DotNetOpenAuth
diff --git a/‎samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj‎
Lines changed: 4 additions & 0 deletions b/‎samples/OAuthAuthorizationServer/OAuthAuthorizationServer.csproj‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/AuthenticationOnlyCookieOAuthTokenManager.cs‎
Lines changed: 35 additions & 11 deletions b/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/AuthenticationOnlyCookieOAuthTokenManager.cs‎
Lines changed: 35 additions & 11 deletions
diff --git a/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/CookieOAuthTokenManager.cs‎
Lines changed: 79 additions & 0 deletions b/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/CookieOAuthTokenManager.cs‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/DotNetOpenAuthWebConsumer.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/DotNetOpenAuthWebConsumer.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/LinkedInClient.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/DotNetOpenAuth.AspNet/Clients/OAuth/LinkedInClient.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/DotNetOpenAuth.AspNet/Clients/OAuth2/MicrosoftClient.cs‎
Lines changed: 2 additions & 2 deletions b/‎src/DotNetOpenAuth.AspNet/Clients/OAuth2/MicrosoftClient.cs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/DotNetOpenAuth.AspNet/DotNetOpenAuth.AspNet.csproj‎
Lines changed: 2 additions & 1 deletion b/‎src/DotNetOpenAuth.AspNet/DotNetOpenAuth.AspNet.csproj‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs‎
Lines changed: 2 additions & 2 deletions b/‎src/DotNetOpenAuth.Core/Messaging/DataBagFormatterBase.cs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs‎
Lines changed: 10 additions & 1 deletion b/‎src/DotNetOpenAuth.Core/Messaging/MessagingStrings.Designer.cs‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx‎
Lines changed: 5 additions & 2 deletions b/‎src/DotNetOpenAuth.Core/Messaging/MessagingStrings.resx‎
Lines changed: 5 additions & 2 deletions
@@ -63,6 +63,10 @@
       <RequiredTargetFramework>3.5</RequiredTargetFramework>
     </Reference>
     <Reference Include="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
+    <Reference Include="System.Net.Http, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL">
+      <SpecificVersion>False</SpecificVersion>
+      <HintPath>..\..\lib\net-v4.0\System.Net.Http.dll</HintPath>
+    </Reference>
     <Reference Include="System.Xml.Linq">
       <RequiredTargetFramework>3.5</RequiredTargetFramework>
     </Reference>
 
@@ -17,7 +17,7 @@ public class AuthenticationOnlyCookieOAuthTokenManager : IOAuthTokenManager {
 		/// <summary>
 		/// Key used for token cookie
 		/// </summary>
-		private const string TokenCookieKey = "OAuthTokenSecret";
+		protected const string TokenCookieKey = "OAuthTokenSecret";
 
 		/// <summary>
 		/// Primary request context.
@@ -41,7 +41,7 @@ public AuthenticationOnlyCookieOAuthTokenManager(HttpContextBase context) {
 		/// <summary>
 		/// Gets the effective HttpContext object to use.
 		/// </summary>
-		private HttpContextBase Context {
+		protected HttpContextBase Context {
 			get {
 				return this.primaryContext ?? new HttpContextWrapper(HttpContext.Current);
 			}
@@ -54,15 +54,13 @@ private HttpContextBase Context {
 		/// <returns>
 		/// The token's secret
 		/// </returns>
-		public string GetTokenSecret(string token) {
+		public virtual string GetTokenSecret(string token) {
 			HttpCookie cookie = this.Context.Request.Cookies[TokenCookieKey];
 			if (cookie == null || string.IsNullOrEmpty(cookie.Values[token])) {
 				return null;
 			}
-			byte[] cookieBytes = HttpServerUtility.UrlTokenDecode(cookie.Values[token]);
-			byte[] clearBytes = MachineKeyUtil.Unprotect(cookieBytes, TokenCookieKey, "Token:" + token);
 
-			string secret = Encoding.UTF8.GetString(clearBytes);
+			string secret = DecodeAndUnprotectToken(token, cookie.Values[token]);
 			return secret;
 		}
 
@@ -72,7 +70,7 @@ public string GetTokenSecret(string token) {
 		/// <param name="requestToken">The request token.</param>
 		/// <param name="accessToken">The access token.</param>
 		/// <param name="accessTokenSecret">The access token secret.</param>
-		public void ReplaceRequestTokenWithAccessToken(string requestToken, string accessToken, string accessTokenSecret) {
+		public virtual void ReplaceRequestTokenWithAccessToken(string requestToken, string accessToken, string accessTokenSecret) {
 			var cookie = new HttpCookie(TokenCookieKey) {
 				Value = string.Empty,
 				Expires = DateTime.UtcNow.AddDays(-5)
@@ -85,7 +83,7 @@ public void ReplaceRequestTokenWithAccessToken(string requestToken, string acces
 		/// </summary>
 		/// <param name="requestToken">The request token.</param>
 		/// <param name="requestTokenSecret">The request token secret.</param>
-		public void StoreRequestToken(string requestToken, string requestTokenSecret) {
+		public virtual void StoreRequestToken(string requestToken, string requestTokenSecret) {
 			var cookie = new HttpCookie(TokenCookieKey) {
 				HttpOnly = true
 			};
@@ -94,10 +92,36 @@ public void StoreRequestToken(string requestToken, string requestTokenSecret) {
 				cookie.Secure = true;
 			}
 
-			byte[] cookieBytes = Encoding.UTF8.GetBytes(requestTokenSecret);
-			var secretBytes = MachineKeyUtil.Protect(cookieBytes, TokenCookieKey, "Token:" + requestToken);
-			cookie.Values[requestToken] = HttpServerUtility.UrlTokenEncode(secretBytes);
+			var encryptedToken = ProtectAndEncodeToken(requestToken, requestTokenSecret);
+			cookie.Values[requestToken] = encryptedToken;
+
 			this.Context.Response.Cookies.Set(cookie);
 		}
+
+		/// <summary>
+		/// Protect and url-encode the specified token secret.
+		/// </summary>
+		/// <param name="token">The token to be used as a key.</param>
+		/// <param name="tokenSecret">The token secret to be protected</param>
+		/// <returns>The encrypted and protected string.</returns>
+		protected static string ProtectAndEncodeToken(string token, string tokenSecret)
+		{
+			byte[] cookieBytes = Encoding.UTF8.GetBytes(tokenSecret);
+			var secretBytes = MachineKeyUtil.Protect(cookieBytes, TokenCookieKey, "Token:" + token);
+			return HttpServerUtility.UrlTokenEncode(secretBytes);
+		}
+
+		/// <summary>
+		/// Url-decode and unprotect the specified encrypted token string.
+		/// </summary>
+		/// <param name="token">The token to be used as a key.</param>
+		/// <param name="encryptedToken">The encrypted token to be decrypted</param>
+		/// <returns>The original token secret</returns>
+		protected static string DecodeAndUnprotectToken(string token, string encryptedToken)
+		{
+			byte[] cookieBytes = HttpServerUtility.UrlTokenDecode(encryptedToken);
+			byte[] clearBytes = MachineKeyUtil.Unprotect(cookieBytes, TokenCookieKey, "Token:" + token);
+			return Encoding.UTF8.GetString(clearBytes);
+		}
 	}
 }
@@ -0,0 +1,79 @@
+//-----------------------------------------------------------------------
+// <copyright file="CookieOAuthTokenManager.cs" company="Microsoft">
+//     Copyright (c) Microsoft. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.AspNet.Clients {
+	using System.Web;
+	using System.Web.Security;
+
+	/// <summary>
+	/// Stores OAuth tokens in the current request's cookie.
+	/// </summary>
+	/// <remarks>
+	/// This class is different from the <see cref="AuthenticationOnlyCookieOAuthTokenManager"/> in that 
+	/// it also stores the access token after the authentication has succeeded.
+	/// </remarks>
+	public class CookieOAuthTokenManager : AuthenticationOnlyCookieOAuthTokenManager {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="CookieOAuthTokenManager"/> class.
+		/// </summary>
+		public CookieOAuthTokenManager() {
+		}
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="CookieOAuthTokenManager"/> class.
+		/// </summary>
+		/// <param name="context">The current request context.</param>
+		public CookieOAuthTokenManager(HttpContextBase context)
+			: base(context) {
+		}
+
+		/// <summary>
+		/// Gets the token secret from the specified token.
+		/// </summary>
+		/// <param name="token">The token.</param>
+		/// <returns>
+		/// The token's secret
+		/// </returns>
+		public override string GetTokenSecret(string token) {
+			string secret = base.GetTokenSecret(token);
+			if (secret != null) {
+				return secret;
+			}
+
+			// The base class checks for cookies in the Request object. 
+			// Here we check in the Response object as well because we 
+			// may have set it earlier in the request life cycle.
+			HttpCookie cookie = this.Context.Response.Cookies[TokenCookieKey];
+			if (cookie == null || string.IsNullOrEmpty(cookie.Values[token])) {
+				return null;
+			}
+
+			secret = DecodeAndUnprotectToken(token, cookie.Values[token]);
+			return secret;
+		}
+
+		/// <summary>
+		/// Replaces the request token with access token.
+		/// </summary>
+		/// <param name="requestToken">The request token.</param>
+		/// <param name="accessToken">The access token.</param>
+		/// <param name="accessTokenSecret">The access token secret.</param>
+		public override void ReplaceRequestTokenWithAccessToken(string requestToken, string accessToken, string accessTokenSecret) {
+			var cookie = new HttpCookie(TokenCookieKey) {
+				HttpOnly = true
+			};
+
+			if (FormsAuthentication.RequireSSL) {
+				cookie.Secure = true;
+			}
+
+			var encryptedToken = ProtectAndEncodeToken(accessToken, accessTokenSecret);
+			cookie.Values[accessToken] = encryptedToken;
+
+			this.Context.Response.Cookies.Set(cookie);
+		}
+	}
+}
@@ -77,7 +77,7 @@ public AuthorizedTokenResponse ProcessUserAuthorization() {
 		/// The callback.
 		/// </param>
 		public void RequestAuthentication(Uri callback) {
-			var redirectParameters = new Dictionary<string, string> { { "force_login", "false" } };
+			var redirectParameters = new Dictionary<string, string>();
 			UserAuthorizationRequest request = this.webConsumer.PrepareRequestUserAuthorization(
 				callback, null, redirectParameters);
 			this.webConsumer.Channel.PrepareResponse(request).Send();
 
@@ -60,7 +60,7 @@ public sealed class LinkedInClient : OAuthClient {
 		[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope",
 			Justification = "We can't dispose the object because we still need it through the app lifetime.")]
 		public LinkedInClient(string consumerKey, string consumerSecret)
-			: this(consumerKey, consumerSecret, new AuthenticationOnlyCookieOAuthTokenManager()) { }
+			: this(consumerKey, consumerSecret, new CookieOAuthTokenManager()) { }
 
 		/// <summary>
 		/// Initializes a new instance of the <see cref="LinkedInClient"/> class.
 
@@ -20,12 +20,12 @@ public class MicrosoftClient : OAuth2Client {
 		/// <summary>
 		/// The authorization endpoint.
 		/// </summary>
-		private const string AuthorizationEndpoint = "https://oauth.live.com/authorize";
+		private const string AuthorizationEndpoint = "https://login.live.com/oauth20_authorize.srf";
 
 		/// <summary>
 		/// The token endpoint.
 		/// </summary>
-		private const string TokenEndpoint = "https://oauth.live.com/token";
+		private const string TokenEndpoint = "https://login.live.com/oauth20_token.srf";
 
 		/// <summary>
 		/// The _app id.
 
@@ -28,7 +28,7 @@
   <Import Project="$(ProjectRoot)tools\DotNetOpenAuth.props" />
   <Import Project="$(ProjectRoot)tools\DotNetOpenAuth.Product.props" />
   <PropertyGroup>
-     <RootNamespace>DotNetOpenAuth.AspNet</RootNamespace>
+    <RootNamespace>DotNetOpenAuth.AspNet</RootNamespace>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="System" />
@@ -48,6 +48,7 @@
     <Compile Include="Clients\OAuth\AuthenticationOnlyCookieOAuthTokenManager.cs">
       <SubType>Code</SubType>
     </Compile>
+    <Compile Include="Clients\OAuth\CookieOAuthTokenManager.cs" />
     <Compile Include="Clients\OAuth\IOAuthTokenManager.cs" />
     <Compile Include="Clients\OAuth\SimpleConsumerTokenManager.cs" />
     <Compile Include="IAuthenticationClient.cs" />
 
@@ -215,8 +215,8 @@ public void Deserialize(T message, string value, IProtocolMessage containingMess
 			if (this.signed) {
 				using (var dataStream = new MemoryStream(data)) {
 					var dataReader = new BinaryReader(dataStream);
-					signature = dataReader.ReadBuffer();
-					data = dataReader.ReadBuffer();
+					signature = dataReader.ReadBuffer(1024);
+					data = dataReader.ReadBuffer(8 * 1024);
 				}
 
 				// Verify that the verification code was issued by message authorization server.
 
@@ -112,10 +112,10 @@
     <value>2.0</value>
   </resheader>
   <resheader name="reader">
-    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+    <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
   <resheader name="writer">
-    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
+    <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
   </resheader>
   <data name="ArgumentPropertyMissing" xml:space="preserve">
     <value>Argument's {0}.{1} property is required but is empty or null.</value>
@@ -333,4 +333,7 @@
   <data name="UnexpectedBufferLength" xml:space="preserve">
     <value>Unexpected buffer length.</value>
   </data>
+  <data name="DataCorruptionDetected" xml:space="preserve">
+    <value>Decoding failed due to data corruption.</value>
+  </data>
 </root>