(callback)), Protocol.redirect_uri_mismatch);
+ ErrorUtilities.VerifyProtocol(MessagingUtilities.AreEquivalentConstantTime(this.CallbackHash, CalculateCallbackHash(callback)), Protocol.redirect_uri_mismatch);
}
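Review bot: VerifyCallback hands `callback` straight to CalculateCallbackHash with no null check, and an authorization-code token request that omits redirect_uri would presumably reach this line with a null callback (this commit's IncomingMessageValidationBindingElement shows that a null Callback is accepted on the authorization request when the client has a DefaultCallback). If CalculateCallbackHash or AreEquivalentConstantTime does not tolerate null, that request fails with an argument or null-reference exception rather than the redirect_uri_mismatch protocol error this method exists to raise, which is the wrong failure mode for client-supplied input. Either confirm the helper's null contract or make the rejection explicit before the comparison, e.g. `ErrorUtilities.VerifyProtocol(callback != null, Protocol.redirect_uri_mismatch);` placed as the first statement, and record the requirement in the method's summary, which starts before this hunk.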
/// <summary>
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCodeBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCodeBindingElement.cs
index d5b6d07..0d92397 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCodeBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthorizationCodeBindingElement.cs
@@ -19,12 +19,6 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// </summary>
internal class AuthorizationCodeBindingElement : AuthServerBindingElementBase {
/// <summary>
- /// Initializes a new instance of the <see cref="AuthorizationCodeBindingElement"/> class.
- /// </summary>
- internal AuthorizationCodeBindingElement() {
- }
-
- /// <summary>
/// Gets the protection commonly offered (if any) by this binding element.
/// </summary>
/// <value>Always <c>MessageProtections.None</c></value>
@@ -87,14 +81,6 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public override MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
- var request = message as AccessTokenAuthorizationCodeRequestAS;
- if (request != null) {
- IAuthorizationCarryingRequest tokenRequest = request;
- ((AuthorizationCode)tokenRequest.AuthorizationDescription).VerifyCallback(request.Callback);
-
- return MessageProtections.None;
- }
-
return null;
}
}
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerAllFlowsBindingElement.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IncomingMessageValidationBindingElement.cs
index 24ac020..b23643b 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/AuthServerAllFlowsBindingElement.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/IncomingMessageValidationBindingElement.cs
@@ -1,5 +1,5 @@
//-----------------------------------------------------------------------
-// <copyright file="AuthServerAllFlowsBindingElement.cs" company="Outercurve Foundation">
+// <copyright file="IncomingMessageValidationBindingElement.cs" company="Outercurve Foundation">
// Copyright (c) Outercurve Foundation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
@@ -14,16 +14,10 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
using Messaging;
/// <summary>
- /// A binding element that should be applied for authorization server channels regardless of which flows
- /// are supported.
+ /// A guard for all messages incoming to an Authorization Server to ensure that they are well formed,
+ /// have valid secrets, callback URIs, etc.
/// </summary>
- internal class AuthServerAllFlowsBindingElement : AuthServerBindingElementBase {
- /// <summary>
- /// Initializes a new instance of the <see cref="AuthServerAllFlowsBindingElement"/> class.
- /// </summary>
- internal AuthServerAllFlowsBindingElement() {
- }
-
+ internal class IncomingMessageValidationBindingElement : AuthServerBindingElementBase {
/// <summary>
/// Gets the protection commonly offered (if any) by this binding element.
/// </summary>
@@ -68,16 +62,36 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public override MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
+ bool applied = false;
+
+ // Check that the client secret is correct for client authenticated messages.
+ var authenticatedClientRequest = message as AuthenticatedClientRequestBase;
+ if (authenticatedClientRequest != null) {
+ var client = this.AuthorizationServer.GetClientOrThrow(authenticatedClientRequest.ClientIdentifier);
+ string secret = client.Secret;
+ ErrorUtilities.VerifyProtocol(!string.IsNullOrEmpty(secret), Protocol.unauthorized_client); // an empty secret is not allowed for client authenticated calls.
+ ErrorUtilities.VerifyProtocol(MessagingUtilities.EqualsConstantTime(secret, authenticatedClientRequest.ClientSecret), Protocol.incorrect_client_credentials);
+ applied = true;
+ }
+
+ // Check that authorization requests come with an acceptable callback URI.
var authorizationRequest = message as EndUserAuthorizationRequest;
if (authorizationRequest != null) {
var client = this.AuthorizationServer.GetClientOrThrow(authorizationRequest.ClientIdentifier);
ErrorUtilities.VerifyProtocol(authorizationRequest.Callback == null || client.IsCallbackAllowed(authorizationRequest.Callback), OAuthStrings.ClientCallbackDisallowed, authorizationRequest.Callback);
ErrorUtilities.VerifyProtocol(authorizationRequest.Callback != null || client.DefaultCallback != null, OAuthStrings.NoCallback);
+ applied = true;
+ }
- return MessageProtections.None;
+ // Check that the callback URI in a direct message from the client matches the one in the indirect message received earlier.
+ var request = message as AccessTokenAuthorizationCodeRequestAS;
+ if (request != null) {
+ IAuthorizationCodeCarryingRequest tokenRequest = request;
+ tokenRequest.AuthorizationDescription.VerifyCallback(request.Callback);
+ applied = true;
}
- return null;
+ return applied ? (MessageProtections?)MessageProtections.None : null;
}
}
}
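Review bot: The third block dereferences `tokenRequest.AuthorizationDescription` without a null check, so if the authorization code has not yet been decoded into the request by the time this element runs, `tokenRequest.AuthorizationDescription.VerifyCallback(request.Callback)` fails with a NullReferenceException instead of a protocol error. Whether it has been decoded depends on where IncomingMessageValidationBindingElement sits on the incoming path relative to the element that deserializes the code (AccessRequestBindingElement, judging by the IAuthorizationCarryingRequest handling left in it by this commit); that ordering is fixed only by the list built in OAuth2AuthorizationServerChannel, where this element is inserted first, and nothing in this file states the dependency. I would make the precondition explicit, `ErrorUtilities.VerifyInternal(tokenRequest.AuthorizationDescription != null, "The authorization code must be decoded before its callback can be verified.");`, and note in the class summary that the callback-match check relies on the code-decoding element having already run. The method's XML documentation begins before this hunk.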
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
index 9e9de28..6179dbc 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/ChannelElements/OAuth2AuthorizationServerChannel.cs
@@ -113,7 +113,7 @@ namespace DotNetOpenAuth.OAuth2.ChannelElements {
Requires.NotNull(authorizationServer, "authorizationServer");
var bindingElements = new List<IChannelBindingElement>();
- bindingElements.Add(new AuthServerAllFlowsBindingElement());
+ bindingElements.Add(new IncomingMessageValidationBindingElement());
bindingElements.Add(new AuthorizationCodeBindingElement());
bindingElements.Add(new AccessTokenBindingElement());
bindingElements.Add(new AccessRequestBindingElement());
diff --git a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/Messages/AccessTokenAuthorizationCodeRequestAS.cs b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/Messages/AccessTokenAuthorizationCodeRequestAS.cs
index 3abec7a..ca14d0e 100644
--- a/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/Messages/AccessTokenAuthorizationCodeRequestAS.cs
+++ b/src/DotNetOpenAuth.OAuth2.AuthorizationServer/OAuth2/Messages/AccessTokenAuthorizationCodeRequestAS.cs
@@ -16,7 +16,7 @@ namespace DotNetOpenAuth.OAuth2.Messages {
/// and (at the authorization server's option) a refresh token.
/// </summary>
internal class AccessTokenAuthorizationCodeRequestAS : AccessTokenAuthorizationCodeRequest, IAuthorizationCodeCarryingRequest {
- /// <summary>
+ /// <summary>
/// Initializes a new instance of the <see cref="AccessTokenAuthorizationCodeRequestAS"/> class.
/// </summary>
/// <param name="tokenEndpoint">The Authorization Server's access token endpoint URL.</param>
@@ -25,7 +25,7 @@ namespace DotNetOpenAuth.OAuth2.Messages {
: base(tokenEndpoint, version) {
}
- #region IAuthorizationCodeCarryingRequest Members
+ #region IAuthorizationCodeCarryingRequest Members
/// <summary>
/// Gets or sets the verification code or refresh/access token.