/// <summary>
        /// Returns the string representation of the bewit, which is a base64 URL encoded string of format
        /// id\exp\mac\ext, where id is the user identifier, exp is the UNIX time until which bewit is
        /// valid, mac is the HMAC of the bewit to protect integrity, and ext is the application specific data.
        /// </summary>
        public string ToBewitString()
        {
            if (request.Method != HttpMethod.Get) // Not supporting HEAD
                throw new InvalidOperationException("Bewit not allowed for methods other than GET");

            ulong now = utcNow.ToUnixTime() + Convert.ToUInt64(this.localOffset);

            var artifacts = new ArtifactsContainer()
            {
                Id = credential.Id,
                Timestamp = now + (ulong)lifeSeconds,
                Nonce = String.Empty,
                ApplicationSpecificData = this.applicationSpecificData ?? String.Empty
            };

            var normalizedRequest = new NormalizedRequest(request, artifacts) { IsBewit = true };
            var crypto = new Cryptographer(normalizedRequest, artifacts, credential);

            // Sign the request
            crypto.Sign(); // Bewit is for GET and GET must have no request body

            // bewit: id\exp\mac\ext
            string bewit = String.Format(@"{0}\{1}\{2}\{3}",
                                credential.Id,
                                artifacts.Timestamp,
                                artifacts.Mac.ToBase64String(),
                                artifacts.ApplicationSpecificData);

            return bewit.ToBytesFromUtf8().ToBase64UrlString();
        }
        /// <summary>
        /// Returns the string representation of the bewit, which is a base64 URL encoded string of format
        /// id\exp\mac\ext, where id is the user identifier, exp is the UNIX time until which bewit is
        /// valid, mac is the HMAC of the bewit to protect integrity, and ext is the application specific data.
        /// </summary>
        public string ToBewitString()
        {
            if (request.Method != HttpMethod.Get) // Not supporting HEAD
            {
                throw new InvalidOperationException("Bewit not allowed for methods other than GET");
            }

            ulong now = utcNow.ToUnixTime() + Convert.ToUInt64(this.localOffset);

            var artifacts = new ArtifactsContainer()
            {
                Id        = credential.Id,
                Timestamp = now + (ulong)lifeSeconds,
                Nonce     = String.Empty,
                ApplicationSpecificData = this.applicationSpecificData ?? String.Empty
            };

            var normalizedRequest = new NormalizedRequest(request, artifacts)
            {
                IsBewit = true
            };
            var crypto = new Cryptographer(normalizedRequest, artifacts, credential);

            // Sign the request
            crypto.Sign(); // Bewit is for GET and GET must have no request body

            // bewit: id\exp\mac\ext
            string bewit = String.Format(@"{0}\{1}\{2}\{3}",
                                         credential.Id,
                                         artifacts.Timestamp,
                                         artifacts.Mac.ToBase64String(),
                                         artifacts.ApplicationSpecificData);

            return(bewit.ToBytesFromUtf8().ToBase64UrlString());
        }
        /// <summary>
        /// Returns the name of the response header (WWW-Authenticate or Server-Authorization) and the corresponding
        /// value, respectively for an unauthorized and a successful request.
        /// </summary>
        public async Task <Tuple <string, string> > CreateServerAuthorizationAsync(IResponseMessage response)
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                string challenge   = String.Format(" {0}", request.ChallengeParameter ?? String.Empty);
                string headerValue = HawkConstants.Scheme + challenge.TrimEnd(' ');

                return(new Tuple <string, string>(HawkConstants.WwwAuthenticateHeaderName, headerValue));
            }
            else
            {
                // No Server-Authorization header for the following:
                // (1) There is no result or failed authentication.
                // (2) The credential is a bewit.
                // (3) The server is configured to not send the header.
                bool createHeader = this.result != null &&
                                    this.result.IsAuthentic &&
                                    (!this.isBewitRequest) &&
                                    options.EnableServerAuthorization;

                if (createHeader)
                {
                    if (options.NormalizationCallback != null)
                    {
                        this.result.Artifacts.ApplicationSpecificData = options.NormalizationCallback(response);
                    }

                    // Sign the response
                    var normalizedRequest = new NormalizedRequest(request, this.result.Artifacts)
                    {
                        IsServerAuthorization = true
                    };
                    var crypto = new Cryptographer(normalizedRequest, this.result.Artifacts, this.result.Credential);

                    // Response body is needed only if payload hash must be included in the response MAC.
                    string body = null;
                    if (options.ResponsePayloadHashabilityCallback != null &&
                        options.ResponsePayloadHashabilityCallback(this.request))
                    {
                        body = await response.ReadBodyAsStringAsync();
                    }

                    crypto.Sign(body, response.ContentType);

                    string authorization = this.result.Artifacts.ToServerAuthorizationHeaderParameter();

                    if (!String.IsNullOrWhiteSpace(authorization))
                    {
                        return(new Tuple <string, string>(HawkConstants.ServerAuthorizationHeaderName,
                                                          String.Format("{0} {1}", HawkConstants.Scheme, authorization)));
                    }
                }
            }

            return(null);
        }
        /// <summary>
        /// Returns the name of the response header (WWW-Authenticate or Server-Authorization) and the corresponding
        /// value, respectively for an unauthorized and a successful request.
        /// </summary>
        public async Task<Tuple<string, string>> CreateServerAuthorizationAsync(IResponseMessage response)
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                string challenge = String.Format(" {0}", request.ChallengeParameter ?? String.Empty);
                string headerValue = HawkConstants.Scheme + challenge.TrimEnd(' ');

                return new Tuple<string, string>(HawkConstants.WwwAuthenticateHeaderName, headerValue);
            }
            else
            {
                // No Server-Authorization header for the following:
                // (1) There is no result or failed authentication.
                // (2) The credential is a bewit.
                // (3) The server is configured to not send the header.
                bool createHeader = this.result != null
                                        && this.result.IsAuthentic
                                            && (!this.isBewitRequest)
                                                && options.EnableServerAuthorization;

                if (createHeader)
                {
                    if (options.NormalizationCallback != null)
                        this.result.Artifacts.ApplicationSpecificData = options.NormalizationCallback(response);

                    // Sign the response
                    var normalizedRequest = new NormalizedRequest(request, this.result.Artifacts);
                    var crypto = new Cryptographer(normalizedRequest, this.result.Artifacts, this.result.Credential);

                    // Response body is needed only if payload hash must be included in the response MAC.
                    string body = null;
                    if (options.ResponsePayloadHashabilityCallback != null && 
                            options.ResponsePayloadHashabilityCallback(this.request))
                    {
                        body = await response.ReadBodyAsStringAsync();
                    }

                    crypto.Sign(body, response.ContentType);

                    string authorization = this.result.Artifacts.ToServerAuthorizationHeaderParameter();

                    if (!String.IsNullOrWhiteSpace(authorization))
                    {
                        return new Tuple<string, string>(HawkConstants.ServerAuthorizationHeaderName,
                            String.Format("{0} {1}", HawkConstants.Scheme, authorization));
                    }
                }
            }

            return null;
        }
        /// <summary>
        /// Creates the HTTP Authorization header in hawk scheme.
        /// </summary>
        internal async Task CreateClientAuthorizationInternalAsync(IRequestMessage request, DateTime utcNow)
        {
            var credential = options.CredentialsCallback();
            this.artifacts = new ArtifactsContainer()
            {
                Id = credential.Id,
                Timestamp = utcNow.AddSeconds(HawkClient.CompensatorySeconds).ToUnixTime(),
                Nonce = NonceGenerator.Generate()
            };

            if (options.NormalizationCallback != null)
                this.artifacts.ApplicationSpecificData = options.NormalizationCallback(request);

            var normalizedRequest = new NormalizedRequest(request, this.artifacts);
            this.crypto = new Cryptographer(normalizedRequest, this.artifacts, credential);

            // Sign the request
            bool includePayloadHash = options.RequestPayloadHashabilityCallback != null &&
                                            options.RequestPayloadHashabilityCallback(request);

            string payload = includePayloadHash ? await request.ReadBodyAsStringAsync() : null;
            crypto.Sign(payload, request.ContentType);

            request.Authorization = new AuthenticationHeaderValue(HawkConstants.Scheme,
                                                this.artifacts.ToAuthorizationHeaderParameter());
        }