blob: f936c60e22d2098d0ea7171ae07232b967f78874 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using DotNetOpenAuth;
using DotNetOpenAuth.OAuth;
using DotNetOpenAuth.OAuth.Messages;
/// <summary>
/// Conducts the user through a Consumer authorization process.
/// </summary>
public partial class Authorize : System.Web.UI.Page {
private static readonly RandomNumberGenerator CryptoRandomDataGenerator = new RNGCryptoServiceProvider();
private string AuthorizationSecret {
get { return Session["OAuthAuthorizationSecret"] as string; }
set { Session["OAuthAuthorizationSecret"] = value; }
}
protected void Page_Load(object sender, EventArgs e) {
if (!IsPostBack) {
if (Global.PendingOAuthAuthorization == null) {
Response.Redirect("~/Members/AuthorizedConsumers.aspx");
} else {
ITokenContainingMessage pendingToken = Global.PendingOAuthAuthorization;
var token = Global.DataContext.OAuthTokens.Single(t => t.Token == pendingToken.Token);
desiredAccessLabel.Text = token.Scope;
consumerLabel.Text = Global.TokenManager.GetConsumerForToken(token.Token).ConsumerKey;
// Generate an unpredictable secret that goes to the user agent and must come back
// with authorization to guarantee the user interacted with this page rather than
// being scripted by an evil Consumer.
byte[] randomData = new byte[8];
CryptoRandomDataGenerator.GetBytes(randomData);
this.AuthorizationSecret = Convert.ToBase64String(randomData);
OAuthAuthorizationSecToken.Value = this.AuthorizationSecret;
OAuth10ConsumerWarning.Visible = Global.PendingOAuthAuthorization.IsUnsafeRequest;
}
}
}
protected void allowAccessButton_Click(object sender, EventArgs e) {
if (this.AuthorizationSecret != OAuthAuthorizationSecToken.Value) {
throw new ArgumentException(); // probably someone trying to hack in.
}
this.AuthorizationSecret = null; // clear one time use secret
var pending = Global.PendingOAuthAuthorization;
Global.AuthorizePendingRequestToken();
multiView.ActiveViewIndex = 1;
ServiceProvider sp = new ServiceProvider(Constants.SelfDescription, Global.TokenManager);
var response = sp.PrepareAuthorizationResponse(pending);
if (response != null) {
sp.Channel.Send(response);
} else {
if (pending.IsUnsafeRequest) {
verifierMultiView.ActiveViewIndex = 1;
} else {
string verifier = ServiceProvider.CreateVerificationCode(VerificationCodeFormat.AlphaNumericNoLookAlikes, 10);
verificationCodeLabel.Text = verifier;
ITokenContainingMessage requestTokenMessage = pending;
Global.TokenManager.GetRequestToken(requestTokenMessage.Token).VerificationCode = verifier;
}
}
}
protected void denyAccessButton_Click(object sender, EventArgs e) {
// erase the request token.
multiView.ActiveViewIndex = 2;
}
}
|
