/***

* ==++==

*

* Copyright (c) Microsoft Corporation. All rights reserved.

* Licensed under the Apache License, Version 2.0 (the "License");

* you may not use this file except in compliance with the License.

* You may obtain a copy of the License at

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*

* ==--==

* =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

*

* HTTP Library: Oauth 2.0

*

* For the latest on this and related APIs, please see: https://github.com/Microsoft/cpprestsdk

*

* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

****/

#include "stdafx.h"

using web::http::client::http_client;

using web::http::client::http_client_config;

using web::http::oauth2::details::oauth2_strings;

using web::http::details::mime_types;

using utility::conversions::to_utf8string;

// Expose base64 conversion for arbitrary buffer.

extern utility::string_t _to_base64(const unsigned char *ptr, size_t size);

namespace web { namespace http { namespace oauth2

{

namespace details

{

#define _OAUTH2_STRINGS

#define DAT(a_, b_) const oauth2_string oauth2_strings::a_(_XPLATSTR(b_));

#include "cpprest/details/http_constants.dat"

#undef _OAUTH2_STRINGS

#undef DAT

} // namespace web::http::oauth2::details

namespace experimental

{

utility::string_t oauth2_config::build_authorization_uri(bool generate_state)

{

const utility::string_t response_type((implicit_grant()) ? oauth2_strings::token : oauth2_strings::code);

uri_builder ub(auth_endpoint());

ub.append_query(oauth2_strings::response_type, response_type);

ub.append_query(oauth2_strings::client_id, client_key());

ub.append_query(oauth2_strings::redirect_uri, redirect_uri());

if (generate_state)

{

m_state = m_state_generator.generate();

}

ub.append_query(oauth2_strings::state, state());

if (!scope().empty())

{

ub.append_query(oauth2_strings::scope, scope());

}

return ub.to_string();

}

pplx::task<void> oauth2_config::token_from_redirected_uri(const web::http::uri& redirected_uri)

{

auto query = uri::split_query((implicit_grant()) ? redirected_uri.fragment() : redirected_uri.query());

auto state_param = query.find(oauth2_strings::state);

if (state_param == query.end())

{

return pplx::task_from_exception<void>(oauth2_exception(U("parameter 'state' missing from redirected URI.")));

}

if (state() != state_param->second)

{

utility::ostringstream_t err;

err.imbue(std::locale::classic());

err << U("redirected URI parameter 'state'='") << state_param->second

<< U("' does not match state='") << state() << U("'.");

return pplx::task_from_exception<void>(oauth2_exception(err.str()));

}

auto code_param = query.find(oauth2_strings::code);

if (code_param != query.end())

{

return token_from_code(code_param->second);

}

// NOTE: The redirected URI contains access token only in the implicit grant.

// The implicit grant never passes a refresh token.

auto token_param = query.find(oauth2_strings::access_token);

if (token_param == query.end())

{

return pplx::task_from_exception<void>(oauth2_exception(U("either 'code' or 'access_token' parameter must be in the redirected URI.")));

}

set_token(token_param->second);

return pplx::task_from_result();

}

pplx::task<void> oauth2_config::_request_token(uri_builder& request_body_ub)

{

http_request request;

request.set_method(methods::POST);

request.set_request_uri(utility::string_t());

if (!scope().empty())

{

request_body_ub.append_query(oauth2_strings::scope, uri::encode_data_string(scope()), false);

}

if (http_basic_auth())

{

// Build HTTP Basic authorization header.

const std::string creds_utf8(to_utf8string(

uri::encode_data_string(client_key()) + U(":") + uri::encode_data_string(client_secret())));

request.headers().add(header_names::authorization, U("Basic ")

+ _to_base64(reinterpret_cast<const unsigned char*>(creds_utf8.data()), creds_utf8.size()));

}

else

{

// Add credentials to query as-is.

request_body_ub.append_query(oauth2_strings::client_id, uri::encode_data_string(client_key()), false);

request_body_ub.append_query(oauth2_strings::client_secret, uri::encode_data_string(client_secret()), false);

}

request.set_body(request_body_ub.query(), mime_types::application_x_www_form_urlencoded);

// configure proxy

http_client_config config;

config.set_proxy(m_proxy);

http_client token_client(token_endpoint(), config);

return token_client.request(request)

.then([](http_response resp)

{

return resp.extract_json();

})

.then([this](json::value json_resp) -> void

{

set_token(_parse_token_from_json(json_resp));

});

}

oauth2_token oauth2_config::_parse_token_from_json(const json::value& token_json)

{

oauth2_token result;

if (token_json.has_field(oauth2_strings::access_token))

{

result.set_access_token(token_json.at(oauth2_strings::access_token).as_string());

}

else

{

throw oauth2_exception(U("response json contains no 'access_token': ") + token_json.serialize());

}

if (token_json.has_field(oauth2_strings::token_type))

{

result.set_token_type(token_json.at(oauth2_strings::token_type).as_string());

}

else

{

// Some services don't return 'token_type' while it's required by OAuth 2.0 spec:

// http://tools.ietf.org/html/rfc6749#section-5.1

// As workaround we act as if 'token_type=bearer' was received.

result.set_token_type(oauth2_strings::bearer);

}

if (!utility::details::str_icmp(result.token_type(), oauth2_strings::bearer))

{

throw oauth2_exception(U("only 'token_type=bearer' access tokens are currently supported: ") + token_json.serialize());

}

if (token_json.has_field(oauth2_strings::refresh_token))

{

result.set_refresh_token(token_json.at(oauth2_strings::refresh_token).as_string());

}

else

{

// Do nothing. Preserves the old refresh token.

}

if (token_json.has_field(oauth2_strings::expires_in))

{

const auto &json_expires_in_val = token_json.at(oauth2_strings::expires_in);

if (json_expires_in_val.is_number())

result.set_expires_in(json_expires_in_val.as_number().to_int64());

else

{

// Handle the case of a number as a JSON "string".

// Using streams because std::stoll isn't avaliable on Android.

int64_t expires;

utility::istringstream_t iss(json_expires_in_val.as_string());

iss.exceptions(std::ios::badbit | std::ios::failbit);

iss >> expires;

result.set_expires_in(expires);

}

}

else

{

result.set_expires_in(oauth2_token::undefined_expiration);

}

if (token_json.has_field(oauth2_strings::scope))

{

// The authorization server may return different scope from the one requested.

// This however doesn't necessarily mean the token authorization scope is different.

// See: http://tools.ietf.org/html/rfc6749#section-3.3

result.set_scope(token_json.at(oauth2_strings::scope).as_string());

}

else

{

// Use the requested scope() if no scope parameter was returned.

result.set_scope(scope());

}

return result;

}

}}}} // namespace web::http::oauth2::experimental