Merge branch 'development' of https://git01.codeplex.com/forks/tsone/casadev into development

Author: arturl

Release/include/cpprest/oauth2_handler.h

@@ -61,30 +61,39 @@ class oauth2_exception : public std::exception
 /// OAuth 2.0 configuration.
 ///
 /// Encapsulates functionality for:
-/// - Authenticating requests with an access token.
-/// - Performing the OAuth 2.0 authorization code grant authorization flow.
-///   See: http://tools.ietf.org/html/rfc6749#section-4.1
+/// -  Authenticating requests with an access token.
+/// -  Performing the OAuth 2.0 authorization code grant authorization flow.
+///    See: http://tools.ietf.org/html/rfc6749#section-4.1
+/// -  Performing the OAuth 2.0 implicit grant authorization flow.
+///    See: http://tools.ietf.org/html/rfc6749#section-4.2
 ///
-/// Usage for authorization:
+/// Performing OAuth 2.0 authorization:
 /// 1. Set service and client/app parameters:
-/// - Client/app key & secret (as provided by the service).
-/// - The service authorization endpoint and token endpoint.
-/// - Your client/app redirect URI.
-/// - Set if bearer token is passed in query or header field (default: header).
-///   See: http://tools.ietf.org/html/rfc6750#section-2
-/// - If the service uses "non-standard" access token key, set it also (default: "access_token").
-/// 2. Open web browser with URI from build_authorization_uri().
-/// - The passed state string should be unique for this authorization session.
-/// 3. In the web browser, the resource owner clicks "Yes" to authorize your client/app.
-/// 4. To signal authorization, web browser is redirected to redirect_uri().
-/// 5. The redirect contains the authorization code and the state string.
-/// 6. Check the state string equals the one in step 2.
-/// 7. Pass the authorization code to fetch_token() to create a token fetch task.
+/// -  Client/app key & secret (as provided by the service).
+/// -  The service authorization endpoint and token endpoint.
+/// -  Your client/app redirect URI.
+/// -  Use set_state() to assign a unique state string for the authorization
+///    session (default: "").
+/// -  If needed, use set_bearer_auth() to control bearer token passing in either
+///    query or header (default: header). See: http://tools.ietf.org/html/rfc6750#section-2
+/// -  If needed, use set_access_token_key() to set "non-standard" access token
+///    key (default: "access_token").
+/// -  If needed, use set_implicit_grant() to enable implicit grant flow.
+/// 2. Build authorization URI with build_authorization_uri() and open this in web browser/control.
+/// 3. The resource owner should then clicks "Yes" to authorize your client/app, and
+///    as a result the web browser/control is redirected to redirect_uri().
+/// 5. Capture the redirected URI either in web control or by HTTP listener.
+/// 6. Pass the redirected URI to token_from_redirected_uri() to obtain access token.
+/// -  The method ensures redirected URI contains same state() as set in step 1.
+/// -  In implicit_grant() is false, this will create HTTP request to fetch access token
+///    from the service. Otherwise access token is already included in the redirected URI.
 ///
 /// Usage for issuing authenticated requests:
-/// 1. Obtain token. (Perform authorization as above or get token otherwise.)
-/// 2. Use http_client_config::set_oauth2() to set configuration, and construct http_client using it.
-/// 3. All requests issued with that http_client will be OAuth 2.0 -authenticated.
+/// 1. Perform authorization as above to obtain the access token or use an existing token.
+/// -  Some services provice option to generate access tokens for testing purposes.
+/// 2. Pass the resulting oauth2_config with the access token to http_client_config::set_oauth2().
+/// 3. Construct http_client with this http_client_config. After this all requests
+///    by that client will be OAuth 2.0 authenticated.
 ///
 /// </summary>
 class oauth2_config
@@ -98,6 +107,7 @@ class oauth2_config
                 m_auth_endpoint(auth_endpoint),
                 m_token_endpoint(token_endpoint),
                 m_redirect_uri(redirect_uri),
+                m_implicit_grant(false),
                 m_bearer_auth(true),
                 m_http_basic_auth(true),
                 m_access_token_key(_XPLATSTR("access_token"))
@@ -106,6 +116,7 @@ class oauth2_config
 
     oauth2_config(utility::string_t token) :
         m_token(std::move(token)),
+        m_implicit_grant(false),
         m_bearer_auth(true),
         m_http_basic_auth(true),
         m_access_token_key(_XPLATSTR("access_token"))
@@ -115,17 +126,25 @@ class oauth2_config
     /// <summary>
     /// Builds an authorization URI to be loaded in the web browser.
     /// The URI is built with auth_endpoint() as basis.
+    /// The implicit_grant() affects the built URI by selecting
+    /// either authorization code or implicit grant flow.
     /// </summary>
     _ASYNCRTIMP utility::string_t build_authorization_uri() const;
 
     /// <summary>
-    /// Parses authorization code from the redirected URI when resource owner
-    /// has accepted the authorization.
-    /// Redirected URI must satisfy the following (otherwise an exception is thrown):
-    /// - Must contain both 'code' and 'state' query parameters.
-    /// - The 'state' parameter must be equal to state().
+    /// Get the access token based on redirected URI.
+    /// Behavior depends on the implicit_grant() setting.
+    /// If implicit_grant() is false redirect URI is parsed for 'code' query
+    /// parameter which is then used to fetch a token
+    /// from token_endpoint().
+    /// Otherwise, redirect URI fragment part is parsed for 'access_token'
+    /// parameter containing the token.
+    /// In both cases 'state' parameter is parsed and verified to match state().
+    /// When token is successfully obtained, set_token() is called, and config is
+    /// ready for use.
+    /// An oauth2_exception is thrown if anything fails.
     /// </summary>
-    _ASYNCRTIMP utility::string_t parse_code_from_redirected_uri(uri redirected_uri) const;
+    _ASYNCRTIMP pplx::task<void> token_from_redirected_uri(uri redirected_uri);
 
     /// <summary>
     /// Creates a task to fetch token from the token endpoint.
@@ -158,13 +177,21 @@ class oauth2_config
     const utility::string_t& state() const { return m_state; }
     /// <summary>
     /// State string should be unique for each authorization session.
-    /// This state string should be returned by the authorization server on redirect
+    /// This state string should be returned by the authorization server on redirect.
     /// </summary>
     void set_state(utility::string_t state) { m_state = std::move(state); }
 
     const utility::string_t& token() const { return m_token; }
     void set_token(utility::string_t token) { m_token = std::move(token); }
 
+    bool implicit_grant() const { return m_implicit_grant; }
+    /// <summary>
+    /// False means authorization code grant flow is used.
+    /// True means implicit grant flow is used.
+    /// Default: False.
+    /// </summary>
+    void set_implicit_grant(bool enable) { m_implicit_grant = std::move(enable); }
+
     bool bearer_auth() const { return m_bearer_auth; }
     /// <summary>
     /// Bearer token passing method. This must be selected based on what the service accepts.
@@ -202,6 +229,7 @@ class oauth2_config
     utility::string_t m_scope;
     utility::string_t m_state;
 
+    bool m_implicit_grant;
     bool m_bearer_auth;
     bool m_http_basic_auth;
     utility::string_t m_access_token_key;

Release/samples/OAuth2Live/MainPage.xaml

@@ -21,6 +21,7 @@
                 <StackPanel Orientation="Horizontal" Margin="0,4,0,4">
                     <TextBlock TextWrapping="Wrap" Style="{StaticResource BasicTextStyle}" Text="OAuth 2.0 Live sample." VerticalAlignment="Center" Margin="4,0,4,0"/>
                     <Button x:Name="StartButton" Content="Start" Click="StartButtonClick" Margin="4,0,4,0"/>
+                    <CheckBox x:Name="ImplicitGrantCheckBox" Content="Implicit grant" Unchecked="ImplicitGrantUnchecked" Checked="ImplicitGrantChecked"/>
                     <Button x:Name="InfoButton" Content="Info" Click="InfoButtonClick" Margin="4,0,4,0" IsEnabled="False"/>
                     <Button x:Name="ContactsButton" Content="Contacts" Click="ContactsButtonClick" Margin="4,0,4,0" IsEnabled="False"/>
                     <Button x:Name="EventsButton" Content="Events" Click="EventsButtonClick" Margin="4,0,4,0" IsEnabled="False"/>

Release/samples/OAuth2Live/MainPage.xaml.cpp

@@ -21,17 +21,9 @@ using namespace Windows::UI::Xaml::Media;
 using namespace Windows::UI::Xaml::Navigation;
 using namespace Windows::Security::Authentication::Web;
 
-//using namespace web;
-//using namespace web::http;
-//using namespace web::http::client;
-//using namespace web::http::client::experimental;
-
-//using namespace web::details;
-//using namespace web::http::details;
 
-
-static const utility::string_t s_live_key = L"0000000048119F29";
-static const utility::string_t s_live_secret = L"lJSaBqD42czHGkLIrq4uH9Aadb7LtvIx";
+static const utility::string_t s_live_key = L"";
+static const utility::string_t s_live_secret = L"";
 
 static const utility::string_t s_state = L"1234ABCD";
 
@@ -79,42 +71,43 @@ void OAuth2Live::MainPage::StartButtonClick(Platform::Object^ sender, Windows::U
         {
             String^ statusString;
 
+            DebugArea->Text += "< WebAuthenticationBroker returned: ";
             switch (result->ResponseStatus)
             {
                 case WebAuthenticationStatus::ErrorHttp:
                 {
-                    statusString = "ErrorHttp: " + result->ResponseErrorDetail;
+                    DebugArea->Text += "ErrorHttp: " + result->ResponseErrorDetail + "\n";
                     break;
                 }
                 case WebAuthenticationStatus::Success:
                 {
-                    statusString = "Success";
+                    DebugArea->Text += "Success\n";
                     utility::string_t data = result->ResponseData->Data();
                     try
                     {
-                        statusString += "\nParsing authorization code: ";
-                        utility::string_t code = m_live_oauth2_config.parse_code_from_redirected_uri(data);
-                        AuthorizationCode->Text = ref new String(code.c_str());
-                        statusString += "Success";
+                        DebugArea->Text += "Redirect URI:\n" + result->ResponseData + "\n";
+                        DebugArea->Text += "> Obtaining token from redirect...\n";
+                        m_live_oauth2_config.token_from_redirected_uri(data).then([this]()
+                        {
+                            DebugArea->Text += "< Got token.\n";
+                            AccessToken->Text = ref new String(m_live_oauth2_config.token().c_str());
+                        }, pplx::task_continuation_context::use_current());
                     }
                     catch (oauth2_exception& e)
                     {
                         String^ error = ref new String(utility::conversions::to_string_t(e.what()).c_str());
-                        statusString += "Error: " + error;
+                        DebugArea->Text += "Error: " + error + "\n";
                     }
                     break;
                 }
                 default:
                 case WebAuthenticationStatus::UserCancel:
                 {
-                    statusString = "UserCancel";
+                    DebugArea->Text += "UserCancel\n";
                     break;
                 }
             }
-
-            DebugArea->Text += "< WebAuthenticationBroker returned: " + statusString + "\n";
         });
-
 #endif
     }
     catch (Exception^ ex)
@@ -123,7 +116,6 @@ void OAuth2Live::MainPage::StartButtonClick(Platform::Object^ sender, Windows::U
     }
 }
 
-
 void OAuth2Live::MainPage::InfoButtonClick(Platform::Object^ sender, Windows::UI::Xaml::Navigation::NavigationEventArgs^ e)
 {
     DebugArea->Text += "> Get user info...\n";
@@ -181,7 +173,6 @@ void OAuth2Live::MainPage::AuthCodeTextChanged(Platform::Object^ sender, Windows
     }, pplx::task_continuation_context::use_current());
 }
 
-
 void OAuth2Live::MainPage::AccessTokenTextChanged(Platform::Object^ sender, Windows::UI::Xaml::Controls::TextChangedEventArgs^ e)
 {
     http_client_config http_config;
@@ -193,3 +184,13 @@ void OAuth2Live::MainPage::AccessTokenTextChanged(Platform::Object^ sender, Wind
     ContactsButton->IsEnabled = true;
     EventsButton->IsEnabled = true;
 }
+
+void OAuth2Live::MainPage::ImplicitGrantUnchecked(Platform::Object^ sender, Windows::UI::Xaml::RoutedEventArgs^ e)
+{
+    m_live_oauth2_config.set_implicit_grant(false);
+}
+
+void OAuth2Live::MainPage::ImplicitGrantChecked(Platform::Object^ sender, Windows::UI::Xaml::RoutedEventArgs^ e)
+{
+    m_live_oauth2_config.set_implicit_grant(true);
+}

Release/samples/OAuth2Live/MainPage.xaml.h

@@ -29,6 +29,9 @@ namespace OAuth2Live
         void ContactsButtonClick(Platform::Object^ sender, Windows::UI::Xaml::Navigation::NavigationEventArgs^ e);
         void EventsButtonClick(Platform::Object^ sender, Windows::UI::Xaml::Navigation::NavigationEventArgs^ e);
 
+        void ImplicitGrantUnchecked(Platform::Object^ sender, Windows::UI::Xaml::RoutedEventArgs^ e);
+        void ImplicitGrantChecked(Platform::Object^ sender, Windows::UI::Xaml::RoutedEventArgs^ e);
+
         void AuthCodeTextChanged(Platform::Object^ sender, Windows::UI::Xaml::Controls::TextChangedEventArgs^ e);
         void AccessTokenTextChanged(Platform::Object^ sender, Windows::UI::Xaml::Controls::TextChangedEventArgs^ e);
 

Release/samples/Oauth2Client/Oauth2Client.cpp

@@ -25,8 +25,8 @@
 
 INSTRUCTIONS
 
-This sample performs authorization code authorization flow againts
-various OAuth 2.0 services and then requests basic user information.
+This sample performs authorization code grant flow on various OAuth 2.0
+services and then requests basic user information.
 
 This sample is for Windows Desktop, OS X and Linux.
 Execute with administrator privileges.
@@ -54,20 +54,19 @@ using namespace web;
 using namespace web::http;
 using namespace web::http::details;
 using namespace web::http::client;
-using namespace web::http::experimental::listener;
+using namespace web::http::experimental::listener; 
 
 // Set to 1 to run an extensive client sample parts.
-#define EXTENSIVE 0
+#define EXTENSIVE       0
 
+static const utility::string_t s_dropbox_key(U(""));
+static const utility::string_t s_dropbox_secret(U(""));
 
-static const utility::string_t s_dropbox_key(U("wvf3odtrwgwq91o"));
-static const utility::string_t s_dropbox_secret(U("w4s8zajiz197iip"));
+static const utility::string_t s_linkedin_key(U(""));
+static const utility::string_t s_linkedin_secret(U(""));
 
-static const utility::string_t s_linkedin_key(U("758evsaj4o491o"));
-static const utility::string_t s_linkedin_secret(U("vPRl6ED5jaakbZrx"));
-
-static const utility::string_t s_live_key(U("0000000048119F29"));
-static const utility::string_t s_live_secret(U("lJSaBqD42czHGkLIrq4uH9Aadb7LtvIx"));
+static const utility::string_t s_live_key(U(""));
+static const utility::string_t s_live_secret(U(""));
 
 // State should be generated per authorization/session. Here we just hard-code it.
 static const utility::string_t s_state(U("1234ABCD"));
@@ -95,7 +94,7 @@ class oauth2_code_listener
 public:
     oauth2_code_listener(
         uri listen_uri,
-        const oauth2_config& config) :
+        oauth2_config& config) :
             m_listener(utility::details::make_unique<http_listener>(listen_uri)),
             m_config(config)
     {
@@ -104,14 +103,15 @@ class oauth2_code_listener
             pplx::extensibility::scoped_critical_section_t lck(m_resplock);
             try
             {
-                auto code(m_config.parse_code_from_redirected_uri(request.request_uri()));
-                request.reply(status_codes::OK, U("Ok.")).then([this,code]() -> void
+                m_config.token_from_redirected_uri(request.request_uri()).then([this,request]() -> void
                 {
-                    m_tce.set(code);
+                    request.reply(status_codes::OK, U("Ok."));
+                    m_tce.set();
                 });
             }
-            catch (oauth2_exception&)
+            catch (oauth2_exception& e)
             {
+                ucout << "Error: " << e.what() << std::endl;
                 request.reply(status_codes::NotFound, U("Not found."));
             }
         });
@@ -123,15 +123,15 @@ class oauth2_code_listener
         m_listener->close().wait();
     }
 
-    pplx::task<utility::string_t> listen_for_code()
+    pplx::task<void> listen_for_code()
     {
         return pplx::create_task(m_tce);
     }
 
 private:
     std::unique_ptr<http_listener> m_listener;
-    pplx::task_completion_event<utility::string_t> m_tce;
-    const oauth2_config& m_config;
+    pplx::task_completion_event<void> m_tce;
+    oauth2_config& m_config;
     pplx::extensibility::critical_section_t m_resplock;
 };
 
@@ -188,10 +188,7 @@ class oauth2_session_sample
     pplx::task<void> authorization_code_flow()
     {
         open_browser_auth();
-        return m_listener->listen_for_code().then([this](utility::string_t auth_code)
-        {
-            return m_oauth2_config.fetch_token(auth_code);
-        });
+        return m_listener->listen_for_code();
     }
 
     http_client_config m_http_config;