//-----------------------------------------------------------------------
//
// Copyright (c) Andrew Arnott. All rights reserved.
//
//-----------------------------------------------------------------------
namespace RelyingPartyLogic {
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using DotNetOpenAuth.Messaging.Bindings;
using DotNetOpenAuth.OAuth2;
/// <summary>
/// Provides OAuth 2.0 authorization server information to DotNetOpenAuth.
/// </summary>
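public class OAuthAuthorizationServer : IAuthorizationServer {
	/// <summary>
	/// The size, in bits, of the RSA key pair generated for signing access tokens.
	/// </summary>
	/// <remarks>
	/// Given explicitly because the parameterless <see cref="RSACryptoServiceProvider"/>
	/// constructor falls back to a platform default that may be shorter than this.
	/// </remarks>
	private const int AccessTokenSigningKeySizeInBits = 2048;

	/// <summary>
	/// The length, in bytes, of the symmetric secret used for authorization codes and refresh tokens.
	/// </summary>
	private const int SymmetricSecretLengthInBytes = 16;

	/// <summary>
	/// The private key used to sign access tokens. Only the public half is needed by
	/// resource servers; the private exponent must stay inside the authorization server.
	/// </summary>
	internal static readonly RSAParameters AsymmetricKey;

	/// <summary>
	/// The symmetric secret used to encrypt and sign authorization codes and refresh tokens.
	/// </summary>
	private static readonly byte[] secret;

	/// <summary>
	/// The nonce store that guarantees each authorization code can be redeemed at most once.
	/// </summary>
	private readonly INonceStore nonceStore = new NonceDbStore();

	/// <summary>
	/// Initializes static members of the <see cref="OAuthAuthorizationServer"/> class.
	/// </summary>
	/// <remarks>
	/// TODO: Replace this sample code with real code.
	/// For this sample, fresh random secrets are generated every time the type is loaded.
	/// Every restart of the process therefore invalidates all previously issued authorization
	/// codes, refresh tokens and access tokens, and multiple instances of the application
	/// would not share keys. Production code must load the secret and the signing key from
	/// protected storage instead of generating them here.
	/// </remarks>
	static OAuthAuthorizationServer() {
		// RandomNumberGenerator.Create() returns the platform's cryptographically strong RNG.
		// The generator is disposed as soon as the secret has been filled.
		using (RandomNumberGenerator crypto = RandomNumberGenerator.Create()) {
			byte[] freshSecret = new byte[SymmetricSecretLengthInBytes];
			crypto.GetBytes(freshSecret);
			secret = freshSecret;
		}

		// The CSP handle is disposed right after export so only the exported parameters
		// keep the ephemeral key alive.
		using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(AccessTokenSigningKeySizeInBits)) {
			AsymmetricKey = rsa.ExportParameters(true);
		}
	}

	/// <summary>
	/// Initializes a new instance of the <see cref="OAuthAuthorizationServer"/> class.
	/// </summary>
	public OAuthAuthorizationServer() {
	}

	#region IAuthorizationServer Members

	/// <summary>
	/// Gets the secret used to symmetrically encrypt and sign authorization codes and refresh tokens.
	/// </summary>
	/// <value>A copy of the secret; modifying the returned array does not affect this server's key.</value>
	/// <remarks>
	/// This secret should be kept strictly confidential in the authorization server(s)
	/// and NOT shared with the resource server. Anyone with this secret can mint
	/// tokens to essentially grant themselves access to anything they want.
	/// </remarks>
	public byte[] Secret {
		// Defensive copy: the field is readonly but its contents are not, so handing out
		// the live array would let any caller silently rewrite the key material.
		get { return (byte[])secret.Clone(); }
	}

	/// <summary>
	/// Gets the asymmetric private key to use for signing access tokens.
	/// </summary>
	/// <value>The RSA parameters, including the private exponent.</value>
	/// <remarks>
	/// The public key in the private/public key pair will be used by the resource
	/// servers to validate that the access token is minted by a trusted authorization server.
	/// Note that <see cref="RSAParameters"/> is a struct whose fields are byte arrays,
	/// so the returned copy still shares those arrays with the stored key.
	/// </remarks>
	public RSAParameters AccessTokenSigningPrivateKey {
		get { return AsymmetricKey; }
	}

	/// <summary>
	/// Gets the authorization code nonce store to use to ensure that authorization codes can only be used once.
	/// </summary>
	/// <value>The authorization code nonce store.</value>
	public INonceStore VerificationCodeNonceStore {
		get { return this.nonceStore; }
	}

	/// <summary>
	/// Gets the client with a given identifier.
	/// </summary>
	/// <param name="clientIdentifier">The client identifier.</param>
	/// <returns>The client registration. Never null.</returns>
	/// <exception cref="ArgumentNullException">Thrown when <paramref name="clientIdentifier"/> is <c>null</c>.</exception>
	/// <exception cref="ArgumentOutOfRangeException">Thrown when no client with the given identifier is registered with this authorization server.</exception>
	public IConsumerDescription GetClient(string clientIdentifier) {
		if (clientIdentifier == null) {
			// Rejected up front so a null identifier can never be translated into a
			// "ConsumerKey IS NULL" match against the registration table.
			throw new ArgumentNullException("clientIdentifier");
		}

		var consumer = Database.DataContext.Consumers.FirstOrDefault(c => c.ConsumerKey == clientIdentifier);
		if (consumer == null) {
			// An unknown client is reported as a caller error, as documented on
			// IAuthorizationServer.GetClient, instead of the generic "sequence contains
			// no elements" InvalidOperationException that First() would raise.
			throw new ArgumentOutOfRangeException("clientIdentifier");
		}

		return consumer;
	}

	/// <summary>
	/// Determines whether a described authorization is (still) valid.
	/// </summary>
	/// <param name="authorization">The authorization.</param>
	/// <returns>
	/// <c>true</c> if the original authorization is still valid; otherwise, <c>false</c>.
	/// </returns>
	/// <exception cref="ArgumentNullException">Thrown when <paramref name="authorization"/> is <c>null</c>.</exception>
	/// <remarks>
	/// When establishing that an authorization is still valid,
	/// it's very important to only match on recorded authorizations that
	/// meet these criteria:
	/// 1) The client identifier matches.
	/// 2) The user account matches.
	/// 3) The scope on the recorded authorization must include all scopes in the given authorization.
	/// 4) The date the recorded authorization was issued must be no later that the date the given authorization was issued.
	/// One possible scenario is where the user authorized a client, later revoked authorization,
	/// and even later reinstated authorization. This subsequent recorded authorization
	/// would not satisfy requirement #4 in the above list. This is important because the revocation
	/// the user went through should invalidate all previously issued tokens as a matter of
	/// security in the event the user was revoking access in order to sever authorization on a stolen
	/// account or piece of hardware in which the tokens were stored.
	/// </remarks>
	public bool IsAuthorizationValid(DotNetOpenAuth.OAuth2.ChannelElements.IAuthorizationDescription authorization) {
		if (authorization == null) {
			// A missing description must never be reported as a valid authorization.
			throw new ArgumentNullException("authorization");
		}

		// TODO: This sample does not support revoking tokens yet, so every well-formed
		// authorization is accepted. A real implementation must check the recorded
		// authorization against the criteria listed in the remarks above; until then a
		// user's revocation has no effect on tokens that were already issued.
		return true;
	}

	#endregion
}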
}