Пример #1
        /// <summary>
        /// Models the IdP token endpoint for the "authorization_code" grant:
        /// checks the presented code against the hinted code parameters,
        /// requires the request's redirect_uri to equal the one in those
        /// parameters, and returns a response carrying a generated id_token.
        /// </summary>
        /// <param name="req">Token request; grant_type, code, redirect_uri and client_id are read.</param>
        /// <param name="codeParamsHint">Candidate parameters for req.code; passed to Verify before its fields are used.</param>
        /// <returns>A TokenResponse whose id_token is generated for SVX_Principal; an unconstrained value for other grant types.</returns>
        /// <exception cref="Exception">Thrown when the redirect_uri values differ.</exception>
        public virtual TokenResponse SVX_MakeTokenResponse(AccessTokenRequest req, AuthorizationCodeParams codeParamsHint)
        {
            // Only the "authorization_code" grant is modeled. For any other
            // grant type the result is left nondeterministic, so nothing is
            // claimed about what the IdP does in that case.
            if (req.grant_type != "authorization_code")
            {
                return VProgram_API.Nondet<TokenResponse>();
            }

            // The hint is checked against the presented code before any of its
            // fields is read. Presumably Verify rejects a code that was not
            // generated for these parameters - confirm against the generator.
            authorizationCodeGenerator.Verify(codeParamsHint, req.code);

            // Exact string comparison of the redirect_uri in the request with
            // the redirect_uri in the verified parameters.
            if (req.redirect_uri != codeParamsHint.redirect_uri)
            {
                throw new Exception("Authorization code RP mismatch");
            }

            // NOTE(review): req.client_id only feeds the token body here and is
            // not compared with anything in this method; confirm that the
            // client is authenticated and bound to the code elsewhere.
            var tokenBody = MakeJwtTokenBody(req.client_id, codeParamsHint.userID);

            SVX.PayloadSecret<JwtTokenBody> signedIdToken = getTokenGenerator().Generate(tokenBody, SVX_Principal);
            var response = new TokenResponse
            {
                id_token = signedIdToken,
            };

            return response;
        }
Пример #2
        /// <summary>
        /// Models the IdP authorization endpoint: generates an authorization
        /// code over the request's redirect_uri and the userID of the given
        /// authentication entry, and returns it together with the request's
        /// state value.
        /// </summary>
        /// <param name="req">Authorization request; SVX_sender, redirect_uri and state are read.</param>
        /// <param name="idpConc">Concrete IdP authentication entry; channel and userID are read.</param>
        /// <returns>An AuthorizationResponse carrying the generated code and req.state unchanged.</returns>
        public AuthorizationResponse SVX_MakeAuthorizationResponse(AuthorizationRequest req, IdPAuthenticationEntry idpConc)
        {
            // In the real CodeEndpoint, we would request an
            // IdPAuthenticationEntry for req.SVX_sender, but SVX doesn't know
            // that, so we have to do a concrete check.
            // The assertion ties the entry to the sender of this request, so
            // the userID placed in the code below belongs to that sender's
            // channel.
            SVX.VProgram_API.Assert(req.SVX_sender == idpConc.channel);

            // Keep this object initializer in its own local: with the
            // expression inlined below, BCT silently mistranslated the code.
            // The userID comes from the authentication entry, not from the
            // request.
            var theParams = new AuthorizationCodeParams
            {
                redirect_uri = req.redirect_uri,
                userID       = idpConc.userID
            };
            var authorizationCode = authorizationCodeGenerator.Generate(theParams, SVX_Principal);

            // state is echoed back exactly as received.
            return(new AuthorizationResponse
            {
                code = authorizationCode,
                state = req.state
            });
        }
            /// <summary>
            /// Generates an authorization code over the request's rpPrincipal
            /// and the googleUsername of the given authentication entry, and
            /// returns it together with the request's state value.
            /// </summary>
            /// <param name="req">Authorization code request; SVX_sender, rpPrincipal and state are read.</param>
            /// <param name="idpConc">Concrete IdP authentication entry; authenticatedClient and googleUsername are read.</param>
            /// <returns>An AuthorizationCodeResponse carrying the generated code and req.state unchanged.</returns>
            public AuthorizationCodeResponse SVX_MakeAuthorizationCodeResponse(AuthorizationCodeRequest req, IdPAuthenticationEntry idpConc)
            {
                // In CodeEndpoint, we requested an IdPAuthenticationEntry for
                // req.SVX_sender, but SVX doesn't know that, so we have to do a
                // concrete check.
                // The assertion ties the entry to the sender of this request,
                // so the username placed in the code below belongs to that
                // sender.
                VProgram_API.Assert(req.SVX_sender == idpConc.authenticatedClient);

                // Keep this object initializer in its own local: with this
                // expression inlined below, BCT silently mistranslated the code.
                // The username comes from the authentication entry, not from
                // the request.
                var theParams = new AuthorizationCodeParams
                {
                    rpPrincipal    = req.rpPrincipal,
                    googleUsername = idpConc.googleUsername
                };
                var authorizationCode = authorizationCodeGenerator.Generate(theParams, googlePrincipal);

                // state is echoed back exactly as received.
                return(new AuthorizationCodeResponse
                {
                    authorizationCode = authorizationCode,
                    state = req.state
                });
            }
            /// <summary>
            /// Validates an authorization code presented by an RP: requires the
            /// hinted parameters to name the same rpPrincipal as the request,
            /// checks the code against those parameters, and returns the
            /// googleUsername taken from them.
            /// </summary>
            /// <param name="req">Validation request; rpPrincipal and authorizationCode are read.</param>
            /// <param name="paramsHint">Candidate parameters for the code; treated as nondeterministic by the verification.</param>
            /// <returns>A ValidationResponse carrying paramsHint.googleUsername.</returns>
            /// <exception cref="Exception">Thrown when the rpPrincipal values differ.</exception>
            public ValidationResponse SVX_MakeValidationResponse(ValidationRequest req, AuthorizationCodeParams paramsHint)
            {
                // As long as we're using the interim implementation of
                // AssumeValidSecret that assumes the parameters of equal
                // secrets are reference equal, it's critical that we don't do
                // anything that will introduce a contradiction.  With paramsHint
                // as nondet, we should be OK for now.

                // Comment out these 2 lines to see the verification fail.
                // (Presumably this refers to the RP-mismatch check that
                // follows; without it a code issued for one RP would be
                // accepted from another.)
                if (paramsHint.rpPrincipal != req.rpPrincipal)
                {
                    throw new Exception("Authorization code RP mismatch");
                }
                // The hint is checked against the presented code before its
                // googleUsername is returned. Presumably Verify rejects a code
                // that was not generated for these parameters - confirm against
                // the generator.
                authorizationCodeGenerator.Verify(paramsHint, req.authorizationCode);
                return(new ValidationResponse
                {
                    googleUsername = paramsHint.googleUsername
                });
            }