Beispiel #1
0
        public void Should_Spport_Third_Party_Initiated_Login()
        {
            rpid = "rp-support_3rd_party_init_login";

            // given
            OIDCThirdPartyLoginRequest thirdPartyRequest = new OIDCThirdPartyLoginRequest();
            thirdPartyRequest.Iss = GetBaseUrl("/");
            WebRequest webRequest = WebRequest.Create(clientInformation.InitiateLoginUri + "?" + thirdPartyRequest.SerializeToQueryString());

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope = new List<MessageScope>{ MessageScope.Openid };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Validate();
            request = requestMessage.SerializeToQueryString();

            param = providerMetadata.AuthorizationEndpoint;

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            WebOperations.GetUrlContent(webRequest);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result);

            // then
            response.Validate();
        }
Beispiel #2
0
        public void Should_Authenticate_Client_With_Client_Secret_Basic()
        {
            rpid = "rp-token_endpoint-client_secret_basic";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage) GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
            tokenRequestMessage.Scope = response.Scope;
            tokenRequestMessage.State = response.State;
            tokenRequestMessage.Code = response.Code;
            tokenRequestMessage.ClientId = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType = "authorization_code";
            tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            clientInformation.TokenEndpointAuthMethod = "client_secret_basic";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
            idToken.Validate();
        }
Beispiel #3
0
        public void Should_Nonce_Be_Present_In_Implicit()
        {
            rpid = "rp-nonce-unless_code_flow";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;

            OIDClaims requestClaims = new OIDClaims();
            requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
            requestClaims.Userinfo.Add("name", new OIDClaimData());

            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce = WebOperations.RandomString();
            requestMessage.State = WebOperations.RandomString();
            requestMessage.Claims = requestClaims;
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

            // then
            idToken.Validate();
        }
Beispiel #4
0
        public void Should_Discover_OpenID_Providers_Using_URI_Syntax()
        {
            rpid = "rp-discovery-webfinger_acct";

            // given
            string userid = rpid + "@" + opBaseurl.Host;
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            string issuer = rp.ObtainIssuerFromEmail(userid, opBaseurl.ToString());

            // then
            Assert.AreEqual(issuer.TrimEnd('/'), GetBaseUrl("/").TrimEnd('/'));
        }
Beispiel #5
0
        public void Should_Discover_OpenID_Providers_Using_URL_Syntax()
        {
            rpid = "rp-discovery-webfinger_url";

            // given
            string userid = "https://" + opBaseurl.Host + ":" + opBaseurl.Port + "/" + rpid;
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            string issuer = rp.ObtainIssuerFromURL(userid, opBaseurl.ToString());

            // then
            Assert.AreEqual(issuer.TrimEnd('/'), GetBaseUrl("/").TrimEnd('/'));
        }
Beispiel #6
0
        public OIDCProviderMetadata(dynamic o)
        {
            deserializeFromDynamic(o);

            if (JwksUri != null)
            {
                Keys = new List <OIDCKey>();
                Dictionary <string, object> jwks = OpenIdRelyingParty.GetUrlContent(WebRequest.Create(JwksUri));
                ArrayList keys = (ArrayList)jwks["keys"];
                foreach (Dictionary <string, object> key in keys)
                {
                    OIDCKey newKey = new OIDCKey(key);
                    Keys.Add(newKey);
                }
            }
        }
Beispiel #7
0
        public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK()
        {
            rpid = "rp-id_token-kid_absent_multiple_jwks";

            // given

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
            idToken.Validate();
        }
Beispiel #8
0
        public void Should_Authenticate_With_Claims_In_Scope_Basic()
        {
            rpid = "rp-scope-userinfo_claims";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;

            OIDClaims requestClaims = new OIDClaims();
            requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
            requestClaims.Userinfo.Add("name", new OIDClaimData());

            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce = WebOperations.RandomString();
            requestMessage.State = WebOperations.RandomString();
            requestMessage.Claims = requestClaims;
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
            userInfoRequestMessage.Scope = authResponse.Scope;
            userInfoRequestMessage.State = authResponse.State;

            // when
            OIDCUserInfoResponseMessage response = rp.GetUserInfo(GetBaseUrl("/userinfo"), userInfoRequestMessage, authResponse.AccessToken);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
            Assert.IsNotNullOrEmpty(response.GivenName);
            Assert.IsNotNullOrEmpty(response.FamilyName);
            Assert.IsNotNullOrEmpty(response.Email);
            Assert.IsNotNull(response.Address);
            Assert.IsNotNullOrEmpty(response.Address.StreetAddress);
            Assert.IsNotNullOrEmpty(response.Address.PostalCode);
            Assert.IsNotNullOrEmpty(response.Address.Locality);
            Assert.IsNotNullOrEmpty(response.Address.Country);
            Assert.IsNotNullOrEmpty(response.PhoneNumber);
        }
Beispiel #9
0
        public void Should_Accept_Encrypted_UserInfo()
        {
            rpid = "rp-user_info-enc";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";
            clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
            clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
            clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
            clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDClaims requestClaims = new OIDClaims();
            requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
            requestClaims.IdToken.Add("name", new OIDClaimData());

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce = WebOperations.RandomString();
            requestMessage.State = WebOperations.RandomString();
            requestMessage.Claims = requestClaims;
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(null, encCert);

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }
Beispiel #10
0
        public void Should_Client_Be_Able_To_Register()
        {
            rpid = "rp-registration-dynamic";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
            clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
        }
Beispiel #11
0
        public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
        {
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce = (Nonce == null) ? WebOperations.RandomString() : Nonce;
            requestMessage.State = WebOperations.RandomString();
            requestMessage.Claims = Claims;

            if (Profile)
            {
                requestMessage.Scope.Add(MessageScope.Profile);
                requestMessage.Scope.Add(MessageScope.Address);
                requestMessage.Scope.Add(MessageScope.Phone);
                requestMessage.Scope.Add(MessageScope.Email);
            }

            if (ResponseType.Code == RespType)
            {
                requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
            }
            else if (ResponseType.IdToken == RespType)
            {
                requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
            }

            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            if (ResponseType.Code == RespType)
            {
                return rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
            }
            else if (ResponseType.IdToken == RespType)
            {
                return rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
            }

            throw new Exception("Error in parameter passed");
        }
Beispiel #12
0
        public void Should_Client_Only_Use_Https_Endpoints()
        {
            rpid = "rp-registration-uses_https_endpoints";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
            clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
            response.JwksUri = clientMetadata.JwksUri.Replace("https", "http");

            // then
            response.Validate();
        }
Beispiel #13
0
        public void Should_Use_Distributed_Claims()
        {
            rpid = "rp-claims-distributed";
            claims = "distributed";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string hostname = GetBaseUrl("/");
            providerMetadata = rp.ObtainProviderInformation(hostname);

            OIDCAuthCodeResponseMessage authResponse = GetAuthResponse(ResponseType.Code, null, true) as OIDCAuthCodeResponseMessage;
            OIDCTokenResponseMessage tokenResponse = GetToken(authResponse);
            OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();

            // when
            OIDCUserInfoResponseMessage userInfoResponse = GetUserInfo(authResponse.Scope, authResponse.State, tokenResponse.AccessToken);

            // then
            Assert.NotNull(userInfoResponse);
            Assert.AreEqual(userInfoResponse.CustomClaims["age"], 30);
        }
Beispiel #14
0
        public void Should_Use_Request_Uri_Parameter_Signed()
        {
            rpid = "rp-request_uri-sig";

            // given
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce);
            RSACryptoServiceProvider signKey = getSignKey();

            request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
Beispiel #15
0
        public void Should_Authenticate_With_Code_Response_Type()
        {
            rpid = "rp-response_type-code";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
Beispiel #16
0
        public override void validate()
        {
            if (RedirectUris != null && ResponseTypes != null && RedirectUris.Count != ResponseTypes.Count)
            {
                throw new OIDCException("The redirect_uris do not match response_types.");
            }

            if (RedirectUris != null && SectorIdentifierUri != null)
            {
                List <string> siUris = new List <string>();
                dynamic       uris   = OpenIdRelyingParty.GetUrlContent(WebRequest.Create(SectorIdentifierUri));
                foreach (string uri in uris)
                {
                    siUris.Add(uri);
                }

                foreach (string uri in RedirectUris)
                {
                    if (!siUris.Contains(uri))
                    {
                        throw new OIDCException("The sector_identifier_uri json must include URIs from the redirect_uri array.");
                    }
                }
            }

            if (ResponseTypes != null && GrantTypes != null)
            {
                foreach (string responseType in ResponseTypes)
                {
                    if ((responseType == "code" && !GrantTypes.Contains("authorization_code")) ||
                        (responseType == "id_token" && !GrantTypes.Contains("implicit")) ||
                        (responseType == "token" && !GrantTypes.Contains("implicit")) ||
                        (responseType == "id_token" && !GrantTypes.Contains("implicit")))
                    {
                        throw new OIDCException("The response_types do not match grant_types.");
                    }
                }
            }
        }
Beispiel #17
0
        public void Should_Authenticate_With_IdToken_Response_Type()
        {
            rpid = "rp-response_type-id_token";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
            requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
            requestMessage.RedirectUri = clientInformation.RedirectUris[1];
            requestMessage.Nonce = WebOperations.RandomString();
            requestMessage.State = WebOperations.RandomString();
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            response.Validate();
        }
Beispiel #18
0
        public void Should_Request_And_Use_Claims_Id_Token()
        {
            rpid = "rp-response_type-id_token+token";
            signalg = "RS256";
            GetProviderMetadata();

            // given
            string Nonce = WebOperations.RandomString();
            OIDClaims requestClaims = new OIDClaims();
            requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
            requestClaims.IdToken.Add("name", new OIDClaimData());

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, Nonce, true, requestClaims);

            // then
            response.Validate();
            Assert.NotNull(response.AccessToken);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
            rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, Nonce);
            Assert.IsNotNullOrEmpty(idToken.Name);
        }
Beispiel #19
0
        public void Should_Support_Signing_Key_Rotation()
        {
            rpid = "rp-key_rotation-rp_sign_key";

            // given
            RSACryptoServiceProvider signKey1 = getSignKey("server.pfx");
            OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);

            RSACryptoServiceProvider signKey2 = getSignKey("server2.pfx");
            OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            request = JWT.Encode(requestObject1.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope, requestMessage1.State);

            request = JWT.Encode(requestObject2.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope, requestMessage2.State);

            // then
            response1.Validate();
            response2.Validate();
        }
Beispiel #20
0
        public void Should_Obtain_Provider_Information_With_JWKS_Json()
        {
            rpid = "rp-discovery-jwks_uri_keys";

            // given
            string hostname = GetBaseUrl("/");
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCProviderMetadata response = rp.ObtainProviderInformation(hostname);

            // then
            response.Validate();

            Assert.IsNotNull(response.Keys);
            Assert.Greater(response.Keys.Count, 0);
        }
Beispiel #21
0
        public void Should_Keys_Be_Published_As_JWK()
        {
            rpid = "rp-registration-well_formed_jwk";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
            clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
        }
Beispiel #22
0
        public void Should_Registration_Request_Has_RedirectUris()
        {
            rpid = "rp-registration-redirect_uris";

            // given
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
            clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);

            // then
            response.Validate();
            CollectionAssert.AreEquivalent(clientMetadata.RedirectUris, response.RedirectUris);
        }
Beispiel #23
0
        public void Should_Wrong_Discovered_Issuer_Be_Rejected()
        {
            rpid = "rp-discovery-issuer_not_matching_config";

            // given
            string hostname = GetBaseUrl("/");
            string userid = "https://" + opBaseurl.Host + ":" + opBaseurl.Port + "/" + rpid;
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            string issuer = rp.ObtainIssuerFromURL(userid, opBaseurl.ToString());
            issuer = issuer.Replace("localhost", "wrong.hostname");

            // when
            rp.ObtainProviderInformation(hostname, issuer);

            // then
        }
Beispiel #24
0
        public void Should_Authenticate_Client_With_Private_Key_Jwt()
        {
            rpid = "rp-token_endpoint-client_secret_jwt";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
            tokenRequestMessage.Scope = response.Scope;
            tokenRequestMessage.State = response.State;
            tokenRequestMessage.Code = response.Code;
            tokenRequestMessage.ClientId = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType = "authorization_code";
            tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];

            RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
                delegate(OIDCKey k)
                {
                    return k.Use == "enc" && k.Kty == "RSA";
                }
            ).GetRSA();

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
            idToken.Validate();
        }
Beispiel #25
0
        public void Should_Obtain_Provider_Information()
        {
            rpid = "rp-discovery-openid_configuration";

            // given
            string hostname = GetBaseUrl("/");
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCProviderMetadata response = rp.ObtainProviderInformation(hostname);

            // then
            response.Validate();
        }
Beispiel #26
0
        private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
        {
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
            tokenRequestMessage.Scope = response.Scope;
            tokenRequestMessage.Code = response.Code;
            tokenRequestMessage.ClientId = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType = "authorization_code";
            tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];

            return rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
        }
Beispiel #27
0
 public void GetProviderMetadata()
 {
     string hostname = GetBaseUrl("/");
     OpenIdRelyingParty rp = new OpenIdRelyingParty();
     providerMetadata = rp.ObtainProviderInformation(hostname);
 }
Beispiel #28
0
        private static void ThirdPartyInitiatedLoginCallback(IHttpContext context)
        {
            result = context.Request.Uri.Query;
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
            requestMessage.DeserializeFromQueryString(request);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            rp.ThirdPartyInitiatedLogin(requestMessage, param);
        }
Beispiel #29
0
        public void RegisterClient(ResponseType? RespType, bool JWKs = false, bool RequestUri = false, bool InitateLoginUri = false)
        {
            string registrationEndopoint = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();
            clientMetadata.ApplicationType = "web";

            if (JWKs)
            {
                clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            }

            if (RequestUri)
            {
                clientMetadata.RequestUris = new List<string>() { myBaseUrl + "request.jwt" };
            }

            if (InitateLoginUri)
            {
                clientMetadata.InitiateLoginUri = myBaseUrl + "initiated_login";
            }

            if (ResponseType.IdToken == RespType)
            {
                clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
                clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };

            }
            else if(ResponseType.Code == RespType)
            {
                clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
                clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
            }
            else
            {
                clientMetadata.ResponseTypes = new List<ResponseType>() {
                    ResponseType.Code,
                    ResponseType.IdToken
                };
                clientMetadata.RedirectUris = new List<string>() {
                    myBaseUrl + "code_flow_callback",
                    myBaseUrl + "id_token_flow_callback"
                };
            }

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
        }
Beispiel #30
0
        public OIDCUserInfoResponseMessage GetUserInfo(List<MessageScope> scope, string state, string accessToken, string idTokenSub = null, bool bearer = true, string ClientSecret = null, List<OIDCKey> RPKeys = null)
        {
            OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
            userInfoRequestMessage.Scope = scope;
            userInfoRequestMessage.State = state;

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            var urlInfoUrl = providerMetadata.UserinfoEndpoint;
            return rp.GetUserInfo(urlInfoUrl, userInfoRequestMessage, accessToken, idTokenSub, bearer, ClientSecret, RPKeys);
        }
Beispiel #31
0
        public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
        {
            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
            tokenRequestMessage.Scope = authResponse.Scope;
            tokenRequestMessage.State = authResponse.State;
            tokenRequestMessage.Code = authResponse.Code;
            tokenRequestMessage.ClientId = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
            tokenRequestMessage.GrantType = "authorization_code";

            OpenIdRelyingParty rp = new OpenIdRelyingParty();
            OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);
            rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
            return response;
        }
Beispiel #32
0
        public void Should_Support_Provider_Crypt_Key_Rotation()
        {
            rpid = "rp-key_rotation-op_enc_key";

            // given
            OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
            RSACryptoServiceProvider encKey1 = getEncKey();

            OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage2.State, requestMessage2.Nonce);
            RSACryptoServiceProvider encKey2 = getEncKey();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            request = JWT.Encode(requestObject1.SerializeToJsonString(), encKey1, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope);

            request = JWT.Encode(requestObject2.SerializeToJsonString(), encKey2, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope);

            // then
            response1.Validate();
            response2.Validate();
        }