/// <summary>
/// Analyzes an incoming request message payload to discover what kind of
/// message is embedded in it and returns the type, or null if no match is found.
/// </summary>
/// <param name="recipient">The intended or actual recipient of the request message.</param>
/// <param name="fields">The name/value pairs that make up the message payload.</param>
/// <returns>
/// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can
/// deserialize to. Null if the request isn't recognized as a valid protocol message.
/// </returns>
/// <remarks>
/// The request messages are:
/// UnauthorizedTokenRequest
/// AuthorizedTokenRequest
/// UserAuthorizationRequest
/// AccessProtectedResourceRequest
/// </remarks>
public virtual IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary<string, string> fields)
{
ErrorUtilities.VerifyArgumentNotNull(recipient, "recipient");
ErrorUtilities.VerifyArgumentNotNull(fields, "fields");
MessageBase message = null;
if (fields.ContainsKey("oauth_consumer_key") &&
!fields.ContainsKey("oauth_token")) {
message = new UnauthorizedTokenRequest(recipient);
} else if (fields.ContainsKey("oauth_consumer_key") &&
fields.ContainsKey("oauth_token")) {
// Discern between RequestAccessToken and AccessProtectedResources,
// which have all the same parameters, by figuring out what type of token
// is in the token parameter.
bool tokenTypeIsAccessToken = this.tokenManager.GetTokenType(fields["oauth_token"]) == TokenType.AccessToken;
message = tokenTypeIsAccessToken ? (MessageBase)new AccessProtectedResourceRequest(recipient) :
new AuthorizedTokenRequest(recipient);
} else {
// fail over to the message with no required fields at all.
message = new UserAuthorizationRequest(recipient);
}
if (message != null) {
message.SetAsIncoming();
}
return message;
}
protected internal UserAuthorizationRequest PrepareRequestUserAuthorization(Uri callback, IDictionary<string, string> requestParameters, IDictionary<string, string> redirectParameters, out string requestToken) {
// Obtain an unauthorized request token. Assume the OAuth version given in the service description.
var token = new UnauthorizedTokenRequest(this.ServiceProvider.RequestTokenEndpoint, this.ServiceProvider.Version) {
ConsumerKey = this.ConsumerKey,
Callback = callback,
};
var tokenAccessor = this.Channel.MessageDescriptions.GetAccessor(token);
tokenAccessor.AddExtraParameters(requestParameters);
var requestTokenResponse = this.Channel.Request<UnauthorizedTokenResponse>(token);
this.TokenManager.StoreNewRequestToken(token, requestTokenResponse);
// Fine-tune our understanding of the SP's supported OAuth version if it's wrong.
if (this.ServiceProvider.Version != requestTokenResponse.Version) {
Logger.OAuth.WarnFormat("Expected OAuth service provider at endpoint {0} to use OAuth {1} but {2} was detected. Adjusting service description to new version.", this.ServiceProvider.RequestTokenEndpoint.Location, this.ServiceProvider.Version, requestTokenResponse.Version);
this.ServiceProvider.ProtocolVersion = Protocol.Lookup(requestTokenResponse.Version).ProtocolVersion;
}
// Request user authorization. The OAuth version will automatically include
// or drop the callback that we're setting here.
ITokenContainingMessage assignedRequestToken = requestTokenResponse;
var requestAuthorization = new UserAuthorizationRequest(this.ServiceProvider.UserAuthorizationEndpoint, assignedRequestToken.Token, requestTokenResponse.Version) {
Callback = callback,
};
var requestAuthorizationAccessor = this.Channel.MessageDescriptions.GetAccessor(requestAuthorization);
requestAuthorizationAccessor.AddExtraParameters(redirectParameters);
requestToken = requestAuthorization.RequestToken;
return requestAuthorization;
}
public UserAuthorizationResponse PrepareAuthorizationResponse(UserAuthorizationRequest request, Uri callback) {
Requires.NotNull(request, "request");
Requires.NotNull(callback, "callback");
var authorization = new UserAuthorizationResponse(callback, request.Version) {
RequestToken = request.RequestToken,
};
if (authorization.Version >= Protocol.V10a.Version) {
authorization.VerificationCode = CreateVerificationCode(VerificationCodeFormat.IncludedInCallback, VerifierCodeLength);
}
return authorization;
}
public UserAuthorizationResponse PrepareAuthorizationResponse(UserAuthorizationRequest request) {
Requires.NotNull(request, "request");
// It is very important for us to ignore the oauth_callback argument in the
// UserAuthorizationRequest if the Consumer is a 1.0a consumer or else we
// open up a security exploit.
IServiceProviderRequestToken token = this.TokenManager.GetRequestToken(request.RequestToken);
Uri callback;
if (request.Version >= Protocol.V10a.Version) {
// In OAuth 1.0a, we'll prefer the token-specific callback to the pre-registered one.
if (token.Callback != null) {
callback = token.Callback;
} else {
IConsumerDescription consumer = this.TokenManager.GetConsumer(token.ConsumerKey);
callback = consumer.Callback;
}
} else {
// In OAuth 1.0, we'll prefer the pre-registered callback over the token-specific one
// since 1.0 has a security weakness for user-modified callback URIs.
IConsumerDescription consumer = this.TokenManager.GetConsumer(token.ConsumerKey);
callback = consumer.Callback ?? request.Callback;
}
return callback != null ? this.PrepareAuthorizationResponse(request, callback) : null;
}
/// <summary>
/// Analyzes an incoming request message payload to discover what kind of
/// message is embedded in it and returns the type, or null if no match is found.
/// </summary>
/// <param name="recipient">The intended or actual recipient of the request message.</param>
/// <param name="fields">The name/value pairs that make up the message payload.</param>
/// <returns>
/// A newly instantiated <see cref="IProtocolMessage"/>-derived object that this message can
/// deserialize to. Null if the request isn't recognized as a valid protocol message.
/// </returns>
/// <remarks>
/// The request messages are:
/// UnauthorizedTokenRequest
/// AuthorizedTokenRequest
/// UserAuthorizationRequest
/// AccessProtectedResourceRequest
/// </remarks>
public virtual IDirectedProtocolMessage GetNewRequestMessage(MessageReceivingEndpoint recipient, IDictionary<string, string> fields) {
MessageBase message = null;
Protocol protocol = Protocol.V10; // default to assuming the less-secure 1.0 instead of 1.0a until we prove otherwise.
string token;
fields.TryGetValue("oauth_token", out token);
try {
if (fields.ContainsKey("oauth_consumer_key") && !fields.ContainsKey("oauth_token")) {
protocol = fields.ContainsKey("oauth_callback") ? Protocol.V10a : Protocol.V10;
message = new UnauthorizedTokenRequest(recipient, protocol.Version);
} else if (fields.ContainsKey("oauth_consumer_key") && fields.ContainsKey("oauth_token")) {
// Discern between RequestAccessToken and AccessProtectedResources,
// which have all the same parameters, by figuring out what type of token
// is in the token parameter.
bool tokenTypeIsAccessToken = this.tokenManager.GetTokenType(token) == TokenType.AccessToken;
if (tokenTypeIsAccessToken) {
message = (MessageBase)new AccessProtectedResourceRequest(recipient, protocol.Version);
} else {
// Discern between 1.0 and 1.0a requests by checking on the consumer version we stored
// when the consumer first requested an unauthorized token.
protocol = Protocol.Lookup(this.tokenManager.GetRequestToken(token).ConsumerVersion);
message = new AuthorizedTokenRequest(recipient, protocol.Version);
}
} else {
// fail over to the message with no required fields at all.
if (token != null) {
protocol = Protocol.Lookup(this.tokenManager.GetRequestToken(token).ConsumerVersion);
}
// If a callback parameter is included, that suggests either the consumer
// is following OAuth 1.0 instead of 1.0a, or that a hijacker is trying
// to attack. Either way, if the consumer started out as a 1.0a, keep it
// that way, and we'll just ignore the oauth_callback included in this message
// by virtue of the UserAuthorizationRequest message not including it in its
// 1.0a payload.
message = new UserAuthorizationRequest(recipient, protocol.Version);
}
if (message != null) {
message.SetAsIncoming();
}
return message;
} catch (KeyNotFoundException ex) {
throw ErrorUtilities.Wrap(ex, OAuthStrings.TokenNotFound);
}
}
protected internal UserAuthorizationRequest PrepareRequestUserAuthorization(Uri callback, IDictionary<string, string> requestParameters, IDictionary<string, string> redirectParameters, out string requestToken)
{
// Obtain an unauthorized request token.
var token = new UnauthorizedTokenRequest(this.ServiceProvider.RequestTokenEndpoint) {
ConsumerKey = this.ConsumerKey,
};
var tokenAccessor = this.Channel.MessageDescriptions.GetAccessor(token);
tokenAccessor.AddExtraParameters(requestParameters);
var requestTokenResponse = this.Channel.Request<UnauthorizedTokenResponse>(token);
this.TokenManager.StoreNewRequestToken(token, requestTokenResponse);
// Request user authorization.
ITokenContainingMessage assignedRequestToken = requestTokenResponse;
var requestAuthorization = new UserAuthorizationRequest(this.ServiceProvider.UserAuthorizationEndpoint, assignedRequestToken.Token) {
Callback = callback,
};
var requestAuthorizationAccessor = this.Channel.MessageDescriptions.GetAccessor(requestAuthorization);
requestAuthorizationAccessor.AddExtraParameters(redirectParameters);
requestToken = requestAuthorization.RequestToken;
return requestAuthorization;
}
public UserAuthorizationResponse PrepareAuthorizationResponse(UserAuthorizationRequest request)
{
ErrorUtilities.VerifyArgumentNotNull(request, "request");
if (request.Callback != null) {
var authorization = new UserAuthorizationResponse(request.Callback) {
RequestToken = request.RequestToken,
};
return authorization;
} else {
return null;
}
}
public OAuthRequest(Uri identity, UserAuthorizationRequest request, string[] capabilityNames)
{
Identity = identity;
Request = request;
CapabilityNames = capabilityNames;
}
public UserAuthorizationResponse PrepareAuthorizationResponse(UserAuthorizationRequest request, Uri callback) {
Contract.Requires<ArgumentNullException>(request != null);
Contract.Requires<ArgumentNullException>(callback != null);
var authorization = new UserAuthorizationResponse(callback, request.Version) {
RequestToken = request.RequestToken,
};
if (authorization.Version >= Protocol.V10a.Version) {
authorization.VerificationCode = CreateVerificationCode(VerificationCodeFormat.IncludedInCallback, VerifierCodeLength);
}
return authorization;
}
