public async Task When_Using_PrivateKeyJwtAuthentication_Then_AccessToken_Is_Returned() { // ARRANGE InitializeFakeObjects(); _httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client); var payload = new JwsPayload { { StandardClaimNames.Issuer, "private_key_client" }, { Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject, "private_key_client" }, { StandardClaimNames.Audiences, new [] { "http://localhost:5000" } }, { StandardClaimNames.ExpirationTime, DateTime.UtcNow.AddHours(1).ConvertToUnixTimestamp() } }; var jws = _jwsGenerator.Generate(payload, JwsAlg.RS256, _server.SharedCtx.SignatureKey); // ACT var token = await _clientAuthSelector.UseClientPrivateKeyAuth(jws, "private_key_client") .UseClientCredentials("api1") .ResolveAsync(baseUrl + "/.well-known/openid-configuration"); // ASSERTS Assert.NotNull(token); Assert.False(token.ContainsError); Assert.NotEmpty(token.Content.AccessToken); }
public async Task <string> GenerateIdTokenAsync(Client client, JwsPayload jwsPayload) { if (client == null) { throw new ArgumentNullException(nameof(client)); } if (jwsPayload == null) { throw new ArgumentNullException(nameof(jwsPayload)); } var signedResponseAlg = client.GetIdTokenSignedResponseAlg(); var encryptResponseAlg = client.GetIdTokenEncryptedResponseAlg(); var encryptResponseEnc = client.GetIdTokenEncryptedResponseEnc(); if (signedResponseAlg == null) { signedResponseAlg = JwsAlg.RS256; } var idToken = await _jwtGenerator.SignAsync(jwsPayload, signedResponseAlg.Value); if (encryptResponseAlg == null) { return(idToken); } if (encryptResponseEnc == null) { encryptResponseEnc = JweEnc.A128CBC_HS256; } return(await _jwtGenerator.EncryptAsync(idToken, encryptResponseAlg.Value, encryptResponseEnc.Value)); }
public async Task When_Generating_AuthorizationResponse_With_AccessToken_And_ThereIs_No_Granted_Token_Then_Token_Is_Generated_And_Added_To_The_Parameters() { // ARRANGE InitializeFakeObjects(); const string idToken = "idToken"; const string clientId = "clientId"; const string scope = "openid"; var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity("fake")); var authorizationParameter = new AuthorizationParameter { ClientId = clientId, Scope = scope }; var grantedToken = new GrantedToken { AccessToken = Guid.NewGuid().ToString() }; var actionResult = new ActionResult { RedirectInstruction = new RedirectInstruction() }; var jwsPayload = new JwsPayload(); _parameterParserHelperFake.Setup(p => p.ParseResponseTypes(It.IsAny <string>())) .Returns(new List <ResponseType> { ResponseType.token }); _jwtGeneratorFake.Setup( j => j.GenerateIdTokenPayloadForScopesAsync(It.IsAny <ClaimsPrincipal>(), It.IsAny <AuthorizationParameter>())) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup( j => j.GenerateUserInfoPayloadForScopeAsync(It.IsAny <ClaimsPrincipal>(), It.IsAny <AuthorizationParameter>())) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup(j => j.EncryptAsync(It.IsAny <string>(), It.IsAny <JweAlg>(), It.IsAny <JweEnc>())) .Returns(Task.FromResult(idToken)); _parameterParserHelperFake.Setup(p => p.ParseScopes(It.IsAny <string>())) .Returns(() => new List <string> { scope }); _grantedTokenHelperStub.Setup(r => r.GetValidGrantedTokenAsync(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <JwsPayload>(), It.IsAny <JwsPayload>())) .Returns(Task.FromResult((GrantedToken)null)); _grantedTokenGeneratorHelperFake.Setup(r => r.GenerateTokenAsync(It.IsAny <Client>(), It.IsAny <string>(), It.IsAny <JwsPayload>(), It.IsAny <JwsPayload>())) .Returns(Task.FromResult(grantedToken)); // ACT await _generateAuthorizationResponse.ExecuteAsync(actionResult, authorizationParameter, claimsPrincipal, new Client()); // ASSERTS Assert.True(actionResult.RedirectInstruction.Parameters.Any(p => p.Name == Core.Constants.StandardAuthorizationResponseNames.AccessTokenName)); Assert.True(actionResult.RedirectInstruction.Parameters.Any(p => p.Value == grantedToken.AccessToken)); _grantedTokenRepositoryFake.Verify(g => g.AddToken(grantedToken)); _simpleIdentityServerEventSource.Verify(e => e.GrantAccessToClient(clientId, grantedToken.AccessToken, scope)); }
private async Task FillInResourceOwnerClaimsFromScopes(JwsPayload jwsPayload, AuthorizationParameter authorizationParameter, IList <Claim> cls) { // 1. Fill-in the subject claim var subject = cls.First(c => c.Type == Jwt.Constants.StandardResourceOwnerClaimNames.Subject).Value; jwsPayload.Add(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject); if (authorizationParameter == null || string.IsNullOrWhiteSpace(authorizationParameter.Scope)) { return; } // 2. Fill-in the other claims var scopes = _parameterParserHelper.ParseScopes(authorizationParameter.Scope); var claims = await GetClaimsFromRequestedScopes(scopes, cls); foreach (var claim in claims) { if (claim.Key == Jwt.Constants.StandardResourceOwnerClaimNames.Subject) { continue; } jwsPayload.Add(claim.Key, claim.Value); } }
public async Task When_Passing_Valid_Request_To_Unsign_Without_ClientId_Then_No_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); const string jws = "jws"; const string clientId = "client_id"; const string kid = "1"; var jsonWebKey = new JsonWebKey { Kid = kid, SerializedKey = "serialized_key" }; var payLoad = new JwsPayload(); var jwsProtectedHeader = new JwsProtectedHeader { Alg = Jwt.Constants.JwsAlgNames.PS256, Kid = kid }; _jwsParserMock.Setup(j => j.GetHeader(It.IsAny <string>())) .Returns(jwsProtectedHeader); _jsonWebKeyRepositoryMock.Setup(j => j.GetByKidAsync(It.IsAny <string>())) .Returns(Task.FromResult(jsonWebKey)); _jwsParserMock.Setup(j => j.ValidateSignature(It.IsAny <string>(), It.IsAny <JsonWebKey>())) .Returns(payLoad); // ACT var result = await _jwtParser.UnSignAsync(jws); // ASSERT Assert.NotNull(result); _jwsParserMock.Verify(j => j.ValidateSignature(jws, jsonWebKey)); }
public async Task <JwsPayload> UpdatePayloadDate(JwsPayload jwsPayload) { if (jwsPayload == null) { throw new ArgumentNullException(nameof(jwsPayload)); } var timeKeyValuePair = await GetExpirationAndIssuedTime(); var expirationInSeconds = timeKeyValuePair.Key; var issuedAtTime = timeKeyValuePair.Value; if (jwsPayload.ContainsKey(StandardClaimNames.Iat)) { jwsPayload[StandardClaimNames.Iat] = issuedAtTime; } else { jwsPayload.Add(StandardClaimNames.Iat, issuedAtTime); } if (jwsPayload.ContainsKey(StandardClaimNames.ExpirationTime)) { jwsPayload[StandardClaimNames.ExpirationTime] = expirationInSeconds; } else { jwsPayload.Add(StandardClaimNames.ExpirationTime, expirationInSeconds); } return(jwsPayload); }
public async Task When_Pass_IdTokenHint_And_The_Subject_Doesnt_Match_Then_Error_Is_Returned() { // GENERATE JWS InitializeFakeObjects(); _httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client); var payload = new JwsPayload { { "sub", "adm" } }; payload.Add("aud", new[] { "http://localhost:5000" }); var jws = _jwsGenerator.Generate(payload, JwsAlg.RS256, _server.SharedCtx.SignatureKey); // ACT var result = await _authorizationClient.ResolveAsync(baseUrl + "/.well-known/openid-configuration", new AuthorizationRequest(new[] { "openid", "api1" }, new[] { ResponseTypes.Code }, "authcode_client", "http://localhost:5000/callback", "state") { IdTokenHint = jws, Prompt = "none" }); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsError); Assert.Equal((string)"invalid_request", (string)result.Error.Error); Assert.Equal((string)"the current authenticated user doesn't match with the identity token", (string)result.Error.ErrorDescription); }
public void WhenBuildClaimToken(Table table) { var jwsPayload = new JwsPayload(); foreach (var record in table.Rows) { var key = record["Key"]; var value = record["Value"]; if (value.StartsWith('[') && value.EndsWith(']')) { value = value.TrimStart('[').TrimEnd(']'); var splitted = value.Split(','); jwsPayload.Add(key, JArray.FromObject(splitted)); } else { jwsPayload.Add(key, value); } } var jwtBuilder = (IJwtBuilder)_factory.Server.Host.Services.GetService(typeof(IJwtBuilder)); var jwk = JwksStore.GetInstance().GetJsonWebKey(); var jws = jwtBuilder.Sign(jwsPayload, jwk, jwk.Alg); _scenarioContext.Set(jws, "claim_token"); }
public void WhenBuildSoftwareStatement(Table table) { var jwsPayload = new JwsPayload(); foreach (var record in table.Rows) { var key = record["Key"]; var value = record["Value"]; if (value.StartsWith('[') && value.EndsWith(']')) { value = value.TrimStart('[').TrimEnd(']'); var splitted = value.Split(','); jwsPayload.Add(key, JArray.FromObject(splitted)); } else { jwsPayload.Add(key, value); } } var jwtBuilder = (IJwtBuilder)_factory.Server.Host.Services.GetService(typeof(IJwtBuilder)); var jws = jwtBuilder.Sign(jwsPayload, FakeJwks.GetInstance().Jwks.First()); _scenarioContext.Set(jws, "softwareStatement"); }
public async Task When_A_Jws_Token_With_Invalid_Signature_Is_Passed_To_AuthenticateClientWithPrivateKeyJwt_Then_Null_Is_Returned() { // ARRANGE InitializeFakeObjects(); var instruction = new AuthenticateInstruction { ClientAssertion = "invalid_header.invalid_payload" }; var jwsPayload = new JwsPayload(); _jwtParserFake.Setup(j => j.IsJwsToken(It.IsAny <string>())) .Returns(true); _jwsParserFake.Setup(j => j.GetPayload(It.IsAny <string>())) .Returns(jwsPayload); _jwtParserFake.Setup(j => j.UnSignAsync(It.IsAny <string>(), It.IsAny <string>())) .Returns(() => Task.FromResult((JwsPayload)null)); // ACT var result = await _clientAssertionAuthentication.AuthenticateClientWithPrivateKeyJwtAsync(instruction, null); // ASSERT Assert.Null(result.Client); Assert.True(result.ErrorMessage == ErrorDescriptions.TheSignatureIsNotCorrect); }
public async Task When_Pass_IdTokenHint_And_The_Subject_Matches_The_Authenticated_User_Then_Token_Is_Returned() { // GENERATE JWS InitializeFakeObjects(); _httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client); var payload = new JwsPayload { { "sub", "administrator" } }; payload.Add("aud", new[] { "http://localhost:5000" }); var jws = _jwsGenerator.Generate(payload, JwsAlg.RS256, _server.SharedCtx.SignatureKey); var jwe = _jweGenerator.GenerateJwe(jws, JweAlg.RSA1_5, JweEnc.A128CBC_HS256, _server.SharedCtx.EncryptionKey); // ACT var result = await _authorizationClient.ResolveAsync(baseUrl + "/.well-known/openid-configuration", new AuthorizationRequest(new[] { "openid", "api1" }, new[] { ResponseTypes.Code }, "authcode_client", "http://localhost:5000/callback", "state") { IdTokenHint = jwe, Prompt = "none" }); // ASSERT Assert.NotNull(result); Assert.False(result.ContainsError); }
public async Task When_Passing_Jws_With_None_Algorithm_To_Unsign_And_No_Uri_And_Jwks_Are_Defined_Then_Payload_Is_Returned() { // ARRANGE InitializeFakeObjects(); const string jws = "jws"; const string clientId = "client_id"; var payLoad = new JwsPayload(); var jwsProtectedHeader = new JwsProtectedHeader { Alg = Jwt.Constants.JwsAlgNames.NONE }; var client = new Models.Client { ClientId = clientId }; _jwsParserMock.Setup(j => j.GetHeader(It.IsAny <string>())) .Returns(jwsProtectedHeader); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(Task.FromResult(client)); _jwsParserMock.Setup(j => j.GetPayload(It.IsAny <string>())) .Returns(payLoad); // ACT var result = await _jwtParser.UnSignAsync(jws, clientId); // ASSERT Assert.NotNull(result); _jwsParserMock.Verify(j => j.GetPayload(jws)); }
private static bool CompareJwsPayload(JwsPayload firstJwsPayload, JwsPayload secondJwsPayload) { foreach (var record in firstJwsPayload) { if (!Constants.AllStandardResourceOwnerClaimNames.Contains(record.Key)) { continue; } if (!secondJwsPayload.ContainsKey(record.Key)) { return(false); } if (!string.Equals( record.Value.ToString(), secondJwsPayload[record.Key].ToString(), StringComparison.CurrentCultureIgnoreCase)) { return(false); } } return(true); }
public async Task When_A_Jws_Token_With_Invalid_Issuer_Is_Passed_To_AuthenticateClientWithPrivateKeyJwt_Then_Null_Is_Returned() { // ARRANGE InitializeFakeObjects(); var instruction = new AuthenticateInstruction { ClientAssertion = "invalid_header.invalid_payload" }; var jwsPayload = new JwsPayload { { StandardClaimNames.Issuer, "issuer" } }; _jwtParserFake.Setup(j => j.IsJwsToken(It.IsAny <string>())) .Returns(true); _jwsParserFake.Setup(j => j.GetPayload(It.IsAny <string>())) .Returns(jwsPayload); _jwtParserFake.Setup(j => j.UnSignAsync(It.IsAny <string>(), It.IsAny <string>())) .Returns(Task.FromResult(jwsPayload)); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(() => Task.FromResult((Client)null)); // ACT var result = await _clientAssertionAuthentication.AuthenticateClientWithPrivateKeyJwtAsync(instruction, null); // ASSERT Assert.Null(result.Client); Assert.True(result.ErrorMessage == ErrorDescriptions.TheClientIdPassedInJwtIsNotCorrect); }
protected virtual void CheckRequestObject(JwsHeader header, JwsPayload jwsPayload, OpenIdClient openidClient, HandlerContext context) { if (jwsPayload == null) { throw new OAuthException(ErrorCodes.INVALID_REQUEST, OAuth.ErrorMessages.INVALID_JWS_REQUEST_PARAMETER); } if (!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) { throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_SIGNATURE_ALG); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM); } if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId)) { throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.MISSING_CLIENT_ID_CLAIM); } if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.RequestData.GetResponseTypesFromAuthorizationRequest().OrderBy(s => s))) { throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM); } if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId) { throw new OAuthException(ErrorCodes.INVALID_REQUEST_OBJECT, ErrorMessages.INVALID_CLIENT_ID_CLAIM); } }
public async Task <JwsPayload> GenerateAccessToken(IEnumerable <string> audiences, IEnumerable <string> scopes, string issuerName) { if (audiences == null) { throw new ArgumentNullException(nameof(audiences)); } if (scopes == null) { throw new ArgumentNullException(nameof(scopes)); } var timeKeyValuePair = await GetExpirationAndIssuedTime(); var expirationInSeconds = timeKeyValuePair.Key; var issuedAtTime = timeKeyValuePair.Value; var jwsPayload = new JwsPayload(); jwsPayload.Add(StandardClaimNames.Audiences, audiences); jwsPayload.Add(StandardClaimNames.Issuer, issuerName); jwsPayload.Add(StandardClaimNames.ExpirationTime, expirationInSeconds); jwsPayload.Add(StandardClaimNames.Iat, issuedAtTime); jwsPayload.Add(StandardClaimNames.Scopes, scopes); return(jwsPayload); }
private static GrantedToken GetGrantedToken(JwsPayload jwsPayload) { if (jwsPayload == null) { throw new ArgumentNullException(nameof(jwsPayload)); } var result = new GrantedToken { Scope = jwsPayload.GetClaimValue(StandardClaimNames.Scopes), ClientId = jwsPayload.GetClaimValue(StandardClaimNames.ClientId), ExpiresIn = (int)jwsPayload.ExpirationTime, TokenType = Constants.StandardTokenTypes.Bearer, IdTokenPayLoad = jwsPayload }; var issuedAt = jwsPayload.GetDoubleClaim(StandardClaimNames.Iat); if (issuedAt != default(double)) { result.CreateDateTime = issuedAt.UnixTimeStampToDateTime(); } return(result); }
public async Task When_Generating_AuthorizationResponse_With_AccessToken_And_ThereIs_A_GrantedToken_Then_Token_Is_Added_To_The_Parameters() { // ARRANGE InitializeFakeObjects(); const string idToken = "idToken"; const string clientId = "clientId"; const string scope = "openid"; var authorizationParameter = new AuthorizationParameter { ClientId = clientId, Scope = scope }; var grantedToken = new GrantedToken { AccessToken = Guid.NewGuid().ToString() }; var actionResult = new ActionResult { RedirectInstruction = new RedirectInstruction() }; var jwsPayload = new JwsPayload(); _parameterParserHelperFake.Setup(p => p.ParseResponseTypes(It.IsAny <string>())) .Returns(new List <ResponseType> { ResponseType.token }); _jwtGeneratorFake.Setup( j => j.GenerateIdTokenPayloadForScopesAsync(It.IsAny <IList <Claim> >(), It.IsAny <AuthorizationParameter>(), null, null)) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup( j => j.GenerateUserInfoPayloadForScopeAsync(It.IsAny <AuthorizationParameter>(), It.IsAny <IList <Claim> >())) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup(j => j.EncryptAsync(It.IsAny <string>(), It.IsAny <JweAlg>(), It.IsAny <JweEnc>())) .Returns(Task.FromResult(idToken)); _parameterParserHelperFake.Setup(p => p.ParseScopes(It.IsAny <string>())) .Returns(() => new List <string> { scope }); _grantedTokenHelperStub.Setup(r => r.GetValidGrantedTokenAsync(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <JwsPayload>(), It.IsAny <JwsPayload>())) .Returns(() => Task.FromResult(grantedToken)); _resourceOwnerRepoStub.Setup(r => r.GetAsync(It.IsAny <string>())).Returns(Task.FromResult(new ResourceOwner { Claims = new List <Claim> { new Claim("sub", "fake") } })); // ACT await _generateAuthorizationResponse.ExecuteAsync(actionResult, authorizationParameter, new Client(), null, "fake"); // ASSERTS Assert.True(actionResult.RedirectInstruction.Parameters.Any(p => p.Name == Constants.StandardAuthorizationResponseNames.AccessTokenName)); Assert.True(actionResult.RedirectInstruction.Parameters.Any(p => p.Value == grantedToken.AccessToken)); }
protected virtual async Task <JwsPayload> BuildIdToken(HandlerContext currentContext, JObject queryParameters, IEnumerable <string> requestedScopes, CancellationToken cancellationToken) { var openidClient = (OpenIdClient)currentContext.Client; var result = new JwsPayload { { OAuthClaims.Audiences, new [] { openidClient.ClientId, currentContext.Request.IssuerName } }, { OAuthClaims.Issuer, currentContext.Request.IssuerName }, { OAuthClaims.Iat, DateTime.UtcNow.ConvertToUnixTimestamp() }, { OAuthClaims.ExpirationTime, DateTime.UtcNow.AddSeconds(openidClient.TokenExpirationTimeInSeconds).ConvertToUnixTimestamp() }, { OAuthClaims.Azp, openidClient.ClientId } }; var maxAge = queryParameters.GetMaxAgeFromAuthorizationRequest(); var nonce = queryParameters.GetNonceFromAuthorizationRequest(); var acrValues = queryParameters.GetAcrValuesFromAuthorizationRequest(); var requestedClaims = queryParameters.GetClaimsFromAuthorizationRequest(); var subjectTypeBuilder = _subjectTypeBuilders.First(f => f.SubjectType == (string.IsNullOrWhiteSpace(openidClient.SubjectType) ? PublicSubjectTypeBuilder.SUBJECT_TYPE : openidClient.SubjectType)); var subject = await subjectTypeBuilder.Build(currentContext); string accessToken, code; if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.AccessToken, out accessToken)) { result.Add(OAuthClaims.AtHash, ComputeHash(accessToken)); } if (currentContext.Response.TryGet(OAuth.DTOs.AuthorizationResponseParameters.Code, out code)) { result.Add(OAuthClaims.CHash, ComputeHash(code)); } if (maxAge != null) { result.Add(OAuthClaims.AuthenticationTime, currentContext.User.AuthenticationTime.Value.ConvertToUnixTimestamp()); } if (!string.IsNullOrWhiteSpace(nonce)) { result.Add(OAuthClaims.Nonce, nonce); } var defaultAcr = await _amrHelper.FetchDefaultAcr(acrValues, requestedClaims, openidClient, cancellationToken); if (defaultAcr != null) { result.Add(OAuthClaims.Amr, defaultAcr.AuthenticationMethodReferences); result.Add(OAuthClaims.Acr, defaultAcr.Name); } var scopes = openidClient.AllowedOpenIdScopes.Where(s => requestedScopes.Any(r => r == s.Name)); EnrichWithScopeParameter(result, scopes, currentContext.User, subject); _claimsJwsPayloadEnricher.EnrichWithClaimsParameter(result, requestedClaims, currentContext.User, currentContext.User.AuthenticationTime); foreach (var claimsSource in _claimsSources) { await claimsSource.Enrich(result, openidClient).ConfigureAwait(false); } return(result); }
private static void AddExpirationAndIssueTime(JwsPayload jwsPayload, double validityPeriodsInSeconds) { var currentDateTime = DateTime.UtcNow; var expirationDateTime = currentDateTime.AddSeconds(validityPeriodsInSeconds); jwsPayload.Add(OAuthClaims.Iat, currentDateTime.ConvertToUnixTimestamp()); jwsPayload.Add(OAuthClaims.ExpirationTime, expirationDateTime.ConvertToUnixTimestamp()); }
public void RefreshAccessToken(JwsPayload jwsPayload, double validityPeriodsInSeconds) { var currentDateTime = DateTime.UtcNow; var expirationDateTime = currentDateTime.AddSeconds(validityPeriodsInSeconds); jwsPayload[OAuthClaims.Iat] = currentDateTime.ConvertToUnixTimestamp(); jwsPayload[OAuthClaims.ExpirationTime] = expirationDateTime.ConvertToUnixTimestamp(); }
public async Task When_Redirecting_To_Callback_And_There_Is_No_Response_Mode_Specified_Then_The_Response_Mode_Is_Set() { // ARRANGE InitializeFakeObjects(); const string idToken = "idToken"; const string clientId = "clientId"; const string scope = "scope"; const string responseType = "id_token"; var authorizationParameter = new AuthorizationParameter { ClientId = clientId, Scope = scope, ResponseType = responseType, ResponseMode = ResponseMode.None }; var client = new Client { IdTokenEncryptedResponseAlg = SimpleIdServer.Core.Jwt.Constants.JweAlgNames.RSA1_5, IdTokenEncryptedResponseEnc = SimpleIdServer.Core.Jwt.Constants.JweEncNames.A128CBC_HS256, IdTokenSignedResponseAlg = SimpleIdServer.Core.Jwt.Constants.JwsAlgNames.RS256 }; var actionResult = new ActionResult { RedirectInstruction = new RedirectInstruction(), Type = TypeActionResult.RedirectToCallBackUrl }; var jwsPayload = new JwsPayload(); _parameterParserHelperFake.Setup(p => p.ParseResponseTypes(It.IsAny <string>())) .Returns(new List <ResponseType> { ResponseType.id_token }); _jwtGeneratorFake.Setup( j => j.GenerateIdTokenPayloadForScopesAsync(It.IsAny <IList <Claim> >(), It.IsAny <AuthorizationParameter>(), null, null)) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup( j => j.GenerateUserInfoPayloadForScopeAsync(It.IsAny <AuthorizationParameter>(), It.IsAny <IList <Claim> >())) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup(j => j.EncryptAsync(It.IsAny <string>(), It.IsAny <JweAlg>(), It.IsAny <JweEnc>())) .Returns(Task.FromResult(idToken)); _authorizationFlowHelperFake.Setup( a => a.GetAuthorizationFlow(It.IsAny <ICollection <ResponseType> >(), It.IsAny <string>())) .Returns(AuthorizationFlow.ImplicitFlow); _resourceOwnerRepoStub.Setup(r => r.GetAsync(It.IsAny <string>())).Returns(Task.FromResult(new ResourceOwner { Claims = new List <Claim> { new Claim("sub", "fake") } })); // ACT await _generateAuthorizationResponse.ExecuteAsync(actionResult, authorizationParameter, new Client(), null, "fake"); // ASSERT Assert.True(actionResult.RedirectInstruction.ResponseMode == ResponseMode.fragment); }
private void FillInResourceOwnerClaimsByClaimsParameter( JwsPayload jwsPayload, List <ClaimParameter> claimParameters, ClaimsPrincipal claimsPrincipal, AuthorizationParameter authorizationParameter) { var state = authorizationParameter == null ? string.Empty : authorizationParameter.State; // 1. Fill-In the subject - set the subject as an essential claim if (claimParameters.All(c => c.Name != Jwt.Constants.StandardResourceOwnerClaimNames.Subject)) { var essentialSubjectClaimParameter = new ClaimParameter { Name = Jwt.Constants.StandardResourceOwnerClaimNames.Subject, Parameters = new Dictionary <string, object> { { Constants.StandardClaimParameterValueNames.EssentialName, true } } }; claimParameters.Add(essentialSubjectClaimParameter); } // 2. Fill-In all the other resource owner claims if (claimParameters == null || !claimParameters.Any()) { return; } var resourceOwnerClaimParameters = claimParameters .Where(c => Jwt.Constants.AllStandardResourceOwnerClaimNames.Contains(c.Name)) .ToList(); if (resourceOwnerClaimParameters.Any()) { var requestedClaimNames = resourceOwnerClaimParameters.Select(r => r.Name); var resourceOwnerClaims = GetClaims(requestedClaimNames, claimsPrincipal); foreach (var resourceOwnerClaimParameter in resourceOwnerClaimParameters) { var resourceOwnerClaim = resourceOwnerClaims.FirstOrDefault(c => c.Key == resourceOwnerClaimParameter.Name); var resourceOwnerClaimValue = resourceOwnerClaim.Equals(default(KeyValuePair <string, string>)) ? string.Empty : resourceOwnerClaim.Value; var isClaimValid = ValidateClaimValue(resourceOwnerClaimValue, resourceOwnerClaimParameter); if (!isClaimValid) { throw new IdentityServerExceptionWithState(ErrorCodes.InvalidGrant, string.Format(ErrorDescriptions.TheClaimIsNotValid, resourceOwnerClaimParameter.Name), state); } jwsPayload.Add(resourceOwnerClaim.Key, resourceOwnerClaim.Value); } } }
public async Task <string> SignAsync(JwsPayload jwsPayload, JwsAlg alg) { var jsonWebKey = await GetJsonWebKey( alg.ToAllAlg(), KeyOperations.Sign, Use.Sig); return(_jwsGenerator.Generate(jwsPayload, alg, jsonWebKey)); }
public async Task <string> Sign(JwsPayload jwsPayload, string jwsAlg) { var jsonWebKeys = await _jsonWebKeyRepository.FindJsonWebKeys(Usages.SIG, jwsAlg, new[] { KeyOperations.Sign }); return(Sign(jwsPayload, jsonWebKeys.First())); }
/// <summary> /// Try to get the value from the PAYLOAD. /// </summary> /// <param name="jwsPayload"></param> /// <param name="key"></param> /// <returns></returns> private static string TryGetKey(JwsPayload jwsPayload, string key) { if (!jwsPayload.ContainsKey(key)) { return(string.Empty); } return(jwsPayload[key].ToString()); }
public async Task <string> Sign(JwsPayload jwsPayload, string jwsAlg, CancellationToken cancellationToken) { var jsonWebKeys = await _jsonWebKeyRepository.FindJsonWebKeys(Usages.SIG, jwsAlg, new[] { KeyOperations.Sign }, cancellationToken); return(Sign(jwsPayload, jsonWebKeys.FirstOrDefault(), jwsAlg)); }
public static IEnumerable <AuthorizationRequestClaimParameter> GetClaims(this JwsPayload jObj) { if (!jObj.ContainsKey(AuthorizationRequestParameters.Claims)) { return(new AuthorizationRequestClaimParameter[0]); } return(((JObject)JsonConvert.DeserializeObject(jObj[AuthorizationRequestParameters.Claims].ToString())).GetClaims()); }
public async Task When_Passing_Jws_With_Algorithm_Other_Than_None_To_Unsign_And_Retrieve_Json_Web_Key_From_Uri_Then_Jwis_Is_Unsigned_And_Payload_Is_Returned() { // ARRANGE InitializeFakeObjects(); const string jws = "jws"; const string clientId = "client_id"; const string kid = "1"; var jsonWebKeySet = new JsonWebKeySet(); var json = jsonWebKeySet.SerializeWithDataContract(); var jsonWebKey = new JsonWebKey { Kid = kid, SerializedKey = "serialized_key" }; var payLoad = new JwsPayload(); var jwsProtectedHeader = new JwsProtectedHeader { Alg = Jwt.Constants.JwsAlgNames.PS256, Kid = kid }; var client = new Core.Common.Models.Client { ClientId = clientId, JwksUri = "http://localhost" }; var httpResponseMessage = new HttpResponseMessage(HttpStatusCode.Accepted) { Content = new StringContent(json) }; var jsonWebKeys = new List <JsonWebKey> { jsonWebKey }; var handler = new FakeHttpMessageHandler(httpResponseMessage); var httpClientFake = new HttpClient(handler); _jwsParserMock.Setup(j => j.GetHeader(It.IsAny <string>())) .Returns(jwsProtectedHeader); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(Task.FromResult(client)); _jwsParserMock.Setup(j => j.ValidateSignature(It.IsAny <string>(), It.IsAny <JsonWebKey>())) .Returns(payLoad); _httpClientFactoryMock.Setup(h => h.GetHttpClient()) .Returns(httpClientFake); _jsonWebKeyConverterMock.Setup(j => j.ExtractSerializedKeys(It.IsAny <JsonWebKeySet>())) .Returns(jsonWebKeys); // ACT var result = await _jwtParser.UnSignAsync(jws, clientId); // ASSERT Assert.NotNull(result); _jwsParserMock.Verify(j => j.ValidateSignature(jws, jsonWebKey)); }
public async Task When_An_Authorization_Response_Is_Generated_Then_Events_Are_Logged() { // ARRANGE InitializeFakeObjects(); const string idToken = "idToken"; const string clientId = "clientId"; const string scope = "scope"; const string responseType = "id_token"; var authorizationParameter = new AuthorizationParameter { ClientId = clientId, Scope = scope, ResponseType = responseType }; var client = new Client { IdTokenEncryptedResponseAlg = SimpleIdServer.Core.Jwt.Constants.JweAlgNames.RSA1_5, IdTokenEncryptedResponseEnc = SimpleIdServer.Core.Jwt.Constants.JweEncNames.A128CBC_HS256, IdTokenSignedResponseAlg = SimpleIdServer.Core.Jwt.Constants.JwsAlgNames.RS256 }; var actionResult = new ActionResult { RedirectInstruction = new RedirectInstruction() }; var jwsPayload = new JwsPayload(); _parameterParserHelperFake.Setup(p => p.ParseResponseTypes(It.IsAny <string>())) .Returns(new List <ResponseType> { ResponseType.id_token }); _jwtGeneratorFake.Setup( j => j.GenerateIdTokenPayloadForScopesAsync(It.IsAny <IList <Claim> >(), It.IsAny <AuthorizationParameter>(), null, null)) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup( j => j.GenerateUserInfoPayloadForScopeAsync(It.IsAny <AuthorizationParameter>(), It.IsAny <IList <Claim> >())) .Returns(Task.FromResult(jwsPayload)); _jwtGeneratorFake.Setup(j => j.EncryptAsync(It.IsAny <string>(), It.IsAny <JweAlg>(), It.IsAny <JweEnc>())) .Returns(Task.FromResult(idToken)); _resourceOwnerRepoStub.Setup(r => r.GetAsync(It.IsAny <string>())).Returns(Task.FromResult(new ResourceOwner { Claims = new List <Claim> { new Claim("sub", "fake") } })); // ACT await _generateAuthorizationResponse.ExecuteAsync(actionResult, authorizationParameter, new Client(), null, "fake"); // ASSERT _oauthEventSource.Verify(s => s.StartGeneratingAuthorizationResponseToClient(clientId, responseType)); _oauthEventSource.Verify(s => s.EndGeneratingAuthorizationResponseToClient(clientId, JsonConvert.SerializeObject(actionResult.RedirectInstruction.Parameters))); }