Develop Reference

Setting up authentication endpoints class in minimal API

In Program.cs I have a post endpoint for getting a Jwt token:
app.MapPost("/api/security/getToken", [AllowAnonymous] async (UserManager<IdentityUser> userMgr, UserLoginDTO user) => {
var identityUser = await userMgr.FindByEmailAsync(user.Email);
if (await userMgr.CheckPasswordAsync(identityUser, user.Password)) {
var issuer = builder.Configuration["Jwt:Issuer"];
var audience = builder.Configuration["Jwt:Audience"];
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim> {
new Claim(ClaimTypes.Email, identityUser.Email),
new Claim(ClaimTypes.GivenName, identityUser.UserName)
};;
var token = new JwtSecurityToken(issuer: issuer, audience: audience, signingCredentials: credentials, claims: claims);
var tokenHandler = new JwtSecurityTokenHandler();
var stringToken = tokenHandler.WriteToken(token);
return Results.Ok(stringToken);
}
else {
return Results.Unauthorized();
}
}).WithTags("Security");
I want to move that logic in a separate class for readability.
public static class SecurityEndpoints {
public static void MapSecurityEndpoints(this WebApplication app) {
app.MapPost("/api/security/getToken", GetToken).AllowAnonymous();
app.MapPost("/api/security/createUser", CreateUser).AllowAnonymous();
}
internal static async Task<IResult> GetToken(this WebApplicationBuilder builder, UserManager<IdentityUser> userMgr,[FromBody] UserLoginDTO user) {
//same logic
}
...
}
Because of the WebApplicationBuilder I'm getting a InvalidOperationException.
How to refactor the GetToken method to get rid of WebApplicationBuilder and maybe access the builder.Configuration details that I need form another service? How would that service look like?
Or how else would you approach this?

You should not use WebApplication(Builder) in your handlers. Use standard approaches for working with the configuration in .NET/ASP.NET Core which are described here.
For example create type for jwt settings, register it with options pattern and inject into handler. Something along this lines:
public class JwtOptions
{
public const string Position = "Jwt";
public string Issuer { get; set; } = String.Empty;
public string Audience { get; set; } = String.Empty;
}
builder.Services.Configure<JwtOptions>(
builder.Configuration.GetSection(JwtOptions.Position));
internal static async Task<IResult> GetToken(IOptions<JwtOptions> jwtOptions,...) {
// use jwtOptions
}

I get a 400 error code when trying to validate a jwt token endpoint .net core 2.1

I am trying to validate a jwt token so I am having it sent to me within the header of my request but I get a 400 error when I pass in my token.
[HttpPost("validateToken/{token}")]
public IActionResult ValidateToken ([FromRoute] string token)
{
var jwthandler = new JwtSecurityTokenHandler();
var jwttoken = jwthandler.ReadJwtToken(token);
var expDate = jwttoken.ValidTo;
if (expDate < DateTime.UtcNow.AddMinutes(3))
{
return Ok("invalid");
}
else
{
return Ok("valid");
}
}
I can pass in any string but when I pass in a token it fails. I may not be doing this right any help would be apperciated

change you code to this and pass your token as a string in the body and your logic should work
[HttpPost("validateToken")]
public string ValidateToken ([FromBody] string token)
{
var jwthandler = new JwtSecurityTokenHandler();
var jwttoken = jwthandler.ReadJwtToken(token);
var expDate = jwttoken.ValidTo;
if (expDate < DateTime.UtcNow.AddMinutes(3))
{
return ("invalid");
}
else
{
return("valid");
}
}

Web API giving 401 on JWT

I have the following problem:
The web api uses JWT to authorize people. I have been following this tutorial: here
The token provider works fine as shown on the postman picture:
But when I try to pass the token in postman to the following controller:
[Authorize]
[Route("ChangePassword")]
public async Task<IHttpActionResult> ChangePassword(ChangePasswordBindingModel model) {
if (!ModelState.IsValid) {
return BadRequest(ModelState);
}
IdentityResult result = await this.AppUserManager.ChangePasswordAsync(User.Identity.GetUserId(), model.OldPassword, model.NewPassword);
if (!result.Succeeded)
return GetErrorResult(result);
return Ok();
}
Then this will be the result:
I can't see what the problem should be. I do in the startup file also start the API last.
public class Startup {
public void Configuration(IAppBuilder app) {
HttpConfiguration httpConfig = new HttpConfiguration();
ConfigureOAuthTokenGeneration(app);
ConfigureOAuthTokenConsumption(app);
ConfigureWebApi(httpConfig);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseWebApi(httpConfig);
}
private void ConfigureWebApi(HttpConfiguration httpConfig) {
httpConfig.MapHttpAttributeRoutes();
var jsonFormatter = httpConfig.Formatters.OfType<JsonMediaTypeFormatter>().First();
jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
}
private void ConfigureOAuthTokenGeneration(IAppBuilder app) {
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions() {
//Set to false in production
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/oauth/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new CustomOAuthProvider(),
AccessTokenFormat = new CustomJwtFormat("http://localhost:44300")
};
app.UseOAuthAuthorizationServer(OAuthServerOptions);
}
private void ConfigureOAuthTokenConsumption(IAppBuilder app) {
var issuer = "http://localhost:44300";
var audienceId = "414e1927a3884f68abc79f7283837fd1";
var audienceSecret = TextEncodings.Base64Url.Decode("qMCdFDQuF23RV1Y-1Gq9L3cF3VmuFwVbam4fMTdAfpo");
// Api controllers with an [Authorize] attribute will be validated with JWT
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audienceId },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
}
});
}
}

I've recently went through the same tutorial and had a similar problem. All endpoints with an [Authorize] attribute were returning 401. I completely broke apart the JwtBearerAuthentication middleware and discovered a problem with the JWTSecurityTokenHandler determining whether an audience was valid.
For starters, as most guides will tell you, verify your audience, issuer, and secret are the same where you generate your JWT token and where you ConfigureOAuthConsumption. I found it was easy to confuse these on the JWT creation side. If they are both correct look at the code below.
I ended up creating my own JWT Handler which derives from JwtSecurityTokenHandler. It mostly just calls the base methods, but it does give you great insight into how the validation process works. Please note the code change in ValidateToken.
class CustomJWTTokenHandler : JwtSecurityTokenHandler
{
public CustomJWTTokenHandler():base()
{
}
public override bool CanReadToken(string tokenString)
{
var rtn = base.CanReadToken(tokenString);
return rtn;
}
public override bool CanValidateToken
{
get
{
return base.CanValidateToken;
}
}
protected override ClaimsIdentity CreateClaimsIdentity(JwtSecurityToken jwt, string issuer, TokenValidationParameters validationParameters)
{
return base.CreateClaimsIdentity(jwt, issuer, validationParameters);
}
public override ReadOnlyCollection<ClaimsIdentity> ValidateToken(SecurityToken token)
{
try
{
var rtn = base.ValidateToken(token);
return rtn;
}
catch (Exception)
{
throw;
}
}
public override ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
var jwt = this.ValidateSignature(securityToken, validationParameters);
if (validationParameters.ValidateAudience)
{
if (validationParameters.AudienceValidator != null)
{
if (!validationParameters.AudienceValidator(jwt.Audiences, jwt, validationParameters))
{
throw new SecurityTokenInvalidAudienceException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10231, jwt.ToString()));
}
}
else
{
base.ValidateAudience(validationParameters.ValidAudiences, jwt, validationParameters);
}
}
string issuer = jwt.Issuer;
if (validationParameters.ValidateIssuer)
{
if (validationParameters.IssuerValidator != null)
{
issuer = validationParameters.IssuerValidator(issuer, jwt, validationParameters);
}
else
{
issuer = ValidateIssuer(issuer, jwt, validationParameters);
}
}
if (validationParameters.ValidateActor && !string.IsNullOrWhiteSpace(jwt.Actor))
{
SecurityToken actor = null;
ValidateToken(jwt.Actor, validationParameters, out actor);
}
ClaimsIdentity identity = this.CreateClaimsIdentity(jwt, issuer, validationParameters);
if (validationParameters.SaveSigninToken)
{
identity.BootstrapContext = new BootstrapContext(securityToken);
}
validatedToken = jwt;
return new ClaimsPrincipal(identity);
}
protected override JwtSecurityToken ValidateSignature(string token, TokenValidationParameters validationParameters)
{
var rtn = base.ValidateSignature(token, validationParameters);
var issuer = rtn.Issuer;
return rtn;
}
protected override void ValidateAudience(IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
{
if (audiences !=null && audiences.Any())
{
var jwt = securityToken as JwtSecurityToken;
if (!jwt.Audiences.Any())
{
throw new Exception("token has no audiences defined");
}
var inBothList= audiences.Where(X => jwt.Audiences.Contains(X)).ToList();
if (!inBothList.Any()){
throw new Exception("token not in audience list");
}
}
//base.ValidateAudience(audiences, securityToken, validationParameters);
}
public override SecurityToken ReadToken(string tokenString)
{
var rtnToken = base.ReadToken(tokenString);
//var validations = this.ValidateToken(rtnToken);
return rtnToken;
}
}
This handler is wired up when you setup the UseJwtBearerAuthentication middleware:
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Active,
AllowedAudiences = new List<string>() { JWTConfigs.audience },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new CustomSymmetricKeyIssuerSecurityTokenProvider(JWTConfigs.issuer, key)
},
TokenHandler = new CustomJWTTokenHandler()
}
);
Hopefully this works for you or at least points you to why your Token is failing.

I think I figured out the problem with both tutorials (this and this). Take a look at CustomJwtFormat class Protect() method
public string Protect(AuthenticationTicket data) {
...
var issued = data.Properties.IssuedUtc;
...
var token = new JwtSecurityToken(_issuer, audienceId, data.Identity.Claims,
issued.Value.UtcDateTime, expires.Value.UtcDateTime, signingKey);
...
}
It looks like JwtSecurityToken is expecting notBefore parameter in local and not in UTC timezone. If the author is in Jordan (UTC+2), it will mean that notBefore will be 2 hours earlier than now, but it will still work. However, since I am in California (UTC-8), notBefore is set to 8 hours later and token validation fails! The solution is to have
DateTimeOffset issued = data.Properties.IssuedUtc?.ToLocalTime();
in the new C# 6 format, or
DateTimeOffset issued = data.Properties.IssuedUtc.Value.ToLocalTime()
using classic syntax. Thank you #Treetopvt for pushing me to debug through middleware. With this change standard JwtSecurityTokenHandler works fine

Consuming secure ASP Net 5 web api using local account

I need to consume ASP.NET 5 secure Web API from a web client using local accounts. In the past there was a handler issuing bearer tokens in order to support OAuth, now bearer token issuance responsibility was removed from identity. Some people recommends to use identityServer3, which require clients registration, unlike identity2 approach. What is the simplest way to achieve authorization in ASP.NET 5 Web API? How can I avoid to pass client id and client secret in order to get an access token when using resource owner password flow? How to call api avoiding to pass scope?

I have built a simple bearer token issuer from this but using Identity password hasher. You can see full code below:
public class TokenController : Controller
{
private readonly IBearerTokenGenerator generator;
private readonly IClientsManager clientsManager;
private readonly IOptions<TokenAuthOptions> options;
public TokenController(IBearerTokenGenerator generator,
IClientsManager clientsManager,
IOptions<TokenAuthOptions> options)
{
this.generator = generator;
this.clientsManager = clientsManager;
this.options = options;
}
[HttpPost, AllowAnonymous]
public IActionResult Post(AuthenticationViewModel req)
{
return clientsManager
.Find(req.client_id, req.client_secret)
.Map(c => c.Client)
.Map(c => (IActionResult)new ObjectResult(new {
access_token = generator.Generate(c),
expires_in = options.Value.ExpirationDelay.TotalSeconds,
token_type = "Bearer"
}))
.ValueOrDefault(HttpUnauthorized);
}
}
public class BearerTokenGenerator : IBearerTokenGenerator
{
private readonly IOptions<TokenAuthOptions> tokenOptions;
public BearerTokenGenerator(IOptions<TokenAuthOptions> tokenOptions)
{
this.tokenOptions = tokenOptions;
}
public string Generate(Client client)
{
var expires = Clock.UtcNow.Add(tokenOptions.Value.ExpirationDelay);
var handler = new JwtSecurityTokenHandler();
var identity = new ClaimsIdentity(new GenericIdentity(client.Identifier, "TokenAuth"), new Claim[] {
new Claim("client_id", client.Identifier)
});
var securityToken = handler.CreateToken(
issuer: tokenOptions.Value.Issuer,
audience: tokenOptions.Value.Audience,
signingCredentials: tokenOptions.Value.SigningCredentials,
subject: identity,
expires: expires);
return handler.WriteToken(securityToken);
}
}
public class ClientsManager : IClientsManager
{
private readonly MembershipDataContext db;
private readonly ISecretHasher hasher;
public ClientsManager(MembershipDataContext db,
ISecretHasher hasher)
{
this.db = db;
this.hasher = hasher;
}
public void Create(string name, string identifier, string secret, Company company)
{
var client = new Client(name, identifier, company);
db.Clients.Add(client);
var hash = hasher.HashSecret(secret);
var apiClient = new ApiClient(client, hash);
db.ApiClients.Add(apiClient);
}
public Option<ApiClient> Find(string identifier, string secret)
{
return FindByIdentifier(identifier)
.Where(c => hasher.Verify(c.SecretHash, secret));
}
public void ChangeSecret(string identifier, string secret)
{
var client = FindByIdentifier(identifier).ValueOrDefault(() => {
throw new ArgumentException($"could not find any client with identifier { identifier }");
});
var hash = hasher.HashSecret(secret);
client.ChangeSecret(hash);
}
public string GenerateRandomSecret()
{
const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
var random = new Random();
var generated = new string(Enumerable.Repeat(chars, 12).Select(s => s[random.Next(s.Length)]).ToArray());
return Convert.ToBase64String(Encoding.UTF8.GetBytes(generated));
}
private Option<ApiClient> FindByIdentifier(string identifier)
{
return db.ApiClients
.Include(c => c.Client)
.SingleOrDefault(c => c.Client.Identifier == identifier)
.ToOptionByRef();
}
}
public class SecretHasher : ISecretHasher
{
private static Company fakeCompany = new Company("fake", "fake");
private static Client fakeClient = new Client("fake", "fake", fakeCompany);
private readonly IPasswordHasher<Client> hasher;
public SecretHasher(IPasswordHasher<Client> hasher)
{
this.hasher = hasher;
}
public string HashSecret(string secret)
{
return hasher.HashPassword(fakeClient, secret);
}
public bool Verify(string hashed, string secret)
{
return hasher.VerifyHashedPassword(fakeClient, hashed, secret) == PasswordVerificationResult.Success;
}
}
Now in Startup.cs
services.Configure<TokenAuthOptions>(options =>
{
options.Audience = "API";
options.Issuer = "Web-App";
options.SigningCredentials = new SigningCredentials(GetSigninKey(), SecurityAlgorithms.RsaSha256Signature);
options.ExpirationDelay = TimeSpan.FromDays(365);
});
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​)
.RequireAuthenticatedUser()
.Build());
}
app.UseJwtBearerAuthentication(options =>
{
options.TokenValidationParameters.IssuerSigningKey = GetSigninKey();
options.TokenValidationParameters.ValidAudience = "API";
options.TokenValidationParameters.ValidIssuer = "Web-App";
options.TokenValidationParameters.ValidateSignature = true;
options.TokenValidationParameters.ValidateLifetime = true;
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(0);
});

Unable to use PLAINTEXT signature with a DotNetOpenAuth ServiceProvider

I am building an OAuth 1.0(a) authorization server using DotNetOpenAuth (NuGet package DotNetOpenAuth.OAuth.ServiceProvider, version = 4.1.4.12333). The server is hosted in an ASP.NET application but that's irrelevant to the question.
My ServiceProvider is configured like this:
private ServiceProvider GetServiceProvider()
{
var baseUri = "http://myauth.com";
return new ServiceProvider(
new ServiceProviderDescription
{
UserAuthorizationEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/get_request_token"),
HttpDeliveryMethods.GetRequest
),
RequestTokenEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/authorize"),
HttpDeliveryMethods.PostRequest
),
AccessTokenEndpoint = new MessageReceivingEndpoint(
new Uri(baseUri + "/get_token"),
HttpDeliveryMethods.PostRequest
),
ProtocolVersion = ProtocolVersion.V10a,
TamperProtectionElements = new ITamperProtectionChannelBindingElement[]
{
new PlaintextSigningBindingElement(),
new HmacSha1SigningBindingElement(),
},
},
tokenManager,
new OAuthServiceProviderMessageFactory(tokenManager)
);
}
The relevant part of my get_request_token endpoint looks like this:
var serviceProvider = GetServiceProvider();
var tokenRequest = serviceProvider.ReadTokenRequest();
Now when a consumer sends the following request to this endpoint:
GET /get_request_token?oauth_nonce=C5657420BCE5F3224914304376B5334696B09B7FFC17C105A7F9629A008869DC&oauth_timestamp=1356006599&oauth_consumer_key=sampleconsumer&oauth_signature_method=plaintext&oauth_signature=samplesecret%26&oauth_version=1.0&oauth_callback=http%3a%2f%2flocalhost%3a30103%2fCustomOAuth1 HTTP/1.1
Host: localhost:8180
Connection: close
(broken for clarity):
oauth_nonce=C5657420BCE5F3224914304376B5334696B09B7FFC17C105A7F9629A008869DC
oauth_timestamp=1356006599
oauth_consumer_key=sampleconsumer
oauth_signature_method=plaintext
oauth_signature=samplesecret%26
oauth_version=1.0
oauth_callback=http%3a%2f%2flocalhost%3a30103%2fCustomOAuth1
The serviceProvider.ReadTokenRequest() method throws an exception:
The UnauthorizedTokenRequest message required protections {All} but the channel could only apply {Expiration, ReplayProtection}.
at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message)
at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestBase httpRequest)
at DotNetOpenAuth.Messaging.Channel.TryReadFromRequest[TRequest](HttpRequestBase httpRequest, TRequest& request)
at DotNetOpenAuth.OAuth.ServiceProvider.ReadTokenRequest(HttpRequestBase request)
at DotNetOpenAuth.OAuth.ServiceProvider.ReadTokenRequest()
at OAuthServers.OAuth1.Services.OAuth1Service.Any(GetRequestTokenRequest request)
at lambda_method(Closure , Object , Object )
at ServiceStack.ServiceHost.ServiceRunner`1.Execute(IRequestContext requestContext, Object instance, TRequest request)
On the other hand if the client sends the following request:
GET /get_request_token?oauth_callback=http%3a%2f%2flocalhost%3a65271%2foauth1%2fHandleAccessToken&oauth_consumer_key=sampleconsumer&oauth_nonce=rGFvxlWm&oauth_signature_method=HMAC-SHA1&oauth_signature=HV%2f5Vq%2b0cF3NrtiISE9k4jmgCrY%3d&oauth_version=1.0&oauth_timestamp=1356007830 HTTP/1.1
Host: localhost:8180
Connection: close
(broken for clarity):
oauth_callback=http%3a%2f%2flocalhost%3a65271%2foauth1%2fHandleAccessToken
oauth_consumer_key=sampleconsumer
oauth_nonce=rGFvxlWm
oauth_signature_method=HMAC-SHA1
oauth_signature=HV%2f5Vq%2b0cF3NrtiISE9k4jmgCrY%3d
oauth_version=1.0
oauth_timestamp=1356007830
it succeeds.
As you can see the only difference between those 2 requests is the oauth_signature_method being used. In the first case PLAINTEXT is used whereas in the second HMAC-SHA1.
Is it possible to make DotNetOpenAuth accept a PLAINTEXT signature method for the request token endpoint along with the GET verb (even if the OAuth 1.0(a) specification recommends POST to be used for this endpoint)? Is there some config option that could relax this requirement on the server?
At the moment modifying the client is not an option for me.

OAuth Authentication is done in three steps:
The Consumer obtains an unauthorized Request Token.
The User authorizes the Request Token.
The Consumer exchanges the Request Token for an Access Token.
So here's what that would look like:
public class InMemoryTokenManager : IConsumerTokenManager, IOpenIdOAuthTokenManager
{
private Dictionary<string, string> tokensAndSecrets = new Dictionary<string, string>();
public InMemoryTokenManager(string consumerKey, string consumerSecret)
{
if (String.IsNullOrEmpty(consumerKey))
{
throw new ArgumentNullException("consumerKey");
}
this.ConsumerKey = consumerKey;
this.ConsumerSecret = consumerSecret;
}
public string ConsumerKey { get; private set; }
public string ConsumerSecret { get; private set; }
#region ITokenManager Members
public string GetConsumerSecret(string consumerKey)
{
if (consumerKey == this.ConsumerKey)
{
return this.ConsumerSecret;
}
else
{
throw new ArgumentException("Unrecognized consumer key.", "consumerKey");
}
}
public string GetTokenSecret(string token)
{
return this.tokensAndSecrets[token];
}
public void StoreNewRequestToken(UnauthorizedTokenRequest request, ITokenSecretContainingMessage response)
{
this.tokensAndSecrets[response.Token] = response.TokenSecret;
}
public void ExpireRequestTokenAndStoreNewAccessToken(string consumerKey, string requestToken, string accessToken, string accessTokenSecret)
{
this.tokensAndSecrets.Remove(requestToken);
this.tokensAndSecrets[accessToken] = accessTokenSecret;
}
/// <summary>
/// Classifies a token as a request token or an access token.
/// </summary>
/// <param name="token">The token to classify.</param>
/// <returns>Request or Access token, or invalid if the token is not recognized.</returns>
public TokenType GetTokenType(string token)
{
throw new NotImplementedException();
}
#endregion
#region IOpenIdOAuthTokenManager Members
public void StoreOpenIdAuthorizedRequestToken(string consumerKey, AuthorizationApprovedResponse authorization)
{
this.tokensAndSecrets[authorization.RequestToken] = string.Empty;
}
#endregion
}

Following block of code may help you to generate plain text signature
public static string GetSignature(OAuthSignatureMethod signatureMethod, AuthSignatureTreatment signatureTreatment, string signatureBase, string consumerSecret, string tokenSecret)
{
if (tokenSecret.IsNullOrBlank())
{
tokenSecret = String.Empty;
}
consumerSecret = UrlEncodeRelaxed(consumerSecret);
tokenSecret = UrlEncodeRelaxed(tokenSecret);
string signature;
switch (signatureMethod)
{
case OAuthSignatureMethod.HmacSha1:
{
var crypto = new HMACSHA1();
var key = "{0}&{1}".FormatWith(consumerSecret, tokenSecret);
crypto.Key = _encoding.GetBytes(key);
signature = signatureBase.HashWith(crypto);
break;
}
case OAuthSignatureMethod.PlainText:
{
signature = "{0}&{1}".FormatWith(consumerSecret, tokenSecret);
break;
}
default:
throw new NotImplementedException("Only HMAC-SHA1 is currently supported.");
}
var result = signatureTreatment == OAuthSignatureTreatment.Escaped
? UrlEncodeRelaxed(signature)
: signature;
return result;
}