protected override void ValidateTestCase(string testVariation)
{
IdentityConfiguration identityConfig = new IdentityConfiguration(IdentityConfiguration.DefaultServiceName);
Assert.IsNotNull(identityConfig.IssuerTokenResolver);
Assert.IsFalse(identityConfig.IssuerTokenResolver.GetType() != typeof(NamedKeyIssuerTokenResolver), string.Format("Expected identityConfiguration.IsuerTokenResolver.GetType() == typeof( NamedKeyIssuerTokenResolver ), was: '{0}'", identityConfig.IssuerTokenResolver.GetType()));
NamedKeyIssuerTokenResolver resolver = identityConfig.IssuerTokenResolver as NamedKeyIssuerTokenResolver;
Assert.IsTrue(resolver.SecurityKeys.Count == 0);
Assert.IsTrue(IssuerTokenResolver.DefaultStoreName == StoreName.TrustedPeople);
Assert.IsTrue(IssuerTokenResolver.DefaultStoreLocation == StoreLocation.LocalMachine);
// Should not find key
SecurityKey key = null;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause("keyName", "KeyingMaterial.SymmetricKeyBytes_256");
Assert.IsFalse(resolver.TryResolveSecurityKey(clause, out key));
Assert.IsNull(key);
// Should not find token
SecurityToken token = null;
Assert.IsFalse(resolver.TryResolveToken(clause, out token));
Assert.IsNull(token);
}
public void NamedKeySecurityKeyIdentifierClause_Publics()
{
// new NameKeyParametersVariation
//{
// TestCase = "MatchesName",
// TestAction =
// () => (new NamedKeySecurityKeyIdentifierClause("bob", null)).Matches(null)
//},
NamedKeySecurityKeyIdentifierClause namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause("name", "keyidentifier");
Assert.IsTrue("name" == namedKeySecurityKeyIdentifierClause.Name);
Assert.IsTrue("keyidentifier" == namedKeySecurityKeyIdentifierClause.Id);
// *** Matches (null)
ExpectedException expectedException = new ExpectedException(typeExpected: typeof(ArgumentNullException), substringExpected: "keyIdentifierClause");
try
{
namedKeySecurityKeyIdentifierClause.Matches(null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
}
public SigningCredentials GetSigningCredentials()
{
string signatureAlgorithm;
string digestAlgorithm;
var key = GetKey();
if (key is RsaSecurityKey)
{
signatureAlgorithm = SecurityAlgorithms.RsaSha256Signature;
digestAlgorithm = SecurityAlgorithms.Sha256Digest;
}
else if (key is EcDsaSecurityKey)
{
var ecdsaKey = key as EcDsaSecurityKey;
signatureAlgorithm = ecdsaKey.SignatureAlgorithm;
digestAlgorithm = ecdsaKey.DigestAlgorithm;
}
else
{
throw new NotImplementedException();
}
var keyIdentifierClause = new NamedKeySecurityKeyIdentifierClause(name: "kid", id: Id);
var securityKeyIdentifier = new SecurityKeyIdentifier(keyIdentifierClause);
var signingCredentials = new SigningCredentials(
GetKey(),
signatureAlgorithm,
digestAlgorithm,
securityKeyIdentifier);
return(signingCredentials);
}
public override ReadOnlyCollection <ClaimsIdentity> ValidateToken(SecurityToken token)
{
SimpleWebToken swt = token as SimpleWebToken;
if (swt == null)
{
throw new SecurityTokenValidationException("The received token is of incorrect token type.Expected SimpleWebToken");
}
// check issuer name registry for allowed issuers
string issuerName = swt.Issuer;
// check expiration
if (DateTime.Compare(swt.ValidTo, DateTime.UtcNow) <= 0)
{
throw new SecurityTokenExpiredException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
// check audience
if (base.Configuration.AudienceRestriction.AudienceMode != AudienceUriMode.Never)
{
var allowedAudiences = base.Configuration.AudienceRestriction.AllowedAudienceUris;
if (!allowedAudiences.Any(uri => uri == swt.AudienceUri))
{
throw new AudienceUriValidationFailedException();
}
}
// retrieve signing key
var clause = new NamedKeySecurityKeyIdentifierClause(swt.Issuer, swt.Issuer);
var securityKey = Configuration.IssuerTokenResolver.ResolveSecurityKey(clause) as InMemorySymmetricSecurityKey;
if (securityKey == null)
{
throw new SecurityTokenValidationException("No signing key found");
}
// check signature
if (!swt.VerifySignature(securityKey.GetSymmetricKey()))
{
throw new SecurityTokenValidationException("Signature verification of the incoming token failed.");
}
var id = new ClaimsIdentity("SWT");
foreach (var claim in swt.Claims)
{
var value = claim.Value;
value.Split(',').ToList().ForEach(v => id.AddClaim(new Claim(claim.Type, HttpUtility.UrlDecode(v), ClaimValueTypes.String, issuerName)));
}
return(new ReadOnlyCollection <ClaimsIdentity>(new ClaimsIdentity[] { id }));
}
public void NamedKeySecurityKeyIdentifierClause_Constructor()
{
NamedKeySecurityKeyIdentifierClause namedKeySecurityKeyIdentifierClause;
ExpectedException expectedException = new ExpectedException(typeExpected: typeof(ArgumentNullException), substringExpected: "name");
try
{
namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause(null, null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
expectedException = new ExpectedException(typeExpected: typeof(ArgumentNullException), substringExpected: "id");
try
{
namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause("name", null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
expectedException = ExpectedException.ArgumentNullException(substringExpected: "name");
try
{
namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause(name: " ", id: "id");
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
expectedException = ExpectedException.ArgumentNullException(substringExpected: "id");
try
{
namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause("name", " ");
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
}
public void JwtSecurityKeyIdentifyier_Extensibility()
{
string clauseName = "kid";
string keyId = Issuers.GotJwt;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause);
SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.SymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier);
JwtHeader jwtHeader = new JwtHeader(signingCredentials);
SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier;
Assert.IsFalse(ski.Count != 1, "ski.Count != 1 ");
NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>();
Assert.IsFalse(clauseOut == null, "NamedKeySecurityKeyIdentifierClause not found");
Assert.IsFalse(clauseOut.Name != clauseName, "clauseOut.Id != clauseId");
Assert.IsFalse(clauseOut.KeyIdentifier != keyId, "clauseOut.KeyIdentifier != keyId");
NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, new SecurityKey[] { KeyingMaterial.SymmetricSecurityKey_256 });
Assert.IsFalse(!NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
List <SecurityKey> list = new List <SecurityKey>()
{
KeyingMaterial.SymmetricSecurityKey_256
};
Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >()
{
{ "kid", list },
};
NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys);
SecurityKey sk = nkitr.ResolveSecurityKey(clause);
Assert.IsFalse(sk == null, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
JwtSecurityToken jwt = handler.CreateToken(issuer: Issuers.GotJwt, signingCredentials: signingCredentials) as JwtSecurityToken;
handler.Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerTokenResolver = new NamedKeyIssuerTokenResolver(keys: keys),
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Never),
IssuerNameRegistry = new SetNameIssuerNameRegistry("http://GotJwt.com"),
};
handler.ValidateToken(jwt);
}
public void NamedKeySecurityKeyIdentifierClause_Extensibility()
{
string clauseName = "kid";
string keyId = Issuers.GotJwt;
NamedKeySecurityKeyIdentifierClause clause = new NamedKeySecurityKeyIdentifierClause(clauseName, keyId);
SecurityKeyIdentifier keyIdentifier = new SecurityKeyIdentifier(clause);
SigningCredentials signingCredentials = new SigningCredentials(KeyingMaterial.DefaultSymmetricSecurityKey_256, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest, keyIdentifier);
JwtHeader jwtHeader = new JwtHeader(signingCredentials);
SecurityKeyIdentifier ski = jwtHeader.SigningKeyIdentifier;
Assert.AreEqual(ski.Count, 1, "ski.Count != 1 ");
NamedKeySecurityKeyIdentifierClause clauseOut = ski.Find <NamedKeySecurityKeyIdentifierClause>();
Assert.IsNotNull(clauseOut, "NamedKeySecurityKeyIdentifierClause not found");
Assert.AreEqual(clauseOut.Name, clauseName, "clauseOut.Id != clauseId");
Assert.AreEqual(clauseOut.Id, keyId, "clauseOut.KeyIdentifier != keyId");
NamedKeySecurityToken NamedKeySecurityToken = new NamedKeySecurityToken(clauseName, keyId, new SecurityKey[] { KeyingMaterial.DefaultSymmetricSecurityKey_256 });
Assert.IsTrue(NamedKeySecurityToken.MatchesKeyIdentifierClause(clause), "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
List <SecurityKey> list = new List <SecurityKey>()
{
KeyingMaterial.DefaultSymmetricSecurityKey_256
};
Dictionary <string, IList <SecurityKey> > keys = new Dictionary <string, IList <SecurityKey> >()
{
{ "kid", list },
};
NamedKeyIssuerTokenResolver nkitr = new NamedKeyIssuerTokenResolver(keys: keys);
SecurityKey sk = nkitr.ResolveSecurityKey(clause);
Assert.IsNotNull(sk, "NamedKeySecurityToken.MatchesKeyIdentifierClause( clause ), failed");
}
public void NamedKeySecurityKeyIdentifierClause_Defaults()
{
NamedKeySecurityKeyIdentifierClause namedKeySecurityKeyIdentifierClause = new NamedKeySecurityKeyIdentifierClause("name", "keyidentifier");
Assert.IsTrue("NamedKeySecurityKeyIdentifierClause" == namedKeySecurityKeyIdentifierClause.ClauseType);
}
