public void CreateAndValidateTokens_DuplicateClaims()
{
SecurityToken validatedToken;
string encodedJwt = IdentityUtilities.CreateJwtToken(
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials,
Subject = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)),
TokenIssuerName = IdentityUtilities.DefaultIssuer,
});
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken);
Assert.IsTrue(IdentityComparer.AreEqual <IEnumerable <Claim> >(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext {
IgnoreProperties = true, IgnoreSubject = true
}));
JwtSecurityTokenHandler.InboundClaimFilter.Clear();
}
public void CreateAndValidateTokens_RoundTripTokens()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
CreateAndValidateParams createAndValidateParams;
string issuer = "issuer";
string originalIssuer = "originalIssuer";
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.DuplicateTypes",
Claims = ClaimSets.DuplicateTypes(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.DuplicateTypes(issuer, originalIssuer), null),
ExceptionType = null,
TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
};
RunRoundTrip(createAndValidateParams, handler);
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.Simple_simpleSigned_Asymmetric",
Claims = ClaimSets.Simple(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2),
ExceptionType = null,
SigningCredentials = KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2,
SigningToken = KeyingMaterial.DefaultX509Token_2048,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048),
ValidIssuer = issuer,
}
};
RunRoundTrip(createAndValidateParams, handler);
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.Simple_simpleSigned_Symmetric",
Claims = ClaimSets.Simple(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2),
ExceptionType = null,
SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2,
SigningToken = KeyingMaterial.DefaultSymmetricSecurityToken_256,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256,
ValidIssuer = issuer,
}
};
RunRoundTrip(createAndValidateParams, handler);
}
public void ValidateToken()
{
// parameter validation
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
tokenHandler.MaximumTokenSizeInBytes = 1;
TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209"));
tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
string samlToken = IdentityUtilities.CreateSaml2Token();
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
// EncryptedAssertion
SecurityTokenDescriptor tokenDescriptor =
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048),
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
Subject = IdentityUtilities.DefaultClaimsIdentity,
TokenIssuerName = IdentityUtilities.DefaultIssuer,
};
samlToken = IdentityUtilities.CreateSaml2Token(tokenDescriptor);
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022"));
TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters;
validationParameters.TokenDecryptionKeys = new List <SecurityKey> {
KeyingMaterial.DefaultX509Key_2048
}.AsReadOnly();
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
validationParameters.LifetimeValidator =
(nb, exp, st, tvp) =>
{
return(false);
};
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));
validationParameters.ValidateLifetime = false;
validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}
public void CrossToken_ValidateToken()
{
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
Saml2TokenHandler saml2Handler = new Saml2TokenHandler();
SamlTokenHandler samlHandler = new SamlTokenHandler();
JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");
string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler);
// saml tokens created using Microsoft.IdentityModel.Extensions
string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler);
string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler);
// saml tokens created using System.IdentityModel.Tokens
string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler);
string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler);
ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
// false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types)
// true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities.
// true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type.
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext {
IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true
}));
JwtSecurityTokenHandler.InboundClaimFilter.Clear();
}
private void RunAudienceVariation(List <Claim> audienceClaims, List <string> expectedAudiences, CompareContext context)
{
var handler = new JwtSecurityTokenHandler();
var tokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(audienceClaims);
tokenDescriptor.Audience = null;
var jwt = handler.CreateEncodedJwt(tokenDescriptor);
SecurityToken token = null;
var claimsPrincipal = handler.ValidateToken(jwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, out token);
var jwtToken = token as JwtSecurityToken;
var audiences = jwtToken.Audiences;
IdentityComparer.AreEqual(audiences, expectedAudiences as IEnumerable <string>, context);
ClaimsIdentity identity = claimsPrincipal.Identity as ClaimsIdentity;
IdentityComparer.AreEqual(identity.FindAll(JwtRegisteredClaimNames.Aud), audienceClaims, context);
}
private void CanReadToken()
{
// CanReadToken
Saml2SecurityTokenHandler samlSecurityTokenHandler = new Saml2SecurityTokenHandler();
Assert.False(CanReadToken(securityToken: null, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
string samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes + 1);
Assert.False(CanReadToken(samlString, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected));
samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes);
CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected);
samlString = IdentityUtilities.CreateSamlToken();
Assert.False(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
samlString = IdentityUtilities.CreateSaml2Token();
Assert.True(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
}
public void InboundFilterTest()
{
var handler = new JwtSecurityTokenHandler();
handler.OutboundClaimTypeMap.Clear();
var claims = ClaimSets.DefaultClaims;
string encodedJwt = handler.CreateEncodedJwt(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(claims));
handler.InboundClaimTypeMap.Clear();
handler.InboundClaimFilter.Add("aud");
handler.InboundClaimFilter.Add("exp");
handler.InboundClaimFilter.Add("iat");
handler.InboundClaimFilter.Add("iss");
handler.InboundClaimFilter.Add("nbf");
SecurityToken validatedToken;
ClaimsPrincipal claimsPrincipal = handler.ValidateToken(encodedJwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, out validatedToken);
var context = new CompareContext();
IdentityComparer.AreEqual(claimsPrincipal.Claims, claims, context);
TestUtilities.AssertFailIfErrors(context.Diffs);
}
public static TheoryData <CreateAndValidateParams> CreationParams()
{
var createParams = new TheoryData <CreateAndValidateParams>();
var expires = DateTime.UtcNow + TimeSpan.FromDays(1);
var handler = new JwtSecurityTokenHandler();
var nbf = DateTime.UtcNow;
var signingCredentials = new SigningCredentials(KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256, SecurityAlgorithms.RsaSha256Signature);
var verifyingKey = KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256_Public;
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.NoClaims",
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(null),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
});
createParams.Add(new CreateAndValidateParams
{
Case = "EmptyToken",
SecurityTokenDescriptor = new SecurityTokenDescriptor(),
TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.DuplicateTypes",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DuplicateTypes()),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.Simple_Asymmetric",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.Simple_Symmetric",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.RoleClaims",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.GetDefaultRoleClaims(handler)),
TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
});
return(createParams);
}
private void ValidateAudience()
{
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
ExpectedException expectedException;
string samlString = IdentityUtilities.CreateSaml2Token();
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningKey = IdentityUtilities.DefaultAsymmetricSigningKey,
RequireExpirationTime = false,
RequireSignedTokens = false,
ValidIssuer = IdentityUtilities.DefaultIssuer,
};
// Do not validate audience
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// no valid audiences
validationParameters.ValidateAudience = true;
expectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
validationParameters.ValidAudience = "John";
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// UriKind.Absolute, no match.
validationParameters.ValidateAudience = true;
validationParameters.ValidAudience = IdentityUtilities.NotDefaultAudience;
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.NoExceptionExpected;
validationParameters.ValidAudience = IdentityUtilities.DefaultAudience;
validationParameters.ValidAudiences = null;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// !UriKind.Absolute
List <string> audiences = new List <string> {
"John", "Paul", "George", "Ringo"
};
validationParameters.ValidAudience = null;
validationParameters.ValidAudiences = audiences;
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// UriKind.Absolute, no match
audiences = new List <string> {
"http://www.John.com", "http://www.Paul.com", "http://www.George.com", "http://www.Ringo.com", " "
};
validationParameters.ValidAudience = null;
validationParameters.ValidAudiences = audiences;
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
expectedException = ExpectedException.NoExceptionExpected;
audiences.Add(IdentityUtilities.DefaultAudience);
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.AudienceValidator =
(aud, token, tvp) =>
{
return(false);
};
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10231:");
audiences.Add(IdentityUtilities.DefaultAudience);
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = false;
validationParameters.AudienceValidator = IdentityUtilities.AudienceValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}