DotNetOpenAuth.OAuth2.ClientAuthorization

Encodes/decodes the OAuth 2.0 response_type argument.

Initializes a new instance of the class.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

The string value carried by the transport. Guaranteed to never be null, although it may be empty. The deserialized form of the given string. Thrown when the string value given cannot be decoded into the required object type.

Encodes/decodes the OAuth 2.0 grant_type argument.

Initializes a new instance of the class.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

The base messaging channel used by OAuth 2.0 parties.

The protocol versions supported by this channel.

Initializes a new instance of the class.

The message types that are received by this channel. The binding elements to use in sending and receiving messages. The order they are provided is used for outgoing messgaes, and reversed for incoming messages.

Allows preprocessing and validation of message data before an appropriate message type is selected or deserialized.

The received message data.

A strongly-typed resource class, for looking up localized strings, etc.

Returns the cached ResourceManager instance used by this class.

Overrides the current thread's CurrentUICulture property for all resource lookups using this strongly typed resource class.

Looks up a localized string similar to The request message type {0} should not be responded to with a refresh token..

Looks up a localized string similar to The Authorization Server's token endpoint generated error {0}: '{1}'.

OAuth 2 Client types

Based on their ability to authenticate securely with the authorization server (i.e. ability to maintain the confidentiality of their client credentials). The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type, nor accept the type information provided by the client developer without first establishing trust. A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential server-based component and a public browser-based component), MUST register each component separately as a different client to ensure proper handling by the authorization server. The authorization server MAY provider tools to manage such complex clients through a single administration interface.

Clients capable of maintaining the confidentiality of their credentials (e.g. client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.

Clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.

A description of a client from an Authorization Server's point of view.

Determines whether a callback URI included in a client's authorization request is among those allowed callbacks for the registered client.

The absolute URI the client has requested the authorization result be received at. Never null. true if the callback URL is allowable for this client; otherwise, false. At the point this method is invoked, the identity of the client has not been confirmed. To avoid open redirector attacks, the alleged client's identity is used to lookup a list of allowable callback URLs to make sure that the callback URL the actual client is requesting is one of the expected ones. From OAuth 2.0 section 2.1: The authorization server SHOULD require the client to pre-register their redirection URI or at least certain components such as the scheme, host, port and path. If a redirection URI was registered, the authorization server MUST compare any redirection URI received at the authorization endpoint with the registered URI.

Checks whether the specified client secret is correct.

The secret obtained from the client. true if the secret matches the one in the authorization server's record for the client; false otherwise. All string equality checks, whether checking secrets or their hashes, should be done using to mitigate timing attacks.

Gets the callback to use when an individual authorization request does not include an explicit callback URI.

An absolute URL; or null if none is registered.

Gets the type of the client.

Gets a value indicating whether a non-empty secret is registered for this client.

Contract class for the interface.

Determines whether a callback URI included in a client's authorization request is among those allowed callbacks for the registered client.

The requested callback URI. true if the callback is allowed; otherwise, false.

Checks whether the specified client secret is correct.

Gets the type of the client.

Gets the callback to use when an individual authorization request does not include an explicit callback URI.

An absolute URL; or null if none is registered.

Gets a value indicating whether a non-empty secret is registered for this client.

A request from a Client to an Authorization Server to exchange an authorization code for an access token, and (at the authorization server's option) a refresh token.

A message sent from the client to the authorization server to exchange a previously obtained grant for an access token.

A direct message from the client to the authorization server that includes the client's credentials.

The backing for the property.

Initializes a new instance of the class.

The Authorization Server's access token endpoint URL. The version.

Gets the client identifier previously obtained from the Authorization Server.

The client identifier. Not required, because the client id may be communicate through alternate means like HTTP Basic authentication (the OAuth 2 spec allows a lot of freedom here).

Gets the client secret.

The client secret. REQUIRED. The client secret as described in Section 2.1 (Client Credentials). OPTIONAL if no client secret was issued.

Gets the HTTP headers of the request.

May be an empty collection, but must not be null.

Implemented by all message types whose response may contain an access token.

A request from a client that should be responded to directly with an access token.

Gets a value indicating whether the client requesting the access token has authenticated itself.

false for implicit grant requests; otherwise, true.

Gets the identifier of the client authorized to access protected data.

Gets the username of the authorizing user, when applicable.

A non-empty string; or null when no user has authorized this access token.

Gets the scope of operations the client is allowed to invoke.

Gets or sets the result of calling the authorization server host's access token creation method.

Initializes a new instance of the class.

The Authorization Server's access token endpoint URL. The version.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Some messages have required fields, or combinations of fields that must relate to each other in specialized ways. After deserializing a message, this method checks the state of the message to see if it conforms to the protocol. Note that this property should not check signatures or perform any state checks outside this scope of this particular message. Thrown if the message is invalid.

Gets the scope of operations the client is allowed to invoke.

Gets a value indicating whether the client requesting the access token has authenticated itself.

Always true, because of our base class.

Gets or sets the result of calling the authorization server host's access token creation method.

Gets the username of the authorizing user, when applicable.

A non-empty string; or null when no user has authorized this access token.

Gets the type of the grant.

The type of the grant.

Gets the scope of operations the client is allowed to invoke.

Initializes a new instance of the class.

The Authorization Server's access token endpoint URL. The version.

Gets the type of the grant.

The type of the grant.

Gets or sets the verification code previously communicated to the Client in .

The verification code received from the authorization server.

Gets or sets the callback URL used in

The Callback URL used to obtain the Verification Code. REQUIRED, if the redirect_uri parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

Gets the scope of operations the client is allowed to invoke.

A request for an access token for a client application that has its own (non-user affiliated) client name and password.

This is somewhat analogous to 2-legged OAuth.

An access token request that includes a scope parameter.

Initializes a new instance of the class.

The Authorization Server's access token endpoint URL. The version.

Gets the set of scopes the Client would like the access token to provide access to.

A set of scopes. Never null.

Gets the scope of operations the client is allowed to invoke.

Initializes a new instance of the class.

The authorization server. The version.

Gets the authorization that the code or token describes.

Gets the date this authorization was established or the token was issued.

A date/time expressed in UTC.

Gets the name on the account whose data on the resource server is accessible using this authorization.

Gets the scope of operations the client is allowed to invoke.

Gets the type of the grant.

The type of the grant.

A response from the Authorization Server to the Client to indicate that a request for an access token renewal failed, probably due to an invalid refresh token.

This message type is shared by the Web App, Rich App, and Username/Password profiles.

A value indicating whether this error response is in result to a request that had invalid client credentials which were supplied in the HTTP Authorization header.

The headers to include in the response.

Initializes a new instance of the class.

The faulty request.

Initializes a new instance of the class.

The faulty request. A value indicating whether this error response is in result to a request that had invalid client credentials which were supplied in the HTTP Authorization header.

Initializes a new instance of the class.

The protocol version.

Gets the HTTP status code that the direct response should be sent with.

Gets the HTTP headers to add to the response.

May be an empty collection, but must not be null.

Gets or sets the error.

One of the values given in .

Gets or sets a human readable description of the error.

Human-readable text providing additional information, used to assist in the understanding and resolution of the error that occurred.

Gets or sets the location of the web page that describes the error and possible resolution.

A URI identifying a human-readable web page with information about the error, used to provide the end-user with additional information about the error.

A request from the client to the token endpoint for a new access token in exchange for a refresh token that the client has previously obtained.

Initializes a new instance of the class.

The token endpoint. The version.

Gets or sets the refresh token.

The refresh token. REQUIRED. The refresh token associated with the access token to be refreshed.

Gets the type of the grant.

The type of the grant.

A request from a Client to an Authorization Server to exchange the user's username and password for an access token.

Initializes a new instance of the class.

The access token endpoint. The protocol version.

Gets the authorization that the code or token describes.

Gets the date this authorization was established or the token was issued.

A date/time expressed in UTC.

Gets the name on the account whose data on the resource server is accessible using this authorization.

Gets the scope of operations the client is allowed to invoke.

Gets the username of the authorizing user, when applicable.

A non-empty string; or null when no user has authorized this access token.

Gets the type of the grant.

The type of the grant.

Gets or sets the user's account username.

The username on the user's account.

Gets or sets the user's password.

The password.

Gets or sets a value indicating whether the resource owner's credentials have been validated at the authorization server.

Describes the parameters to be fed into creating a response to an access token request.

Gets or sets a value indicating whether to provide the client with a refresh token, when applicable.

The default value is true. > The refresh token will never be provided when this value is false. The refresh token may be provided when this value is true.

Gets the access token.

A response from the Authorization Server to the Client containing a delegation code that the Client should use to obtain an access token.

This message type is shared by the Web App, Rich App, and Username/Password profiles.

A message sent from the Authorization Server to the client carrying an access token.

Gets or sets the lifetime of the access token.

The lifetime.

Initializes a new instance of the class.

The request.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Thrown if the message is invalid.

Gets the HTTP status code that the direct response should be sent with.

Always HttpStatusCode.OK

Gets the HTTP headers to add to the response.

May be an empty collection, but must not be null.

Gets or sets the access token.

The access token.

Gets or sets the token type.

Usually "bearer". Described in OAuth 2.0 section 7.1.

Gets or sets the lifetime of the access token.

The lifetime.

Gets or sets the refresh token.

The refresh token. OPTIONAL. The refresh token used to obtain new access tokens using the same end-user access grant as described in Section 6 (Refreshing an Access Token).

Gets the scope of access being requested.

The scope of the access request expressed as a list of space-delimited strings. The value of the scope parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

Gets or sets the lifetime of the access token.

The lifetime.

Gets the authorization that the token describes.

Gets or sets the authorization that the token describes.

Gets or sets the access token.

Gets or sets a value indicating whether a refresh token is or should be included in the response.

The message that an Authorization Server responds to a Client with when the user denies a user authorization request.

A message carrying client state the authorization server should preserve on behalf of the client during an authorization.

Gets or sets the state of the client.

The state of the client.

Initializes a new instance of the class.

The URL to redirect to so the client receives the message. This may not be built into the request message if the client pre-registered the URL with the authorization server. The protocol version.

Initializes a new instance of the class.

The URL to redirect to so the client receives the message. This may not be built into the request message if the client pre-registered the URL with the authorization server. The authorization request from the user agent on behalf of the client.

Gets or sets the error.

One of the values given in . OR a numerical HTTP status code from the 4xx or 5xx range, with the exception of the 400 (Bad Request) and 401 (Unauthorized) status codes. For example, if the service is temporarily unavailable, the authorization server MAY return an error response with "error" set to "503".

Gets or sets a human readable description of the error.

Human-readable text providing additional information, used to assist in the understanding and resolution of the error that occurred.

Gets or sets the location of the web page that describes the error and possible resolution.

A URI identifying a human-readable web page with information about the error, used to provide the end-user with additional information about the error.

Gets or sets some state as provided by the client in the authorization request.

An opaque value defined by the client. REQUIRED if the Client sent the value in the .

A message sent by a web application Client to the AuthorizationServer via the user agent to obtain authorization from the user and prepare to issue an access token to the client if permission is granted.

Gets the grant type that the client expects of the authorization server.

Always . Other response types are not supported.

Initializes a new instance of the class.

The Authorization Server's user authorization URL to direct the user to. The protocol version.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Thrown if the message is invalid.

Gets the grant type that the client expects of the authorization server.

Gets or sets the identifier by which this client is known to the Authorization Server.

Gets or sets the callback URL.

An absolute URL to which the Authorization Server will redirect the User back after the user has approved the authorization request. REQUIRED unless a redirection URI has been established between the client and authorization server via other means. An absolute URI to which the authorization server will redirect the user-agent to when the end-user authorization step is completed. The authorization server MAY require the client to pre-register their redirection URI. The redirection URI MUST NOT include a query component as defined by [RFC3986] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) section 3 if the state parameter is present.

Gets or sets state of the client that should be sent back with the authorization response.

An opaque value that Clients can use to maintain state associated with this request. This data is proprietary to the client and should be considered an opaque string to the authorization server.

Gets the scope of access being requested.

Gets or sets the grant type that the client expects of the authorization server.

Always . Other response types are not supported.

Initializes a new instance of the class.

The Authorization Server's user authorization URL to direct the user to. The protocol version.

Gets the grant type that the client expects of the authorization server.

Gets or sets the result of calling the authorization server host's access token creation method.

Gets the username of the authorizing user, when applicable.

A non-empty string; or null when no user has authorized this access token.

Gets a value indicating whether the client requesting the access token has authenticated itself.

Always false because authorization requests only include the client_id, without a secret.

An indication of what kind of response the client is requesting from the authorization server after the user has granted authorized access.

An access token should be returned immediately.

An authorization code should be returned, which can later be exchanged for refresh and access tokens.

The message sent by the Authorization Server to the Client via the user agent to indicate that user authorization was granted, carrying only an access token, and to return the user to the Client where they started their experience.

The message sent by the Authorization Server to the Client via the user agent to indicate that user authorization was granted, and to return the user to the Client where they started their experience.

Initializes a new instance of the class.

The URL to redirect to so the client receives the message. This may not be built into the request message if the client pre-registered the URL with the authorization server. The protocol version.

Initializes a new instance of the class.

Gets or sets some state as provided by the client in the authorization request.

An opaque value defined by the client. REQUIRED if the Client sent the value in the .

Gets or sets the scope of the if one is given; otherwise the scope of the authorization code.

The scope.

Gets or sets the authorizing user's account name.

Initializes a new instance of the class.

The URL to redirect to so the client receives the message. This may not be built into the request message if the client pre-registered the URL with the authorization server. The protocol version.

Initializes a new instance of the class.

Gets or sets the authorization that the token describes.

Gets the authorization that the token describes.

Gets a value indicating whether the payload for the message should be included in the redirect fragment instead of the query string or POST entity.

Gets or sets the lifetime of the access token.

The lifetime.

Gets or sets the token type.

Usually "bearer". Described in OAuth 2.0 section 7.1.

Gets or sets the access token.

The access token.

Gets or sets the scope of the if one is given; otherwise the scope of the authorization code.

The scope.

Gets or sets the lifetime of the authorization.

The lifetime.

The message sent by the Authorization Server to the Client via the user agent to indicate that user authorization was granted, carrying an authorization code and possibly an access token, and to return the user to the Client where they started their experience.

Initializes a new instance of the class.

The URL to redirect to so the client receives the message. This may not be built into the request message if the client pre-registered the URL with the authorization server. The protocol version.

Initializes a new instance of the class.

Gets or sets the authorization code.

The authorization code.

The types of authorizations that a client can use to obtain a refresh token and/or an access token.

The client is providing the authorization code previously obtained from an end user authorization response.

The client is providing the end user's username and password to the authorization server.

The client is providing an assertion it obtained from another source.

The client is providing a refresh token.

No authorization to access a user's data has been given. The client is requesting an access token authorized for its own private data. This fits the classic OAuth 1.0(a) "2-legged OAuth" scenario.

When requesting an access token using the none access grant type (no access grant is included), the client is requesting access to the protected resources under its control, or those of another resource owner which has been previously arranged with the authorization server (the method of which is beyond the scope of this specification).

Describes an error generated by an Authorization Server's token endpoint.

The message being processed that caused this exception to be thrown.

The WWW-Authenticate header to add to the response message.

Initializes a new instance of the class.

The message whose processing resulted in this error. A single error code from . A human-readable UTF-8 encoded text providing additional information, used to assist the client developer in understanding the error that occurred. A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error. The WWW-Authenticate header to add to the response.

Initializes a new instance of the class.

The inner exception.

Gets the response message to send to the client.

A message.

Gets a single error code from .

Gets a human-readable UTF-8 encoded text providing additional information, used to assist the client developer in understanding the error that occurred.

Gets a URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.