Reputation: 986
DotNetOpenAuth - request access token immediately
Ok - I'm a DotNetOpenAuth newb, just to get that out of the way.
Here's a little overview first
I'm building an app that will be an OAuth consumer of another app. This other app has what they call an "App Marketplace" where users who are logged into their site can launch consumer sites directly. This marketplace will contain a link to our app - and when clicked on will already contain the request token and request token secret. With that said, we obviously don't have to make the OAuth request to get the request token, etc, because we already have it.
Now - here's my problem
From what I can tell - DotNetOpenAuth doesn't seem to contain a way to skip the first couple of requests in the authorization process and go straight to the request to get the access token. Now, obviously, I can build my own HttpWebRequest to get it, but I was hoping to not have to do that since DotNetOpenAuth hides all that messy Authorization header stuff out of plain sight. So, anyone know of any way to skip to the access token step going through DotNetOpenAuth?
I tried calling WebConsumer.Send(PrepareRequestUserAuthorization()) but that seems to start the OAuth authorization from the beginning. I also tried calling WebConsumer.ProcessUserAuthorization() but that just returns null. And, to be quite frank, the documentation around DotNetOpenAuth isn't specific enough for this newb to determine what exactly these methods are supposed to do anyway. So, any help would be much appreciated.
Upvotes: 0
Views: 1988
Answers (1)
Reputation: 81791
What this app marketplace is proposing is not standard OAuth 1.0(a), and therefore not something that DotNetOpenAuth supports. That said, you could play a few tricks to make it work. Calling WebConsumer.ProcessUserAuthorization(HttpRequestInfo) with a carefully crafted argument would "fool" DotNetOpenAuth into proceeding from the point this app marketplace leaves you. You would need to craft the HttpRequestInfo object such that it contains all the message parts that would be included in a normal OAuth flow when the request token has been authorized:
- oauth_token
- oauth_verifier (if this is an OAuth 1.0a flow)
In addition, you'd need to artificially inject the request token and its secret into your instance of the token manager in WebConsumer.TokenManager. This also may not be trivial, depending on how you're implementing it.
I would caution you though, that whenever you depart from the standard OAuth flow, thorough security reviews are critical, because you may be defeating security mechanisms built into the protocol.
Upvotes: 3
Related Questions
- DotNetOpenAuth and Refresh Tokens
- OAuth with DotNetOpenAuth?
- DotNetOpenAuth and C# desktop application
- DotNetOpenAuth Login without asking credential in second Time (if less then 10 to 15 Sec)
- DotNetOpenAuth RequestUserAuthorization callback
- DotNetOpenAuth: when is StoreNewRequestToken called?
- DotNetOpenAuth request login from provider
- DotNetOpenAuth and Async WebRequest (BeginGetResponse)
- DotNetOpenAuth authentication
- DotNetOpenID Programmatic Login