public async Task VerifyCorrectAuthorityUsedInTokenAcquisition_B2CAuthorityTestsAsync(
string authorityInstance,
bool withTfp = false)
{
_microsoftIdentityOptions = new MicrosoftIdentityOptions
{
SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow,
Domain = TestConstants.B2CTenant,
};
if (withTfp)
{
BuildTheRequiredServices(authorityInstance + "/tfp/");
}
else
{
BuildTheRequiredServices(authorityInstance);
}
InitializeTokenAcquisitionObjects();
IConfidentialClientApplication app = await _tokenAcquisition.GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false);
string expectedAuthority = string.Format(
CultureInfo.InvariantCulture,
"{0}/tfp/{1}/{2}/",
authorityInstance,
TestConstants.B2CTenant,
TestConstants.B2CSignUpSignInUserFlow);
Assert.Equal(expectedAuthority, app.Authority);
}
public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext()
{
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer
}
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
Assert.Equal(OpenIdConnectScope.OpenIdProfile, context.ProtocolMessage.Scope);
Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType);
Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true);
Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
}
public void ValidateRequiredMicrosoftIdentityOptions(
string clientId,
string instance,
string tenantid,
string signUpSignInPolicyId,
string domain,
string optionsName,
MissingParam missingParam = MissingParam.None)
{
_microsoftIdentityOptions = new MicrosoftIdentityOptions
{
ClientId = clientId,
Instance = instance,
TenantId = tenantid,
};
if (optionsName == AzureAdB2C)
{
_microsoftIdentityOptions.SignUpSignInPolicyId = signUpSignInPolicyId;
_microsoftIdentityOptions.Domain = domain;
}
MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation();
ValidateOptionsResult result = microsoftIdentityOptionsValidation.Validate(optionsName, _microsoftIdentityOptions);
CheckReturnValueAgainstExpectedMissingParam(missingParam, result);
}
public void BothCredentialTypesDefined_Throw()
{
// Arrange
CertificateDescription certificateDescription =
CertificateDescription.FromBase64Encoded("encoded");
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
ClientCertificates = new CertificateDescription[] { certificateDescription },
};
ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions
{
ClientSecret = "some secret",
};
// Act
Action credentialAction = () =>
MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates);
// Assert
var exception = Assert.Throws <MsalClientException>(credentialAction);
Assert.Equal(IDWebErrorMessage.BothClientSecretAndCertificateProvided, exception.Message);
Assert.Equal(ErrorCodes.DuplicateClientCredentials, exception.ErrorCode);
}
public void TestAudience()
{
JwtBearerOptions options = new JwtBearerOptions();
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions()
{
ClientId = Guid.NewGuid().ToString()
};
// Act and Assert
options.Audience = "https://localhost";
WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions);
Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1);
Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "https://localhost");
options.Audience = "api://1EE5A092-0DFD-42B6-88E5-C517C0141321";
WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions);
Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1);
Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "api://1EE5A092-0DFD-42B6-88E5-C517C0141321");
options.Audience = "1EE5A092-0DFD-42B6-88E5-C517C0141321";
WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions);
Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 2);
Assert.Contains("api://1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences);
Assert.Contains("1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences);
options.Audience = null;
WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions);
Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 2);
Assert.Contains($"api://{microsoftIdentityOptions.ClientId}", options.TokenValidationParameters.ValidAudiences);
Assert.Contains($"{microsoftIdentityOptions.ClientId}", options.TokenValidationParameters.ValidAudiences);
}
public void NoCredentialTypesDefined_Throw()
{
// Arrange
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
};
ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions
{
ClientSecret = string.Empty,
};
// Act
MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation();
Action credentialAction = () =>
microsoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates);
// Assert
var exception = Assert.Throws <MsalClientException>(credentialAction);
Assert.Equal(
string.Format(CultureInfo.InvariantCulture, "Both client secret & client certificate cannot be null or whitespace, " +
"and ONE, must be included in the configuration of the web app when calling a web API. " +
"For instance, in the appsettings.json file. "), exception.Message);
Assert.Equal("missing_client_credentials", exception.ErrorCode);
}
public void BothCredentialTypesDefined_Throw()
{
// Arrange
CertificateDescription certificateDescription =
CertificateDescription.FromBase64Encoded("encoded");
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
ClientCertificates = new CertificateDescription[] { certificateDescription },
};
ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions
{
ClientSecret = "some secret",
};
// Act
MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation();
Action credentialAction = () =>
microsoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates);
// Assert
var exception = Assert.Throws <MsalClientException>(credentialAction);
Assert.Equal(
string.Format(CultureInfo.InvariantCulture, "Both Client secret & client certificate, " +
"cannot be included in the configuration of the web app when calling a web API. "), exception.Message);
Assert.Equal("duplicate_client_credentials", exception.ErrorCode);
}
public async Task VerifyCorrectRedirectUriAsync(
string redirectUri)
{
_microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
CallbackPath = string.Empty,
};
BuildTheRequiredServices();
_applicationOptions.RedirectUri = redirectUri;
InitializeTokenAcquisitionObjects();
IConfidentialClientApplication app = await _tokenAcquisition.GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false);
if (!string.IsNullOrEmpty(redirectUri))
{
Assert.Equal(redirectUri, app.AppConfig.RedirectUri);
}
else
{
Assert.Equal("https://IdentityDotNetSDKAutomation/", app.AppConfig.RedirectUri);
}
}
public void VerifyCorrectAuthorityUsedInTokenAcquisitionTests(string tenant)
{
_microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
CallbackPath = string.Empty,
};
BuildTheRequiredServices();
InitializeTokenAcquisitionObjects();
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
.CreateWithApplicationOptions(_applicationOptions)
.WithAuthority(TestConstants.AuthorityCommonTenant).Build();
if (!string.IsNullOrEmpty(tenant))
{
Assert.Equal(
string.Format(
CultureInfo.InvariantCulture, "{0}/{1}/", TestConstants.AadInstance, tenant),
_tokenAcquisition.CreateAuthorityBasedOnTenantIfProvided(
app,
tenant));
}
else
{
Assert.Equal(app.Authority, _tokenAcquisition.CreateAuthorityBasedOnTenantIfProvided(app, tenant));
}
}
public async Task OnRedirectToIdentityProvider_DefaultUserFlow_DoesntUpdateContext()
{
var errorAccessor = Substitute.For <ILoginErrorAccessor>();
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, DefaultUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer
}
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>());
Assert.Null(context.ProtocolMessage.Scope);
Assert.Null(context.ProtocolMessage.ResponseType);
Assert.Equal(_defaultIssuer, context.ProtocolMessage.IssuerAddress);
Assert.True(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
}
public void IsB2C_NotNullOrEmptyUserFlow_ReturnsTrue()
{
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow
};
Assert.True(options.IsB2C);
}
public void IsB2C_NullOrEmptyUserFlow_ReturnsFalse()
{
var options = new MicrosoftIdentityOptions();
Assert.False(options.IsB2C);
options.SignUpSignInPolicyId = "";
Assert.False(options.IsB2C);
}
public void BuildAuthority_AadEmptyTenantId_ReturnsNull()
{
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions
{
TenantId = string.Empty,
Instance = TestConstants.AadInstance
};
string result = AuthorityHelpers.BuildAuthority(options);
Assert.Null(result);
}
public void BuildAuthority_EmptyInstance_ReturnsNull()
{
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions
{
Domain = TestConstants.Domain,
Instance = string.Empty
};
string result = AuthorityHelpers.BuildAuthority(options);
Assert.Null(result);
}
public void BuildAuthority_NullOptions_ReturnsNull()
{
//Arrange
MicrosoftIdentityOptions options = null;
string result = null;
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.Null(result);
}
public void BuildAuthority_B2CEmptyDomain_ReturnsNull()
{
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions
{
Domain = string.Empty,
Instance = TestConstants.B2CInstance,
SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow
};
string result = AuthorityHelpers.BuildAuthority(options);
Assert.Null(result);
}
public void BuildAuthority_AadInstanceWithTrailingSlash_ReturnsValidAadAuthority()
{
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions
{
TenantId = TestConstants.TenantIdAsGuid,
Instance = TestConstants.AadInstance + "/",
};
string expectedResult = $"{TestConstants.AadInstance}/{options.TenantId}/v2.0";
string result = AuthorityHelpers.BuildAuthority(options);
Assert.NotNull(result);
Assert.Equal(expectedResult, result);
}
public void RegisterAudienceValidation(
TokenValidationParameters validationParameters,
MicrosoftIdentityOptions microsoftIdentityOptions)
{
if (validationParameters == null)
{
throw new ArgumentNullException(nameof(validationParameters));
}
ClientId = microsoftIdentityOptions.ClientId;
IsB2C = microsoftIdentityOptions.IsB2C;
validationParameters.AudienceValidator = ValidateAudience;
}
public void BuildAuthority_AADEmptyTenantId_ReturnsNull()
{
//Arrange
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions();
options.TenantId = "";
options.Instance = "https://login.microsoftonline.com/";
string result = null;
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.Null(result);
}
public void BuildAuthority_EmptyInstance_ReturnsNull()
{
//Arrange
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions();
options.Domain = "contoso.onmicrosoft.com";
options.Instance = "";
string result = null;
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.Null(result);
}
public MicrosoftIdentityAuthenticationMessageHandlerTests()
{
_authenticationResult = GetAuthenticationResult();
_mockedMessageHandler = new MockHttpMessageHandler();
_handlerOptions = new MicrosoftIdentityAuthenticationMessageHandlerOptions
{
AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
IsProofOfPossessionRequest = false,
Scopes = TestConstants.Scopes,
Tenant = TestConstants.TenantIdAsGuid,
TokenAcquisitionOptions = new TokenAcquisitionOptions(),
UserFlow = TestConstants.B2CSignUpSignInUserFlow,
};
_identityOptions = new MicrosoftIdentityOptions();
}
public void BuildAuthority_B2CValidOptions_ReturnsValidB2CAuthority()
{
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions
{
Domain = TestConstants.B2CTenant,
Instance = TestConstants.B2CInstance,
SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow,
};
string expectedResult = $"{options.Instance}/{options.Domain}/{options.DefaultUserFlow}/v2.0";
string result = AuthorityHelpers.BuildAuthority(options);
Assert.NotNull(result);
Assert.Equal(expectedResult, result);
}
public void BuildAuthority_B2CEmptyDomain_ReturnsNull()
{
//Arrange
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions();
options.Domain = "";
options.Instance = "https://login.microsoftonline.com/";
options.SignUpSignInPolicyId = "b2c_1_susi";
string result = null;
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.Null(result);
}
public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] expectedAudiences)
{
JwtBearerOptions jwtOptions = new JwtBearerOptions()
{
Audience = initialAudience
};
MicrosoftIdentityOptions msIdentityOptions = new MicrosoftIdentityOptions()
{
ClientId = TestConstants.ApiClientId
};
WebApiAuthenticationBuilderExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(jwtOptions, msIdentityOptions);
Assert.Equal(expectedAudiences.Length, jwtOptions.TokenValidationParameters.ValidAudiences.Count());
Assert.Equal(expectedAudiences.OrderBy(x => x), jwtOptions.TokenValidationParameters.ValidAudiences.OrderBy(x => x));
}
public void BuildAuthority_OptionsInstaceWithTrailing_BuildAadAuthorityWithoutExtraTrailing()
{
//Arrange
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions();
options.TenantId = "da41245a5-11b3-996c-00a8-4d99re19f292";
options.Instance = "https://login.microsoftonline.com/";
string result = null;
string expectedResult = $"https://login.microsoftonline.com/{options.TenantId}/v2.0";
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.NotNull(result);
Assert.Equal(result, expectedResult);
}
public void ValidateCredentialType()
{
// Arrange
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
};
ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions
{
ClientSecret = "some secret",
};
// Act & Assert
// Should not throw
MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates);
}
public void BuildAuthority_B2CInstanceDomainAndPolicy_BuildB2CAuthority()
{
//Arrange
MicrosoftIdentityOptions options = new MicrosoftIdentityOptions();
options.Domain = "fabrikamb2c.onmicrosoft.com";
options.Instance = "https://fabrikamb2c.b2clogin.com";
options.SignUpSignInPolicyId = "b2c_1_susi";
string result = null;
string expectedResult = $"{options.Instance}/{options.Domain}/{options.DefaultUserFlow}/v2.0";
//Act
result = AuthorityHelpers.BuildAuthority(options);
//Assert
Assert.NotNull(result);
Assert.Equal(result, expectedResult);
}
public async Task OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials)
{
var errorAccessor = Substitute.For <ILoginErrorAccessor>();
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
if (hasClientCredentials)
{
options.ClientSecret = TestConstants.ClientSecret;
}
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer,
Scope = TestConstants.Scopes,
},
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>());
Assert.Equal(TestConstants.Scopes, context.ProtocolMessage.Scope);
Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true);
Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
if (hasClientCredentials)
{
Assert.Equal(OpenIdConnectResponseType.CodeIdToken, context.ProtocolMessage.ResponseType);
}
else
{
Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType);
}
}
public void ValidateCredentialType_Certificate(string base64Encoded)
{
// Arrange
CertificateDescription certificateDescription =
CertificateDescription.FromBase64Encoded(base64Encoded);
MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions
{
Authority = TestConstants.AuthorityCommonTenant,
ClientId = TestConstants.ConfidentialClientId,
ClientCertificates = new CertificateDescription[] { certificateDescription },
};
ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions
{
ClientSecret = string.Empty,
};
// Act & Assert
// Should not throw
MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates);
}
private void InitializeTests(
bool isB2C,
string tokenVersion)
{
_options = new MicrosoftIdentityOptions
{
ClientId = TestConstants.ClientId,
};
if (isB2C)
{
_options.SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow;
}
if (tokenVersion == V2 || isB2C)
{
_expectedAudience = _options.ClientId;
}
else
{
_expectedAudience = $"api://{_options.ClientId}";
}
IEnumerable <Claim> claims = new Claim[]
{
new Claim(Version, tokenVersion),
new Claim(Audience, _expectedAudience),
};
_token = new JwtSecurityToken(null, null, claims);
_validationParams = new TokenValidationParameters();
_registerValidAudience = new RegisterValidAudience();
_registerValidAudience.RegisterAudienceValidation(_validationParams, _options);
_validAudiences = new List <string> {
_expectedAudience
};
}
