So I’m trying to re-implement the OAuth1 OAuthConsumer and OAuthServiceProvider samples from DotNetOpenAuth using MVC 4 Webapi instead of WCF. I have everything going up to the point in the Callback endpoint. When it makes the ProcessUserAuthorization call it seems to take a different path in the DotNetOpenAuth code in the MVC 4 version then it does in the sample. In the sample it makes a call to the DatabaseTokenManager.GetRequestToken method. However in the MVC 4 version it calls the GetAccessToken method.
I’m using the same Consumer project in each case. I copied the OAuth.ashx from the original sample to the MVC 4 version. I created a new token manager, using the same database but not using EntityFramework, I’m using PetaPoco for DB access.
The question I have is why is this happening, and if anyone has done a sample of OAuth1 using MVC4/WebApi. It would be nice to see this in action under current web frameworks.
Here is the call stack:
DotNetOpenAuth.OAuth.ServiceProvider.dll!DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.VerifyThrowTokenNotExpired(DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest message) + 0x7d bytes
DotNetOpenAuth.OAuth.ServiceProvider.dll!DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message) + 0x92 bytes
DotNetOpenAuth.Core.dll!DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(DotNetOpenAuth.Messaging.IProtocolMessage message = {DotNetOpenAuth.OAuth.Messages.AccessProtectedResourceRequest}) + 0x1d3 bytes
DotNetOpenAuth.Core.dll!DotNetOpenAuth.Messaging.Channel.ReadFromRequest(System.Web.HttpRequestBase httpRequest) + 0x26d bytes
Provider.dll!Provider.OAuthHandler.ProcessRequest(System.Web.HttpContext context = {System.Web.HttpContext}) Line 29 + 0x23 bytes C#
System.Web.dll!System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() + 0x391 bytes
System.Web.dll!System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication.IExecutionStep step = {System.Web.HttpApplication.CallHandlerExecutionStep}, ref bool completedSynchronously = false) + 0xa5 bytes
System.Web.dll!System.Web.HttpApplication.PipelineStepManager.ResumeSteps(System.Exception error) + 0x7d1 bytes
System.Web.dll!System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext context, System.AsyncCallback cb) + 0x80 bytes
System.Web.dll!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest wr = {System.Web.Hosting.IIS7WorkerRequest}, System.Web.HttpContext context = {System.Web.HttpContext}) + 0x2ae bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(System.IntPtr rootedObjectsPointer, System.IntPtr nativeRequestContext = 74727914648, System.IntPtr moduleData, int flags) + 0x491 bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(System.IntPtr rootedObjectsPointer, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x22 bytes
Here is the log output:
2012-09-21 07:57:31,143 (GMT-5) [10] INFO DotNetOpenAuth.OAuthServiceProvider - Sample starting...
2012-09-21 07:57:31,835 (GMT-5) [8] INFO DotNetOpenAuth - DotNetOpenAuth.Core, Version=4.1.0.12182, Culture=neutral, PublicKeyToken=2780ccd10d57b246 (official)
2012-09-21 07:57:31,838 (GMT-5) [8] INFO DotNetOpenAuth - Reporting will use isolated storage with scope: User, Domain, Assembly
2012-09-21 07:57:31,850 (GMT-5) [8] ERROR DotNetOpenAuth - Error while trying to initialize reporting.
2012-09-21 07:57:31,858 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:8092/OAuthHandler.ashx
2012-09-21 07:57:31,953 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: UnauthorizedTokenRequest
2012-09-21 07:57:31,960 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Processing incoming UnauthorizedTokenRequest (1.0.1) message:
oauth_callback: http://localhost:8093/Home/OAuthCallBack
oauth_consumer_key: consumerkey
oauth_nonce: Z8GPrfzX
oauth_signature_method: HMAC-SHA1
oauth_signature: A1RrN/A/VpmGF4/cMT55qS2m4RU=
oauth_version: 1.0
oauth_timestamp: 1348232249
scope: testScope
2012-09-21 07:57:31,978 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming UnauthorizedTokenRequest message signature of: A1RrN/A/VpmGF4/cMT55qS2m4RU=
2012-09-21 07:57:31,979 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Applying secrets to message to prepare for signing or signature verification.
2012-09-21 07:57:32,085 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Constructed signature base string: POST&http%3A%2F%2Flocalhost%3A8092%2FOAuthHandler.ashx&oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A8093%252FHome%252FOAuthCallBack%26oauth_consumer_key%3Dconsumerkey%26oauth_nonce%3DZ8GPrfzX%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1348232249%26oauth_version%3D1.0%26scope%3DtestScope
2012-09-21 07:57:32,085 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.SigningBindingElementChain applied to message.
2012-09-21 07:57:32,088 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement applied to message.
2012-09-21 07:57:32,097 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement applied to message.
2012-09-21 07:57:32,098 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.OAuthHttpMethodBindingElement did not apply to message.
2012-09-21 07:57:32,099 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement did not apply to message.
2012-09-21 07:57:32,100 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received UnauthorizedTokenRequest (1.0.1) message is:
oauth_callback: http://localhost:8093/Home/OAuthCallBack
oauth_consumer_key: consumerkey
oauth_nonce: Z8GPrfzX
oauth_signature_method: HMAC-SHA1
oauth_signature: A1RrN/A/VpmGF4/cMT55qS2m4RU=
oauth_version: 1.0
oauth_timestamp: 1348232249
scope: testScope
2012-09-21 07:57:32,111 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send UnauthorizedTokenResponse (1.0.1) message.
2012-09-21 07:57:32,143 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement applied to message.
2012-09-21 07:57:32,144 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.OAuthHttpMethodBindingElement did not apply to message.
2012-09-21 07:57:32,145 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2012-09-21 07:57:32,146 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2012-09-21 07:57:32,148 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.SigningBindingElementChain did not apply to message.
2012-09-21 07:57:32,151 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Prepared outgoing UnauthorizedTokenResponse (1.0.1) message for :
oauth_token: XO93OJQIsiEtVdKuN3GCce1gYIU=
oauth_token_secret: br6QQ1ZwOyx7MJuxD23nM2Ro690=
oauth_callback_confirmed: true
2012-09-21 07:57:32,151 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: UnauthorizedTokenResponse
2012-09-21 07:57:32,337 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:8092/OAuthHandler.ashx
2012-09-21 07:57:32,352 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: UserAuthorizationRequest
2012-09-21 07:57:32,352 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Processing incoming UserAuthorizationRequest (1.0.1) message:
oauth_token: XO93OJQIsiEtVdKuN3GCce1gYIU=
2012-09-21 07:57:32,352 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.SigningBindingElementChain did not apply to message.
2012-09-21 07:57:32,352 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2012-09-21 07:57:32,352 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2012-09-21 07:57:32,352 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.OAuthHttpMethodBindingElement did not apply to message.
2012-09-21 07:57:32,357 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement did not apply to message.
2012-09-21 07:57:32,357 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - After binding element processing, the received UserAuthorizationRequest (1.0.1) message is:
oauth_token: XO93OJQIsiEtVdKuN3GCce1gYIU=
2012-09-21 07:57:32,373 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Preparing to send UserAuthorizationResponse (1.0.1) message.
2012-09-21 07:57:32,375 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.TokenHandlingBindingElement applied to message.
2012-09-21 07:57:32,375 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.OAuthHttpMethodBindingElement did not apply to message.
2012-09-21 07:57:32,376 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement did not apply to message.
2012-09-21 07:57:32,376 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement did not apply to message.
2012-09-21 07:57:32,376 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.SigningBindingElementChain did not apply to message.
2012-09-21 07:57:32,379 (GMT-5) [8] INFO DotNetOpenAuth.Messaging.Channel - Prepared outgoing UserAuthorizationResponse (1.0.1) message for http://localhost:8093/Home/OAuthCallBack:
oauth_verifier: adbSjIo=
oauth_token: XO93OJQIsiEtVdKuN3GCce1gYIU=
2012-09-21 07:57:32,379 (GMT-5) [8] DEBUG DotNetOpenAuth.Messaging.Channel - Sending message: UserAuthorizationResponse
2012-09-21 07:57:32,385 (GMT-5) [8] DEBUG DotNetOpenAuth.Http - Redirecting to http://localhost:8093/Home/OAuthCallBack?oauth_verifier=adbSjIo%3D&oauth_token=XO93OJQIsiEtVdKuN3GCce1gYIU%3D
2012-09-21 07:57:32,423 (GMT-5) [5] INFO DotNetOpenAuth.Messaging.Channel - Scanning incoming request for messages: http://localhost:8092/OAuthHandler.ashx
2012-09-21 07:57:32,428 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Channel - Incoming request received: AccessProtectedResourceRequest
2012-09-21 07:57:32,428 (GMT-5) [5] INFO DotNetOpenAuth.Messaging.Channel - Processing incoming AccessProtectedResourceRequest (1.0) message:
oauth_token: XO93OJQIsiEtVdKuN3GCce1gYIU=
oauth_consumer_key: consumerkey
oauth_nonce: DxRe5Bax
oauth_signature_method: HMAC-SHA1
oauth_signature: U1gDRYSdm6cD+lWjc3BdJObEnhE=
oauth_version: 1.0
oauth_timestamp: 1348232252
oauth_verifier: adbSjIo=
2012-09-21 07:57:32,428 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Verifying incoming AccessProtectedResourceRequest message signature of: U1gDRYSdm6cD+lWjc3BdJObEnhE=
2012-09-21 07:57:32,428 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Channel - Applying secrets to message to prepare for signing or signature verification.
2012-09-21 07:57:32,442 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Constructed signature base string: POST&http%3A%2F%2Flocalhost%3A8092%2FOAuthHandler.ashx&oauth_consumer_key%3Dconsumerkey%26oauth_nonce%3DDxRe5Bax%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1348232252%26oauth_token%3DXO93OJQIsiEtVdKuN3GCce1gYIU%253D%26oauth_verifier%3DadbSjIo%253D%26oauth_version%3D1.0
2012-09-21 07:57:32,442 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.SigningBindingElementChain applied to message.
2012-09-21 07:57:32,442 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardExpirationBindingElement applied to message.
2012-09-21 07:57:32,443 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.Messaging.Bindings.StandardReplayProtectionBindingElement applied to message.
2012-09-21 07:57:32,443 (GMT-5) [5] DEBUG DotNetOpenAuth.Messaging.Bindings - Binding element DotNetOpenAuth.OAuth.ChannelElements.OAuthHttpMethodBindingElement did not apply to message.
Here’s the code in the handler on the Provider:
public void ProcessRequest(HttpContext context)
{
IProtocolMessage protocolMessagerequest = sp.ReadRequest();
UnauthorizedTokenRequest requestToken;
UserAuthorizationRequest requestAuth;
AuthorizedTokenRequest requestAccessToken;
if ((requestToken = protocolMessagerequest as UnauthorizedTokenRequest) != null)
{
var response = sp.PrepareUnauthorizedTokenMessage(requestToken);
sp.Channel.Send(response);
}
else if ((requestAuth = protocolMessagerequest as UserAuthorizationRequest) != null)
{
TokenManager mgr = new TokenManager();
mgr.AuthorizeRequestToken(((ITokenContainingMessage)requestAuth).Token);
var autoAuthorizeResponse = sp.PrepareAuthorizationResponse(requestAuth);
sp.Channel.Send(autoAuthorizeResponse);
}
else if ((requestAccessToken = protocolMessagerequest as AuthorizedTokenRequest) != null)
{
var response = sp.PrepareAccessTokenMessage(requestAccessToken);
sp.Channel.Send(response);
}
else
{
throw new InvalidOperationException();
}
}
Here is the code from the consumer:
public ActionResult StartOAuth()
{
OAuthHelper helper = new OAuthHelper();
var serviceProvider = helper.GetServiceDescription();
var consumer = new WebConsumer(serviceProvider, InMemoryTokenManager.Instance);
// Url to redirect to
var authUrl = new Uri(Request.Url.Scheme + "://" + Request.Url.Authority + "/Home/OAuthCallBack");
var requestParams = new Dictionary<string, string>
{
{"scope", "testScope"}
};
//request access
consumer.Channel.Send(consumer.PrepareRequestUserAuthorization(authUrl, requestParams, null));
// This will not get hit!
return null;
}
public ActionResult OAuthCallback()
{
OAuthHelper helper = new OAuthHelper();
// Process result from the service provider
var serviceProvider = helper.GetServiceDescription();
var consumer = new WebConsumer(serviceProvider, InMemoryTokenManager.Instance);
var accessTokenResponse = consumer.ProcessUserAuthorization();
// If we didn't have an access token response, this wasn't called by the service provider
if (accessTokenResponse == null)
return RedirectToAction("Index");
// Extract the access token
string accessToken = accessTokenResponse.AccessToken;
ViewBag.Token = accessToken;
ViewBag.Secret = InMemoryTokenManager.Instance.GetTokenSecret(accessToken);
return View();
}
So I found the issue, bug in the GetTokenType method of my TokenManager implementation.