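        /// <summary>
        /// Create an access token using xAuth.
        /// </summary>
        /// <param name="accessTokenRequestMessage">A request from a client that should be responded to directly with an access token.</param>
        /// <param name="nonce">The nonce data; it must already be known to <see cref="GetSpecificNonce"/>.</param>
        /// <returns>Describes the parameters to be fed into creating a response to an access token request.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="accessTokenRequestMessage"/> is null.</exception>
        /// <exception cref="ArgumentException">Thrown when <paramref name="nonce"/> is null or empty.</exception>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the client for the consumer key does not exist, the client has not been authenticated,
        /// no signing certificate is available for the consumer, the nonce is unknown, or the token could not be stored.
        /// </exception>
        public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage, string nonce)
        {
            if (accessTokenRequestMessage == null)
            {
                throw new ArgumentNullException("accessTokenRequestMessage");
            }

            if (string.IsNullOrEmpty(nonce))
            {
                throw new ArgumentException("The nonce must not be null or empty.", "nonce");
            }

            // Get the client for the consumer key; an unknown consumer key is rejected before anything else is touched.
            var client = GetSpecificClient(accessTokenRequestMessage.ClientIdentifier);
            if (client == null)
            {
                throw new InvalidOperationException("The client for consumer key : " + accessTokenRequestMessage.ClientIdentifier + " does not exist.");
            }

            // Make sure the client has been authenticated.
            if (!accessTokenRequestMessage.ClientAuthenticated)
            {
                throw new InvalidOperationException("The client has not been authenticated.");
            }

            // The consumer's certificate supplies the keys used to sign and encrypt the token.
            // Without it the token would be issued unsigned and with no lifetime, so fail here,
            // before anything is persisted, rather than return an unusable result.
            X509Certificate2 certificate = base.GetConsumerX509Certificate(client.ClientIdentifier);
            if (certificate == null)
            {
                throw new InvalidOperationException("No signing certificate is available for consumer key : " + client.ClientIdentifier + ".");
            }

            // The nonce must have been registered earlier; it ties the token to its consumer record.
            var nonceData = GetSpecificNonce(nonce);
            if (nonceData == null)
            {
                throw new InvalidOperationException("The nonce could not be found; the access token was not created.");
            }

            var accessToken = new AuthorizationServerAccessToken();
            accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;

            // NOTE(review): Encoding.Default is platform dependent; kept as-is because the stored
            // nonce is presumably compared with the same encoding elsewhere — confirm before switching to UTF-8.
            accessToken.Nonce = System.Text.Encoding.Default.GetBytes(nonce);

            // Persist the access token against the consumer the nonce belongs to.
            if (!InsertAccessToken(nonceData.OAuthConsumerID, accessToken, client.Callback, accessTokenRequestMessage.Version.ToString(), AccessTokenLifetime))
            {
                throw new InvalidOperationException("Could not insert token; Internal database exception.");
            }

            // This is just the lifetime of the access token: the client can still renew it
            // with its refresh token until the authorization itself expires. A bounded lifetime
            // limits the exposure of a token used over standard HTTP.
            accessToken.Lifetime = TimeSpan.FromMinutes(AccessTokenLifetime);

            // For this sample, we assume just one resource server.
            // If this authorization server needs to mint access tokens for more than one resource server,
            // we'd look at the request message passed to us and decide which public key to return.
            accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)certificate.PublicKey.Key;
            accessToken.AccessTokenSigningKey       = (RSACryptoServiceProvider)certificate.PrivateKey;

            // Return the new access token data.
            return new AccessTokenResult(accessToken);
        }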