/// <summary>
/// Prepares the response to an access token request.
/// </summary>
/// <param name="request">The request for an access token.</param>
/// <param name="allowRefreshToken">If set to <c>true</c>, the response will include a long-lived refresh token.</param>
/// <returns>The response message to send to the client.</returns>
private AccessTokenSuccessResponse PrepareAccessTokenResponse(AccessTokenRequestBase request, bool allowRefreshToken = true)
{
Requires.NotNull(request, "request");
if (allowRefreshToken)
{
if (request is AccessTokenClientCredentialsRequest)
{
// Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
// in a response to an access token request that used the client credential grant type.
Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it.");
allowRefreshToken = false;
}
}
var tokenRequest = (IAuthorizationCarryingRequest)request;
var accessTokenRequest = (IAccessTokenRequestInternal)request;
var response = new AccessTokenSuccessResponse(request)
{
HasRefreshToken = allowRefreshToken,
};
response.Scope.ResetContents(tokenRequest.AuthorizationDescription.Scope);
return(response);
}
public TokenEndpointProtocolException(AccessTokenRequestBase requestMessage, string error, string description = null, Uri moreInformation = null, string authenticateHeader = null)
: base(string.Format(CultureInfo.CurrentUICulture, ClientAuthorizationStrings.TokenEndpointErrorFormat, error, description))
{
this.requestMessage = requestMessage;
this.Error = error;
this.Description = description;
this.MoreInformation = moreInformation;
this.authenticateHeader = authenticateHeader;
}
/// <summary>
/// Verifies a condition is true or throws an exception describing the problem.
/// </summary>
/// <param name="condition">The condition that evaluates to true to avoid an exception.</param>
/// <param name="requestMessage">The request message.</param>
/// <param name="error">A single error code from <see cref="Protocol.AccessTokenRequestErrorCodes"/>.</param>
/// <param name="authenticationModule">The authentication module from which to glean the WWW-Authenticate header when applicable.</param>
/// <param name="unformattedDescription">A human-readable UTF-8 encoded text providing additional information, used to assist the client developer in understanding the error that occurred.</param>
/// <param name="args">The formatting arguments to generate the actual description.</param>
internal static void TokenEndpointVerify(bool condition, AccessTokenRequestBase requestMessage, string error, ClientAuthenticationModule authenticationModule = null, string unformattedDescription = null, params object[] args)
{
if (!condition)
{
string description = unformattedDescription != null?string.Format(CultureInfo.CurrentCulture, unformattedDescription, args) : null;
string wwwAuthenticateHeader = null;
if (authenticationModule != null)
{
wwwAuthenticateHeader = authenticationModule.AuthenticateHeader;
}
throw new TokenEndpointProtocolException(requestMessage, error, description, authenticateHeader: wwwAuthenticateHeader);
}
}
/// <summary>
/// Handles an incoming request to the authorization server's token endpoint.
/// </summary>
/// <param name="request">The HTTP request.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The HTTP response to send to the client.
/// </returns>
public async Task <HttpResponseMessage> HandleTokenRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken = default(CancellationToken))
{
Requires.NotNull(request, "request");
IProtocolMessage responseMessage;
try {
AccessTokenRequestBase requestMessage = await this.Channel.TryReadFromRequestAsync <AccessTokenRequestBase>(request, cancellationToken);
if (requestMessage != null)
{
var accessTokenResult = this.AuthorizationServerServices.CreateAccessToken(requestMessage);
ErrorUtilities.VerifyHost(accessTokenResult != null, "IAuthorizationServerHost.CreateAccessToken must not return null.");
IAccessTokenRequestInternal accessRequestInternal = requestMessage;
accessRequestInternal.AccessTokenResult = accessTokenResult;
var successResponseMessage = this.PrepareAccessTokenResponse(requestMessage, accessTokenResult.AllowRefreshToken);
successResponseMessage.Lifetime = accessTokenResult.AccessToken.Lifetime;
var authCarryingRequest = requestMessage as IAuthorizationCarryingRequest;
if (authCarryingRequest != null)
{
accessTokenResult.AccessToken.ApplyAuthorization(authCarryingRequest.AuthorizationDescription);
IAccessTokenIssuingResponse accessTokenIssuingResponse = successResponseMessage;
accessTokenIssuingResponse.AuthorizationDescription = accessTokenResult.AccessToken;
}
responseMessage = successResponseMessage;
}
else
{
responseMessage = new AccessTokenFailedResponse()
{
Error = Protocol.AccessTokenRequestErrorCodes.InvalidRequest
};
}
} catch (TokenEndpointProtocolException ex) {
responseMessage = ex.GetResponse();
} catch (ProtocolException) {
responseMessage = new AccessTokenFailedResponse()
{
Error = Protocol.AccessTokenRequestErrorCodes.InvalidRequest
};
}
return(await this.Channel.PrepareResponseAsync(responseMessage, cancellationToken));
}
private AccessTokenSuccessResponse PrepareAccessTokenResponse(AccessTokenRequestBase request, bool allowRefreshToken = true)
{
if (allowRefreshToken)
{
if (request is AccessTokenClientCredentialsRequest)
{
Logger.OAuth.Debug("Suppressing refresh token in access token response because the grant type used by the client disallows it.");
allowRefreshToken = false;
}
}
var tokenRequest = (IAuthorizationCarryingRequest)request;
var accessTokenRequest = (IAccessTokenRequestInternal)request;
var response = new AccessTokenSuccessResponse(request)
{
HasRefreshToken = allowRefreshToken
};
response.Scope.ResetContents(tokenRequest.AuthorizationDescription.Scope);
return(response);
}
