diff --git a/Owin.Security.Providers/ArcGISOnline/ArcGISOnlineAuthenticationHandler.cs b/Owin.Security.Providers/ArcGISOnline/ArcGISOnlineAuthenticationHandler.cs
index b9f9ee1..a5c71ce 100644
--- a/Owin.Security.Providers/ArcGISOnline/ArcGISOnlineAuthenticationHandler.cs
+++ b/Owin.Security.Providers/ArcGISOnline/ArcGISOnlineAuthenticationHandler.cs
@@ -34,6 +34,7 @@ namespace Owin.Security.Providers.ArcGISOnline
 try
 {
 string code = null;
+ string state = null;
 IReadableStringCollection query = Request.Query;
 IList values = query.GetValues("code");
@@ -41,18 +42,34 @@ namespace Owin.Security.Providers.ArcGISOnline
 {
 code = values[0];
 }
+ values = query.GetValues("state");
+ if (values != null && values.Count == 1)
+ {
+ state = values[0];
+ }
+ properties = Options.StateDataFormat.Unprotect(state);
+ if (properties == null)
+ {
+ return null;
+ }
+ // OAuth2 10.12 CSRF
+ if (!ValidateCorrelationId(properties,logger))
+ {
+ return new AuthenticationTicket(null, properties);
+ }
+
 string requestPrefix = Request.Scheme + "://" + Request.Host;
 string redirectUri = requestPrefix + Request.PathBase + Options.CallbackPath;
 // Build up the body for the token request
 var body = new List>();
+ body.Add(new KeyValuePair("grant_type", "authorization_code"));
 body.Add(new KeyValuePair("code", code));
 body.Add(new KeyValuePair("redirect_uri", redirectUri));
 body.Add(new KeyValuePair("client_id", Options.ClientId));
 body.Add(new KeyValuePair("client_secret", Options.ClientSecret));
- body.Add(new KeyValuePair("grant_type", "authorization_code"));
-
+
 // Request the token
 var requestMessage = new HttpRequestMessage(HttpMethod.Post, Options.Endpoints.TokenEndpoint);
 requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
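Review bot: `state` is handed to `Options.StateDataFormat.Unprotect` even when the `state` query parameter was absent or repeated, in which case it is still null; unless that data format is known to return null for a null input, an explicit `if (state == null) { return null; }` before the Unprotect call makes the rejection independent of that implementation detail. With `properties` now validated, a missing `code` still flows into the token request body as a null value; returning `new AuthenticationTicket(null, properties)` when `code == null` after the correlation check would keep the failure paths consistent and avoid a pointless round-trip to the token endpoint. `properties` and `logger` are assigned and read here but declared outside the hunk, as the enclosing method starts before it. Minor style: `ValidateCorrelationId(properties,logger)` wants a space after the comma.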
@@ -104,12 +121,8 @@ namespace Owin.Security.Providers.ArcGISOnline
 Request.Host + Request.PathBase;
- context.Properties = new AuthenticationProperties
- {
- RedirectUri = baseUri +
- "/Account/ExternalLoginCallback"
- };
-
+ context.Properties = properties;
+
 await Options.Provider.Authenticated(context);
 return new AuthenticationTicket(context.Identity, context.Properties);
@@ -146,7 +159,14 @@ namespace Owin.Security.Providers.ArcGISOnline
 string redirectUri = baseUri + Options.CallbackPath;
+ AuthenticationProperties properties=challenge.Properties;
+ if (string.IsNullOrEmpty(properties.RedirectUri))
+ {
+ properties.RedirectUri = currentUri;
+ }
+ GenerateCorrelationId(properties);
+ string state = Options.StateDataFormat.Protect(properties);
 // comma separated
 string scope = string.Join(",", Options.Scope);
@@ -154,7 +174,8 @@ namespace Owin.Security.Providers.ArcGISOnline
 Options.Endpoints.AuthorizationEndpoint +
 "?client_id=" + Uri.EscapeDataString(Options.ClientId) +
 "&response_type=" + Uri.EscapeDataString(scope) +
- "&redirect_uri=" + Uri.EscapeDataString(redirectUri);
+ "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
+ "&state=" + Uri.EscapeDataString(state);
 Response.Redirect(authorizationEndpoint);
 }
diff --git a/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838.mdf b/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838.mdf
index 0961ca7..ca288e8 100644
Binary files a/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838.mdf and b/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838.mdf differ
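Review bot: Once the hard-coded `/Account/ExternalLoginCallback` block is gone, the `baseUri` whose assignment ends on the `Request.Host + Request.PathBase;` context line appears to have no remaining reader in this method; if nothing above the hunk still uses it, that assignment is dead code and should go with this change. The method body starts and ends outside the hunk, so this is inferred from the visible lines only.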
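Review bot: `currentUri` is assigned to `properties.RedirectUri` but is not declared anywhere in the hunk, so it must already exist earlier in the method, which starts outside the hunk; if it does not, this does not compile, and if it does it is worth confirming it is composed from the same-host `baseUri` used for `redirectUri`, since it becomes the post-login redirect carried inside the protected state. Style: `AuthenticationProperties properties=challenge.Properties;` should read `AuthenticationProperties properties = challenge.Properties;` to match the spacing of the surrounding code.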
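Review bot: The new `&state=` parameter is appended to a query in which `&response_type=` still carries the comma-joined scope string rather than the `code` an authorization-code flow expects, even though the callback exchanges a `code` with `grant_type=authorization_code`; that mix-up predates this commit, but this hunk rewrites the tail of the query and is the natural place to fix it: `"&response_type=code" +` and, if the endpoint honors it, `"&scope=" + Uri.EscapeDataString(scope) +`. Escaping the protected state with `Uri.EscapeDataString(state)` is correct as written.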
diff --git a/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838_log.ldf b/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838_log.ldf
index 75f6af2..b232d0f 100644
Binary files a/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838_log.ldf and b/OwinOAuthProvidersDemo/App_Data/aspnet-OwinOAuthProvidersDemo-20131113093838_log.ldf differ