public AccessTokenModule(IAccessTokenEndPointService service, IErrorResponseBuilder errorResponseBuilder) : base("/oauth/access_token")
{
this.RequiresAuthentication();
Post["/"] = parameters => {
var request =
this.Bind <AccessTokenRequest>();
// Perhaps always validate that the grant type == "authorization_code" and
// return an error with unsupported_grant_type message???
// Needs to validate that the authorization code was issues to the logged in
// user and nobody else. Also need to verify the redirect_uri. Possibly verify
// that the code is still valid to use (time-to-live)
var results =
service.ValidateRequest(request, this.Context);
if (!results.IsValid)
{
return(Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, null), request.RedirectUri));
}
var response =
service.CreateAccessTokenResponse(request, this.Context);
// TODO: need to set "Cache-Control: no-store" and "Pragma: no-cache" headers on the response to comply with the specification
return(Response.AsJson(response));
};
}
public AccessTokenModule(IAccessTokenEndPointService service, IErrorResponseBuilder errorResponseBuilder) : base("/oauth/access_token")
{
this.RequiresAuthentication();
Post["/"] = parameters =>{
var request =
this.Bind<AccessTokenRequest>();
// Perhaps always validate that the grant type == "authorization_code" and
// return an error with unsupported_grant_type message???
// Needs to validate that the authorization code was issues to the logged in
// user and nobody else. Also need to verify the redirect_uri. Possibly verify
// that the code is still valid to use (time-to-live)
var results =
service.ValidateRequest(request, this.Context);
if (!results.IsValid)
{
return Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, null), request.RedirectUri);
}
var response =
service.CreateAccessTokenResponse(request, this.Context);
// TODO: need to set "Cache-Control: no-store" and "Pragma: no-cache" headers on the response to comply with the specification
return Response.AsJson(response);
};
}
public TokenModule(
ITokenEndpointService service,
IErrorResponseBuilder errorResponseBuilder)
: base(OAuth.Configuration.GetFullPath(x => x.TokenRoute))
{
_service = service;
_errorResponseBuilder = errorResponseBuilder;
Post["/", ctx => OAuth.IsEnabled] = _ => CreateToken();
}
public AuthorizeModule(
IAuthorizationEndpointService service,
IErrorResponseBuilder errorResponseBuilder)
: base(OAuth.Configuration.GetFullPath(x => x.AuthorizationRequestRoute))
{
_service = service;
_errorResponseBuilder = errorResponseBuilder;
this.RequiresAuthentication();
Get["/", ctx => OAuth.IsEnabled] = _ => Index();
Post[OAuth.Configuration.AuthorizationAllowRoute, ctx => OAuth.IsEnabled] = _ => Allow();
Post[OAuth.Configuration.AuthorizationDenyRoute, ctx => OAuth.IsEnabled] = _ => Deny();
}
public void SetErrorResponseBuilder(IErrorResponseBuilder init_errResponseBuilder)
{
errResponseBuilder = init_errResponseBuilder;
}
/// <summary>
/// The base address and the various end-points in the module should be grabbed from an
/// OAuthConfiguration and should provide sensible default-values that can be overriden
/// when you enable OAuth in your application.
/// </summary>
public AuthorizationModule(
IAuthorizationEndPointService service,
IErrorResponseBuilder errorResponseBuilder) : base(OAuth.Configuration.GetFullPath(x => x.AuthorizationRequestRoute))
{
this.RequiresAuthentication();
Get["/", ctx => OAuth.IsEnabled] = parameters =>
{
var request =
this.Bind<AuthorizationRequest>();
// Should a seperate check for AuthorizationRequest.ResponseType == "code" be performed
// before the request is validated? According to the specification, it always has to
// be set to "code" for authorization code grant. By checking it here, and returning
// an error of AuthorizationErrorType.UnsupportedResponseType it could be made sure that
// the user implementation never miss it?!
var results =
service.ValidateRequest(request, this.Context);
if (!results.IsValid)
{
return Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, request.State), request.RedirectUrl);
}
// Use something more secure than the username
this.Session[Context.CurrentUser.UserName] = request;
var authorizationView =
service.GetAuthorizationView(request, this.Context);
return View[authorizationView.Item1, authorizationView.Item2];
};
Post[OAuth.Configuration.AuthorizationAllowRoute, ctx => OAuth.IsEnabled] = parameters =>
{
var token =
service.GenerateAuthorizationToken(this.Context);
var request =
this.Session[Context.CurrentUser.UserName] as AuthorizationRequest;
if (request == null)
{
return HttpStatusCode.InternalServerError;
}
var response =
new AuthorizationResponse
{
Code = token,
State = request.State
};
// TODO: Perhaps use an UriBuilder instead?
var url =
string.Concat(request.RedirectUrl, response.AsQueryString());
return Response.AsRedirect(url);
};
Post[OAuth.Configuration.AuthorizationDenyRoute, ctx => OAuth.IsEnabled] = parameters =>
{
var request =
this.Session[Context.CurrentUser.UserName] as AuthorizationRequest;
return request == null ?
HttpStatusCode.InternalServerError :
Response.AsErrorResponse(errorResponseBuilder.Build(ErrorType.AccessDenied, request.State), request.RedirectUrl);
};
}
/// <summary>
/// The base address and the various end-points in the module should be grabbed from an
/// OAuthConfiguration and should provide sensible default-values that can be overriden
/// when you enable OAuth in your application.
/// </summary>
public AuthorizationModule(
IAuthorizationEndPointService service,
IErrorResponseBuilder errorResponseBuilder) : base(OAuth.Configuration.GetFullPath(x => x.AuthorizationRequestRoute))
{
this.RequiresAuthentication();
Get["/", ctx => OAuth.IsEnabled] = parameters =>
{
var request =
this.Bind <AuthorizationRequest>();
// Should a seperate check for AuthorizationRequest.ResponseType == "code" be performed
// before the request is validated? According to the specification, it always has to
// be set to "code" for authorization code grant. By checking it here, and returning
// an error of AuthorizationErrorType.UnsupportedResponseType it could be made sure that
// the user implementation never miss it?!
var results =
service.ValidateRequest(request, this.Context);
if (!results.IsValid)
{
return(Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, request.State), request.RedirectUrl));
}
// Use something more secure than the username
this.Session[Context.CurrentUser.UserName] = request;
var authorizationView =
service.GetAuthorizationView(request, this.Context);
return(View[authorizationView.Item1, authorizationView.Item2]);
};
Post[OAuth.Configuration.AuthorizationAllowRoute, ctx => OAuth.IsEnabled] = parameters =>
{
var token =
service.GenerateAuthorizationToken(this.Context);
var request =
this.Session[Context.CurrentUser.UserName] as AuthorizationRequest;
if (request == null)
{
return(HttpStatusCode.InternalServerError);
}
var response =
new AuthorizationResponse
{
Code = token,
State = request.State
};
// TODO: Perhaps use an UriBuilder instead?
var url =
string.Concat(request.RedirectUrl, response.AsQueryString());
return(Response.AsRedirect(url));
};
Post[OAuth.Configuration.AuthorizationDenyRoute, ctx => OAuth.IsEnabled] = parameters =>
{
var request =
this.Session[Context.CurrentUser.UserName] as AuthorizationRequest;
return(request == null ?
HttpStatusCode.InternalServerError :
Response.AsErrorResponse(errorResponseBuilder.Build(ErrorType.AccessDenied, request.State), request.RedirectUrl));
};
}
public void SetErrorResponseBuilder(IErrorResponseBuilder init_errResponseBuilder)
{
errResponseBuilder = init_errResponseBuilder;
}
