IsAuthorizationValid not invoked for Resource Owner Password Grants?


Brad Laney

Jul 23, 2012, 8:12:44 PM
to dotnet...@googlegroups.com
When TryAuthorizeResourceOwnerCredentialGrant is invoked it is not guaranteed that the client has been authenticated because IsAuthorizationValid is never invoked by DNOA. Seems like a bug?

Also, IClientDescription GetClient() is invoked before authorization is marked as valid. This will throw an error in the example:
throw new ArgumentOutOfRangeException("clientIdentifier");

Is this correct behavior? I feel like GetClient() must always invoke IsAuthorizationValid() but cannot because we cannot construct an impl.

Andrew Arnott

Jul 23, 2012, 9:14:11 PM
to dotnet...@googlegroups.com
Brad,

IsAuthorizationValid isn't intended for validating clients.  It's for checking whether a given client was previously authorized for certain permissions that haven't been revoked yet.  Authenticating the client is done yes, by throwing an ArgumentException if the client_id isn't recognized, or by IClientDescription.IsValidClientSecret returning false if the client_secret is wrong.  

For verifying the resource owner password, and whether a client is authorized to use resource owner password grants, the IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant method fulfills this.

I hope that clarifies it.
--
You received this message because you are subscribed to the Google Groups "DotNetOpenAuth" group.
To view this discussion on the web visit https://groups.google.com/d/msg/dotnetopenid/-/6rejHOnColUJ.
To post to this group, send email to dotnet...@googlegroups.com.
To unsubscribe from this group, send email to dotnetopenid...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/dotnetopenid?hl=en.


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

Brad Laney

Jul 24, 2012, 11:21:26 AM
to dotnet...@googlegroups.com
But in that method, it does not give you the client_secret. I couldn't find any overloads that expose the client_secret.

I am trying to validate that the client_id and client_secret match because the OAuth specs say to never rely on the client_id alone for authentication.

Andrew Arnott

Jul 24, 2012, 12:57:00 PM
to dotnet...@googlegroups.com
Brad,

First of all, props to you for reading the spec -- I think many folks use these security protocols without doing that. 
The client_secret is indeed validated.  DNOA uses IAuthorizationServerHost.GetClient(client_id) to obtain an IClientDescription, and then calls IClientDescription.IsValidClientSecret to validate that the client secret is valid.  It does this before ever calling IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant.  If the client_id and secret do not match, it rejects the request.  If the secret is omitted, the client is assumed to be public.

When DNOA calls IAuthorizationServerHost.TryAuthorizeResourceOwnerCredentialGrant, the IAccessTokenRequest instance that it passes in as the third parameter can be used to determine whether it is an anonymous client, a public client, or a confidential client.  

So I believe everything you need is already there.  Let me know if you disagree.
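The flow Andrew describes, written out as an added example; this is not code from the thread or from DotNetOpenAuth's own samples. It assumes the DNOA 4.0-era interface shapes: IClientDescription with IsValidClientSecret, IAuthorizationServerHost.GetClient / IsAuthorizationValid / TryAuthorizeResourceOwnerCredentialGrant(userName, password, IAccessTokenRequest, out canonicalUserName), IAccessTokenRequest.ClientAuthenticated, and IAuthorizationDescription.ClientIdentifier / User / UtcIssued; check the member names against the DNOA version in use. The client registry, the password callback and the revocation store are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using DotNetOpenAuth.OAuth2;   // assumed: IAuthorizationServerHost, IClientDescription, ClientType,
                               // IAccessTokenRequest, IAuthorizationDescription (DNOA 4.0-era API)

// A registered client. DNOA calls IsValidClientSecret on this object (right after GetClient)
// before it ever reaches TryAuthorizeResourceOwnerCredentialGrant.
public sealed class RegisteredClient : IClientDescription
{
    private readonly byte[] secretHash; // SHA-256 of the secret; the plaintext is never kept

    public RegisteredClient(string clientId, string secret, ClientType type)
    {
        this.ClientId = clientId;
        this.ClientType = type;
        this.secretHash = secret == null ? null : Sha256(secret);
    }

    public string ClientId { get; private set; }
    public ClientType ClientType { get; private set; }
    public Uri DefaultCallback { get { return null; } }           // no redirect flow for this client
    public bool HasNonEmptySecret { get { return this.secretHash != null; } }
    public bool IsCallbackAllowed(Uri callback) { return false; } // password grant only

    public bool IsValidClientSecret(string secret)
    {
        if (secret == null || this.secretHash == null) return false;
        return FixedTimeEquals(this.secretHash, Sha256(secret));
    }

    private static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Compare every byte regardless of where the first mismatch is, so the comparison
    // time does not reveal how much of the secret was correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The host members the thread is about. The remaining IAuthorizationServerHost members
// (CryptoKeyStore, NonceStore, CreateAccessToken) live in the other part of this partial class.
public sealed partial class SampleAuthorizationServerHost : IAuthorizationServerHost
{
    private readonly Dictionary<string, RegisteredClient> clients;
    private readonly Func<string, string, bool> verifyPassword; // resource owner credential check (constructed)
    private readonly Dictionary<string, DateTime> revokedUtc =  // "client|user" -> time of revocation
        new Dictionary<string, DateTime>(StringComparer.Ordinal);

    public SampleAuthorizationServerHost(IEnumerable<RegisteredClient> clients, Func<string, string, bool> verifyPassword)
    {
        this.clients = new Dictionary<string, RegisteredClient>(StringComparer.Ordinal);
        foreach (var c in clients) this.clients[c.ClientId] = c;
        this.verifyPassword = verifyPassword;
    }

    // Unknown client_id: throw, as the DNOA sample does; DNOA turns this into a rejected request.
    public IClientDescription GetClient(string clientIdentifier)
    {
        RegisteredClient client;
        if (clientIdentifier == null || !this.clients.TryGetValue(clientIdentifier, out client))
            throw new ArgumentOutOfRangeException("clientIdentifier");
        return client;
    }

    // Not a client check: answers whether a previously issued grant is still in force.
    public bool IsAuthorizationValid(IAuthorizationDescription authorization)
    {
        DateTime revokedAt;
        string key = authorization.ClientIdentifier + "|" + authorization.User;
        return !this.revokedUtc.TryGetValue(key, out revokedAt) || authorization.UtcIssued > revokedAt;
    }

    public void RevokeAuthorizations(string clientId, string user)
    {
        this.revokedUtc[clientId + "|" + user] = DateTime.UtcNow;
    }

    // Reached only after IsValidClientSecret accepted the secret, or no secret was sent (public client).
    // Policy chosen here: only clients that actually authenticated may use the password grant.
    public bool TryAuthorizeResourceOwnerCredentialGrant(
        string userName, string password, IAccessTokenRequest accessRequest, out string canonicalUserName)
    {
        canonicalUserName = null;
        if (!accessRequest.ClientAuthenticated) return false;
        if (!this.verifyPassword(userName, password)) return false;
        canonicalUserName = userName.ToLowerInvariant();
        return true;
    }
}
```

The order DNOA follows is GetClient, then IsValidClientSecret on the returned description, then TryAuthorizeResourceOwnerCredentialGrant; the host therefore never sees the client_secret itself, and the accessRequest.ClientAuthenticated flag is what tells it whether the secret check passed or the client is public. IsAuthorizationValid is kept purely as a revocation lookup, matching Andrew's description of its purpose.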

Brad Laney

Jul 24, 2012, 2:04:22 PM
to dotnet...@googlegroups.com
I see... I am getting 401 when the error is thrown. My mistake for bringing up the topic, I thought I wasn't receiving a 401 on the client because of the thrown exception. I am guessing that GetClient is wrapped in a try/catch and throws a 401 if an exception is thrown. Awesome.

Thanks