1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
//-----------------------------------------------------------------------
// <copyright file="OAuthServiceProviderMessageFactory.cs" company="Outercurve Foundation">
// Copyright (c) Outercurve Foundation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.OAuth.ChannelElements {
using System;
using System.Collections.Generic;
using DotNetOpenAuth.Logging;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth.Messages;
using Validation;
/// <summary>
/// An OAuth-protocol specific implementation of the <see cref="IMessageFactory"/>
/// interface.
/// </summary>
public class OAuthServiceProviderMessageFactory : IMessageFactory {
/// <summary>
/// The token manager to use for discerning between request and access tokens.
/// </summary>
private IServiceProviderTokenManager tokenManager;
/// <summary>
/// Initializes a new instance of the <see cref="OAuthServiceProviderMessageFactory"/> class.
/// </summary>
/// <param name="tokenManager">The token manager instance to use.</param>
public OAuthServiceProviderMessageFactory(IServiceProviderTokenManager tokenManager) {
Requires.NotNull(tokenManager, "tokenManager");
this.tokenManager = tokenManager;
}
#region IMessageFactory Members
/// <summary>
/// Analyzes an incoming request message payload to discover what kind of
/// message is embedded in it and returns the type, or null if no match is found.
/// </summary>
/// <param name="recipient">The intended or actual recipient of the request message.</param>
/// <param name="fields">The name/value pairs that make up the message payload.</param>
/// <returns>
/// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can
/// deserialize to. Null if the request isn't recognized as a valid protocol message.
/// </returns>
/// <remarks>
/// The request messages are:
/// UnauthorizedTokenRequest
/// AuthorizedTokenRequest
/// UserAuthorizationRequest
/// AccessProtectedResourceRequest
/// </remarks>
public virtual IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary<string, string> fields) {
MessageBase message = null;
Protocol protocol = Protocol.V10; // default to assuming the less-secure 1.0 instead of 1.0a until we prove otherwise.
string token;
fields.TryGetValue("oauth_token", out token);
try {
if (fields.ContainsKey("oauth_consumer_key") && !fields.ContainsKey("oauth_token")) {
protocol = fields.ContainsKey("oauth_callback") ? Protocol.V10a : Protocol.V10;
message = new UnauthorizedTokenRequest(recipient, protocol.Version);
} else if (fields.ContainsKey("oauth_consumer_key") && fields.ContainsKey("oauth_token")) {
// Discern between RequestAccessToken and AccessProtectedResources,
// which have all the same parameters, by figuring out what type of token
// is in the token parameter.
bool tokenTypeIsAccessToken = this.tokenManager.GetTokenType(token) == TokenType.AccessToken;
if (tokenTypeIsAccessToken) {
message = (MessageBase)new AccessProtectedResourceRequest(recipient, protocol.Version);
} else {
// Discern between 1.0 and 1.0a requests by checking on the consumer version we stored
// when the consumer first requested an unauthorized token.
protocol = Protocol.Lookup(this.tokenManager.GetRequestToken(token).ConsumerVersion);
message = new AuthorizedTokenRequest(recipient, protocol.Version);
}
} else {
// fail over to the message with no required fields at all.
if (token != null) {
protocol = Protocol.Lookup(this.tokenManager.GetRequestToken(token).ConsumerVersion);
}
// If a callback parameter is included, that suggests either the consumer
// is following OAuth 1.0 instead of 1.0a, or that a hijacker is trying
// to attack. Either way, if the consumer started out as a 1.0a, keep it
// that way, and we'll just ignore the oauth_callback included in this message
// by virtue of the UserAuthorizationRequest message not including it in its
// 1.0a payload.
message = new UserAuthorizationRequest(recipient, protocol.Version);
}
if (message != null) {
message.SetAsIncoming();
}
return message;
} catch (KeyNotFoundException ex) {
throw ErrorUtilities.Wrap(ex, OAuthStrings.TokenNotFound);
}
}
/// <summary>
/// Analyzes an incoming request message payload to discover what kind of
/// message is embedded in it and returns the type, or null if no match is found.
/// </summary>
/// <param name="request">
/// The message that was sent as a request that resulted in the response.
/// Null on a Consumer site that is receiving an indirect message from the Service Provider.
/// </param>
/// <param name="fields">The name/value pairs that make up the message payload.</param>
/// <returns>
/// The <see cref="IProtocolMessage"/>-derived concrete class that this message can
/// deserialize to. Null if the request isn't recognized as a valid protocol message.
/// </returns>
/// <remarks>
/// The response messages are:
/// None.
/// </remarks>
public virtual IDirectResponseProtocolMessage GetNewResponseMessage(IDirectedProtocolMessage request, IDictionary<string, string> fields) {
Logger.OAuth.Error("Service Providers are not expected to ever receive responses.");
return null;
}
#endregion
}
}
|
