public void Should_Nonce_Be_Present_In_Implicit()
{
rpid = "rp-nonce-unless_code_flow";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
// then
idToken.Validate();
}
public void Should_Authenticate_With_Claims_In_Scope_Basic()
{
rpid = "rp-scope-userinfo_claims";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
userInfoRequestMessage.Scope = authResponse.Scope;
userInfoRequestMessage.State = authResponse.State;
// when
OIDCUserInfoResponseMessage response = rp.GetUserInfo(GetBaseUrl("/userinfo"), userInfoRequestMessage, authResponse.AccessToken);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
Assert.IsNotNullOrEmpty(response.GivenName);
Assert.IsNotNullOrEmpty(response.FamilyName);
Assert.IsNotNullOrEmpty(response.Email);
Assert.IsNotNull(response.Address);
Assert.IsNotNullOrEmpty(response.Address.StreetAddress);
Assert.IsNotNullOrEmpty(response.Address.PostalCode);
Assert.IsNotNullOrEmpty(response.Address.Locality);
Assert.IsNotNullOrEmpty(response.Address.Country);
Assert.IsNotNullOrEmpty(response.PhoneNumber);
}
public void Should_Accept_Encrypted_UserInfo()
{
rpid = "rp-user_info-enc";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(null, encCert);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Request_And_Use_Claims_Userinfo()
{
rpid = "rp-claims_request-userinfo_claims";
GetProviderMetadata();
// given
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
{
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = (Nonce == null) ? WebOperations.RandomString() : Nonce;
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = Claims;
if (Profile)
{
requestMessage.Scope.Add(MessageScope.Profile);
requestMessage.Scope.Add(MessageScope.Address);
requestMessage.Scope.Add(MessageScope.Phone);
requestMessage.Scope.Add(MessageScope.Email);
}
if (ResponseType.Code == RespType)
{
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
}
else if (ResponseType.IdToken == RespType)
{
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
}
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
if (ResponseType.Code == RespType)
{
return rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
}
else if (ResponseType.IdToken == RespType)
{
return rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
}
throw new Exception("Error in parameter passed");
}
public void Should_Request_And_Use_Claims_Id_Token()
{
rpid = "rp-response_type-id_token+token";
signalg = "RS256";
GetProviderMetadata();
// given
string Nonce = WebOperations.RandomString();
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, Nonce, true, requestClaims);
// then
response.Validate();
Assert.NotNull(response.AccessToken);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
}
public void Should_Send_AccessToken_In_HTTP_Authorization()
{
rpid = "rp-user_info-bearer_header";
// given
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Reject_Userinfo_With_Invalid_Sub()
{
rpid = "rp-user_info-bad_sub_claim";
// given
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, idToken.Sub + "Wrong");
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Accept_Signed_UserInfo()
{
rpid = "rp-user_info-sign";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
clientMetadata.UserinfoSignedResponseAlg = "HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, clientInformation.ClientSecret, null);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
private OIDCUserInfoResponseMessage GetUserInfo(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string accessToken)
{
OpenIDProviderData providerData = options.OpenIDProviders[session["op"] as string];
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
requestClaims.IdToken.Add("family_name", new OIDClaimData());
requestClaims.IdToken.Add("given_name", new OIDClaimData());
requestClaims.IdToken.Add("email", new OIDClaimData());
requestClaims.IdToken.Add("gender", new OIDClaimData());
OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
userInfoRequestMessage.Scope = authResponse.Scope;
userInfoRequestMessage.State = authResponse.State;
userInfoRequestMessage.Claims = requestClaims;
var urlInfoUrl = providerData.ProviderMatadata.UserinfoEndpoint;
return rp.GetUserInfo(urlInfoUrl, userInfoRequestMessage, accessToken);
}
