/// <summary>
/// Adds the necessary HTTP Authorization header to an HTTP request for protected resources
/// so that the Service Provider will allow the request through.
/// </summary>
/// <param name="requestHeaders">The headers on the request for protected resources from the service provider.</param>
/// <param name="accessToken">The access token previously obtained from the Authorization Server.</param>
public static void AuthorizeRequest(WebHeaderCollection requestHeaders, string accessToken)
{
Requires.NotNull(requestHeaders, "requestHeaders");
Requires.NotNullOrEmpty(accessToken, "accessToken");
OAuthUtilities.AuthorizeWithBearerToken(requestHeaders, accessToken);
}
/// <summary>
/// Adds the necessary HTTP Authorization header to an HTTP request for protected resources
/// so that the Service Provider will allow the request through.
/// </summary>
/// <param name="request">The request for protected resources from the service provider.</param>
/// <param name="accessToken">The access token previously obtained from the Authorization Server.</param>
public static void AuthorizeRequest(HttpWebRequest request, string accessToken)
{
Requires.NotNull(request, "request");
Requires.NotNullOrEmpty(accessToken, "accessToken");
OAuthUtilities.AuthorizeWithBearerToken(request, accessToken);
}
/// <summary>
/// Discovers what access the client should have considering the access token in the current request.
/// </summary>
/// <param name="httpRequestInfo">The HTTP request info.</param>
/// <param name="requiredScopes">The set of scopes required to approve this request.</param>
/// <returns>
/// The access token describing the authorization the client has. Never <c>null</c>.
/// </returns>
/// <exception cref="ProtocolFaultResponseException">
/// Thrown when the client is not authorized. This exception should be caught and the
/// <see cref="ProtocolFaultResponseException.ErrorResponseMessage"/> message should be returned to the client.
/// </exception>
public virtual AccessToken GetAccessToken(HttpRequestBase httpRequestInfo = null, params string[] requiredScopes)
{
Requires.NotNull(requiredScopes, "requiredScopes");
RequiresEx.ValidState(this.ScopeSatisfiedCheck != null, Strings.RequiredPropertyNotYetPreset);
if (httpRequestInfo == null)
{
httpRequestInfo = this.Channel.GetRequestFromContext();
}
AccessToken accessToken;
AccessProtectedResourceRequest request = null;
try {
if (this.Channel.TryReadFromRequest <AccessProtectedResourceRequest>(httpRequestInfo, out request))
{
accessToken = this.AccessTokenAnalyzer.DeserializeAccessToken(request, request.AccessToken);
ErrorUtilities.VerifyHost(accessToken != null, "IAccessTokenAnalyzer.DeserializeAccessToken returned a null reslut.");
if (string.IsNullOrEmpty(accessToken.User) && string.IsNullOrEmpty(accessToken.ClientIdentifier))
{
Logger.OAuth.Error("Access token rejected because both the username and client id properties were null or empty.");
ErrorUtilities.ThrowProtocol(ResourceServerStrings.InvalidAccessToken);
}
var requiredScopesSet = OAuthUtilities.ParseScopeSet(requiredScopes);
if (!this.ScopeSatisfiedCheck.IsScopeSatisfied(requiredScope: requiredScopesSet, grantedScope: accessToken.Scope))
{
var response = UnauthorizedResponse.InsufficientScope(request, requiredScopesSet);
throw new ProtocolFaultResponseException(this.Channel, response);
}
return(accessToken);
}
else
{
var ex = new ProtocolException(ResourceServerStrings.MissingAccessToken);
var response = UnauthorizedResponse.InvalidRequest(ex);
throw new ProtocolFaultResponseException(this.Channel, response, innerException: ex);
}
} catch (ProtocolException ex) {
if (ex is ProtocolFaultResponseException)
{
// This doesn't need to be wrapped again.
throw;
}
var response = request != null?UnauthorizedResponse.InvalidToken(request, ex) : UnauthorizedResponse.InvalidRequest(ex);
throw new ProtocolFaultResponseException(this.Channel, response, innerException: ex);
}
}
/// <summary>
/// Applies the client identifier and (when applicable) the client authentication to an outbound message.
/// </summary>
/// <param name="clientIdentifier">The identifier by which the authorization server should recognize this client.</param>
/// <param name="request">The outbound message to apply authentication information to.</param>
public override void ApplyClientCredential(string clientIdentifier, HttpRequestMessage request)
{
if (clientIdentifier != null)
{
if (this.credential != null)
{
ErrorUtilities.VerifyHost(
string.Equals(this.credential.UserName, clientIdentifier, StringComparison.Ordinal),
"Client identifiers \"{0}\" and \"{1}\" do not match.",
this.credential.UserName,
clientIdentifier);
}
// HttpWebRequest ignores the Credentials property until the remote server returns a 401 Unauthorized.
// So we also set the HTTP Authorization request header directly.
OAuthUtilities.ApplyHttpBasicAuth(request.Headers, clientIdentifier, this.clientSecret);
}
}