microsoft
diff --git a/‎OAuthWebSample/.gitignore
Lines changed: 1 addition & 1 deletion b/‎OAuthWebSample/.gitignore
Lines changed: 1 addition & 1 deletion
diff --git a/‎OAuthWebSample/OAuthWebSample/Controllers/OAuthController.cs
Lines changed: 153 additions & 93 deletions b/‎OAuthWebSample/OAuthWebSample/Controllers/OAuthController.cs
Lines changed: 153 additions & 93 deletions
diff --git a/‎OAuthWebSample/OAuthWebSample/Models/TokenModel.cs
Lines changed: 12 additions & 17 deletions b/‎OAuthWebSample/OAuthWebSample/Models/TokenModel.cs
Lines changed: 12 additions & 17 deletions
diff --git a/‎OAuthWebSample/OAuthWebSample/OAuthWebSample.csproj
Lines changed: 1 addition & 4 deletions b/‎OAuthWebSample/OAuthWebSample/OAuthWebSample.csproj
Lines changed: 1 addition & 4 deletions
@@ -6,7 +6,7 @@
 *.user
 *.sln.docstates
 *.sln.ide/
-OAuthSample/Properties/PublishProfiles/
+OAuthWebSample/Properties/PublishProfiles/
 
 # Build results
 
 
@@ -1,145 +1,205 @@
 using System;
 using System.Configuration;
+using System.Collections.Generic;
 using System.IO;
 using System.Net;
 using System.Web;
 using System.Web.Mvc;
 using Newtonsoft.Json;
 using OAuthSample.Models;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+using Newtonsoft.Json.Linq;
+using System.Net.Http.Headers;
 
 namespace OAuthSample.Controllers
 {
     public class OAuthController : Controller
     {
-        //
-        // GET: /OAuth/
-        public ActionResult Index()
+        private static readonly HttpClient s_httpClient = new HttpClient();
+        private static readonly Dictionary<Guid, TokenModel> s_authorizationRequests = new Dictionary<Guid, TokenModel>();
+
+        /// <summary>
+        /// Start a new authorization request. 
+        /// 
+        /// This creates a random state value that is used to correlate/validate the request in the callback later.
+        /// </summary>
+        /// <returns></returns>
+        public ActionResult Authorize()
         {
+            Guid state = Guid.NewGuid();
 
-            return View();
+            s_authorizationRequests[state] = new TokenModel() { IsPending = true };
+            
+            return new RedirectResult(GetAuthorizationUrl(state.ToString()));
         }
 
-        public ActionResult RequestToken(string code, string status)
+        /// <summary>
+        /// Constructs an authorization URL with the specified state value.
+        /// </summary>
+        /// <param name="state"></param>
+        /// <returns></returns>
+        private static String GetAuthorizationUrl(String state)
         {
-            return new RedirectResult(GenerateAuthorizeUrl());
+            UriBuilder uriBuilder = new UriBuilder(ConfigurationManager.AppSettings["AuthUrl"]);
+            var queryParams = HttpUtility.ParseQueryString(uriBuilder.Query ?? String.Empty);
+
+            queryParams["client_id"] = ConfigurationManager.AppSettings["ClientAppId"];
+            queryParams["response_type"] = "Assertion";
+            queryParams["state"] = state;
+            queryParams["scope"] = ConfigurationManager.AppSettings["Scope"];
+            queryParams["redirect_uri"] = ConfigurationManager.AppSettings["CallbackUrl"];
+
+            uriBuilder.Query = queryParams.ToString();
+
+            return uriBuilder.ToString();
         }
 
-        public ActionResult RefreshToken(string refreshToken)
+        /// <summary>
+        /// Callback action. Invoked after the user has authorized the app.
+        /// </summary>
+        /// <param name="code"></param>
+        /// <param name="state"></param>
+        /// <returns></returns>
+        public async Task<ActionResult> Callback(String code, Guid state)
         {
-            TokenModel token = new TokenModel();
-            String error = null;
-
-            if (!String.IsNullOrEmpty(refreshToken))
+            String error;
+            if (ValidateCallbackValues(code, state.ToString(), out error))
             {
-                error = PerformTokenRequest(GenerateRefreshPostData(refreshToken), out token);
-                if (String.IsNullOrEmpty(error))
+                // Exchange the auth code for an access token and refresh token
+                HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Post, ConfigurationManager.AppSettings["TokenUrl"]);
+                requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+
+                Dictionary<String, String> form = new Dictionary<String, String>()
                 {
-                    ViewBag.Token = token;
-                }
-            }
+                    { "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
+                    { "client_assertion", ConfigurationManager.AppSettings["ClientAppSecret"] },
+                    { "grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer" },
+                    { "assertion", code },
+                    { "redirect_uri", ConfigurationManager.AppSettings["CallbackUrl"] }
+                };
+                requestMessage.Content = new FormUrlEncodedContent(form);
 
-            ViewBag.Error = error;
+                HttpResponseMessage responseMessage = await s_httpClient.SendAsync(requestMessage);
 
-            return View("TokenView");
-        }
-
-        public ActionResult Callback(string code, string state)
-        {
-            TokenModel token = new TokenModel();
-            String error = null;
+                if (responseMessage.IsSuccessStatusCode)
+                {
+                    String body = await responseMessage.Content.ReadAsStringAsync();
 
-            if (!String.IsNullOrEmpty(code))
-            {
-                error = PerformTokenRequest(GenerateRequestPostData(code), out token);
-                if (String.IsNullOrEmpty(error))
+                    TokenModel tokenModel = s_authorizationRequests[state];
+                    JsonConvert.PopulateObject(body, tokenModel);
+                    
+                    ViewBag.Token = tokenModel;
+                }
+                else
                 {
-                    ViewBag.Token = token;
+                    error = responseMessage.ReasonPhrase;
                 }
             }
 
-            ViewBag.Error = error;
+            if (!String.IsNullOrEmpty(error))
+            {
+                ViewBag.Error = error;
+            }
+
+            ViewBag.ProfileUrl = ConfigurationManager.AppSettings["ProfileUrl"];
 
             return View("TokenView");
         }
 
-        private String PerformTokenRequest(String postData, out TokenModel token)
+        /// <summary>
+        /// Ensures the specified auth code and state value are valid. If both are valid, the state value is marked so it can't be used again.        
+        /// </summary>
+        /// <param name="code"></param>
+        /// <param name="state"></param>
+        /// <param name="error"></param>
+        /// <returns></returns>
+        private static bool ValidateCallbackValues(String code, String state, out String error)
         {
-            var error = String.Empty;
-            var strResponseData = String.Empty;
+            error = null;
 
-            HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(
-                ConfigurationManager.AppSettings["TokenUrl"]
-            );
-
-            webRequest.Method = "POST";
-            webRequest.ContentLength = postData.Length;
-            webRequest.ContentType = "application/x-www-form-urlencoded";
-
-            using (StreamWriter swRequestWriter = new StreamWriter(webRequest.GetRequestStream()))
+            if (String.IsNullOrEmpty(code))
             {
-                swRequestWriter.Write(postData);
+                error = "Invalid auth code";
             }
-
-            try
+            else
             {
-                HttpWebResponse hwrWebResponse = (HttpWebResponse)webRequest.GetResponse();
-
-                if (hwrWebResponse.StatusCode == HttpStatusCode.OK)
+                Guid authorizationRequestKey;
+                if (!Guid.TryParse(state, out authorizationRequestKey))
                 {
-                    using (StreamReader srResponseReader = new StreamReader(hwrWebResponse.GetResponseStream()))
+                    error = "Invalid authorization request key";
+                }
+                else
+                {
+                    TokenModel tokenModel;
+                    if (!s_authorizationRequests.TryGetValue(authorizationRequestKey, out tokenModel))
                     {
-                        strResponseData = srResponseReader.ReadToEnd();
+                        error = "Unknown authorization request key";
+                    }
+                    else if (!tokenModel.IsPending)
+                    {
+                        error = "Authorization request key already used";
+                    }
+                    else
+                    {
+                        s_authorizationRequests[authorizationRequestKey].IsPending = false; // mark the state value as used so it can't be reused
                     }
-
-                    token = JsonConvert.DeserializeObject<TokenModel>(strResponseData);
-                    return null;
                 }
             }
-            catch (WebException wex)
-            {
-                error = "Request Issue: " + wex.Message;
-            }
-            catch (Exception ex)
-            {
-                error = "Issue: " + ex.Message;
-            }
 
-            token = new TokenModel();
-            return error;
+            return error == null;
         }
-
-        public String GenerateAuthorizeUrl()
+    
+        /// <summary>
+        /// Gets a new access
+        /// </summary>
+        /// <param name="refreshToken"></param>
+        /// <returns></returns>
+        public async Task<ActionResult> RefreshToken(string refreshToken)
         {
-            UriBuilder uriBuilder = new UriBuilder(ConfigurationManager.AppSettings["AuthUrl"]);
-            var queryParams = HttpUtility.ParseQueryString(uriBuilder.Query ?? String.Empty);
-
-            queryParams["client_id"] = ConfigurationManager.AppSettings["ClientAppId"];
-            queryParams["response_type"] = "Assertion";
-            queryParams["state"] = "state";
-            queryParams["scope"] = ConfigurationManager.AppSettings["Scope"];
-            queryParams["redirect_uri"] = ConfigurationManager.AppSettings["CallbackUrl"];
-
-            uriBuilder.Query = queryParams.ToString();
+            String error = null;
+            if (!String.IsNullOrEmpty(refreshToken))
+            {
+                // Form the request to exchange an auth code for an access token and refresh token
+                HttpRequestMessage requestMessage = new HttpRequestMessage(HttpMethod.Post, ConfigurationManager.AppSettings["TokenUrl"]);
+                requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
 
-            return uriBuilder.ToString();
-        }
+                Dictionary<String, String> form = new Dictionary<String, String>()
+                {
+                    { "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
+                    { "client_assertion", ConfigurationManager.AppSettings["ClientAppSecret"] },
+                    { "grant_type", "refresh_token" },
+                    { "assertion", refreshToken },
+                    { "redirect_uri", ConfigurationManager.AppSettings["CallbackUrl"] }
+                };
+                requestMessage.Content = new FormUrlEncodedContent(form);
+
+                // Make the request to exchange the auth code for an access token (and refresh token)
+                HttpResponseMessage responseMessage = await s_httpClient.SendAsync(requestMessage);
+
+                if (responseMessage.IsSuccessStatusCode)
+                {
+                    // Handle successful request
+                    String body = await responseMessage.Content.ReadAsStringAsync();
+                    ViewBag.Token = JObject.Parse(body).ToObject<TokenModel>();
+                }
+                else
+                {
+                    error = responseMessage.ReasonPhrase;
+                }
+            }
+            else
+            {
+                error = "Invalid refresh token";
+            }
 
-        public string GenerateRequestPostData(string code)
-        {
-            return string.Format("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={1}&redirect_uri={2}",
-                HttpUtility.UrlEncode(ConfigurationManager.AppSettings["ClientAppSecret"]),
-                HttpUtility.UrlEncode(code),
-                ConfigurationManager.AppSettings["CallbackUrl"]
-            );
-        }
+            if (!String.IsNullOrEmpty(error))
+            {
+                ViewBag.Error = error;
+            }
 
-        public string GenerateRefreshPostData(string refreshToken)
-        {
-            return string.Format("client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={0}&grant_type=refresh_token&assertion={1}&redirect_uri={2}",
-                HttpUtility.UrlEncode(ConfigurationManager.AppSettings["ClientAppSecret"]),
-                HttpUtility.UrlEncode(refreshToken),
-                ConfigurationManager.AppSettings["CallbackUrl"]
-            );
-        }
+            return View("TokenView");
+        }       
     }
 }
@@ -1,28 +1,23 @@
 using System;
-using Newtonsoft.Json;
-
+using System.Runtime.Serialization;
 
 namespace OAuthSample.Models
 {
+    [DataContract]
     public class TokenModel
-    {
-        public TokenModel()
-        {
-
-        }
+    {    
+        [DataMember(Name = "access_token")]
+        public String AccessToken { get; set; }
 
-        [JsonProperty(PropertyName = "access_token")]
-        public String accessToken { get; set; }
+        [DataMember(Name = "token_type")]
+        public String TokenType { get; set; }
 
-        [JsonProperty(PropertyName = "token_type")]
-        public String tokenType { get; set; }
+        [DataMember(Name = "refresh_token")]
+        public String RefreshToken { get; set; }
 
-        [JsonProperty(PropertyName = "expires_in")]
-        public String expiresIn { get; set; }
-
-        [JsonProperty(PropertyName = "refresh_token")]
-        public String refreshToken { get; set; }
+        [DataMember(Name = "expires_in")]
+        public int ExpiresIn { get; set; }
 
+        public bool IsPending { get; set; }
     }
-
 }
@@ -46,6 +46,7 @@
     <Reference Include="System.Data" />
     <Reference Include="System.Data.Entity" />
     <Reference Include="System.Drawing" />
+    <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Web.DynamicData" />
     <Reference Include="System.Web.Entity" />
     <Reference Include="System.Web.ApplicationServices" />
@@ -134,9 +135,6 @@
     <Content Include="Content\Site.css" />
     <Content Include="Scripts\bootstrap.js" />
     <Content Include="Scripts\bootstrap.min.js" />
-    <None Include="Properties\PublishProfiles\OAuthSample.pubxml" />
-    <None Include="Properties\PublishProfiles\vsoalmoauthtest.pubxml" />
-    <None Include="Properties\PublishProfiles\vsooauthsample.pubxml" />
     <None Include="Scripts\jquery-1.10.2.intellisense.js" />
     <Content Include="Scripts\jquery-1.10.2.js" />
     <Content Include="Scripts\jquery-1.10.2.min.js" />
@@ -159,7 +157,6 @@
     <Content Include="Views\Home\Contact.cshtml" />
     <Content Include="Views\Home\Index.cshtml" />
     <Content Include="Scripts\jquery-1.10.2.min.map" />
-    <Content Include="Views\OAuth\Index.cshtml" />
     <Content Include="Views\OAuth\TokenView.cshtml" />
   </ItemGroup>
   <ItemGroup />