adal 1.0.0

data/lib/adal/noop_cache.rb

@@ -0,0 +1,38 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # A cache implementation that holds no values and ignores all method calls.
+  class NoopCache
+    # Swallows any number of parameters and returns nil.
+    def noop(*); end
+
+    alias_method :add, :noop
+    alias_method :add_many, :noop
+    alias_method :remove, :noop
+    alias_method :remove_many, :noop
+
+    def find(*)
+      []
+    end
+  end
+end

data/lib/adal/oauth_request.rb

@@ -0,0 +1,76 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+require_relative './request_parameters'
+require_relative './util'
+
+require 'net/http'
+require 'uri'
+
+module ADAL
+  # A request that can be made to an authentication or token server.
+  class OAuthRequest
+    include RequestParameters
+    include Util
+
+    DEFAULT_CONTENT_TYPE = 'application/x-www-form-urlencoded'
+    DEFAULT_ENCODING = 'utf8'
+    SSL_SCHEME = 'https'
+
+    def initialize(endpoint, params)
+      @endpoint_uri = URI.parse(endpoint.to_s)
+      @params = params
+    end
+
+    def params
+      default_parameters.merge(@params)
+    end
+
+    ##
+    # Requests and waits for a token from the endpoint.
+    # @return TokenResponse
+    def execute
+      request = Net::HTTP::Post.new(@endpoint_uri.path)
+      add_headers(request)
+      request.body = URI.encode_www_form(string_hash(params))
+      TokenResponse.parse(http(@endpoint_uri).request(request).body)
+    end
+
+    private
+
+    ##
+    # Adds the necessary OAuth headers.
+    #
+    # @param Net::HTTPGenericRequest
+    def add_headers(request)
+      return if Logging.correlation_id.nil?
+      request.add_field(CLIENT_REQUEST_ID.to_s, Logging.correlation_id)
+      request.add_field(CLIENT_RETURN_CLIENT_REQUEST_ID.to_s, true)
+    end
+
+    def default_parameters
+      { encoding: DEFAULT_ENCODING,
+        AAD_API_VERSION => '1.0' }
+    end
+  end
+end

data/lib/adal/request_parameters.rb

@@ -0,0 +1,48 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Names of parameters in OAuth requests. This module can be included in any
+  # class to reference the parameters instead of referring to them as strings
+  # or symbols
+  module RequestParameters
+    AAD_API_VERSION = 'api-version'.to_sym
+    ASSERTION = 'assertion'.to_sym
+    CLIENT_ASSERTION = 'client_assertion'.to_sym
+    CLIENT_ASSERTION_TYPE = 'client_assertion_type'.to_sym
+    CLIENT_ID = 'client_id'.to_sym
+    CLIENT_REQUEST_ID = 'client-request-id'.to_sym
+    CLIENT_RETURN_CLIENT_REQUEST_ID = 'client-return-client-request-id'.to_sym
+    CLIENT_SECRET = 'client_secret'.to_sym
+    CODE = 'code'.to_sym
+    FORM_POST = 'form_post'.to_sym
+    GRANT_TYPE = 'grant_type'.to_sym
+    PASSWORD = 'password'.to_sym
+    REDIRECT_URI = 'redirect_uri'.to_sym
+    REFRESH_TOKEN = 'refresh_token'.to_sym
+    RESOURCE = 'resource'.to_sym
+    SCOPE = 'scope'.to_sym
+    UNIQUE_ID = 'unique_id'.to_sym
+    USER_INFO = 'user_info'.to_sym
+    USERNAME = 'username'.to_sym
+  end
+end

data/lib/adal/self_signed_jwt_factory.rb

@@ -0,0 +1,96 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './jwt_parameters'
+require_relative './logging'
+
+require 'jwt'
+require 'openssl'
+require 'securerandom'
+
+module ADAL
+  # Converts client certificates into self signed JWTs.
+  class SelfSignedJwtFactory
+    include JwtParameters
+    include Logging
+
+    ##
+    # Constructs a new SelfSignedJwtFactory.
+    #
+    # @param String client_id
+    #   The client id of the calling application.
+    # @param String token_endpoint
+    #   The token endpoint that will accept the certificate.
+    def initialize(client_id, token_endpoint)
+      @client_id = client_id
+      @token_endpoint = token_endpoint
+    end
+
+    ##
+    # Creates a JWT from a client certificate and signs it with a private key.
+    #
+    # @param OpenSSL::X509::Certificate certificate
+    #   The certifcate object to be converted to a JWT and signed for use
+    #   in an authentication flow.
+    # @param OpenSSL::PKey::RSA private_key
+    #   The private key used to sign the certificate.
+    # @return String
+    def create_and_sign_jwt(certificate, private_key)
+      JWT.encode(payload, private_key, RS256, header(certificate))
+    end
+
+    private
+
+    # The JWT header for a certificate to be encoded.
+    def header(certificate)
+      x5t = thumbprint(certificate)
+      logger.verbose("Creating self signed JWT header with thumbprint: #{x5t}.")
+      { TYPE => TYPE_JWT,
+        ALGORITHM => RS256,
+        THUMBPRINT => x5t }
+    end
+
+    # The JWT payload.
+    def payload
+      now = Time.now - 1
+      expires = now + 60 * SELF_SIGNED_JWT_LIFETIME
+      logger.verbose("Creating self signed JWT payload. Expires: #{expires}. " \
+                     "NotBefore: #{now}.")
+      { AUDIENCE => @token_endpoint,
+        ISSUER => @client_id,
+        SUBJECT => @client_id,
+        NOT_BEFORE => now.to_i,
+        EXPIRES_ON => expires.to_i,
+        JWT_ID => SecureRandom.uuid }
+    end
+
+    ##
+    # Base 64 encoded thumbprint AKA fingerprint AKA SHA1 hash of the
+    # DER representation of the cert.
+    #
+    # @param OpenSSL::X509::Certificate certificate
+    # @return String
+    def thumbprint(certificate)
+      OpenSSL::Digest::SHA1.new(certificate.to_der).base64digest
+    end
+  end
+end

data/lib/adal/templates/rst.13.xml.erb

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
+    <a:messageID>urn:uuid:<%= message_id %></a:messageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <a:To s:mustUnderstand="1"><%= @endpoint %></a:To>
+    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <u:Timestamp u:Id="_0">
+        <u:Created><%= created.utc.iso8601 %></u:Created>
+        <u:Expires><%= expires.utc.iso8601 %></u:Expires>
+      </u:Timestamp>
+      <o:UsernameToken u:Id="ADALUsernameToken">
+        <o:Username><%= username.encode(xml: :text) %></o:Username>
+        <o:Password><%= password.encode(xml: :text) %></o:Password>
+      </o:UsernameToken>
+    </o:Security>
+  </s:Header>
+  <s:Body>
+    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+        <a:EndpointReference>
+          <a:Address><%= @applies_to %></a:Address>
+        </a:EndpointReference>
+      </wsp:AppliesTo>
+      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
+      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
+    </trust:RequestSecurityToken>
+  </s:Body>
+</s:Envelope>
+
+
+

data/lib/adal/templates/rst.2005.xml.erb

@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
+    <a:messageID>urn:uuid:<%= message_id %></a:messageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <a:To s:mustUnderstand="1"><%= @endpoint %></a:To>
+    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <u:Timestamp u:Id="_0">
+        <u:Created><%= created.utc.iso8601 %></u:Created>
+        <u:Expires><%= expires.utc.iso8601 %></u:Expires>
+      </u:Timestamp>
+      <o:UsernameToken u:Id="ADALUsernameToken">
+        <o:Username><%= username.encode(xml: :text) %></o:Username>
+        <o:Password><%= password.encode(xml: :text) %></o:Password>
+      </o:UsernameToken>
+    </o:Security>
+  </s:Header>
+  <s:Body>
+    <trust:RequestSecurityToken xmlns:trust="http://schemas.xmlsoap.org/ws/2005/02/trust">
+      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+        <a:EndpointReference>
+          <a:Address><%= @applies_to %></a:Address>
+        </a:EndpointReference>
+      </wsp:AppliesTo>
+      <trust:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</trust:KeyType>
+      <trust:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</trust:RequestType>
+    </trust:RequestSecurityToken>
+  </s:Body>
+</s:Envelope>

data/lib/adal/token_request.rb

@@ -0,0 +1,231 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './cache_driver'
+require_relative './logging'
+require_relative './noop_cache'
+require_relative './oauth_request'
+require_relative './request_parameters'
+
+require 'openssl'
+
+module ADAL
+  # A request for a token that may be fulfilled by a cache or an OAuthRequest
+  # to a token endpoint.
+  class TokenRequest
+    include Logging
+    include RequestParameters
+
+    # An error that signifies an attempt to perform OAuth with a UserIdentifier.
+    # UserIdentifiers can only be used to retrieve access tokens from the cache,
+    # so if no matching cache token is found, this error is thrown.
+    class UserCredentialError < StandardError; end
+
+    # All accepted grant types. This module can be mixed-in to other classes
+    # that require them.
+    module GrantType
+      AUTHORIZATION_CODE = 'authorization_code'
+      CLIENT_CREDENTIALS = 'client_credentials'
+      JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+      PASSWORD = 'password'
+      REFRESH_TOKEN = 'refresh_token'
+      SAML1 = 'urn:ietf:params:oauth:grant-type:saml1_1-bearer'
+      SAML2 = 'urn:ietf:params:oauth:grant-type:saml2-bearer'
+    end
+
+    ##
+    # Constructs a TokenRequest.
+    #
+    # @param [Authority] authority
+    #   The Authority providing authorization and token endpoints.
+    # @param ClientCredential|ClientAssertion|ClientAssertionCertificate
+    #   Used to identify the client. Provides a request_parameters method
+    #   that yields the relevant client credential parameters.
+    # @option [TokenCache] token_cache
+    #   The cache implementation to store tokens. A NoopCache that stores no
+    #   tokens will be used by default.
+    def initialize(authority, client, token_cache = NoopCache.new)
+      @authority = authority
+      @cache_driver = CacheDriver.new(authority, client, token_cache)
+      @client = client
+      @token_cache = token_cache
+    end
+
+    public
+
+    ##
+    # Gets a token based solely on the clients credentials that were used to
+    # initialize the token request.
+    #
+    # @param String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_for_client(resource)
+      logger.verbose("TokenRequest getting token for client for #{resource}.")
+      request(GRANT_TYPE => GrantType::CLIENT_CREDENTIALS,
+              RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on a previously acquired authentication code.
+    #
+    # @param String auth_code
+    #   An authentication code that was previously acquired from an
+    #   authentication endpoint.
+    # @param String redirect_uri
+    #   The redirect uri that was passed to the authentication endpoint when the
+    #   auth code was acquired.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_authorization_code(auth_code, redirect_uri, resource = nil)
+      logger.verbose('TokenRequest getting token with authorization code ' \
+                     "#{auth_code}, redirect_uri #{redirect_uri} and " \
+                     "resource #{resource}.")
+      request(CODE => auth_code,
+              GRANT_TYPE => GrantType::AUTHORIZATION_CODE,
+              REDIRECT_URI => URI.parse(redirect_uri.to_s),
+              RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on a previously acquired refresh token.
+    #
+    # @param String refresh_token
+    #   The refresh token that was previously acquired from a token response.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_refresh_token(refresh_token, resource = nil)
+      logger.verbose('TokenRequest getting token with refresh token digest ' \
+                     "#{Digest::SHA256.hexdigest refresh_token} and resource " \
+                     "#{resource}.")
+      request_no_cache(GRANT_TYPE => GrantType::REFRESH_TOKEN,
+                       REFRESH_TOKEN => refresh_token,
+                       RESOURCE => resource)
+    end
+
+    ##
+    # Gets a token based on possessing the users credentials.
+    #
+    # @param UserCredential|UserIdentifier user_cred
+    #   Something that can be used to verify the user. Typically a username
+    #   and password. If it is a UserIdentifier, only the cache will be checked.
+    #   If a matching token is not there, it will fail.
+    # @optional String resource
+    #   The resource for which the requested access token will provide access.
+    # @return TokenResponse
+    def get_with_user_credential(user_cred, resource = nil)
+      logger.verbose('TokenRequest getting token with user credential ' \
+                     "#{user_cred} and resource #{resource}.")
+      oauth = if user_cred.is_a? UserIdentifier
+                lambda do
+                  fail UserCredentialError,
+                       'UserIdentifier can only be used once there is a ' \
+                       'matching token in the cache.'
+                end
+              end || -> {}
+      request(user_cred.request_params.merge(RESOURCE => resource), &oauth)
+    end
+
+    private
+
+    ##
+    # The OAuth parameters that are specific to the client for which tokens will
+    # be requested.
+    #
+    # @return Hash
+    def client_params
+      @client.request_params
+    end
+
+    ##
+    # Attempts to fulfill a token request, first via the token cache and then
+    # through OAuth.
+    #
+    # @param Hash params
+    #   Any additional request parameters that should be used.
+    # @return TokenResponse
+    def request(params, &block)
+      cached_token = check_cache(request_params(params))
+      return cached_token if cached_token
+      cache_response(request_no_cache(request_params(params), &block))
+    end
+
+    ##
+    # Executes an OAuth request based on the params and returns it.
+    #
+    # @param Hash params
+    #   Any additional request parameters that should be used.
+    # @return TokenResponse
+    def request_no_cache(params)
+      yield if block_given?
+      oauth_request(request_params(params)).execute
+    end
+
+    ##
+    # Adds client params to additional params. If there is a conflict, the value
+    # from additional_params is used. It can be called multiple times, because
+    # request_params(request_params(x)) == request_params(x).
+    #
+    # @param Hash
+    # @return Hash
+    def request_params(additional_params)
+      client_params.merge(additional_params).select { |_, v| !v.nil? }
+    end
+
+    ##
+    # Helper method to chain OAuthRequest and cache operation.
+    #
+    # @param TokenResponse
+    #   The token response to cache.
+    # @return TokenResponse
+    def cache_response(token_response)
+      @cache_driver.add(token_response)
+      token_response
+    end
+
+    ##
+    # Attempts to fulfill the request from @token_cache.
+    #
+    # @return TokenResponse
+    #   If the cache contains a valid response it wil be returned as a
+    #   SuccessResponse. Otherwise returns nil.
+    def check_cache(params)
+      logger.verbose("TokenRequest checking cache #{@token_cache} for token.")
+      result = @cache_driver.find(params)
+      logger.info("#{result ? 'Found' : 'Did not find'} token in cache.")
+      result
+    end
+
+    ##
+    # Constructs an OAuthRequest from the TokenRequest instance.
+    #
+    # @param Hash params
+    #   The OAuth parameters specific to the TokenRequest instance.
+    # @return OAuthRequest
+    def oauth_request(params)
+      logger.verbose('Resorting to OAuth to fulfill token request.')
+      OAuthRequest.new(@authority.token_endpoint, params)
+    end
+  end
+end