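/// <summary>
/// Three-legged OAuth redirect endpoint: exchanges the authorization <paramref name="code"/>
/// for a bearer token, stores the token server-side and returns the caller an opaque,
/// MachineKey-protected session id instead of the token itself.
/// </summary>
/// <param name="code">Authorization code issued by the Forge login page.</param>
/// <param name="state">Opaque value echoed back from the original login call; stored as "local_id" when present.</param>
/// <returns>200 with the protected session id as text/plain, or 400 when <paramref name="code"/> is missing.</returns>
[Route("api/forge/callback/oauth")] // see Web.Config FORGE_CALLBACK_URL variable
        public async Task<HttpResponseMessage> OAuthCallback(string code, string state)
        {
            // Without a code there is nothing to exchange; fail fast with 400 rather than
            // letting the token round-trip fail and surface as an unhandled 500.
            if (string.IsNullOrWhiteSpace(code))
            {
                return Request.CreateResponse(System.Net.HttpStatusCode.BadRequest, "missing authorization code");
            }

            ThreeLeggedApi oauth = new ThreeLeggedApi();
            DynamicDictionary bearer = await oauth.GettokenAsync(ConfigVariables.FORGE_CLIENT_ID, ConfigVariables.FORGE_CLIENT_SECRET, oAuthConstants.AUTHORIZATION_CODE, code, ConfigVariables.FORGE_CALLBACK_URL);

            // The local_id of the requesting machine is provided on the original login call
            // and passed back here as 'state'.
            // NOTE(review): state is only stored, never compared against a server-issued value, so this
            // endpoint does not by itself tie the callback to the session that started the login
            // (OAuth 'state' is intended as a CSRF check) — confirm whether the login call binds it elsewhere.
            if (!string.IsNullOrWhiteSpace(state))
            {
                bearer.Dictionary.Add("local_id", state);
            }

            // expires_in is a lifetime in seconds (OAuth 2.0; hence AddSeconds), so also store the
            // absolute UTC expiry — consumers then need not know when the token was issued.
            bearer.Dictionary.Add("expires_at", DateTime.UtcNow.AddSeconds((long)bearer.Dictionary["expires_in"]));

            // Persist access & refresh token server-side and hand out only the DB id, so the
            // application can refresh the token without the client ever seeing it.
            string sessionIdUnprotected = await OAuthDB.RegisterUser(bearer);

            // Encrypt and authenticate the DB id with the machine key before sending it to the user,
            // so the id can be neither read nor forged client-side. No purpose string is passed; the
            // matching Unprotect call lives outside this file and must stay in sync if one is added.
            string sessionIdProtected = Convert.ToBase64String(System.Web.Security.MachineKey.Protect(Encoding.UTF8.GetBytes(sessionIdUnprotected)));

            // Return the protected id as plain text.
            HttpResponseMessage res = Request.CreateResponse(System.Net.HttpStatusCode.OK);
            res.Content = new StringContent(sessionIdProtected, Encoding.UTF8, "text/plain");
            return res;
        }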