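/// <summary>
/// Create an access token using xAuth.
/// </summary>
/// <param name="accessTokenRequestMessage">A request from a client that should be responded to directly with an access token.</param>
/// <param name="nonce">The nonce data.</param>
/// <returns>Describes the parameters to be fed into creating a response to an access token request.</returns>
/// <exception cref="ArgumentNullException">The request message is null.</exception>
/// <exception cref="InvalidOperationException">
/// The client for the consumer key does not exist, has not been authenticated, has no X.509
/// certificate to sign the token with, the nonce is unknown, or the token could not be stored.
/// </exception>
public AccessTokenResult CreateAccessToken(IAccessTokenRequest accessTokenRequestMessage, string nonce)
{
    if (accessTokenRequestMessage == null)
    {
        throw new ArgumentNullException("accessTokenRequestMessage");
    }

    // Resolve the registered client for the consumer key presented in the request.
    var client = GetSpecificClient(accessTokenRequestMessage.ClientIdentifier);
    if (client == null)
    {
        throw new InvalidOperationException("The client for consumer key : " + accessTokenRequestMessage.ClientIdentifier + " does not exist.");
    }

    // Never mint a token for a client that has not proven possession of its credentials.
    if (!accessTokenRequestMessage.ClientAuthenticated)
    {
        throw new InvalidOperationException("The client has not been authenticated.");
    }

    // The nonce must already be known; its record supplies the consumer the token is issued for.
    // NOTE(review): nothing here marks the nonce as consumed — confirm replay protection is
    // enforced elsewhere (e.g. in the nonce store) before relying on it.
    var nonceData = GetSpecificNonce(nonce);
    if (nonceData == null)
    {
        throw new InvalidOperationException("Could not create token; the nonce is unknown or has expired.");
    }

    // The consumer certificate supplies both keys the token needs. Resolve and check it BEFORE
    // anything is persisted, so a missing certificate cannot leave an orphaned token record in the
    // database or hand back a token that carries no signing key.
    X509Certificate2 certificate = base.GetConsumerX509Certificate(client.ClientIdentifier);
    if (certificate == null)
    {
        throw new InvalidOperationException("No X.509 certificate is registered for consumer key : " + client.ClientIdentifier + "; the access token cannot be signed.");
    }

    var accessToken = new AuthorizationServerAccessToken();
    // NOTE(review): Encoding.Default is platform dependent (the ANSI code page on .NET Framework).
    // Kept as-is because these bytes must match whatever the nonce store/verifier uses — confirm
    // that before switching to UTF-8.
    accessToken.Nonce = System.Text.Encoding.Default.GetBytes(nonce);
    accessToken.ClientIdentifier = accessTokenRequestMessage.ClientIdentifier;

    // Persist the token record for the consumer the nonce was issued to.
    // (The previously fetched SymmetricCryptoKey row was never used and has been dropped.)
    if (!InsertAccessToken(nonceData.OAuthConsumerID, accessToken, client.Callback, accessTokenRequestMessage.Version.ToString(), AccessTokenLifetime))
    {
        throw new InvalidOperationException("Could not insert token; Internal database exception.");
    }

    // The lifetime bounds how long a leaked bearer token stays usable (e.g. when carried over plain
    // HTTP). The client can still obtain a new one with its refresh token until the authorization
    // itself expires.
    accessToken.Lifetime = TimeSpan.FromMinutes(AccessTokenLifetime);

    // A single resource server is assumed: the same certificate's public key encrypts the token for
    // the resource server and its private key signs it. Minting for several resource servers would
    // require choosing the key from the request message.
    // NOTE(review): these casts require CAPI-backed RSA keys; an RSACng key (newer Windows/.NET
    // key storage) throws InvalidCastException here.
    accessToken.ResourceServerEncryptionKey = (RSACryptoServiceProvider)certificate.PublicKey.Key;
    accessToken.AccessTokenSigningKey = (RSACryptoServiceProvider)certificate.PrivateKey;

    return new AccessTokenResult(accessToken);
}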