protected override IRequestToken GenerateRequestToken(
HttpContext httpContext,
OAuthRequestContext requestContext)
{
// Don't check to see if the token already exists... it will do!
return ServiceProviderContext.TokenGenerator.CreateRequestToken(requestContext.Consumer, requestContext.Parameters);
}
private bool Equals(OAuthRequestContext other)
{
if (other == null)
{
return(false);
}
return(((this.Parameters == null && other.Parameters == null) ||
(this.Parameters != null && this.Parameters.Equals(other.Parameters))) &&
((this.SigningProvider == null && other.SigningProvider == null) ||
(this.SigningProvider != null && this.SigningProvider.Equals(other.SigningProvider))) &&
((this.Consumer == null && other.Consumer == null) ||
(this.Consumer != null && this.Consumer.Equals(other.Consumer))) &&
((this.RequestToken == null && other.RequestToken == null) ||
(this.RequestToken != null && this.RequestToken.Equals(other.RequestToken))) &&
((this.AccessToken == null && other.AccessToken == null) ||
(this.AccessToken != null && this.AccessToken.Equals(other.AccessToken))) &&
(this.RequestId != null && this.RequestId.Equals(other.RequestId)) &&
(this.IsSignatureValid == other.IsSignatureValid) &&
((this.Signature == null && other.Signature == null) ||
(this.Signature != null && this.Signature.Equals(other.Signature))) &&
((this.Principal == null && other.Principal == null) ||
(this.Principal != null && this.Principal.Equals(other.Principal))) &&
((this.ResponseParameters == null && other.ResponseParameters == null) ||
(this.ResponseParameters != null && this.ResponseParameters.Equals(other.ResponseParameters))) &&
(this.IsOAuthRequest == other.IsOAuthRequest));
}
protected virtual void ParseParameters(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Try to parse the parameters
OAuthParameters parameters = OAuthParameters.Parse(httpContext.Request, ServiceProviderContext.Settings.ParameterSources);
/*
* Check for missing required parameters:
*
* The consumer key, signature method, signature, timestamp and nonce parameters
* are all required
*/
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter,
Constants.CallbackParameter);
/*
* The version parameter is optional, but it if is present its value must be 1.0
*/
if (parameters.Version != null)
{
parameters.RequireVersion(Constants.Version1_0);
}
requestContext.Parameters = parameters;
}
protected virtual void CheckVerifier(HttpContext httpContext, OAuthRequestContext requestContext)
{
if (!ServiceProviderContext.VerificationProvider.IsValid(requestContext.RequestToken, requestContext.Parameters.Verifier))
{
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.VerifierParameter }, "Invalid verifier for request token.");
}
}
protected virtual void SetRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
/*
* Check the token
*/
IRequestToken token;
if (ServiceProviderContext.TokenStore.ContainsRequestToken(requestContext.Parameters.Token))
{
token = ServiceProviderContext.TokenStore.GetRequestToken(requestContext.Parameters.Token);
/*
* Ensure the token was issued to the same consumer as this request purports
* to be from.
*/
if (!token.ConsumerKey.Equals(requestContext.Parameters.ConsumerKey))
{
OAuthRequestException.ThrowTokenRejected(null);
}
/*
* Ensure the token is valid
*/
if (token == null)
{
OAuthRequestException.ThrowTokenRejected(null);
}
else
{
switch (token.Status)
{
case TokenStatus.Authorized:
requestContext.RequestToken = token;
break;
case TokenStatus.Expired:
OAuthRequestException.ThrowTokenExpired(null);
break;
case TokenStatus.Used:
OAuthRequestException.ThrowTokenUsed(null);
break;
case TokenStatus.Revoked:
OAuthRequestException.ThrowTokenRevoked(null);
break;
case TokenStatus.Unauthorized:
case TokenStatus.Unknown:
default:
OAuthRequestException.ThrowTokenRejected(null);
break;
}
}
}
else
{
OAuthRequestException.ThrowTokenRejected(null);
}
}
public static void SetSigningProvider(HttpContext httpContext, OAuthRequestContext context)
{
/*
* Check there is a signing provider for the signature method
*/
ISigningProvider signingProvider = ServiceProviderContext.GetSigningProvider(context.Parameters.SignatureMethod);
if (signingProvider == null)
{
// There is no signing provider for this signature method
OAuthRequestException.ThrowSignatureMethodRejected(null);
}
// Double check the signing provider declares that it can handle the signature method
if (!signingProvider.SignatureMethod.Equals(context.Parameters.SignatureMethod))
{
OAuthRequestException.ThrowSignatureMethodRejected(null);
}
// Ask the signing provider to check the request for pre-conditions
if (!signingProvider.CheckRequest(httpContext.Request))
{
OAuthRequestException.ThrowSignatureMethodRejected(null);
}
context.SigningProvider = signingProvider;
}
public static void SetRequestId(OAuthRequestContext context)
{
/*
* Check the timestamp and nonce
*/
context.RequestId = ServiceProviderContext.RequestIdValidator.CheckRequest(
context.Parameters.Nonce,
context.Parameters.Timestamp,
context.Parameters.ConsumerKey,
context.Parameters.Token);
}
protected virtual void SetAccessToken(HttpApplication application, OAuthRequestContext context)
{
IAccessToken accessToken = null;
if (context.Parameters.Token == null && ServiceProviderContext.Settings.AllowConsumerRequests)
{
accessToken = new EmptyAccessToken(context.Consumer.Key);
}
else if (ServiceProviderContext.TokenStore.ContainsAccessToken(context.Parameters.Token))
{
accessToken = ServiceProviderContext.TokenStore.GetAccessToken(context.Parameters.Token);
}
if (accessToken == null)
{
OAuthRequestException.ThrowTokenRejected(null);
}
else
{
/*
* Ensure the token was issued to the same consumer as this request purports
* to be from.
*/
if (!accessToken.ConsumerKey.Equals(context.Parameters.ConsumerKey))
{
OAuthRequestException.ThrowTokenRejected(null);
}
switch (accessToken.Status)
{
case TokenStatus.Authorized:
context.AccessToken = accessToken;
break;
case TokenStatus.Expired:
OAuthRequestException.ThrowTokenExpired(null);
break;
case TokenStatus.Used:
OAuthRequestException.ThrowTokenUsed(null);
break;
case TokenStatus.Revoked:
OAuthRequestException.ThrowTokenRevoked(null);
break;
case TokenStatus.Unauthorized:
case TokenStatus.Unknown:
default:
OAuthRequestException.ThrowTokenRejected(null);
break;
}
}
}
protected virtual IAccessToken GenerateAccessToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
IAccessToken accessToken;
do
{
accessToken = ServiceProviderContext.TokenGenerator.CreateAccessToken(requestContext.Consumer, requestContext.RequestToken);
}while (ServiceProviderContext.TokenStore.Contains(accessToken.Token));
return(accessToken);
}
protected override void IssueRequestToken(
HttpContext httpContext,
OAuthRequestContext requestContext)
{
// Generate a request token
IRequestToken token = this.GenerateRequestToken(httpContext, requestContext);
// Store the token
requestContext.RequestToken = token;
// Don't add to the token store (as it is already in there)
// Add to the response
requestContext.ResponseParameters[Constants.TokenParameter] = token.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = token.Secret;
}
protected override void IssueAccessToken(
HttpContext httpContext,
OAuthRequestContext requestContext)
{
// Generate an access token
IAccessToken accessToken = this.GenerateAccessToken(httpContext, requestContext);
// Mark the token as authorized
accessToken.Status = TokenStatus.Authorized;
// Don't store the token
// Don't mark the request token as used
// Add to the response
requestContext.ResponseParameters[Constants.TokenParameter] = accessToken.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = accessToken.Secret;
}
public virtual void HandleAuthenticateRequest(object sender, EventArgs args)
{
if (ServiceProviderContext.Settings.AuthenticateRequests)
{
HttpApplication application = (HttpApplication)sender;
// Don't do anything if another authentication module has set the user already
if (application.Context.User != null)
{
return;
}
OAuthRequestContext context = new OAuthRequestContext();
WorkflowHelper.StoreOAuthContext(application.Context, context);
try
{
this.ParseParameters(application, context);
this.SetConsumer(application, context);
this.SetAccessToken(application, context);
context.IsOAuthRequest = true;
}
catch (OAuthRequestException ex)
{
// The request may not be an OAuth request so don't pass the exception to the consumer
context.AddError(ex);
context.IsOAuthRequest = false;
return;
}
try
{
this.SetSigningProvider(application, context);
this.SetRequestId(application, context);
this.SetSignature(application, context);
}
catch (OAuthRequestException ex)
{
context.AddError(ex);
WorkflowHelper.SendBadRequest(application.Context, ex, null);
}
this.UpdateAccessToken(application, context);
this.SetUser(application, context);
}
}
/// <summary>
/// Processes the HTTP web request.
/// </summary>
/// <param name="context">HTTP context</param>
public void ProcessRequest(HttpContext context)
{
OAuthRequestContext requestContext = new OAuthRequestContext(new NameValueCollection());
// Check request parameters
try
{
// TODO: Should we ensure the realm parameter, if present, matches the configured realm?
this.ParseParameters(context, requestContext);
this.SetSigningProvider(context, requestContext);
this.SetConsumer(context, requestContext);
this.SetRequestId(context, requestContext);
this.SetRequestToken(context, requestContext);
this.SetSignature(context, requestContext);
this.CheckVerifier(context, requestContext);
}
catch (OAuthRequestException ex)
{
requestContext.AddError(ex);
WorkflowHelper.SendBadRequest(context, ex, requestContext.ResponseParameters);
return;
}
// Allow the application to decide whether to issue the access token
bool isRequestAllowed = this.AllowRequest(context, requestContext);
if (isRequestAllowed)
{
// Allow the application to add additional response parameters
WorkflowHelper.AddApplicationResponseParameters(
requestContext,
this.GetAdditionalResponseParameters(
context,
requestContext));
// Issue the token
this.IssueAccessToken(context, requestContext);
WorkflowHelper.SendOk(context, requestContext.ResponseParameters);
}
else
{
// Send an unauthorized response
WorkflowHelper.SendUnauthorized(context, requestContext.ResponseParameters);
}
}
/// <summary>
/// Processes the HTTP web request.
/// </summary>
/// <param name="context">HTTP context</param>
public void ProcessRequest(HttpContext context)
{
OAuthRequestContext requestContext = new OAuthRequestContext(new NameValueCollection());
// Check request parameters
try
{
// TODO: Should we ensure the realm parameter, if present, matches the configured realm?
this.ParseParameters(context, requestContext);
this.SetSigningProvider(context, requestContext);
this.SetConsumer(context, requestContext);
this.SetRequestId(context, requestContext);
this.SetRequestToken(context, requestContext);
this.SetSignature(context, requestContext);
this.CheckVerifier(context, requestContext);
}
catch (OAuthRequestException ex)
{
requestContext.AddError(ex);
WorkflowHelper.SendBadRequest(context, ex, requestContext.ResponseParameters);
return;
}
// Allow the application to decide whether to issue the access token
bool isRequestAllowed = this.AllowRequest(context, requestContext);
if (isRequestAllowed)
{
// Allow the application to add additional response parameters
WorkflowHelper.AddApplicationResponseParameters(
requestContext,
this.GetAdditionalResponseParameters(
context,
requestContext));
// Issue the token
this.IssueAccessToken(context, requestContext);
WorkflowHelper.SendOk(context, requestContext.ResponseParameters);
}
else
{
// Send an unauthorized response
WorkflowHelper.SendUnauthorized(context, requestContext.ResponseParameters);
}
}
protected virtual void SetUser(HttpApplication application, OAuthRequestContext context)
{
// If we are an EmptyAccessToken then there is no User to load.
if (context.AccessToken is EmptyAccessToken)
{
// Setup any roles defined for Consumer Requests.
string[] roles = new string[] { };
Array.Resize <string>(ref roles, ServiceProviderContext.Settings.ConsumerRequestRoles.Count);
ServiceProviderContext.Settings.ConsumerRequestRoles.CopyTo(roles, 0);
context.AccessToken.RequestToken.Roles = roles;
return;
}
// Create the principal
context.Principal = new OAuthPrincipal(context.AccessToken);
application.Context.User = context.Principal;
}
public virtual void HandleAuthenticateRequest(object sender, EventArgs args)
{
if (ServiceProviderContext.Settings.AuthenticateRequests)
{
HttpApplication application = (HttpApplication)sender;
// Don't do anything if another authentication module has set the user already
if (application.Context.User != null)
return;
OAuthRequestContext context = new OAuthRequestContext();
WorkflowHelper.StoreOAuthContext(application.Context, context);
try
{
this.ParseParameters(application, context);
this.SetConsumer(application, context);
this.SetAccessToken(application, context);
context.IsOAuthRequest = true;
}
catch (OAuthRequestException ex)
{
// The request may not be an OAuth request so don't pass the exception to the consumer
context.AddError(ex);
context.IsOAuthRequest = false;
return;
}
try
{
this.SetSigningProvider(application, context);
this.SetRequestId(application, context);
this.SetSignature(application, context);
}
catch (OAuthRequestException ex)
{
context.AddError(ex);
WorkflowHelper.SendBadRequest(application.Context, ex, null);
}
this.UpdateAccessToken(application, context);
this.SetUser(application, context);
}
}
public static void AddApplicationResponseParameters(OAuthRequestContext requestContext, NameValueCollection additionalParameters)
{
if (additionalParameters == null)
{
return;
}
// Remove any oauth_ prefixed parameters from the application's additional response
foreach (string key in additionalParameters.AllKeys)
{
if (key.StartsWith(Constants.OAuthParameterPrefix, StringComparison.Ordinal))
{
additionalParameters.Remove(key);
}
}
// Add the application's custom parameters
requestContext.ResponseParameters.Add(additionalParameters);
}
protected virtual void IssueAccessToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Generate an access token
IAccessToken accessToken = this.GenerateAccessToken(httpContext, requestContext);
// Mark the token as authorized
accessToken.Status = TokenStatus.Authorized;
// Store the token
ServiceProviderContext.TokenStore.Add(accessToken);
// Mark the request token as used
requestContext.RequestToken.Status = TokenStatus.Used;
ServiceProviderContext.TokenStore.Update(requestContext.RequestToken);
// Add to the response
requestContext.ResponseParameters[Constants.TokenParameter] = accessToken.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = accessToken.Secret;
}
protected virtual void ParseParameters(HttpApplication application, OAuthRequestContext context)
{
// Try to parse the parameters
OAuthParameters parameters = OAuthParameters.Parse(application.Request);
/*
* Check for missing required parameters:
*
* The consumer key, token, signature method, signature, timestamp and nonce parameters
* are all required
*/
if (ServiceProviderContext.Settings.AllowConsumerRequests)
{
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter);
}
else
{
// For 3 legged TokenParameter is required
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.TokenParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter);
}
/*
* The version parameter is optional, but it if is present its value must be 1.0
*/
if (parameters.Version != null)
{
parameters.RequireVersion(Constants.Version1_0);
}
context.Parameters = parameters;
}
public static void SetConsumer(OAuthRequestContext context)
{
/*
* Get the consumer by its consumer key
*/
if (ServiceProviderContext.ConsumerStore.Contains(context.Parameters.ConsumerKey))
{
IConsumer consumer = ServiceProviderContext.ConsumerStore.GetByKey(context.Parameters.ConsumerKey);
if (consumer == null)
{
OAuthRequestException.ThrowConsumerKeyUnknown(null);
}
else
{
switch (consumer.Status)
{
case ConsumerStatus.Valid:
context.Consumer = consumer;
break;
case ConsumerStatus.TemporarilyDisabled:
OAuthRequestException.ThrowConsumerKeyRefused(null);
break;
case ConsumerStatus.PermanentlyDisabled:
OAuthRequestException.ThrowConsumerKeyRejected(null);
break;
case ConsumerStatus.Unknown:
default:
OAuthRequestException.ThrowConsumerKeyUnknown(null);
break;
}
}
}
else
{
OAuthRequestException.ThrowConsumerKeyUnknown(null);
}
}
public static void SetSignature(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Get the token to sign with
string tokenSecret;
if (requestContext.AccessToken != null)
{
tokenSecret = requestContext.AccessToken.Secret;
}
else if (requestContext.RequestToken != null)
{
tokenSecret = requestContext.RequestToken.Secret;
}
else
{
tokenSecret = null;
}
/*
* Check the signature
*/
bool isValid = requestContext.SigningProvider.CheckSignature(
SignatureBase.Create(
httpContext.Request.HttpMethod,
new Uri(httpContext.Request.Url.GetLeftPart(UriPartial.Authority) + httpContext.Request.RawUrl),
requestContext.Parameters),
requestContext.Parameters.Signature,
requestContext.Consumer.Secret,
tokenSecret);
if (!isValid)
{
OAuthRequestException.ThrowSignatureInvalid(null);
}
else
{
requestContext.IsSignatureValid = true;
}
}
private void HandleError(object sender, EventArgs e)
{
if (ServiceProviderContext.Settings.AuthenticateRequests)
{
HttpApplication application = (HttpApplication)sender;
if (application.Context.Error is OAuthRequestException)
{
OAuthRequestException exception = (OAuthRequestException)application.Context.Error;
OAuthRequestContext context = WorkflowHelper.RetrieveOAuthContext(application.Context);
if (context != null)
{
context.AddError(exception);
}
application.Context.ClearError(); // Ensure we clear the exception to avoid ASP.NET handling this
WorkflowHelper.SendBadRequest(application.Context, exception, null);
}
}
}
protected virtual void IssueRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Generate a request token
IRequestToken token = this.GenerateRequestToken(httpContext, requestContext);
// Check to see if the request for a token is oob and that oob is allowed.
if (requestContext.Parameters.Callback.Equals(Constants.OAuthOutOfBandCallback))
{
if (ServiceProviderContext.Settings.AllowOutOfBandCallback == false)
{
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.CallbackParameter }, "Out of band is not supported.");
}
}
else
{
Uri callbackUri;
if (Uri.TryCreate(requestContext.Parameters.Callback, UriKind.Absolute, out callbackUri))
{
ServiceProviderContext.CallbackStore.AddCallback(token, callbackUri);
}
else
{
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.CallbackParameter }, "Not a valid Uri.");
}
}
// Store the token
requestContext.RequestToken = token;
ServiceProviderContext.TokenStore.Add(token);
// Add to the response
requestContext.ResponseParameters[Constants.CallbackConfirmedParameter] = "true"; // The spec never defines when to send false or what will happen if you do.
requestContext.ResponseParameters[Constants.TokenParameter] = token.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = token.Secret;
}
protected virtual void SetRequestId(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetRequestId(requestContext);
}
protected virtual void SetSigningProvider(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetSigningProvider(httpContext, requestContext);
}
protected virtual void SetSignature(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetSignature(httpContext, requestContext);
}
protected virtual void IssueAccessToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Generate an access token
IAccessToken accessToken = this.GenerateAccessToken(httpContext, requestContext);
// Mark the token as authorized
accessToken.Status = TokenStatus.Authorized;
// Store the token
ServiceProviderContext.TokenStore.Add(accessToken);
// Mark the request token as used
requestContext.RequestToken.Status = TokenStatus.Used;
ServiceProviderContext.TokenStore.Update(requestContext.RequestToken);
// Add to the response
requestContext.ResponseParameters[Constants.TokenParameter] = accessToken.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = accessToken.Secret;
}
public static void SetRequestId(OAuthRequestContext context)
{
/*
* Check the timestamp and nonce
*/
context.RequestId = ServiceProviderContext.RequestIdValidator.CheckRequest(
context.Parameters.Nonce,
context.Parameters.Timestamp,
context.Parameters.ConsumerKey,
context.Parameters.Token);
}
public static void AddApplicationResponseParameters(OAuthRequestContext requestContext, NameValueCollection additionalParameters)
{
if (additionalParameters == null)
return;
// Remove any oauth_ prefixed parameters from the application's additional response
foreach (string key in additionalParameters.AllKeys)
if (key.StartsWith(Constants.OAuthParameterPrefix, StringComparison.Ordinal))
additionalParameters.Remove(key);
// Add the application's custom parameters
requestContext.ResponseParameters.Add(additionalParameters);
}
protected virtual void SetAccessToken(HttpApplication application, OAuthRequestContext context)
{
IAccessToken accessToken = null;
if (context.Parameters.Token == null && ServiceProviderContext.Settings.AllowConsumerRequests)
{
accessToken = new EmptyAccessToken(context.Consumer.Key);
}
else if (ServiceProviderContext.TokenStore.ContainsAccessToken(context.Parameters.Token))
accessToken = ServiceProviderContext.TokenStore.GetAccessToken(context.Parameters.Token);
if (accessToken == null)
OAuthRequestException.ThrowTokenRejected(null);
else
{
/*
* Ensure the token was issued to the same consumer as this request purports
* to be from.
*/
if (!accessToken.ConsumerKey.Equals(context.Parameters.ConsumerKey))
OAuthRequestException.ThrowTokenRejected(null);
switch (accessToken.Status)
{
case TokenStatus.Authorized:
context.AccessToken = accessToken;
break;
case TokenStatus.Expired:
OAuthRequestException.ThrowTokenExpired(null);
break;
case TokenStatus.Used:
OAuthRequestException.ThrowTokenUsed(null);
break;
case TokenStatus.Revoked:
OAuthRequestException.ThrowTokenRevoked(null);
break;
case TokenStatus.Unauthorized:
case TokenStatus.Unknown:
default:
OAuthRequestException.ThrowTokenRejected(null);
break;
}
}
}
protected virtual void SetRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
/*
* Check the token
*/
IRequestToken token;
if (ServiceProviderContext.TokenStore.ContainsRequestToken(requestContext.Parameters.Token))
{
token = ServiceProviderContext.TokenStore.GetRequestToken(requestContext.Parameters.Token);
/*
* Ensure the token was issued to the same consumer as this request purports
* to be from.
*/
if (!token.ConsumerKey.Equals(requestContext.Parameters.ConsumerKey))
OAuthRequestException.ThrowTokenRejected(null);
/*
* Ensure the token is valid
*/
if (token == null)
OAuthRequestException.ThrowTokenRejected(null);
else
switch (token.Status)
{
case TokenStatus.Authorized:
requestContext.RequestToken = token;
break;
case TokenStatus.Expired:
OAuthRequestException.ThrowTokenExpired(null);
break;
case TokenStatus.Used:
OAuthRequestException.ThrowTokenUsed(null);
break;
case TokenStatus.Revoked:
OAuthRequestException.ThrowTokenRevoked(null);
break;
case TokenStatus.Unauthorized:
case TokenStatus.Unknown:
default:
OAuthRequestException.ThrowTokenRejected(null);
break;
}
}
else
OAuthRequestException.ThrowTokenRejected(null);
}
protected virtual void CheckVerifier(HttpContext httpContext, OAuthRequestContext requestContext)
{
if (!ServiceProviderContext.VerificationProvider.IsValid(requestContext.RequestToken, requestContext.Parameters.Verifier))
{
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.VerifierParameter }, "Invalid verifier for request token.");
}
}
private bool Equals(OAuthRequestContext other)
{
if (other == null)
return false;
return ((this.Parameters == null && other.Parameters == null) ||
(this.Parameters != null && this.Parameters.Equals(other.Parameters))) &&
((this.SigningProvider == null && other.SigningProvider == null) ||
(this.SigningProvider != null && this.SigningProvider.Equals(other.SigningProvider))) &&
((this.Consumer == null && other.Consumer == null) ||
(this.Consumer != null && this.Consumer.Equals(other.Consumer))) &&
((this.RequestToken == null && other.RequestToken == null) ||
(this.RequestToken != null && this.RequestToken.Equals(other.RequestToken))) &&
((this.AccessToken == null && other.AccessToken == null) ||
(this.AccessToken != null && this.AccessToken.Equals(other.AccessToken))) &&
(this.RequestId != null && this.RequestId.Equals(other.RequestId)) &&
(this.IsSignatureValid == other.IsSignatureValid) &&
((this.Signature == null && other.Signature == null) ||
(this.Signature != null && this.Signature.Equals(other.Signature))) &&
((this.Principal == null && other.Principal == null) ||
(this.Principal != null && this.Principal.Equals(other.Principal))) &&
((this.ResponseParameters == null && other.ResponseParameters == null) ||
(this.ResponseParameters != null && this.ResponseParameters.Equals(other.ResponseParameters))) &&
(this.IsOAuthRequest == other.IsOAuthRequest);
}
/// <summary>
/// Supplies additional parameters to send in the response.
/// </summary>
///
/// <remarks>
/// Parameter names prefixed with <c>"oauth_"</c> will be stripped.
/// </remarks>
///
/// <param name="httpContext">HTTP context</param>
/// <param name="requestContext">OAuth request context</param>
///
/// <returns>
/// A collection of parameters to add to the response, or
/// <c>null</c> if no additional parameters should be sent
/// </returns>
protected virtual NameValueCollection GetAdditionalResponseParameters(HttpContext httpContext, OAuthRequestContext requestContext)
{
// By default, there are no extra parameters
return null;
}
/// <summary>
/// Determines whether an access token is issued for this request.
/// </summary>
///
/// <remarks>
/// <para>
/// If you need to apply extra rules before allowing an access
/// token to be issued, you should create an AccessTokenHandler class
/// which inherits from this & overrides the AllowRequest method
/// and add it as a HTTP handler for the access token URI.
/// </para>
///
/// <para>
/// If AllowRequest returns <c>true</c> the access token will
/// be issued. Additional application-specific response
/// parameters can be added by overriding the
/// <see cref="GetAdditionalResponseParameters"/> method.
/// </para>
///
/// <para>
/// If AllowRequest returns <c>false</c> then a 401 Unauthorized
/// response will be returned.
/// </para>
///
/// <para>
/// The <paramref name="requestContext"/> parameter contains
/// the OAuth information parsed from the request.
/// </para>
/// </remarks>
///
/// <param name="httpContext">HTTP context</param>
/// <param name="requestContext">OAuth request context</param>
///
/// <returns>
/// <c>true</c>, if an access token should be issued; <c>false</c>
/// otherwise
/// </returns>
protected virtual bool AllowRequest(HttpContext httpContext, OAuthRequestContext requestContext)
{
// By default, requests for access tokens are allowed
return true;
}
protected virtual IAccessToken GenerateAccessToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
IAccessToken accessToken;
do
{
accessToken = ServiceProviderContext.TokenGenerator.CreateAccessToken(requestContext.Consumer, requestContext.RequestToken);
}
while (ServiceProviderContext.TokenStore.Contains(accessToken.Token));
return accessToken;
}
public static void SetSigningProvider(HttpContext httpContext, OAuthRequestContext context)
{
/*
* Check there is a signing provider for the signature method
*/
ISigningProvider signingProvider = ServiceProviderContext.GetSigningProvider(context.Parameters.SignatureMethod);
if (signingProvider == null)
{
// There is no signing provider for this signature method
OAuthRequestException.ThrowSignatureMethodRejected(null);
}
// Double check the signing provider declares that it can handle the signature method
if (!signingProvider.SignatureMethod.Equals(context.Parameters.SignatureMethod))
OAuthRequestException.ThrowSignatureMethodRejected(null);
// Ask the signing provider to check the request for pre-conditions
if (!signingProvider.CheckRequest(httpContext.Request))
OAuthRequestException.ThrowSignatureMethodRejected(null);
context.SigningProvider = signingProvider;
}
protected virtual void UpdateAccessToken(HttpApplication application, OAuthRequestContext context)
{
// TODO: Update access token according to its usage policy...
}
public static void SetConsumer(OAuthRequestContext context)
{
/*
* Get the consumer by its consumer key
*/
if (ServiceProviderContext.ConsumerStore.Contains(context.Parameters.ConsumerKey))
{
IConsumer consumer = ServiceProviderContext.ConsumerStore.GetByKey(context.Parameters.ConsumerKey);
if (consumer == null)
OAuthRequestException.ThrowConsumerKeyUnknown(null);
else
switch (consumer.Status)
{
case ConsumerStatus.Valid:
context.Consumer = consumer;
break;
case ConsumerStatus.TemporarilyDisabled:
OAuthRequestException.ThrowConsumerKeyRefused(null);
break;
case ConsumerStatus.PermanentlyDisabled:
OAuthRequestException.ThrowConsumerKeyRejected(null);
break;
case ConsumerStatus.Unknown:
default:
OAuthRequestException.ThrowConsumerKeyUnknown(null);
break;
}
}
else
OAuthRequestException.ThrowConsumerKeyUnknown(null);
}
protected virtual void IssueRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Generate a request token
IRequestToken token = this.GenerateRequestToken(httpContext, requestContext);
// Check to see if the request for a token is oob and that oob is allowed.
if (requestContext.Parameters.Callback.Equals(Constants.OAuthOutOfBandCallback))
{
if (ServiceProviderContext.Settings.AllowOutOfBandCallback == false)
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.CallbackParameter }, "Out of band is not supported.");
}
else
{
Uri callbackUri;
if (Uri.TryCreate(requestContext.Parameters.Callback, UriKind.Absolute, out callbackUri))
{
ServiceProviderContext.CallbackStore.AddCallback(token, callbackUri);
}
else
OAuthRequestException.ThrowParametersRejected(new string[] { Constants.CallbackParameter }, "Not a valid Uri.");
}
// Store the token
requestContext.RequestToken = token;
ServiceProviderContext.TokenStore.Add(token);
// Add to the response
requestContext.ResponseParameters[Constants.CallbackConfirmedParameter] = "true"; // The spec never defines when to send false or what will happen if you do.
requestContext.ResponseParameters[Constants.TokenParameter] = token.Token;
requestContext.ResponseParameters[Constants.TokenSecretParameter] = token.Secret;
}
public static void SetSignature(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Get the token to sign with
string tokenSecret;
if (requestContext.AccessToken != null)
tokenSecret = requestContext.AccessToken.Secret;
else if (requestContext.RequestToken != null)
tokenSecret = requestContext.RequestToken.Secret;
else
tokenSecret = null;
/*
* Check the signature
*/
bool isValid = requestContext.SigningProvider.CheckSignature(
SignatureBase.Create(
httpContext.Request.HttpMethod,
new Uri(httpContext.Request.Url.GetLeftPart(UriPartial.Authority) + httpContext.Request.RawUrl),
requestContext.Parameters),
requestContext.Parameters.Signature,
requestContext.Consumer.Secret,
tokenSecret);
if (!isValid)
OAuthRequestException.ThrowSignatureInvalid(null);
else
requestContext.IsSignatureValid = true;
}
protected virtual void UpdateAccessToken(HttpApplication application, OAuthRequestContext context)
{
// TODO: Update access token according to its usage policy...
}
public static void StoreOAuthContext(HttpContext httpContext, OAuthRequestContext oauthContext)
{
httpContext.Items[typeof(OAuthRequestContext)] = oauthContext;
}
protected virtual void SetRequestId(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetRequestId(requestContext);
}
protected virtual IRequestToken GenerateRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
IRequestToken requestToken;
do
{
requestToken = ServiceProviderContext.TokenGenerator.CreateRequestToken(requestContext.Consumer, requestContext.Parameters);
}while (ServiceProviderContext.TokenStore.Contains(requestToken.Token));
return(requestToken);
}
protected virtual void SetSignature(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetSignature(httpContext, requestContext);
}
protected virtual void SetUser(HttpApplication application, OAuthRequestContext context)
{
// If we are an EmptyAccessToken then there is no User to load.
if (context.AccessToken is EmptyAccessToken)
{
// Setup any roles defined for Consumer Requests.
string[] roles = new string[] { };
Array.Resize<string>(ref roles, ServiceProviderContext.Settings.ConsumerRequestRoles.Count);
ServiceProviderContext.Settings.ConsumerRequestRoles.CopyTo(roles, 0);
context.AccessToken.RequestToken.Roles = roles;
return;
}
// Create the principal
context.Principal = new OAuthPrincipal(context.AccessToken);
application.Context.User = context.Principal;
}
protected virtual void SetRequestId(HttpApplication application, OAuthRequestContext context)
{
WorkflowHelper.SetRequestId(context);
}
protected virtual void SetSigningProvider(HttpContext httpContext, OAuthRequestContext requestContext)
{
WorkflowHelper.SetSigningProvider(httpContext, requestContext);
}
/// <summary>
/// Supplies additional parameters to send in the response.
/// </summary>
///
/// <remarks>
/// Parameter names prefixed with <c>"oauth_"</c> will be stripped.
/// </remarks>
///
/// <param name="httpContext">HTTP context</param>
/// <param name="requestContext">OAuth request context</param>
///
/// <returns>
/// A collection of parameters to add to the response, or
/// <c>null</c> if no additional parameters should be sent
/// </returns>
protected virtual NameValueCollection GetAdditionalResponseParameters(HttpContext httpContext, OAuthRequestContext requestContext)
{
// By default, there are no extra parameters
return(null);
}
protected virtual void SetSignature(HttpApplication application, OAuthRequestContext context)
{
WorkflowHelper.SetSignature(application.Context, context);
}
protected virtual IRequestToken GenerateRequestToken(HttpContext httpContext, OAuthRequestContext requestContext)
{
IRequestToken requestToken;
do
{
requestToken = ServiceProviderContext.TokenGenerator.CreateRequestToken(requestContext.Consumer, requestContext.Parameters);
}
while (ServiceProviderContext.TokenStore.Contains(requestToken.Token));
return requestToken;
}
protected virtual void SetRequestId(HttpApplication application, OAuthRequestContext context)
{
WorkflowHelper.SetRequestId(context);
}
protected virtual void ParseParameters(HttpContext httpContext, OAuthRequestContext requestContext)
{
// Try to parse the parameters
OAuthParameters parameters = OAuthParameters.Parse(httpContext.Request, ServiceProviderContext.Settings.ParameterSources);
/*
* Check for missing required parameters:
*
* The consumer key, signature method, signature, timestamp and nonce parameters
* are all required
*/
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.TokenParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter,
Constants.VerifierParameter);
/*
* The version parameter is optional, but it if is present its value must be 1.0
*/
if (parameters.Version != null)
parameters.RequireVersion(Constants.Version1_0);
/*
* Check that there are no other parameters except for realm, version and
* the required parameters
*/
parameters.AllowOnly(
Constants.ConsumerKeyParameter,
Constants.TokenParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter,
Constants.VerifierParameter,
Constants.VersionParameter, // (optional)
Constants.RealmParameter); // (optional)
requestContext.Parameters = parameters;
}
/// <summary>
/// Determines whether an access token is issued for this request.
/// </summary>
///
/// <remarks>
/// <para>
/// If you need to apply extra rules before allowing an access
/// token to be issued, you should create an AccessTokenHandler class
/// which inherits from this & overrides the AllowRequest method
/// and add it as a HTTP handler for the access token URI.
/// </para>
///
/// <para>
/// If AllowRequest returns <c>true</c> the access token will
/// be issued. Additional application-specific response
/// parameters can be added by overriding the
/// <see cref="GetAdditionalResponseParameters"/> method.
/// </para>
///
/// <para>
/// If AllowRequest returns <c>false</c> then a 401 Unauthorized
/// response will be returned.
/// </para>
///
/// <para>
/// The <paramref name="requestContext"/> parameter contains
/// the OAuth information parsed from the request.
/// </para>
/// </remarks>
///
/// <param name="httpContext">HTTP context</param>
/// <param name="requestContext">OAuth request context</param>
///
/// <returns>
/// <c>true</c>, if an access token should be issued; <c>false</c>
/// otherwise
/// </returns>
protected virtual bool AllowRequest(HttpContext httpContext, OAuthRequestContext requestContext)
{
// By default, requests for access tokens are allowed
return(true);
}
public static void StoreOAuthContext(HttpContext httpContext, OAuthRequestContext oauthContext)
{
httpContext.Items[typeof(OAuthRequestContext)] = oauthContext;
}
protected virtual void ParseParameters(HttpApplication application, OAuthRequestContext context)
{
// Try to parse the parameters
OAuthParameters parameters = OAuthParameters.Parse(application.Request);
/*
* Check for missing required parameters:
*
* The consumer key, token, signature method, signature, timestamp and nonce parameters
* are all required
*/
if (ServiceProviderContext.Settings.AllowConsumerRequests)
{
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter);
}
else
{
// For 3 legged TokenParameter is required
parameters.RequireAllOf(
Constants.ConsumerKeyParameter,
Constants.TokenParameter,
Constants.SignatureMethodParameter,
Constants.SignatureParameter,
Constants.TimestampParameter,
Constants.NonceParameter);
}
/*
* The version parameter is optional, but it if is present its value must be 1.0
*/
if (parameters.Version != null)
parameters.RequireVersion(Constants.Version1_0);
context.Parameters = parameters;
}
protected virtual void SetSignature(HttpApplication application, OAuthRequestContext context)
{
WorkflowHelper.SetSignature(application.Context, context);
}
