DotNetOpenAuth.OAuth2

Represents the <oauth> element in the host's .config file.

The name of the oauth section.

Initializes a new instance of the class.

A short-lived token that accompanies HTTP requests to protected data to authorize the request.

A data bag that stores authorization data.

Describes a delegated authorization between a resource server, a client, and a user.

Gets the identifier of the client authorized to access protected data.

Gets the date this authorization was established or the token was issued.

A date/time expressed in UTC.

Gets the name on the account whose data on the resource server is accessible using this authorization.

Gets the scope of operations the client is allowed to invoke.

Initializes a new instance of the class.

Gets or sets the identifier of the client authorized to access protected data.

Gets the date this authorization was established or the token was issued.

A date/time expressed in UTC.

Gets or sets the name on the account whose data on the resource server is accessible using this authorization.

Gets the scope of operations the client is allowed to invoke.

Initializes a new instance of the class.

Creates a formatter capable of serializing/deserializing an access token.

The crypto service provider with the authorization server's private key used to asymmetrically sign the access token. The crypto service provider with the resource server's public key used to encrypt the access token. An access token serializer.

Initializes this instance of the class.

The authorization to apply to this access token.

Initializes this instance of the class.

The scopes. The username of the account that authorized this token. The lifetime for this access token. The is left null in this case because this constructor is invoked in the case where the client is not authenticated, and therefore no trust in the client_id is appropriate.

Serializes this instance to a simple string for transmission to the client.

A non-empty string.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Some messages have required fields, or combinations of fields that must relate to each other in specialized ways. After deserializing a message, this method checks the state of the message to see if it conforms to the protocol. Note that this property should not check signatures or perform any state checks outside this scope of this particular message. Thrown if the message is invalid.

Gets or sets the lifetime of the access token.

The lifetime.

Gets the type of this instance.

The type of the bag. This ensures that one token cannot be misused as another kind of token.

Describes the various levels at which client information may be extracted from an inbound message.

No client identification or authentication was discovered.

The client identified itself, but did not attempt to authenticate itself.

The client authenticated itself (provided compelling evidence that it was who it claims to be).

The client failed in an attempt to authenticate itself, claimed to be an unrecognized client, or otherwise messed up.

A message that carries an access token between client and authorization server.

A message that carries some kind of token from the client to the authorization or resource server.

Gets the authorization that the code or token describes.

Gets or sets the access token.

Gets or sets the authorization that the token describes.

An extensibility point that allows authorization servers and resource servers to customize how scopes may be considered supersets of each other.

Implementations must be thread-safe.

Checks whether the granted scope is a superset of the required scope.

The set of strings that the resource server demands in an access token's scope in order to complete some operation. The set of strings that define the scope within an access token that the client is authorized to. true if is a superset of to allow the request to proceed; false otherwise. The default reasonable implementation of this is:


                return .IsSupersetOf();

In some advanced cases it may not be so simple. One case is that there may be a string that aggregates the capabilities of several others in order to simplify common scenarios. For example, the scope "ReadAll" may represent the same authorization as "ReadProfile", "ReadEmail", and "ReadFriends". Great care should be taken in implementing this method as this is a critical security module for the authorization and resource servers.

Encodes or decodes a set of scopes into the OAuth 2.0 scope message part.

Initializes a new instance of the class.

Encodes the specified value.

The value. Guaranteed to never be null. The in string form, ready for message transport.

Decodes the specified value.

The string value carried by the transport. Guaranteed to never be null, although it may be empty. The deserialized form of the given string. Thrown when the string value given cannot be decoded into the required object type.

Code contract for the interface.

Prevents a default instance of the class from being created.

Gets the identifier of the client authorized to access protected data.

Gets the date this authorization was established or the token was issued.

A date/time expressed in UTC.

Gets the name on the account whose data on the resource server is accessible using this authorization, if applicable.

A username, or null if the authorization is to access the client's own data (not a distinct resource owner's data).

Gets the scope of operations the client is allowed to invoke.

A message that accompanies an HTTP request to a resource server that provides authorization.

In its current form, this class only accepts bearer access tokens. When support for additional access token types is added, this class should probably be refactored into derived types, where each derived type supports a particular access token type.

A common message base class for OAuth messages.

A dictionary to contain extra message data.

The originating request.

The backing field for the property.

A value indicating whether this message is a direct or indirect message.

Initializes a new instance of the class that is used for direct response messages.

The version.

Initializes a new instance of the class.

The originating request. The recipient of the directed message. Null if not applicable.

Initializes a new instance of the class that is used for directed messages.

The version. The message transport. The recipient.

Checks the message state for conformity to the protocol specification and throws an exception if the message is invalid.

Gets the version of the protocol or extension this message is prepared to implement.

Implementations of this interface should ensure that this property never returns null.

Gets the extra, non-standard Protocol parameters included in the message.

Implementations of this interface should ensure that this property never returns null.

Gets the level of protection this message requires.

Gets a value indicating whether this is a direct or indirect message.

Gets the preferred method of transport for the message.

For indirect messages this will likely be GET+POST, which both can be simulated in the user agent: the GET with a simple 301 Redirect, and the POST with an HTML form in the response with javascript to automate submission.

Gets the URL of the intended receiver of this message.

Gets the originating request message that caused this response to be formed.

Gets the level of protection this message requires.

Gets a value indicating whether this is a direct or indirect message.

Gets the version of the protocol or extension this message is prepared to implement.

Gets or sets the preferred method of transport for the message.

Gets the originating request message that caused this response to be formed.

Gets the URL of the intended receiver of this message.

Initializes a new instance of the class.

The recipient. The version.

Gets or sets the access token.

Gets or sets the authorization that the token describes.

Gets the authorization that the token describes.

Gets the type of the access token.

Always "bearer".

Gets or sets the access token.

The access token.

A direct response sent in response to a rejected Bearer access token.

This satisfies the spec in: http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#authn-header

The headers in the response message.

Initializes a new instance of the class.

The protocol version.

Initializes a new instance of the class.

The request.

Initializes a new instance of the class to inform the client that the request was invalid.

The exception. The version of OAuth 2 that is in use. The error message.

Initializes a new instance of the class to inform the client that the bearer token included in the request was rejected.

The request. The exception. The error message.

Initializes a new instance of the class to inform the client of the required set of scopes required to perform this operation.

The request. The set of scopes required to perform this operation. The error message.

Ensures the message is valid.

Ensures the error or error_description parameters contain only allowed characters.

The argument. The name of the parameter being validated. Used when errors are reported.

Ensures the error_uri parameter contains only allowed characters and is an absolute URI.

The absolute URI.

Gets or sets the HTTP status code that the direct response should be sent with.

Gets the HTTP headers to add to the response.

May be an empty collection, but must not be null.

Gets or sets the well known error code.

One of the values from .

Gets or sets a human-readable explanation for developers that is not meant to be displayed to end users.

Gets or sets an absolute URI identifying a human-readable web page explaining the error.

Gets or sets the realm.

The realm.

Gets or sets the scope.

The scope.

Gets the scheme to use in the WWW-Authenticate header.

Some common utility methods for OAuth 2.0.

The string "Basic ".

The instance to use when comparing scope equivalence.

The delimiter between scope elements.

A colon, in a 1-length character array.

The encoding to use when preparing credentials for transit in HTTP Basic base64 encoding form.

The characters that may appear in an access token that is included in an HTTP Authorization header.

This is defined in OAuth 2.0 DRAFT 10, section 5.1.1. (http://tools.ietf.org/id/draft-ietf-oauth-v2-10.html#authz-header)

Identifies individual scope elements

The space-delimited list of scopes. A set of individual scopes, with any duplicates removed.

Serializes a set of scopes as a space-delimited list.

The scopes to serialize. A space-delimited list.

Parses a space-delimited list of scopes into a set.

The space-delimited string. A set.

Creates a set out of an array of strings.

The array of strings. A set.

Verifies that a sequence of scope tokens are all valid.

The scopes.

Verifies that a given scope token (not a space-delimited set, but a single token) is valid.

The scope token.

Authorizes an HTTP request using an OAuth 2.0 access token in an HTTP Authorization header.

The request to authorize. The access token previously obtained from the Authorization Server.

Authorizes an HTTP request using an OAuth 2.0 access token in an HTTP Authorization header.

The headers on the request for protected resources from the service provider. The access token previously obtained from the Authorization Server.

Applies the HTTP Authorization header for HTTP Basic authentication.

The headers collection to set the authorization header to. The username. Cannot be empty. The password. Cannot be null.

Extracts the username and password from an HTTP Basic authorized web header.

The incoming web headers. The network credentials; or null if none could be discovered in the request.

The default scope superset checker, which assumes that no scopes overlap.

Checks whether the granted scope is a superset of the required scope.


                return .IsSupersetOf();

An enumeration of the OAuth protocol versions supported by this library.

The OAuth 2.0 specification.

Protocol constants for OAuth 2.0.

The HTTP authorization scheme "Bearer";

The HTTP authorization scheme "Bearer ";

The format of the HTTP Authorization header value that authorizes OAuth 2.0 requests using bearer access tokens.

The name of the parameter whose value is an OAuth 2.0 bearer access token, as it is defined in a URL-encoded POST entity or URL query string.

The "state" string.

The "redirect_uri_mismatch" string.

The "redirect_uri" string.

The "client_id" string.

The "scope" string.

The "client_secret" string.

The "code" string.

The "error" string.

The "access_token" string.

The "token_type" string.

The "refresh_token" string.

The "expires_in" string.

The "username" string.

The "password" string.

The "error_uri" string.

The "error_description" string.

The "response_type" string.

The "grant_type" string.

Gets the instance with values initialized for V1.0 of the protocol.

A list of all supported OAuth versions, in order starting from newest version.

The default (or most recent) supported version of the OpenID protocol.

Gets the OAuth Protocol instance to use for the given version.

The OAuth version to get. A matching instance.

Gets or sets the OAuth 2.0 version represented by this instance.

The version.

Gets or sets the OAuth 2.0 version represented by this instance.

The protocol version.

Values for the "response_type" parameter.

The string "code".

The string "token".

Error codes that an authorization server can return to a client in response to a malformed or unsupported access token request.

The request is missing a required parameter, includes an unknown parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.

Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.

The provided authorization grant (e.g. authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

The authenticated client is not authorized to use this authorization grant type.

The authorization grant type is not supported by the authorization server.

The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.

Error codes that an authorization server can return to a client in response to a malformed or unsupported end user authorization request.

The request is missing a required parameter, includes an unknown parameter or parameter value, or is otherwise malformed.

The client is not authorized to use the requested response type.

The end-user or authorization server denied the request.

The requested response type is not supported by the authorization server.

The requested scope is invalid, unknown, or malformed.

The authorization server encountered an unexpected condition which prevented it from fulfilling the request.

The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

Recognized access token types.

The "bearer" token type.

The error codes prescribed in http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#resource-error-codes

The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.

The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.

The request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the scope attribute with the scope necessary to access the protected resource.

A strongly-typed resource class, for looking up localized strings, etc.

Returns the cached ResourceManager instance used by this class.

Overrides the current thread's CurrentUICulture property for all resource lookups using this strongly typed resource class.

Looks up a localized string similar to The value for message part "{0}" must be an absolute URI..

Looks up a localized string similar to The access token contains characters that must not appear in the HTTP Authorization header..

Looks up a localized string similar to At least one parameter is required for the Bearer scheme in its WWW-Authenticate header..

Looks up a localized string similar to This message can only be sent over HTTPS..

Looks up a localized string similar to The scope token "{0}" contains illegal characters or is empty..

Looks up a localized string similar to Refresh tokens should not be granted without the request including an access grant..

Looks up a localized string similar to The '{0}' parameter contains the illegal character '{1}'..

Looks up a localized string similar to The return value of {0}.{1} should never be null..

Looks up a localized string similar to Individual scopes may not contain spaces..