1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
//-----------------------------------------------------------------------
// <copyright file="AuthorizationCode.cs" company="Outercurve Foundation">
// Copyright (c) Outercurve Foundation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.OAuth2.ChannelElements {
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.Diagnostics.Contracts;
using System.Security.Cryptography;
using System.Text;
using DotNetOpenAuth.Messaging;
/// <summary>
/// Represents the authorization code created when a user approves authorization that
/// allows the client to request an access/refresh token.
/// </summary>
internal class AuthorizationCode : AuthorizationDataBag {
/// <summary>
/// The name of the bucket for symmetric keys used to sign authorization codes.
/// </summary>
internal const string AuthorizationCodeKeyBucket = "https://localhost/dnoa/oauth_authorization_code";
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationCode"/> class.
/// </summary>
public AuthorizationCode() {
}
/// <summary>
/// Initializes a new instance of the <see cref="AuthorizationCode"/> class.
/// </summary>
/// <param name="clientIdentifier">The client identifier.</param>
/// <param name="callback">The callback the client used to obtain authorization, if one was explicitly included in the request.</param>
/// <param name="scopes">The authorized scopes.</param>
/// <param name="username">The name on the account that authorized access.</param>
internal AuthorizationCode(string clientIdentifier, Uri callback, IEnumerable<string> scopes, string username) {
Requires.NotNullOrEmpty(clientIdentifier, "clientIdentifier");
this.ClientIdentifier = clientIdentifier;
this.CallbackHash = CalculateCallbackHash(callback);
this.Scope.ResetContents(scopes);
this.User = username;
this.UtcCreationDate = DateTime.UtcNow;
}
/// <summary>
/// Gets the maximum message age from the standard expiration binding element.
/// </summary>
/// <value>This interval need not account for clock skew because it is only compared within a single authorization server or farm of servers.</value>
internal static TimeSpan MaximumMessageAge {
get { return Configuration.DotNetOpenAuthSection.Messaging.MaximumMessageLifetimeNoSkew; }
}
/// <summary>
/// Gets or sets the hash of the callback URL.
/// </summary>
[MessagePart("cb")]
private byte[] CallbackHash { get; set; }
/// <summary>
/// Creates a serializer/deserializer for this type.
/// </summary>
/// <param name="authorizationServer">The authorization server that will be serializing/deserializing this authorization code. Must not be null.</param>
/// <returns>A DataBag formatter.</returns>
internal static IDataBagFormatter<AuthorizationCode> CreateFormatter(IAuthorizationServer authorizationServer) {
Requires.NotNull(authorizationServer, "authorizationServer");
Contract.Ensures(Contract.Result<IDataBagFormatter<AuthorizationCode>>() != null);
var cryptoStore = authorizationServer.CryptoKeyStore;
ErrorUtilities.VerifyHost(cryptoStore != null, OAuthStrings.ResultShouldNotBeNull, authorizationServer.GetType(), "CryptoKeyStore");
return new UriStyleMessageFormatter<AuthorizationCode>(
cryptoStore,
AuthorizationCodeKeyBucket,
signed: true,
encrypted: true,
compressed: false,
maximumAge: MaximumMessageAge,
decodeOnceOnly: authorizationServer.NonceStore);
}
/// <summary>
/// Verifies the the given callback URL matches the callback originally given in the authorization request.
/// </summary>
/// <param name="callback">The callback.</param>
/// <remarks>
/// This method serves to verify that the callback URL given in the original authorization request
/// and the callback URL given in the access token request match.
/// </remarks>
/// <exception cref="ProtocolException">Thrown when the callback URLs do not match.</exception>
[SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "redirecturimismatch", Justification = "Protocol requirement")]
[SuppressMessage("Microsoft.Globalization", "CA1303:Do not pass literals as localized parameters", MessageId = "DotNetOpenAuth.Messaging.ErrorUtilities.VerifyProtocol(System.Boolean,System.String,System.Object[])", Justification = "Protocol requirement")]
internal void VerifyCallback(Uri callback) {
ErrorUtilities.VerifyProtocol(MessagingUtilities.AreEquivalentConstantTime(this.CallbackHash, CalculateCallbackHash(callback)), Protocol.redirect_uri_mismatch);
}
/// <summary>
/// Calculates the hash of the callback URL.
/// </summary>
/// <param name="callback">The callback whose hash should be calculated.</param>
/// <returns>
/// A base64 encoding of the hash of the URL.
/// </returns>
[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "False positive.")]
private static byte[] CalculateCallbackHash(Uri callback) {
if (callback == null) {
return null;
}
using (var hasher = new SHA256Managed()) {
return hasher.ComputeHash(Encoding.UTF8.GetBytes(callback.AbsoluteUri));
}
}
}
}
|
