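/// <summary>
/// Handles the resource owner's consent decision for an OAuth client: verifies that the form
/// was posted from this site, validates the post-approval redirect target, stores a
/// user-granted approval for the (client, owner) pair and 302-redirects the browser back into
/// the authorization flow.
/// </summary>
/// <param name="ApprovalResponse">
/// The posted form model. Its <c>redirect</c>, <c>client_id</c> and <c>approved_scopes</c> fields
/// are user-controlled and are validated here before use.
/// </param>
/// <returns>An <c>HttpResult</c> carrying the approval model with status 302 and the validated redirect as Location.</returns>
/// <remarks>
/// All failures are reported by throwing the error built by <c>TokenErrorUtility.CreateError</c>:
/// invalid_request (CSRF check, redirect target, unknown client), access_denied (no authenticated
/// resource owner in session) and server_error (approval could not be stored).
/// </remarks>
public object Post(ApprovalResponse ApprovalResponse)
{
    ApprovalData data = new ApprovalData();
    // Read the session once; the same owner is used for data.User and, after the null check, data.Owner.
    DataModels.ResourceOwner owner = Session.Get<DataModels.ResourceOwner>("AuthResourceOwner");
    data.User = owner;
    Request.Items.Add("Model", data);

    // CSRF protection based on the Referer header. A missing Referer is rejected like a
    // mismatching one (previously it dereferenced null and crashed instead of failing closed).
    // NOTE(review): Referer is a weak anti-CSRF signal — it can be stripped by Referrer-Policy
    // or proxies, and this check would then lock out legitimate users. A per-session synchronizer
    // token embedded in the consent form is the recommended primary defence; confirm whether the
    // form already carries one.
    Uri current = new Uri(Request.AbsoluteUri);
    Uri referrerURI = Request.GetReferrerURI();
    if (referrerURI == null || !referrerURI.SchemeHostPathMatch(current))
    {
        // This path passes the raw form model rather than `data`, as the original did; `data`
        // has no validated redirect yet at this point.
        throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Request", ApprovalResponse);
    }

    // The redirect target is user-controlled. data.Redirect is deliberately left unset until
    // validation passes so that no error path can echo or redirect to an unvalidated value.
    Uri redirectURI;
    if (!IsSiteLocalRedirect(ApprovalResponse.redirect, current, out redirectURI))
    {
        throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Redirect URI", data);
    }
    data.Redirect = redirectURI.ToString();

    if (owner == null)
    {
        throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.access_denied, "Not Authenticated", data);
    }
    data.Owner = owner;

    // NOTE(review): client_id is taken from the posted form. If the pending authorization request
    // (and its client) is tracked elsewhere (e.g. in session), the posted client_id should be
    // cross-checked against it so a tampered form cannot grant approval for a different client —
    // confirm against the authorize endpoint.
    DataModels.Client client = ClientModel.GetClientByID(ApprovalResponse.client_id);
    if (client == null)
    {
        throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.invalid_request, "Invalid Client ID", data);
    }
    data.Client = client;

    // Resolve the approved scope names. GetScopeDetails is assumed to return only known scopes;
    // whether the set is also bounded by what the client requested / is permitted is not visible
    // here — TODO confirm in ScopeModel. A null result is tolerated (the original null check was
    // unreachable because ToList() had already thrown on null).
    IEnumerable<DataModels.Scope> resolved = ScopeModel.GetScopeDetails(ApprovalResponse.approved_scopes);
    List<DataModels.Scope> scopes = resolved == null ? null : resolved.ToList();
    // Space-separated scope string; the trailing space of the original format is preserved
    // deliberately, since consumers of Approval.scope may depend on the stored format.
    string scope = scopes == null ? "" : string.Concat(scopes.Select(s => s.scope_name + " "));
    data.RequestedScopes = scopes;

    DataModels.Approval approval = new DataModels.Approval()
    {
        client_id = client.id,
        resource_owner_id = owner.id,
        type = DataModels.ApprovalTypes.user_granted,
        scope = scope,
    };
    if (!ApprovalModel.AddOrUpdateApproval(approval))
    {
        throw TokenErrorUtility.CreateError(DataModels.ErrorCodes.server_error, "Error storing approval", data);
    }

    // The raw string is what the browser will act on; it passed the raw-string checks in
    // IsSiteLocalRedirect, so it is used verbatim (Uri.ToString() may unescape characters).
    return new HttpResult(data)
    {
        StatusCode = System.Net.HttpStatusCode.Redirect,
        Location = ApprovalResponse.redirect
    };
}

/// <summary>
/// Returns true when <paramref name="raw"/> is a redirect target that stays on this site:
/// either an absolute URI with the same scheme and authority (host and port) as
/// <paramref name="current"/>, or a relative reference that browsers cannot reinterpret as
/// pointing to another origin.
/// </summary>
/// <param name="raw">The redirect string as posted by the user (untrusted).</param>
/// <param name="current">The URI of the current request, used as the reference origin.</param>
/// <param name="parsed">The parsed URI when the method returns true; null otherwise.</param>
/// <remarks>
/// Stricter than a host-only comparison: scheme and port must match too, so an https flow cannot
/// be bounced to http or to another service on the same host. NOTE(review): if this app runs
/// behind a TLS-terminating proxy, Request.AbsoluteUri may reflect the internal scheme/port —
/// confirm that current.Scheme/Authority are the externally visible ones.
/// </remarks>
private static bool IsSiteLocalRedirect(string raw, Uri current, out Uri parsed)
{
    parsed = null;
    if (string.IsNullOrEmpty(raw))
    {
        return false;
    }
    // Checks on the raw string, because System.Uri normalises input that browsers act on
    // literally: control characters (header injection), surrounding whitespace, and backslashes
    // ("/\evil.com" parses as a relative path here but browsers treat it as "//evil.com").
    if (raw.Trim() != raw || raw.Any(c => c < ' ' || c == '\\'))
    {
        return false;
    }
    if (!Uri.TryCreate(raw, UriKind.RelativeOrAbsolute, out parsed))
    {
        return false;
    }
    if (parsed.IsAbsoluteUri)
    {
        // Require a literal "scheme://" prefix so forms such as "https:evil.com", which browsers
        // and System.Uri may parse differently, are not accepted on the strength of the parse.
        bool wellFormedPrefix = raw.StartsWith(parsed.Scheme + "://", StringComparison.OrdinalIgnoreCase);
        bool sameScheme = string.Equals(parsed.Scheme, current.Scheme, StringComparison.OrdinalIgnoreCase);
        bool sameAuthority = string.Equals(parsed.Authority, current.Authority, StringComparison.OrdinalIgnoreCase);
        if (wellFormedPrefix && sameScheme && sameAuthority)
        {
            return true;
        }
        parsed = null;
        return false;
    }
    // Relative reference: "//host/..." is protocol-relative and leaves the site even though
    // System.Uri reports it as relative.
    if (raw.StartsWith("//", StringComparison.Ordinal))
    {
        parsed = null;
        return false;
    }
    return true;
}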