Switch to IUrlEncoder, introduce AddAuthentication

Author: HaoK

samples/CookieSample/Startup.cs

@@ -11,8 +11,7 @@ public class Startup
     {
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddWebEncoders();
-            services.AddDataProtection();
+            services.AddAuthentication();
         }
 
         public void Configure(IApplicationBuilder app, ILoggerFactory loggerfactory)

samples/CookieSessionSample/Startup.cs

@@ -12,8 +12,7 @@ public class Startup
     {
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddWebEncoders();
-            services.AddDataProtection();
+            services.AddAuthentication();
         }
 
         public void Configure(IApplicationBuilder app, ILoggerFactory loggerfactory)

samples/OpenIdConnectSample/Startup.cs

@@ -13,8 +13,7 @@ public class Startup
     {
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddWebEncoders();
-            services.AddDataProtection();
+            services.AddAuthentication();
             services.Configure<ExternalAuthenticationOptions>(options =>
             {
                 options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

samples/SocialSample/Startup.cs

@@ -19,8 +19,7 @@ public class Startup
     {
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddWebEncoders();
-            services.AddDataProtection();
+            services.AddAuthentication();
             services.Configure<ExternalAuthenticationOptions>(options =>
             {
                 options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
@@ -139,13 +138,13 @@ dnx . web
                     OnGetUserInformationAsync = async (context) =>
                     {
                         // Get the GitHub user
-                        HttpRequestMessage userRequest = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);
+                        var userRequest = new HttpRequestMessage(HttpMethod.Get, context.Options.UserInformationEndpoint);
                         userRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken);
                         userRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-                        HttpResponseMessage userResponse = await context.Backchannel.SendAsync(userRequest, context.HttpContext.RequestAborted);
+                        var userResponse = await context.Backchannel.SendAsync(userRequest, context.HttpContext.RequestAborted);
                         userResponse.EnsureSuccessStatusCode();
                         var text = await userResponse.Content.ReadAsStringAsync();
-                        JObject user = JObject.Parse(text);
+                        var user = JObject.Parse(text);
 
                         var identity = new ClaimsIdentity(
                             context.Options.AuthenticationScheme,
@@ -184,7 +183,7 @@ dnx . web
             {
                 signoutApp.Run(async context =>
                 {
-                    string authType = context.Request.Query["authscheme"];
+                    var authType = context.Request.Query["authscheme"];
                     if (!string.IsNullOrEmpty(authType))
                     {
                         // By default the client will be redirect back to the URL that issued the challenge (/login?authtype=foo),

src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationMiddleware.cs

@@ -22,7 +22,7 @@ public CookieAuthenticationMiddleware(
             [NotNull] IUrlEncoder urlEncoder,
             [NotNull] IOptions<CookieAuthenticationOptions> options,
             ConfigureOptions<CookieAuthenticationOptions> configureOptions)
-            : base(next, options, loggerFactory, configureOptions)
+            : base(next, options, loggerFactory, urlEncoder, configureOptions)
         {
             if (Options.Notifications == null)
             {

src/Microsoft.AspNet.Authentication.Cookies/CookieServiceCollectionExtensions.cs

@@ -20,7 +20,6 @@ public static IServiceCollection ConfigureCookieAuthentication([NotNull] this IS
 
         public static IServiceCollection ConfigureCookieAuthentication([NotNull] this IServiceCollection services, [NotNull] Action<CookieAuthenticationOptions> configure, string optionsName)
         {
-            services.AddWebEncoders();
             return services.Configure(configure, optionsName);
         }
 
@@ -31,7 +30,6 @@ public static IServiceCollection ConfigureCookieAuthentication([NotNull] this IS
 
         public static IServiceCollection ConfigureCookieAuthentication([NotNull] this IServiceCollection services, [NotNull] IConfiguration config, string optionsName)
         {
-            services.AddWebEncoders();
             return services.Configure<CookieAuthenticationOptions>(config, optionsName);
         }
     }

src/Microsoft.AspNet.Authentication.Facebook/FacebookAuthenticationHandler.cs

@@ -8,13 +8,12 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
-using Microsoft.AspNet.Http;
+using Microsoft.AspNet.Authentication.OAuth;
+using Microsoft.AspNet.Http.Authentication;
 using Microsoft.AspNet.Http.Collections;
 using Microsoft.AspNet.Http.Extensions;
-using Microsoft.AspNet.Http.Authentication;
-using Microsoft.AspNet.Authentication.OAuth;
 using Microsoft.AspNet.WebUtilities;
-using Microsoft.Framework.Logging;
+using Microsoft.Framework.WebEncoders;
 using Newtonsoft.Json.Linq;
 
 namespace Microsoft.AspNet.Authentication.Facebook
@@ -53,7 +52,7 @@ protected override async Task<TokenResponse> ExchangeCodeAsync(string code, stri
 
         protected override async Task<AuthenticationTicket> GetUserInformationAsync(AuthenticationProperties properties, TokenResponse tokens)
         {
-            var graphAddress = Options.UserInformationEndpoint + "?access_token=" + Uri.EscapeDataString(tokens.AccessToken);
+            var graphAddress = Options.UserInformationEndpoint + "?access_token=" + UrlEncoder.UrlEncode(tokens.AccessToken);
             if (Options.SendAppSecretProof)
             {
                 graphAddress += "&appsecret_proof=" + GenerateAppSecretProof(tokens.AccessToken);

src/Microsoft.AspNet.Authentication.Facebook/FacebookAuthenticationMiddleware.cs

@@ -9,6 +9,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.Facebook
 {
@@ -28,10 +29,11 @@ public FacebookAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<FacebookAuthenticationOptions> options,
             ConfigureOptions<FacebookAuthenticationOptions> configureOptions = null)
-            : base(next, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
+            : base(next, dataProtectionProvider, loggerFactory, encoder, externalOptions, options, configureOptions)
         {
             if (string.IsNullOrWhiteSpace(Options.AppId))
             {

src/Microsoft.AspNet.Authentication.Google/GoogleAuthenticationMiddleware.cs

@@ -9,6 +9,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.Google
 {
@@ -29,10 +30,11 @@ public GoogleAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<GoogleAuthenticationOptions> options,
             ConfigureOptions<GoogleAuthenticationOptions> configureOptions = null)
-            : base(next, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
+            : base(next, dataProtectionProvider, loggerFactory, encoder, externalOptions, options, configureOptions)
         {
             if (Options.Notifications == null)
             {

src/Microsoft.AspNet.Authentication.MicrosoftAccount/MicrosoftAccountAuthenticationMiddleware.cs

@@ -7,6 +7,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.MicrosoftAccount
 {
@@ -26,10 +27,11 @@ public MicrosoftAccountAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<MicrosoftAccountAuthenticationOptions> options,
             ConfigureOptions<MicrosoftAccountAuthenticationOptions> configureOptions = null)
-            : base(next, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
+            : base(next, dataProtectionProvider, loggerFactory, encoder, externalOptions, options, configureOptions)
         {
             if (Options.Notifications == null)
             {

src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationMiddleware.cs

@@ -11,6 +11,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.OAuth
 {
@@ -33,10 +34,11 @@ public OAuthAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<TOptions> options,
             ConfigureOptions<TOptions> configureOptions = null)
-            : base(next, options, loggerFactory, configureOptions)
+            : base(next, options, loggerFactory, encoder, configureOptions)
         {
             // todo: review error handling
             if (string.IsNullOrWhiteSpace(Options.AuthenticationScheme))

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationMiddleware.cs

@@ -11,6 +11,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 using Microsoft.IdentityModel.Protocols;
 
 namespace Microsoft.AspNet.Authentication.OAuthBearer
@@ -32,9 +33,10 @@ public class OAuthBearerAuthenticationMiddleware : AuthenticationMiddleware<OAut
         public OAuthBearerAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<OAuthBearerAuthenticationOptions> options,
             ConfigureOptions<OAuthBearerAuthenticationOptions> configureOptions)
-            : base(next, options, loggerFactory, configureOptions)
+            : base(next, options, loggerFactory, encoder, configureOptions)
         {
             if (Options.Notifications == null)
             {

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs

@@ -180,7 +180,7 @@ protected override async Task ApplyResponseChallengeAsync()
                 ResponseMode = Options.ResponseMode,
                 ResponseType = Options.ResponseType,
                 Scope = Options.Scope,
-                State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties))
+                State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + UrlEncoder.UrlEncode(Options.StateDataFormat.Protect(properties))
             };
 
             if (Options.ProtocolValidator.RequireNonce)

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -17,6 +17,7 @@
 using Microsoft.Framework.OptionsModel;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.Framework.Internal;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.OpenIdConnect
 {
@@ -40,10 +41,11 @@ public OpenIdConnectAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<OpenIdConnectAuthenticationOptions> options,
             ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions = null)
-            : base(next, options, loggerFactory, configureOptions)
+            : base(next, options, loggerFactory, encoder, configureOptions)
         {
             if (string.IsNullOrEmpty(Options.SignInScheme) && !string.IsNullOrEmpty(externalOptions.Options.SignInScheme))
             {

src/Microsoft.AspNet.Authentication.Twitter/TwitterAuthenticationHandler.cs

@@ -244,17 +244,17 @@ private async Task<RequestToken> ObtainRequestTokenAsync(string consumerKey, str
             var parameterBuilder = new StringBuilder();
             foreach (var authorizationKey in authorizationParts)
             {
-                parameterBuilder.AppendFormat("{0}={1}&", Uri.EscapeDataString(authorizationKey.Key), Uri.EscapeDataString(authorizationKey.Value));
+                parameterBuilder.AppendFormat("{0}={1}&", UrlEncoder.UrlEncode(authorizationKey.Key), UrlEncoder.UrlEncode(authorizationKey.Value));
             }
             parameterBuilder.Length--;
             var parameterString = parameterBuilder.ToString();
 
             var canonicalizedRequestBuilder = new StringBuilder();
             canonicalizedRequestBuilder.Append(HttpMethod.Post.Method);
             canonicalizedRequestBuilder.Append("&");
-            canonicalizedRequestBuilder.Append(Uri.EscapeDataString(RequestTokenEndpoint));
+            canonicalizedRequestBuilder.Append(UrlEncoder.UrlEncode(RequestTokenEndpoint));
             canonicalizedRequestBuilder.Append("&");
-            canonicalizedRequestBuilder.Append(Uri.EscapeDataString(parameterString));
+            canonicalizedRequestBuilder.Append(UrlEncoder.UrlEncode(parameterString));
 
             var signature = ComputeSignature(consumerSecret, null, canonicalizedRequestBuilder.ToString());
             authorizationParts.Add("oauth_signature", signature);
@@ -264,7 +264,7 @@ private async Task<RequestToken> ObtainRequestTokenAsync(string consumerKey, str
             foreach (var authorizationPart in authorizationParts)
             {
                 authorizationHeaderBuilder.AppendFormat(
-                    "{0}=\"{1}\", ", authorizationPart.Key, Uri.EscapeDataString(authorizationPart.Value));
+                    "{0}=\"{1}\", ", authorizationPart.Key, UrlEncoder.UrlEncode(authorizationPart.Value));
             }
             authorizationHeaderBuilder.Length = authorizationHeaderBuilder.Length - 2;
 
@@ -306,17 +306,17 @@ private async Task<AccessToken> ObtainAccessTokenAsync(string consumerKey, strin
             var parameterBuilder = new StringBuilder();
             foreach (var authorizationKey in authorizationParts)
             {
-                parameterBuilder.AppendFormat("{0}={1}&", Uri.EscapeDataString(authorizationKey.Key), Uri.EscapeDataString(authorizationKey.Value));
+                parameterBuilder.AppendFormat("{0}={1}&", UrlEncoder.UrlEncode(authorizationKey.Key), UrlEncoder.UrlEncode(authorizationKey.Value));
             }
             parameterBuilder.Length--;
             var parameterString = parameterBuilder.ToString();
 
             var canonicalizedRequestBuilder = new StringBuilder();
             canonicalizedRequestBuilder.Append(HttpMethod.Post.Method);
             canonicalizedRequestBuilder.Append("&");
-            canonicalizedRequestBuilder.Append(Uri.EscapeDataString(AccessTokenEndpoint));
+            canonicalizedRequestBuilder.Append(UrlEncoder.UrlEncode(AccessTokenEndpoint));
             canonicalizedRequestBuilder.Append("&");
-            canonicalizedRequestBuilder.Append(Uri.EscapeDataString(parameterString));
+            canonicalizedRequestBuilder.Append(UrlEncoder.UrlEncode(parameterString));
 
             var signature = ComputeSignature(consumerSecret, token.TokenSecret, canonicalizedRequestBuilder.ToString());
             authorizationParts.Add("oauth_signature", signature);
@@ -327,7 +327,7 @@ private async Task<AccessToken> ObtainAccessTokenAsync(string consumerKey, strin
             foreach (var authorizationPart in authorizationParts)
             {
                 authorizationHeaderBuilder.AppendFormat(
-                    "{0}=\"{1}\", ", authorizationPart.Key, Uri.EscapeDataString(authorizationPart.Value));
+                    "{0}=\"{1}\", ", authorizationPart.Key, UrlEncoder.UrlEncode(authorizationPart.Value));
             }
             authorizationHeaderBuilder.Length = authorizationHeaderBuilder.Length - 2;
 
@@ -367,15 +367,15 @@ private static string GenerateTimeStamp()
             return Convert.ToInt64(secondsSinceUnixEpocStart.TotalSeconds).ToString(CultureInfo.InvariantCulture);
         }
 
-        private static string ComputeSignature(string consumerSecret, string tokenSecret, string signatureData)
+        private string ComputeSignature(string consumerSecret, string tokenSecret, string signatureData)
         {
             using (var algorithm = new HMACSHA1())
             {
                 algorithm.Key = Encoding.ASCII.GetBytes(
                     string.Format(CultureInfo.InvariantCulture,
                         "{0}&{1}",
-                        Uri.EscapeDataString(consumerSecret),
-                        string.IsNullOrEmpty(tokenSecret) ? string.Empty : Uri.EscapeDataString(tokenSecret)));
+                        UrlEncoder.UrlEncode(consumerSecret),
+                        string.IsNullOrEmpty(tokenSecret) ? string.Empty : UrlEncoder.UrlEncode(tokenSecret)));
                 var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(signatureData));
                 return Convert.ToBase64String(hash);
             }

src/Microsoft.AspNet.Authentication.Twitter/TwitterAuthenticationMiddleware.cs

@@ -13,6 +13,7 @@
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
 using Microsoft.Framework.OptionsModel;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication.Twitter
 {
@@ -36,10 +37,11 @@ public TwitterAuthenticationMiddleware(
             [NotNull] RequestDelegate next,
             [NotNull] IDataProtectionProvider dataProtectionProvider,
             [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IUrlEncoder encoder,
             [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
             [NotNull] IOptions<TwitterAuthenticationOptions> options,
             ConfigureOptions<TwitterAuthenticationOptions> configureOptions = null)
-            : base(next, options, loggerFactory, configureOptions)
+            : base(next, options, loggerFactory, encoder, configureOptions)
         {
             if (string.IsNullOrWhiteSpace(Options.ConsumerSecret))
             {

src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs

@@ -10,6 +10,7 @@
 using Microsoft.AspNet.Http.Authentication;
 using Microsoft.Framework.Internal;
 using Microsoft.Framework.Logging;
+using Microsoft.Framework.WebEncoders;
 
 namespace Microsoft.AspNet.Authentication
 {
@@ -50,6 +51,8 @@ protected HttpResponse Response
 
         protected ILogger Logger { get; private set; }
 
+        protected IUrlEncoder UrlEncoder { get; private set; }
+
         internal AuthenticationOptions BaseOptions
         {
             get { return _baseOptions; }
@@ -61,12 +64,13 @@ internal AuthenticationOptions BaseOptions
 
         public bool Faulted { get; set; }
 
-        protected async Task BaseInitializeAsync([NotNull] AuthenticationOptions options, [NotNull] HttpContext context, [NotNull] ILogger logger)
+        protected async Task BaseInitializeAsync([NotNull] AuthenticationOptions options, [NotNull] HttpContext context, [NotNull] ILogger logger, [NotNull] IUrlEncoder encoder)
         {
             _baseOptions = options;
             Context = context;
             RequestPathBase = Request.PathBase;
             Logger = logger;
+            UrlEncoder = encoder;
 
             RegisterAuthenticationHandler();