0

I have an implementation of DNOA that I'm having trouble with. The code in the samples I have seen are wrong and cannot work and I cannot figure out how to get this working correctly.

I have asked a similar question on the DNOA group here but I'm wondering if this is actually a bigger question related to OAuth in general. Andrew asserts that this should work but I see a lot of people asking the same question and no real solution.

When using the ExchangeUserCredentialForToken DNOA is sending username password credentials to the authorisation server. Under the covers this uses a NetworkCredential class that appears to wipe the client_id and client_secret properties (these are apparently moved into a Basic Authentication HTTP header, which is then in turn wiped by the HttpWebRequest.

In the DNOA samples I've seen the code checks that a valid authorisation is held in the system for the user and this client.

Without the client identifier it is impossible to check for a valid authorisation since we cannot check that the scopes requested falls within the scope the user may or may not have authorized the client to access.

I can only assume that either my understanding is incorrect, the samples I've seen are incorrect or there is a problem with DNOA.

I've tried manually deserializing the access_token using:

var token = accessTokenAnalyser.DeserializeAccessToken(new Dummy(), authHeader.Replace("Bearer ", ""));

However, the clientidentifier in the access token was also null.

From reading threads on the DNOA group is appears that the client identifier should also be available in the CreateAccessToken method yet it never is - it's always null.

Another scenario in a sample shows the authroisation server automatically adding an authorisation in the TryAuthorizeResourceOwnerCredentialGrant but again this is impossible as the clientidentifier is always null.

Can anyone advise on either my assumptions being totally wrong on the use of client identifiers or solutions to getting the client identifier into the request at the authorisation server.

Also if during this authorisation process we cannot know the client we also cannot enforce any client scope checks.

Does anyone know how to get the NetworkCredential class to pass the client_id in the request without nulling it?

Jammer
  • 9,969
  • 11
  • 68
  • 115

2 Answers2

2

Using the PostParameterApplicator that comes with DotNetOpenAuth should also resolve this.

The default NetworkCredentialApplicator is fixed in DotNetOpenAuth 4.1.5 (not released yet as of 12/2/2012)

Andrew Arnott
  • 80,040
  • 26
  • 132
  • 171
0

I have resolved this by creating my own ClientCredentialApplicator implementation and then using this when constructing the client.

The class is pretty simple:

public class ClientIdentifierApplicator : DotNetOpenAuth.OAuth2.ClientCredentialApplicator
{
    public string ApiKey { get; set; }
    public string ApiSecret { get; set; }

    public ClientIdentifierApplicator(string apiKey, string apiSecret)
    {
        ApiKey = apiKey;
        ApiSecret = ApiSecret;
    }

    public override void ApplyClientCredential(string clientIdentifier, System.Net.HttpWebRequest request)
    {
        base.ApplyClientCredential(clientIdentifier, request);
        request.Credentials = new NetworkCredential(ApiKey, ApiSecret);
    }
}

Once you have this class available you can construct it like this:

        var clientCred = new ClientIdentifierApplicator(ApiKey, ApiSecret);

And then when instantiating your client WebServerClient or UserAgentClient you can supply it as a constructor parameter:

        var OAuthWebServerClient = new WebServerClient(AuthServerDescription, ApiKey, clientCred);

I tried using the internal NetworkCredentialApplicator but couldn't get it to work as desired.

Jammer
  • 9,969
  • 11
  • 68
  • 115