/// <summary> /// The base address and the various end-points in the module should be grabbed from an /// OAuthConfiguration and should provide sensible default-values that can be overriden /// when you enable OAuth in your application. /// </summary> public AuthorizationModule( IAuthorizationEndPointService service, IErrorResponseBuilder errorResponseBuilder) : base(OAuth.Configuration.GetFullPath(x => x.AuthorizationRequestRoute)) { this.RequiresAuthentication(); Get["/", ctx => OAuth.IsEnabled] = parameters => { var request = this.Bind<AuthorizationRequest>(); // Should a seperate check for AuthorizationRequest.ResponseType == "code" be performed // before the request is validated? According to the specification, it always has to // be set to "code" for authorization code grant. By checking it here, and returning // an error of AuthorizationErrorType.UnsupportedResponseType it could be made sure that // the user implementation never miss it?! var results = service.ValidateRequest(request, this.Context); if (!results.IsValid) { return Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, request.State), request.RedirectUrl); } // Use something more secure than the username this.Session[Context.CurrentUser.UserName] = request; var authorizationView = service.GetAuthorizationView(request, this.Context); return View[authorizationView.Item1, authorizationView.Item2]; }; Post[OAuth.Configuration.AuthorizationAllowRoute, ctx => OAuth.IsEnabled] = parameters => { var token = service.GenerateAuthorizationToken(this.Context); var request = this.Session[Context.CurrentUser.UserName] as AuthorizationRequest; if (request == null) { return HttpStatusCode.InternalServerError; } var response = new AuthorizationResponse { Code = token, State = request.State }; // TODO: Perhaps use an UriBuilder instead? var url = string.Concat(request.RedirectUrl, response.AsQueryString()); return Response.AsRedirect(url); }; Post[OAuth.Configuration.AuthorizationDenyRoute, ctx => OAuth.IsEnabled] = parameters => { var request = this.Session[Context.CurrentUser.UserName] as AuthorizationRequest; return request == null ? HttpStatusCode.InternalServerError : Response.AsErrorResponse(errorResponseBuilder.Build(ErrorType.AccessDenied, request.State), request.RedirectUrl); }; }
/// <summary> /// The base address and the various end-points in the module should be grabbed from an /// OAuthConfiguration and should provide sensible default-values that can be overriden /// when you enable OAuth in your application. /// </summary> public AuthorizationModule( IAuthorizationEndPointService service, IErrorResponseBuilder errorResponseBuilder) : base(OAuth.Configuration.GetFullPath(x => x.AuthorizationRequestRoute)) { this.RequiresAuthentication(); Get["/", ctx => OAuth.IsEnabled] = parameters => { var request = this.Bind <AuthorizationRequest>(); // Should a seperate check for AuthorizationRequest.ResponseType == "code" be performed // before the request is validated? According to the specification, it always has to // be set to "code" for authorization code grant. By checking it here, and returning // an error of AuthorizationErrorType.UnsupportedResponseType it could be made sure that // the user implementation never miss it?! var results = service.ValidateRequest(request, this.Context); if (!results.IsValid) { return(Response.AsErrorResponse(errorResponseBuilder.Build(results.ErrorType, request.State), request.RedirectUrl)); } // Use something more secure than the username this.Session[Context.CurrentUser.UserName] = request; var authorizationView = service.GetAuthorizationView(request, this.Context); return(View[authorizationView.Item1, authorizationView.Item2]); }; Post[OAuth.Configuration.AuthorizationAllowRoute, ctx => OAuth.IsEnabled] = parameters => { var token = service.GenerateAuthorizationToken(this.Context); var request = this.Session[Context.CurrentUser.UserName] as AuthorizationRequest; if (request == null) { return(HttpStatusCode.InternalServerError); } var response = new AuthorizationResponse { Code = token, State = request.State }; // TODO: Perhaps use an UriBuilder instead? var url = string.Concat(request.RedirectUrl, response.AsQueryString()); return(Response.AsRedirect(url)); }; Post[OAuth.Configuration.AuthorizationDenyRoute, ctx => OAuth.IsEnabled] = parameters => { var request = this.Session[Context.CurrentUser.UserName] as AuthorizationRequest; return(request == null ? HttpStatusCode.InternalServerError : Response.AsErrorResponse(errorResponseBuilder.Build(ErrorType.AccessDenied, request.State), request.RedirectUrl)); }; }