Home/ Questions/Q 7548223
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T09:38:39+00:00

The question: Are there any means (perhaps a workaround) to support the PUT and

  • 0

The question:

Are there any means (perhaps a workaround) to support the PUT and DELETE HTTP verbs with a WCF 4.0 REST service secured using OAuth 2.0 and DotNetOpenAuth 4? I’m not using the WCF Web API or WCF Starter Kit.

What I have done so far:

Consider the following WCF 4.0 REST Service:

[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class MyService
{
    [WebGet(UriTemplate = "")]
    public List<Resource> GetCollection()
    {
        /* some implementation */
    }

    [WebInvoke(UriTemplate = "", Method = "POST")]
    public Resource Create(Resource instance)
    {
        /* some implementation */
    }

    [WebGet(UriTemplate = "{id}")]
    public Resource Get(string id)
    {
        /* some implementation */
    }

    [WebInvoke(UriTemplate = "{id}", Method = "PUT")]
    public Resource Update(string id, Resource instance)
    {
        /* some implementation */
    }

    [WebInvoke(UriTemplate = "{id}", Method = "DELETE")]
    public void Delete(string id)
    {
        /* some implementation */
    }
}

OAuth 2.0 is used for controlling access to the service. It is achieved with a custom ServiceAuthorizationManager implementation using DotNetOpenAuth to do all the work. The implementation is almost identical to that provided by the DotNetOpenAuth 4.0 samples.

For POST and GET requests it works great. However, the requests fail for the PUT and DELETE requests with the error message: 

'AccessProtectedResourceRequest' messages cannot be received with HTTP verb 'PutRequest'

The client code looks as similar to:

public class ResourceClient
{
    public Resource UpdateResource(Resource resource)
    {
        var uri = new Uri(new Uri("http://api.example.com/"), Resource.Format("resources/{0}", resource.Id));
        var serializer = new DataContractSerializer(typeof(Resource));
        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Method = "PUT";
        request.ContentType = "application/xml";
        ClientBase.AuthorizeRequest(request, Authorization.AccessToken);

        using (var requestStream = request.GetRequestStream())
        {
            serializer.WriteObject(requestStream, resource);
        }

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            using (var responseStream = response.GetResponseStream())
            {
                Debug.Assert(responseStream != null, "responseStream != null");
                return (Resource)serializer.ReadObject(responseStream);
            }
        }
    }
}

From the answer of another question it seems that this is may be a deficiency in DotNetOpenAuth. Looking at the OAuth 2.0 spec, I don’t see anything prohibiting the use of the PUT or DELETE http verbs when accessing resources. That said, I’m not an expert in OAuth 2.0, nor do I know it by heart.

So I thought I would be “clever” and use the “X-HTTP-Method-Override” to specify PUT and then POST the request to the resource server. I implemented the behaviour as explained in this sample. Interestingly enough the custom behavior was called before my ServiceAuthorizationManager implementation, resulting in the exact same error.

An alternative would be to address the issue within DotNetOpenAuth itself, but I have no idea where to start.

I’m running out of ideas and I’d appreciate any suggestions.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is tracked by Issue #62. You can glance at the fix for it if you want to port it to your version without waiting for the next release.

    • 0