Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs b/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
index fa1e661..4565a3f 100644
--- a/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
+++ b/src/DotNetOpenAuth/OAuth2/OAuthUtilities.cs
@@ -24,6 +24,17 @@ namespace DotNetOpenAuth.OAuth2 {
 private static char[] scopeDelimiter = new char[] { ' ' };
 /// <summary>
+ /// The characters that may appear in an access token that is included in an HTTP Authorization header.
+ /// </summary>
+ /// <remarks>
+ /// This is defined in OAuth 2.0 DRAFT 10, section 5.1.1. (http://tools.ietf.org/id/draft-ietf-oauth-v2-10.html#authz-header)
+ /// </remarks>
+ private static string accessTokenAuthorizationHeaderAllowedCharacters = MessagingUtilities.UppercaseLetters +
+ MessagingUtilities.LowercaseLetters +
+ MessagingUtilities.Digits +
+ @"!#$%&'()*+-./:<=>?@[]^_`{|}~\,;";
+
+ /// <summary>
 /// Determines whether one given scope is a subset of another scope.
 /// </summary>
 /// <param name="requestedScope">The requested scope, which may be a subset of <paramref name="grantedScope"/>.</param>
@@ -71,10 +82,12 @@ namespace DotNetOpenAuth.OAuth2 {
 internal static void AuthorizeWithOAuthWrap(this HttpWebRequest request, string accessToken) {
 Contract.Requires<ArgumentNullException>(request != null);
 Contract.Requires<ArgumentException>(!string.IsNullOrEmpty(accessToken));
+ Contract.Requires<ArgumentException>(accessToken.All(ch => accessTokenAuthorizationHeaderAllowedCharacters.IndexOf(ch) >= 0), "The access token contains characters that must not appear in the HTTP Authorization header.");
+
 request.Headers[HttpRequestHeader.Authorization] = string.Format(
 CultureInfo.InvariantCulture,
 Protocol.HttpAuthorizationHeaderFormat,
- Uri.EscapeDataString(accessToken));
+ accessToken);
 }
 /// <summary> |
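Review bot: Dropping `Uri.EscapeDataString(accessToken)` in favour of the new `Contract.Requires<ArgumentException>` allow-list check in the second hunk means a token holding a quote, space or CR/LF is now rejected at the call site rather than sent percent-encoded, which is the right guard against header injection, but `Contract.Requires<TException>` is enforced by the Code Contracts binary rewriter (ccrewrite), so confirm the shipped build configuration runs it, or add an explicit `if (!accessToken.All(ch => accessTokenAuthorizationHeaderAllowedCharacters.IndexOf(ch) >= 0)) { throw new ArgumentException("..."); }` so the validation does not depend on build tooling. `AuthorizeWithOAuthWrap`'s XML doc comment begins before the hunk; add `/// <exception cref="ArgumentException">Thrown if <paramref name="accessToken"/> is empty or contains characters that may not appear in the HTTP Authorization header.</exception>` to it so callers know the precondition. In the first hunk the allow-list is a mutable static; declare it `private static readonly string accessTokenAuthorizationHeaderAllowedCharacters = ...` so the validation set cannot be reassigned. `accessToken.All(...)` also needs `using System.Linq;`, which the hunk does not show is already present in the file.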