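public void CreateAndValidateTokens_DuplicateClaims()
        {
            // Round-trips a symmetrically signed JWT whose subject carries several claims of
            // the same type and checks that every duplicate survives validation (the handler
            // must not collapse claims by type).
            SecurityToken validatedToken;
            string        encodedJwt = IdentityUtilities.CreateJwtToken(
                new SecurityTokenDescriptor
            {
                AppliesToAddress   = IdentityUtilities.DefaultAudience,
                SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials,
                Subject            = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)),
                TokenIssuerName    = IdentityUtilities.DefaultIssuer,
            });

            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

            // InboundClaimFilter is static on JwtSecurityTokenHandler, i.e. process-wide state.
            // It is populated and cleared inside try/finally so that a failing assertion (or a
            // throwing ValidateToken) cannot leave the filter in place for other tests in the
            // same process.  The filtered names are presumably the registered claims the
            // handler adds itself, so that only the subject's claims take part in the comparison.
            try
            {
                JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");

                ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken);

                // Properties and Subject are ignored: the back-pointer to the ClaimsIdentity and
                // any short/long claim-type mapping properties differ between the two sides.
                Assert.IsTrue(IdentityComparer.AreEqual <IEnumerable <Claim> >(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext {
                    IgnoreProperties = true, IgnoreSubject = true
                }));
            }
            finally
            {
                JwtSecurityTokenHandler.InboundClaimFilter.Clear();
            }
        }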
        public void CreateAndValidateTokens_RoundTripTokens()
        {
            // Three create -> validate round trips through a single JwtSecurityTokenHandler:
            // an unsigned token with duplicate claim types, a token signed with the X509
            // (presumably RSA-SHA2) credentials and one signed with the 256-bit symmetric
            // credentials.  RunRoundTrip (defined elsewhere in the class) does the comparison
            // against CompareTo and owns the assertions.
            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
            string issuerName         = "issuer";
            string originalIssuerName = "originalIssuer";

            Action<CreateAndValidateParams> roundTrip = testCase => RunRoundTrip(testCase, handler);

            // Unsigned token: RequireSignedTokens is off and every validator is disabled so the
            // claim round trip is exercised in isolation.  Test-only settings.
            roundTrip(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.DuplicateTypes",
                Claims                    = ClaimSets.DuplicateTypes(issuerName, originalIssuerName),
                CompareTo                 = IdentityUtilities.CreateJwtSecurityToken(issuerName, originalIssuerName, ClaimSets.DuplicateTypes(issuerName, originalIssuerName), null),
                ExceptionType             = null,
                TokenValidationParameters = new TokenValidationParameters
                {
                    RequireSignedTokens = false,
                    ValidateAudience    = false,
                    ValidateLifetime    = false,
                    ValidateIssuer      = false,
                }
            });

            // Asymmetric signature: verified with the certificate's public key, issuer checked.
            roundTrip(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.Simple_simpleSigned_Asymmetric",
                Claims                    = ClaimSets.Simple(issuerName, originalIssuerName),
                CompareTo                 = IdentityUtilities.CreateJwtSecurityToken(issuerName, originalIssuerName, ClaimSets.Simple(issuerName, originalIssuerName), KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2),
                ExceptionType             = null,
                SigningCredentials        = KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2,
                SigningToken              = KeyingMaterial.DefaultX509Token_2048,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = false,
                    IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048),
                    ValidIssuer      = issuerName,
                }
            });

            // Symmetric signature: the same shared key signs and verifies.
            roundTrip(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.Simple_simpleSigned_Symmetric",
                Claims                    = ClaimSets.Simple(issuerName, originalIssuerName),
                CompareTo                 = IdentityUtilities.CreateJwtSecurityToken(issuerName, originalIssuerName, ClaimSets.Simple(issuerName, originalIssuerName), KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2),
                ExceptionType             = null,
                SigningCredentials        = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2,
                SigningToken              = KeyingMaterial.DefaultSymmetricSecurityToken_256,
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = false,
                    IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256,
                    ValidIssuer      = issuerName,
                }
            });
        }
        public void ValidateToken()
        {
            // Saml2SecurityTokenHandler.ValidateToken end to end: argument checks, the size
            // limit, a plain signed assertion, an encrypted assertion with and without a
            // decryption key, the replay helper, and the LifetimeValidator hook.
            Saml2SecurityTokenHandler handler = new Saml2SecurityTokenHandler();

            // Null token / null parameters are rejected before anything is parsed.
            TestUtilities.ValidateToken(null, new TokenValidationParameters(), handler, ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
            TestUtilities.ValidateToken("s", null, handler, ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));

            // Input above MaximumTokenSizeInBytes is refused up front (IDX10209); restore the
            // default afterwards so the real token below is not rejected for size.
            handler.MaximumTokenSizeInBytes = 1;
            TestUtilities.ValidateToken("ss", new TokenValidationParameters(), handler, ExpectedException.ArgumentException(substringExpected: "IDX10209"));
            handler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;

            string token = IdentityUtilities.CreateSaml2Token();
            TestUtilities.ValidateToken(token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handler, ExpectedException.NoExceptionExpected);

            // Encrypted assertion: without a decryption key validation must fail (ID4022) ...
            SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor
            {
                AppliesToAddress      = IdentityUtilities.DefaultAudience,
                EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048),
                Lifetime              = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
                SigningCredentials    = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
                Subject               = IdentityUtilities.DefaultClaimsIdentity,
                TokenIssuerName       = IdentityUtilities.DefaultIssuer,
            };
            token = IdentityUtilities.CreateSaml2Token(descriptor);
            TestUtilities.ValidateToken(token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022"));

            // ... and succeeds once the matching private key is supplied.
            // NOTE(review): if DefaultAsymmetricTokenValidationParameters hands out a shared
            // instance, the TokenDecryptionKeys / LifetimeValidator / ValidateLifetime changes
            // below leak into every later test that uses it - confirm it returns a fresh object.
            TokenValidationParameters parameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters;
            parameters.TokenDecryptionKeys = new List <SecurityKey> {
                KeyingMaterial.DefaultX509Key_2048
            }.AsReadOnly();
            TestUtilities.ValidateToken(token, parameters, handler, ExpectedException.NoExceptionExpected);

            // Replay helper (semantics defined in TestUtilities), then the token still validates.
            TestUtilities.ValidateTokenReplay(token, handler, parameters);
            TestUtilities.ValidateToken(token, parameters, handler, ExpectedException.NoExceptionExpected);

            // A LifetimeValidator that rejects everything surfaces as IDX10230 ...
            parameters.LifetimeValidator = (nb, exp, st, tvp) => false;
            TestUtilities.ValidateToken(token, parameters, handler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));

            // ... and is not consulted at all once ValidateLifetime is off: a throwing
            // validator must not be reached.
            parameters.ValidateLifetime  = false;
            parameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
            TestUtilities.ValidateToken(token, parameters, handler, ExpectedException.NoExceptionExpected);
        }
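        public void CrossToken_ValidateToken()
        {
            // Cross-library check: a JWT and SAML / SAML2 tokens built from the same descriptor
            // must validate to principals carrying the same claims.  The im* and sm* SAML
            // handlers are not declared in this method; they presumably are fields of the
            // enclosing test class.  (The previously unused local Saml2TokenHandler and
            // SamlTokenHandler instances have been dropped.)
            JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();

            // InboundClaimFilter is static on JwtSecurityTokenHandler, i.e. process-wide state.
            // It is cleared in 'finally' so a failing assertion cannot leave the filter in place
            // for other tests in the same process.
            try
            {
                JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
                JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");

                string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler);

                // saml tokens created using Microsoft.IdentityModel.Extensions
                string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler);
                string imSamlToken  = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler);

                // saml tokens created using System.IdentityModel.Tokens
                string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler);
                string smSamlToken  = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler);

                // NOTE(review): the sm* tokens are validated with the im* handlers.  This reads as
                // intentional for a cross-library test, but confirm smSaml2Handler / smSamlHandler
                // were not meant here.
                ClaimsPrincipal jwtPrincipal     = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected);
                ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
                ClaimsPrincipal imSamlPrincipal  = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);
                ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
                ClaimsPrincipal smSamlPrincipal  = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);

                // The im SAML2 principal is the reference every other principal is compared to.
                Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext {
                    IgnoreSubject = true
                }));
                Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext {
                    IgnoreSubject = true
                }));
                Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext {
                    IgnoreSubject = true
                }));

                // false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types)
                // true = ignore subject, claims have a backpointer to their ClaimsIdentity.  Most of the time this will be different as we are comparing two different ClaimsIdentities.
                // true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type.
                Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext {
                    IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true
                }));
            }
            finally
            {
                JwtSecurityTokenHandler.InboundClaimFilter.Clear();
            }
        }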
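        private void RunAudienceVariation(List <Claim> audienceClaims, List <string> expectedAudiences, CompareContext context)
        {
            // Creates a JWT whose audience comes solely from the supplied 'aud' claims (the
            // descriptor-level Audience is cleared), validates it, and records into 'context'
            // how the token's Audiences and the principal's 'aud' claims compare with what the
            // caller expects.  Nothing is asserted here; presumably the caller inspects
            // context.Diffs (the pattern used with TestUtilities.AssertFailIfErrors elsewhere).
            var handler         = new JwtSecurityTokenHandler();
            var tokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(audienceClaims);

            tokenDescriptor.Audience = null;
            var jwt = handler.CreateEncodedJwt(tokenDescriptor);

            SecurityToken token           = null;
            var           claimsPrincipal = handler.ValidateToken(jwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, out token);

            // Direct casts instead of 'as': if the handler ever returns another token or
            // identity type the failure is an InvalidCastException naming that type, rather
            // than a NullReferenceException on the member access that follows.
            var jwtToken  = (JwtSecurityToken)token;
            var audiences = jwtToken.Audiences;

            IdentityComparer.AreEqual(audiences, expectedAudiences as IEnumerable <string>, context);

            ClaimsIdentity identity = (ClaimsIdentity)claimsPrincipal.Identity;

            IdentityComparer.AreEqual(identity.FindAll(JwtRegisteredClaimNames.Aud), audienceClaims, context);
        }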
        private void CanReadToken()
        {
            // Saml2SecurityTokenHandler.CanReadToken: null and oversized input are not readable
            // (and raise no exception), a SAML 1.1 token is not readable by the SAML2 handler,
            // a SAML2 token is.  The three-argument CanReadToken used below is a sibling helper
            // defined elsewhere in the class.
            Saml2SecurityTokenHandler handler = new Saml2SecurityTokenHandler();

            Assert.False(CanReadToken(securityToken: null, samlSecurityTokenHandler: handler, expectedException: ExpectedException.NoExceptionExpected));

            // One byte over the size limit: not readable, still no exception.
            string token = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes + 1);
            Assert.False(CanReadToken(token, handler, ExpectedException.NoExceptionExpected));

            // Exactly at the limit: only "no exception escapes" is checked, the result is not asserted.
            token = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes);
            CanReadToken(token, handler, ExpectedException.NoExceptionExpected);

            // SAML 1.1 token: wrong format for this handler.
            token = IdentityUtilities.CreateSamlToken();
            Assert.False(CanReadToken(token, handler, ExpectedException.NoExceptionExpected));

            // SAML2 token: readable.
            token = IdentityUtilities.CreateSaml2Token();
            Assert.True(CanReadToken(token, handler, ExpectedException.NoExceptionExpected));
        }
        public void InboundFilterTest()
        {
            // Instance-level claim mapping and filtering on JwtSecurityTokenHandler: with both
            // claim-type maps cleared and aud/exp/iat/iss/nbf filtered out on the way in, the
            // principal must carry exactly the claims that went into the token.
            JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();

            // Outbound map cleared so claim types are written to the token unmapped.
            handler.OutboundClaimTypeMap.Clear();
            var claims = ClaimSets.DefaultClaims;

            string encodedJwt = handler.CreateEncodedJwt(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(claims));

            // Inbound map cleared (no short-to-long mapping) and the filtered names - presumably
            // the registered claims the handler adds itself - dropped, so only the original
            // claims come back out.
            handler.InboundClaimTypeMap.Clear();
            foreach (string claimType in new[] { "aud", "exp", "iat", "iss", "nbf" })
            {
                handler.InboundClaimFilter.Add(claimType);
            }

            SecurityToken   validated;
            ClaimsPrincipal principal = handler.ValidateToken(encodedJwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, out validated);

            // Differences are collected in the context and reported as a single failure.
            CompareContext context = new CompareContext();
            IdentityComparer.AreEqual(principal.Claims, claims, context);
            TestUtilities.AssertFailIfErrors(context.Diffs);
        }
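        public static TheoryData <CreateAndValidateParams> CreationParams()
        {
            // Theory data for the create-then-validate round trip: each entry pairs a
            // SecurityTokenDescriptor with the TokenValidationParameters that should accept the
            // token it produces.  ExceptionType is null / unset throughout, i.e. every case is
            // expected to validate.  The unused expires / nbf / signingCredentials / verifyingKey
            // locals have been removed; the handler is needed only by GetDefaultRoleClaims.
            var createParams = new TheoryData <CreateAndValidateParams>();
            var handler      = new JwtSecurityTokenHandler();

            // No claims at all, asymmetric signature.
            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.NoClaims",
                SecurityTokenDescriptor   = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(null),
                TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
            });

            // Bare descriptor: the only case that accepts an unsigned token, with every validator
            // switched off.  Test-only configuration that isolates token creation itself.
            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "EmptyToken",
                SecurityTokenDescriptor   = new SecurityTokenDescriptor(),
                TokenValidationParameters = new TokenValidationParameters
                {
                    RequireSignedTokens = false,
                    ValidateAudience    = false,
                    ValidateLifetime    = false,
                    ValidateIssuer      = false,
                }
            });

            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.DuplicateTypes",
                ExceptionType             = null,
                SecurityTokenDescriptor   = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DuplicateTypes()),
                TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
            });

            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.Simple_Asymmetric",
                ExceptionType             = null,
                SecurityTokenDescriptor   = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
                TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters
            });

            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.Simple_Symmetric",
                ExceptionType             = null,
                SecurityTokenDescriptor   = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
                TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
            });

            // Role claims are built against the handler, presumably so they follow its claim-type mapping.
            createParams.Add(new CreateAndValidateParams
            {
                Case                      = "ClaimSets.RoleClaims",
                ExceptionType             = null,
                SecurityTokenDescriptor   = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.GetDefaultRoleClaims(handler)),
                TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
            });

            return(createParams);
        }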
        private void ValidateAudience()
        {
            // Audience validation on Saml2SecurityTokenHandler: switched off, switched on with
            // nothing to match, a single ValidAudience (matching and not), a ValidAudiences list
            // (matching and not), and the AudienceValidator hook.  Every step pushes the same
            // token through TestUtilities.ValidateToken with a different expectation.
            Saml2SecurityTokenHandler handler = new Saml2SecurityTokenHandler();
            string token = IdentityUtilities.CreateSaml2Token();

            TokenValidationParameters parameters =
                new TokenValidationParameters
            {
                IssuerSigningKey      = IdentityUtilities.DefaultAsymmetricSigningKey,
                RequireExpirationTime = false,
                RequireSignedTokens   = false,
                ValidIssuer           = IdentityUtilities.DefaultIssuer,
            };

            Action<ExpectedException> validate =
                expected => TestUtilities.ValidateToken(token, parameters, handler, expected);

            // Audience validation off: passes.
            parameters.ValidateAudience = false;
            validate(ExpectedException.NoExceptionExpected);

            // On, with neither ValidAudience nor ValidAudiences configured (IDX10208).
            parameters.ValidateAudience = true;
            validate(ExpectedException.SecurityTokenInvalidAudienceException("IDX10208"));

            // Single non-URI audience that does not match (IDX10214).
            parameters.ValidateAudience = true;
            parameters.ValidAudience    = "John";
            validate(new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"));

            // UriKind.Absolute, no match.
            parameters.ValidateAudience = true;
            parameters.ValidAudience    = IdentityUtilities.NotDefaultAudience;
            validate(new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"));

            // Exact match on ValidAudience.
            parameters.ValidAudience  = IdentityUtilities.DefaultAudience;
            parameters.ValidAudiences = null;
            validate(ExpectedException.NoExceptionExpected);

            // !UriKind.Absolute list; validation is off, so it passes regardless.
            List <string> audiences = new List <string> {
                "John", "Paul", "George", "Ringo"
            };
            parameters.ValidAudience    = null;
            parameters.ValidAudiences   = audiences;
            parameters.ValidateAudience = false;
            validate(ExpectedException.NoExceptionExpected);

            // UriKind.Absolute list with no match (and a whitespace entry); validation still off.
            audiences = new List <string> {
                "http://www.John.com", "http://www.Paul.com", "http://www.George.com", "http://www.Ringo.com", "    "
            };
            parameters.ValidAudience    = null;
            parameters.ValidAudiences   = audiences;
            parameters.ValidateAudience = false;
            validate(ExpectedException.NoExceptionExpected);

            // Same list with validation on: nothing matches (IDX10214) ...
            parameters.ValidateAudience = true;
            validate(new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214"));

            // ... until the real audience is appended to the live list.
            parameters.ValidateAudience = true;
            audiences.Add(IdentityUtilities.DefaultAudience);
            validate(ExpectedException.NoExceptionExpected);

            // An AudienceValidator that rejects everything overrides the list (IDX10231).  The
            // second Add of DefaultAudience changes nothing because the delegate ignores the list.
            parameters.AudienceValidator = (aud, t, tvp) => false;
            audiences.Add(IdentityUtilities.DefaultAudience);
            validate(new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10231:"));

            // With ValidateAudience off the delegate is never invoked: a throwing one passes.
            parameters.ValidateAudience  = false;
            parameters.AudienceValidator = IdentityUtilities.AudienceValidatorThrows;
            validate(ExpectedException.NoExceptionExpected);
        }