        /// <summary>
        /// Conformance case "rp-registration-well_formed_jwk": registers a code-flow client
        /// that advertises its public keys through a <c>jwks_uri</c> and checks that the
        /// provider's registration response passes <c>Validate()</c>.
        /// </summary>
        /// <remarks>
        /// <c>rpid</c>, <c>myBaseUrl</c> and <c>GetBaseUrl</c> are fixture members declared
        /// outside this method. A <c>jwks_uri</c> is fetched by the provider over the network,
        /// so the key set it serves is what the provider will trust for this client; the
        /// "uses_https_endpoints" case below covers the transport side of that.
        /// </remarks>
        public void Should_Keys_Be_Published_As_JWK()
        {
            rpid = "rp-registration-well_formed_jwk";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web",
                RedirectUris    = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes   = new List<ResponseType> { ResponseType.Code },
                JwksUri         = myBaseUrl + "my_public_keys.jwks"
            };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
        }
        /// <summary>
        /// Conformance case "rp-registration-dynamic": the minimal dynamic registration of a
        /// web client using the authorization code flow, with one redirect URI and no key set.
        /// The test passes when the registration response validates.
        /// </summary>
        /// <remarks>
        /// <c>rpid</c>, <c>myBaseUrl</c> and <c>GetBaseUrl</c> are fixture members declared
        /// outside this method.
        /// </remarks>
        public void Should_Client_Be_Able_To_Register()
        {
            rpid = "rp-registration-dynamic";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web",
                RedirectUris    = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes   = new List<ResponseType> { ResponseType.Code }
            };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
        }
        /// <summary>
        /// Conformance case "rp-registration-redirect_uris": registers a code-flow client and
        /// asserts that the redirect URIs echoed by the provider are equivalent to the ones
        /// that were sent.
        /// </summary>
        /// <remarks>
        /// The registered redirect URI set is what the provider later matches the
        /// authorization request against, so the RP checks it round-trips unchanged rather
        /// than only trusting a successful status. <c>rpid</c>, <c>myBaseUrl</c> and
        /// <c>GetBaseUrl</c> are fixture members declared outside this method.
        /// </remarks>
        public void Should_Registration_Request_Has_RedirectUris()
        {
            rpid = "rp-registration-redirect_uris";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web",
                RedirectUris    = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes   = new List<ResponseType> { ResponseType.Code }
            };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
            // Order-insensitive comparison: the provider may reorder but must not add or drop URIs.
            CollectionAssert.AreEquivalent(clientMetadata.RedirectUris, response.RedirectUris);
        }
        /// <summary>
        /// Performs dynamic client registration exactly once: only when the provider entry is
        /// configured for self-registration and no client information has been loaded yet.
        /// </summary>
        /// <param name="rpOptions">Carries the optional signing and encryption certificates; their presence decides whether a <c>jwks_uri</c> is advertised.</param>
        /// <param name="urls">Supplies the code callback URL (registered as redirect URI) and the JWKS callback URL.</param>
        /// <remarks>
        /// The registration response, including the client secret the provider issues, is
        /// kept in <c>ClientInformation</c>. <c>SelfRegistered</c>, <c>Sign</c>, <c>Encrypt</c>
        /// and <c>ProviderMatadata</c> are members declared outside this method.
        /// </remarks>
        public void RegisterClient(IRPOptions rpOptions, OpenIDUrls urls)
        {
            // A second call is a no-op once registration has produced client information.
            if (!SelfRegistered || ClientInformation != null)
            {
                return;
            }

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType         = "web",
                ResponseTypes           = new List<ResponseType> { ResponseType.Code },
                RedirectUris            = new List<string> { urls.CodeCallbackCommand.ToString() },
                // Client authenticates at the token endpoint with the secret issued by the provider.
                TokenEndpointAuthMethod = "client_secret_basic"
            };

            // A jwks_uri is only advertised when there is certificate material to serve from it.
            bool hasKeyMaterial = (Sign && rpOptions.SignCertificate != null)
                               || (Encrypt && rpOptions.EncCertificate != null);
            if (hasKeyMaterial)
            {
                clientMetadata.JwksUri = urls.JwksCallbackCommand.ToString();
            }

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            ClientInformation = rp.RegisterClient(ProviderMatadata.RegistrationEndpoint, clientMetadata);
        }
        /// <summary>
        /// Conformance case "rp-registration-uses_https_endpoints": after registering a client
        /// with an https <c>jwks_uri</c>, the URI on the response is downgraded to plain http
        /// and the response is run through <c>Validate()</c>.
        /// </summary>
        /// <remarks>
        /// Whether <c>Validate()</c> is expected to reject the http URI depends on this test's
        /// attributes, which are not part of this listing. Note that <c>Replace</c> rewrites
        /// every "https" substring of the URI, not only the scheme; for the fixture URL that is
        /// presumably the same thing. <c>rpid</c>, <c>myBaseUrl</c> and <c>GetBaseUrl</c> are
        /// fixture members declared outside this method.
        /// </remarks>
        public void Should_Client_Only_Use_Https_Endpoints()
        {
            rpid = "rp-registration-uses_https_endpoints";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web",
                RedirectUris    = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes   = new List<ResponseType> { ResponseType.Code },
                JwksUri         = myBaseUrl + "my_public_keys.jwks"
            };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // Downgrade the key-set URI to a non-TLS scheme before validating.
            string downgradedJwksUri = clientMetadata.JwksUri.Replace("https", "http");
            response.JwksUri = downgradedJwksUri;

            // then
            response.Validate();
        }
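        /// <summary>
        /// Loads the statically configured client credentials for a provider entry, or leaves
        /// <c>ClientInformation</c> unset when the entry is marked for dynamic registration.
        /// </summary>
        /// <param name="opEntry">Provider configuration element holding the self-registration flag and the configured client id and secret.</param>
        /// <param name="options">Not read by this method; kept for signature compatibility with callers.</param>
        /// <exception cref="ArgumentException">Thrown when self-registration is off and the client id or the client secret is missing.</exception>
        /// <remarks>
        /// The client secret is taken verbatim from configuration, so the configuration store
        /// is the trust boundary for that secret. <c>SelfRegistered</c> and
        /// <c>ClientInformation</c> are members declared outside this method.
        /// </remarks>
        private void LoadClientInformation(OpenIDProviderElement opEntry, IRPOptions options)
        {
            SelfRegistered = opEntry.SelfRegistration;

            if (SelfRegistered)
            {
                return;
            }

            // Both credentials are mandatory for a static client: fail fast instead of
            // producing a client that cannot authenticate at the token endpoint.
            if (string.IsNullOrEmpty(opEntry.ClientId) || string.IsNullOrEmpty(opEntry.ClientSecret))
            {
                throw new ArgumentException("Missing one required value for configuration. When configuring client without dynamic registration both clientid and clientsecret must be specified.");
            }

            ClientInformation = new OIDCClientInformation()
            {
                ClientId                = opEntry.ClientId,
                ClientSecret            = opEntry.ClientSecret,
                TokenEndpointAuthMethod = "client_secret_basic"
            };
        }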
        /// <summary>
        /// Conformance case "rp-user_info-enc": registers an implicit-flow client that asks for
        /// an encrypted UserInfo response (<c>RSA1_5</c> / <c>A128CBC-HS256</c>), authenticates,
        /// then fetches and decrypts UserInfo with the RP's own key set.
        /// </summary>
        /// <remarks>
        /// The decryption key comes from <c>server.pfx</c> (loaded with an empty password, which
        /// is a test-fixture convenience). <c>RSA1_5</c> is the PKCS#1 v1.5 key-wrap algorithm
        /// the conformance case requires; outside of conformance testing RSA-OAEP is the
        /// preferable choice. <c>rpid</c>, <c>myBaseUrl</c>, <c>GetBaseUrl</c>,
        /// <c>semaphore</c>, <c>result</c> and <c>GetUserInfo</c> are fixture members declared
        /// outside this method.
        /// </remarks>
        public void Should_Accept_Encrypted_UserInfo()
        {
            rpid = "rp-user_info-enc";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string registrationEndopoint = GetBaseUrl("/registration");

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType             = "web",
                ResponseTypes               = new List<ResponseType> { ResponseType.IdToken },
                RedirectUris                = new List<string> { myBaseUrl + "id_token_flow_callback" },
                UserinfoEncryptedResponseAlg = "RSA1_5",
                UserinfoEncryptedResponseEnc = "A128CBC-HS256",
                JwksUri                     = myBaseUrl + "my_public_keys.jwks"
            };
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // Request the "name" claim in the ID token.
            OIDClaims requestClaims = new OIDClaims
            {
                IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
            };

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
            {
                ClientId     = clientInformation.ClientId,
                Scope        = new List<MessageScope>
                {
                    MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email
                },
                ResponseType = new List<ResponseType> { ResponseType.IdToken, ResponseType.Token },
                RedirectUri  = clientInformation.RedirectUris[0],
                // Fresh nonce and state per request; they are checked again when the response is parsed.
                Nonce        = WebOperations.RandomString(),
                State        = WebOperations.RandomString(),
                Claims       = requestClaims
            };
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            // Blocks until the callback has delivered the response; no timeout, so a missing callback hangs the test.
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // Only an encryption certificate is needed here; no signing key is passed.
            X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List<OIDCKey>    myKeys  = KeyManager.GetKeysJwkList(null, encCert);

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }
        /// <summary>
        /// Conformance case "rp-user_info-sign": registers an implicit-flow client that asks for
        /// an <c>HS256</c>-signed UserInfo response, authenticates, then fetches UserInfo and
        /// verifies it with the client secret.
        /// </summary>
        /// <remarks>
        /// With a symmetric algorithm the client secret issued at registration doubles as the
        /// MAC key, which is why <c>clientInformation.ClientSecret</c> is handed to
        /// <c>GetUserInfo</c> here and no key set is passed. <c>rpid</c>, <c>myBaseUrl</c>,
        /// <c>GetBaseUrl</c>, <c>semaphore</c>, <c>result</c> and <c>GetUserInfo</c> are fixture
        /// members declared outside this method.
        /// </remarks>
        public void Should_Accept_Signed_UserInfo()
        {
            rpid = "rp-user_info-sign";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string registrationEndopoint = GetBaseUrl("/registration");

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType           = "web",
                ResponseTypes             = new List<ResponseType> { ResponseType.IdToken },
                RedirectUris              = new List<string> { myBaseUrl + "id_token_flow_callback" },
                UserinfoSignedResponseAlg = "HS256",
                JwksUri                   = myBaseUrl + "my_public_keys.jwks"
            };
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // Request the "name" claim in the ID token.
            OIDClaims requestClaims = new OIDClaims
            {
                IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
            };

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
            {
                ClientId     = clientInformation.ClientId,
                Scope        = new List<MessageScope>
                {
                    MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email
                },
                ResponseType = new List<ResponseType> { ResponseType.IdToken, ResponseType.Token },
                RedirectUri  = clientInformation.RedirectUris[0],
                // Fresh nonce and state per request; they are checked again when the response is parsed.
                Nonce        = WebOperations.RandomString(),
                State        = WebOperations.RandomString(),
                Claims       = requestClaims
            };
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            // Blocks until the callback has delivered the response; no timeout, so a missing callback hangs the test.
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, clientInformation.ClientSecret, null);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }
        /// <summary>
        /// Performs dynamic client registration once, when the provider entry is configured for
        /// self-registration and no client information has been loaded yet.
        /// </summary>
        /// <param name="rpOptions">Carries the optional signing and encryption certificates; their presence decides whether a <c>jwks_uri</c> is advertised.</param>
        /// <param name="urls">Supplies the code callback URL (registered as redirect URI) and the JWKS callback URL.</param>
        /// <remarks>
        /// The provider's response, including the issued client secret, is stored in
        /// <c>ClientInformation</c>. <c>SelfRegistered</c>, <c>Sign</c>, <c>Encrypt</c> and
        /// <c>ProviderMatadata</c> are members declared outside this method.
        /// </remarks>
        public void RegisterClient(IRPOptions rpOptions, OpenIDUrls urls)
        {
            bool needsRegistration = SelfRegistered && ClientInformation == null;
            if (!needsRegistration)
            {
                return;
            }

            List<ResponseType> responseTypes = new List<ResponseType> { ResponseType.Code };
            List<string>       redirectUris  = new List<string> { urls.CodeCallbackCommand.ToString() };

            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType         = "web";
            clientMetadata.ResponseTypes           = responseTypes;
            clientMetadata.RedirectUris            = redirectUris;
            // Client authenticates at the token endpoint with the secret issued by the provider.
            clientMetadata.TokenEndpointAuthMethod = "client_secret_basic";

            // Only advertise a key set when a certificate exists to serve keys from.
            bool signingKeyAvailable    = Sign && rpOptions.SignCertificate != null;
            bool encryptionKeyAvailable = Encrypt && rpOptions.EncCertificate != null;
            if (signingKeyAvailable || encryptionKeyAvailable)
            {
                clientMetadata.JwksUri = urls.JwksCallbackCommand.ToString();
            }

            ClientInformation = new OpenIdRelyingParty().RegisterClient(ProviderMatadata.RegistrationEndpoint, clientMetadata);
        }
        /// <summary>
        /// Conformance case "rp-registration-dynamic": registers a code-flow web client with a
        /// fixed localhost redirect URI and checks that the registration response validates.
        /// </summary>
        /// <remarks>
        /// This example types <c>ResponseTypes</c> as <c>List&lt;string&gt;</c> and calls
        /// <c>response.validate()</c> in lower case, unlike the sibling examples, so it
        /// presumably targets a different revision of the library; both are kept as written.
        /// <c>rpid</c>, <c>claims</c> and <c>GetBaseUrl</c> are fixture members declared
        /// outside this method.
        /// </remarks>
        public void Can_Register_Client()
        {
            // given
            rpid   = "rp-registration-dynamic";
            claims = "normal";

            string registrationEndopoint = GetBaseUrl("/registration");
            List<string> redirectUris    = new List<string> { "https://localhost:8090/code_flow_callback" };
            List<string> responseTypes   = new List<string> { "code" };

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web",
                RedirectUris    = redirectUris,
                ResponseTypes   = responseTypes
            };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.validate();
        }
        /// <summary>
        /// Test helper: registers a client at the fixture's registration endpoint and stores the
        /// result in <c>clientInformation</c>.
        /// </summary>
        /// <param name="RespType">
        /// <c>ResponseType.IdToken</c> registers the implicit-flow callback only,
        /// <c>ResponseType.Code</c> the code-flow callback only; <c>null</c> or any other value
        /// registers both response types and both callbacks.
        /// </param>
        /// <param name="JWKs">When true, advertises the fixture's <c>jwks_uri</c>.</param>
        /// <param name="RequestUri">When true, pre-registers the fixture's <c>request_uri</c> (request objects by reference).</param>
        /// <param name="InitateLoginUri">When true, registers the fixture's <c>initiate_login_uri</c>.</param>
        /// <remarks>
        /// <c>myBaseUrl</c>, <c>GetBaseUrl</c> and <c>clientInformation</c> are fixture members
        /// declared outside this method.
        /// </remarks>
        public void RegisterClient(ResponseType?RespType, bool JWKs = false, bool RequestUri = false, bool InitateLoginUri = false)
        {
            string registrationEndopoint = GetBaseUrl("/registration");

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType = "web"
            };

            if (JWKs)
            {
                clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            }

            if (RequestUri)
            {
                clientMetadata.RequestUris = new List<string> { myBaseUrl + "request.jwt" };
            }

            if (InitateLoginUri)
            {
                clientMetadata.InitiateLoginUri = myBaseUrl + "initiated_login";
            }

            // Pick the response types and the matching callbacks for the requested flow.
            List<ResponseType> responseTypes;
            List<string>       redirectUris;

            if (RespType == ResponseType.IdToken)
            {
                responseTypes = new List<ResponseType> { ResponseType.IdToken };
                redirectUris  = new List<string> { myBaseUrl + "id_token_flow_callback" };
            }
            else if (RespType == ResponseType.Code)
            {
                responseTypes = new List<ResponseType> { ResponseType.Code };
                redirectUris  = new List<string> { myBaseUrl + "code_flow_callback" };
            }
            else
            {
                // null (or any value not handled above) registers for both flows.
                responseTypes = new List<ResponseType> { ResponseType.Code, ResponseType.IdToken };
                redirectUris  = new List<string>
                {
                    myBaseUrl + "code_flow_callback",
                    myBaseUrl + "id_token_flow_callback"
                };
            }

            clientMetadata.ResponseTypes = responseTypes;
            clientMetadata.RedirectUris  = redirectUris;

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
        }
        /// <summary>
        /// Conformance case "rp-id_token-sig_none": registers a code-flow client with
        /// <c>id_token_signed_response_alg = none</c>, completes the code exchange and checks
        /// that the returned (unsigned) ID token validates.
        /// </summary>
        /// <remarks>
        /// An unsigned ID token is only acceptable because it is obtained directly from the
        /// token endpoint over TLS in the code flow and because <c>none</c> was explicitly
        /// requested at registration; the same token arriving via the front channel would have
        /// to be rejected. <c>rpid</c>, <c>myBaseUrl</c>, <c>GetBaseUrl</c>, <c>semaphore</c> and
        /// <c>result</c> are fixture members declared outside this method.
        /// </remarks>
        public void Should_Request_And_Use_Unsigned_Id_Token()
        {
            rpid = "rp-id_token-sig_none";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string registrationEndopoint = GetBaseUrl("/registration");

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType          = "web",
                RedirectUris             = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes            = new List<ResponseType> { ResponseType.Code },
                IdTokenSignedResponseAlg = "none"
            };
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
            {
                ClientId     = clientInformation.ClientId,
                Scope        = new List<MessageScope> { MessageScope.Openid },
                ResponseType = new List<ResponseType> { ResponseType.Code },
                RedirectUri  = clientInformation.RedirectUris[0],
                // Fresh nonce and state per request; they are checked again when the response is parsed.
                Nonce        = WebOperations.RandomString(),
                State        = WebOperations.RandomString()
            };
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            // Blocks until the callback has delivered the response; no timeout, so a missing callback hangs the test.
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            // Exchange the code at the token endpoint, authenticating with the registered secret.
            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage
            {
                Scope        = response.Scope,
                State        = response.State,
                Code         = response.Code,
                ClientId     = clientInformation.ClientId,
                ClientSecret = clientInformation.ClientSecret,
                GrantType    = "authorization_code",
                RedirectUri  = clientInformation.RedirectUris[0]
            };

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken();
            idToken.Validate();
        }
        /// <summary>
        /// Conformance case "rp-id_token-sig+enc": registers a code-flow client that asks for an
        /// ID token signed with RS256 and then encrypted with <c>RSA1_5</c> / <c>A128CBC-HS256</c>,
        /// completes the code exchange, decrypts the token with the RP's keys, verifies it
        /// against the provider's keys and validates it.
        /// </summary>
        /// <remarks>
        /// Both the signing and the encryption key are loaded from the same <c>server.pfx</c>
        /// (empty password, a test-fixture convenience). <c>RSA1_5</c> is the PKCS#1 v1.5
        /// key-wrap algorithm this conformance case requires; outside of conformance testing
        /// RSA-OAEP is the preferable choice. <c>rpid</c>, <c>signalg</c>, <c>encalg</c>,
        /// <c>myBaseUrl</c>, <c>GetBaseUrl</c>, <c>semaphore</c>, <c>result</c> and
        /// <c>providerMetadata</c> are fixture members declared outside this method.
        /// </remarks>
        public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
        {
            rpid    = "rp-id_token-sig+enc";
            signalg = "RS256";
            encalg  = "RSA1_5:A128CBC-HS256";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string registrationEndopoint = GetBaseUrl("/registration");

            OIDCClientInformation clientMetadata = new OIDCClientInformation
            {
                ApplicationType             = "web",
                RedirectUris                = new List<string> { myBaseUrl + "code_flow_callback" },
                ResponseTypes               = new List<ResponseType> { ResponseType.Code },
                IdTokenEncryptedResponseAlg = "RSA1_5",
                IdTokenEncryptedResponseEnc = "A128CBC-HS256",
                JwksUri                     = myBaseUrl + "my_public_keys.jwks"
            };
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
            {
                ClientId     = clientInformation.ClientId,
                Scope        = new List<MessageScope> { MessageScope.Openid },
                ResponseType = new List<ResponseType> { ResponseType.Code },
                RedirectUri  = clientInformation.RedirectUris[0],
                // Fresh nonce and state per request; they are checked again when the response is parsed.
                Nonce        = WebOperations.RandomString(),
                State        = WebOperations.RandomString()
            };
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            // Blocks until the callback has delivered the response; no timeout, so a missing callback hangs the test.
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            // Exchange the code at the token endpoint, authenticating with the registered secret.
            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage
            {
                Scope        = response.Scope,
                State        = response.State,
                Code         = response.Code,
                ClientId     = clientInformation.ClientId,
                ClientSecret = clientInformation.ClientSecret,
                GrantType    = "authorization_code",
                RedirectUri  = clientInformation.RedirectUris[0]
            };

            // The RP's own key set: the private key here is what decrypts the returned token.
            X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            X509Certificate2 encCert  = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List<OIDCKey>    myKeys   = KeyManager.GetKeysJwkList(signCert, encCert);

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            // Provider keys verify the signature, the RP keys decrypt the outer JWE.
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
            idToken.Validate();
        }
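        /// <summary>
        /// Loads the statically configured client credentials for a provider entry, or leaves
        /// <c>ClientInformation</c> unset when the entry is marked for dynamic registration.
        /// </summary>
        /// <param name="opEntry">Provider configuration element holding the self-registration flag and the configured client id and secret.</param>
        /// <param name="options">Not read by this method; kept for signature compatibility with callers.</param>
        /// <exception cref="ArgumentException">Thrown when self-registration is off and the client id or the client secret is missing.</exception>
        /// <remarks>
        /// The client secret is taken verbatim from configuration, so the configuration store
        /// is the trust boundary for that secret. <c>SelfRegistered</c> and
        /// <c>ClientInformation</c> are members declared outside this method.
        /// </remarks>
        private void LoadClientInformation(OpenIDProviderElement opEntry, IRPOptions options)
        {
            SelfRegistered = opEntry.SelfRegistration;

            if (SelfRegistered)
            {
                return;
            }

            // Both credentials are mandatory for a static client: fail fast instead of
            // producing a client that cannot authenticate at the token endpoint.
            if (string.IsNullOrEmpty(opEntry.ClientId) || string.IsNullOrEmpty(opEntry.ClientSecret))
            {
                throw new ArgumentException("Missing one required value for configuration. When configuring client without dynamic registration both clientid and clientsecret must be specified.");
            }

            ClientInformation = new OIDCClientInformation()
            {
                ClientId                = opEntry.ClientId,
                ClientSecret            = opEntry.ClientSecret,
                TokenEndpointAuthMethod = "client_secret_basic"
            };
        }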