public void CreateAndValidateTokens_RoundTripTokens()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
CreateAndValidateParams createAndValidateParams;
string issuer = "issuer";
string originalIssuer = "originalIssuer";
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.DuplicateTypes",
Claims = ClaimSets.DuplicateTypes(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.DuplicateTypes(issuer, originalIssuer), null),
ExceptionType = null,
TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
};
RunRoundTrip(createAndValidateParams, handler);
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.Simple_simpleSigned_Asymmetric",
Claims = ClaimSets.Simple(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2),
ExceptionType = null,
SigningCredentials = KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2,
SigningToken = KeyingMaterial.DefaultX509Token_2048,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048),
ValidIssuer = issuer,
}
};
RunRoundTrip(createAndValidateParams, handler);
createAndValidateParams = new CreateAndValidateParams
{
Case = "ClaimSets.Simple_simpleSigned_Symmetric",
Claims = ClaimSets.Simple(issuer, originalIssuer),
CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2),
ExceptionType = null,
SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2,
SigningToken = KeyingMaterial.DefaultSymmetricSecurityToken_256,
TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256,
ValidIssuer = issuer,
}
};
RunRoundTrip(createAndValidateParams, handler);
}
public void CreateAndValidateTokens_DuplicateClaims()
{
SecurityToken validatedToken;
string encodedJwt = IdentityUtilities.CreateJwtToken(
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials,
Subject = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)),
TokenIssuerName = IdentityUtilities.DefaultIssuer,
});
JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");
ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken);
Assert.IsTrue(IdentityComparer.AreEqual <IEnumerable <Claim> >(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext {
IgnoreProperties = true, IgnoreSubject = true
}));
JwtSecurityTokenHandler.InboundClaimFilter.Clear();
}
public void JwtSecurityTokenHandler_Extensibility()
{
DerivedJwtSecurityTokenHandler handler = new DerivedJwtSecurityTokenHandler()
{
DerivedTokenType = typeof(DerivedJwtSecurityToken)
};
JwtSecurityToken jwt =
new JwtSecurityToken
(
issuer: Issuers.GotJwt,
audience: Audiences.AuthFactors,
claims: ClaimSets.Simple(Issuers.GotJwt, Issuers.GotJwt),
signingCredentials: KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2,
expires: DateTime.UtcNow + TimeSpan.FromHours(10),
notBefore: DateTime.UtcNow
);
string encodedJwt = handler.WriteToken(jwt);
TokenValidationParameters tvp = new TokenValidationParameters()
{
IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256,
ValidateAudience = false,
ValidIssuer = Issuers.GotJwt,
};
ValidateDerived(encodedJwt, handler, tvp, ExpectedException.NoExceptionExpected);
}
public static JwtSecurityToken Create(string issuer, string originalIssuer, SigningCredentials signingCredentials)
{
JwtPayload payload = new JwtPayload(issuer, "urn:uri", ClaimSets.Simple(issuer, originalIssuer), new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10)));
JwtHeader header = new JwtHeader(signingCredentials);
return(new JwtSecurityToken(header, payload, header.Encode() + "." + payload.Encode() + "."));
}
public void JwtSecurityTokenHandler_Extensibility()
{
DerivedJwtSecurityTokenHandler handler = new DerivedJwtSecurityTokenHandler()
{
DerivedTokenType = typeof(DerivedJwtSecurityToken)
};
JwtSecurityToken jwt =
new JwtSecurityToken
(
issuer: Issuers.GotJwt,
audience: Audiences.AuthFactors,
claims: ClaimSets.Simple(Issuers.GotJwt, Issuers.GotJwt),
signingCredentials: KeyingMaterial.SymmetricSigningCreds_256_Sha2,
lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10))
);
string encodedJwt = handler.WriteToken(jwt);
JwtSecurityToken jwtReadAsDerived = handler.ReadToken(DerivedJwtSecurityToken.Prefix + encodedJwt) as JwtSecurityToken;
DerivedJwtSecurityToken jwtDerivedNotValidated = jwtReadAsDerived as DerivedJwtSecurityToken;
TokenValidationParameters tvp = new TokenValidationParameters()
{
SigningToken = KeyingMaterial.BinarySecretToken_256,
AudienceUriMode = Selectors.AudienceUriMode.Never,
ValidIssuer = Issuers.GotJwt,
};
ValidateDerived(jwtReadAsDerived, null, handler, tvp, ExpectedException.Null);
ValidateDerived(null, DerivedJwtSecurityToken.Prefix + encodedJwt, handler, tvp, ExpectedException.Null);
handler.Configuration = new SecurityTokenHandlerConfiguration()
{
IssuerTokenResolver = new SetReturnSecurityTokenResolver(KeyingMaterial.BinarySecretToken_256, KeyingMaterial.SymmetricSecurityKey_256),
SaveBootstrapContext = true,
CertificateValidator = AlwaysSucceedCertificateValidator.New,
IssuerNameRegistry = new SetNameIssuerNameRegistry(Audiences.AuthFactors),
AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always),
};
handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Audiences.AuthFactors));
ValidateDerived(null, DerivedJwtSecurityToken.Prefix + encodedJwt, handler, null, ExpectedException.Null);
ValidateDerived(handler.ReadToken(DerivedJwtSecurityToken.Prefix + encodedJwt) as JwtSecurityToken, null, handler, null, ExpectedException.Null);
handler.DerivedTokenType = typeof(JwtSecurityToken);
JwtSecurityToken jwtRead = handler.ReadToken(encodedJwt) as JwtSecurityToken;
ValidateDerived(jwtRead, null, handler, tvp, ExpectedException.Null);
ValidateDerived(null, encodedJwt, handler, tvp, ExpectedException.Null);
ValidateDerived(null, encodedJwt, handler, null, ExpectedException.Null);
ValidateDerived(jwtRead as JwtSecurityToken, null, handler, null, ExpectedException.Null);
}
public void DuplicateClaims()
{
Console.WriteLine("Entering: " + MethodBase.GetCurrentMethod());
string issuer = "http://www.dupsRus.com";
string audience = "http://www.contoso.com";
JwtSecurityToken jwt = new JwtSecurityToken(issuer: issuer, audience: audience, claims: ClaimSets.DuplicateTypes(issuer, issuer), signingCredentials: KeyingMaterial.SymmetricSigningCreds_256_Sha2, lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10)));
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
string encodedJwt = jwtHandler.WriteToken(jwt);
JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken;
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
SigningToken = KeyingMaterial.BinarySecretToken_256,
AudienceUriMode = Selectors.AudienceUriMode.Never,
ValidIssuer = issuer,
};
Console.WriteLine("Comparing jwt.Claims");
IEnumerable <Claim> claims = ClaimSets.ClaimsPlus(claims: ClaimSets.DuplicateTypes(issuer, issuer), lifetime: new Lifetime(jwt.ValidFrom, jwt.ValidTo), issuer: issuer, audience: audience);
// ClaimTypes would have been translated outbound, when the jwt was created.
// Comparision should take that into account.
List <Claim> translatedClaims = new List <Claim>();
foreach (Claim c in claims)
{
translatedClaims.Add(ClaimSets.OutboundClaim(c));
}
if (!IdentityComparer.AreEqual(jwt.Claims, translatedClaims))
{
Assert.Fail("Claims are different");
}
// ClaimTypes would have been translated inbound, when the identity was created.
// Comparision should take that into account.
Console.WriteLine("Comparing Claimsprincipal Claims");
var cp = jwtHandler.ValidateToken(jwtRead, validationParameters);
translatedClaims.Clear();
foreach (Claim c in claims)
{
translatedClaims.Add(ClaimSets.InboundClaim(c));
}
Assert.IsTrue(IdentityComparer.AreEqual(translatedClaims, cp.Claims), "Claims are different");
}
public void CreateAndValidateTokens_MultipleAudiences()
{
List <string> errors = new List <string>();
var handler = new JwtSecurityTokenHandler();
var payload = new JwtPayload();
var header = new JwtHeader();
payload.AddClaims(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer));
var jwtToken = new JwtSecurityToken(header, payload);
var jwt = handler.WriteToken(jwtToken);
var validationParameters =
new TokenValidationParameters
{
RequireExpirationTime = false,
RequireSignedTokens = false,
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
SecurityToken validatedJwt = null;
var cp = handler.ValidateToken(jwt, validationParameters, out validatedJwt);
var ci = new ClaimsIdentity(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), AuthenticationTypes.Federation);
var cpExpected = new ClaimsPrincipal(ci);
var compareContext = new CompareContext();
if (!IdentityComparer.AreEqual <ClaimsPrincipal>(cp, cpExpected, compareContext))
{
errors.Add("IdentityComparer.AreEqual<ClaimsPrincipal>(cp, cpExpected, compareContext)");
}
var audiences = (validatedJwt as JwtSecurityToken).Audiences;
var jwtAudiences = jwtToken.Audiences;
if (!IdentityComparer.AreEqual <IEnumerable <string> >(audiences, jwtAudiences))
{
errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(audiences, jwtAudiences)");
}
if (!IdentityComparer.AreEqual <IEnumerable <string> >(audiences, IdentityUtilities.DefaultAudiences))
{
errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(audiences, IdentityUtilities.DefaultAudiences)");
}
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors);
}
private List <JwtSecurityTokenTestVariation> GetJWTTypedConstructorsCases()
{
string issuer = "GetJWTTypedConstructorsCases";
List <JwtSecurityTokenTestVariation> constructionParams = new List <JwtSecurityTokenTestVariation>()
{
// ensure format is not format is not checked
new JwtSecurityTokenTestVariation
{
Name = "SimpleJwt",
Claims = ClaimSets.Simple(issuer, issuer),
ExpectedJwtSecurityToken = JwtTestTokens.Simple(issuer, issuer),
},
};
return(constructionParams);
}
public void CreateAndValidateTokens_RoleClaims()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters
{
IssuerSigningToken = KeyingMaterial.DefaultX509Token_2048,
ValidateAudience = false,
ValidateIssuer = false,
};
string issuer = "https://gotjwt.com";
DateTime utcNow = DateTime.UtcNow;
DateTime expire = utcNow + TimeSpan.FromHours(1);
ClaimsIdentity subject = new ClaimsIdentity(claims: ClaimSets.RoleClaimsShortType(issuer, issuer));
JwtSecurityToken jwtToken = handler.CreateToken(issuer: issuer, signingCredentials: KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2, subject: subject) as JwtSecurityToken;
SecurityToken securityToken;
ClaimsPrincipal principal = handler.ValidateToken(jwtToken.RawData, validationParameters, out securityToken);
CheckForRoles(new string[] { "role1", "roles1" }, new string[] { "notrole1", "notrole2" }, principal);
ClaimsIdentity expectedIdentity =
new ClaimsIdentity(
authenticationType: "Federation",
claims: ClaimSets.RoleClaimsLongType(issuer, issuer)
);
Claim claim = new Claim(type: JwtRegisteredClaimNames.Iss, value: issuer, valueType: ClaimValueTypes.String, issuer: issuer);
expectedIdentity.AddClaim(claim);
claim = new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(expire).ToString(), valueType: "JSON", issuer: issuer);
claim.Properties.Add(JwtSecurityTokenHandler.JsonClaimTypeProperty, "System.Int32");
expectedIdentity.AddClaim(claim);
claim = new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(utcNow).ToString(), valueType: "JSON", issuer: issuer);
claim.Properties.Add(JwtSecurityTokenHandler.JsonClaimTypeProperty, "System.Int32");
expectedIdentity.AddClaim(claim);
CompareContext context = new CompareContext();
IdentityComparer.AreEqual <IEnumerable <Claim> >(principal.Claims, expectedIdentity.Claims, context);
Assert.IsTrue(context.Errors.Count == 0);
}
public void CreateAndValidateTokens_MultipleX5C()
{
List <string> errors = new List <string>();
var handler = new JwtSecurityTokenHandler();
var payload = new JwtPayload();
var header = new JwtHeader();
payload.AddClaims(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer));
List <string> x5cs = new List <string> {
"x5c1", "x5c2"
};
header.Add(JwtHeaderParameterNames.X5c, x5cs);
var jwtToken = new JwtSecurityToken(header, payload);
var jwt = handler.WriteToken(jwtToken);
var validationParameters =
new TokenValidationParameters
{
RequireExpirationTime = false,
RequireSignedTokens = false,
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
SecurityToken validatedSecurityToken = null;
var cp = handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken);
JwtSecurityToken validatedJwt = validatedSecurityToken as JwtSecurityToken;
object x5csInHeader = validatedJwt.Header[JwtHeaderParameterNames.X5c];
if (x5csInHeader == null)
{
errors.Add("1: validatedJwt.Header[JwtHeaderParameterNames.X5c]");
}
else
{
var list = x5csInHeader as IEnumerable <object>;
if (list == null)
{
errors.Add("2: var list = x5csInHeader as IEnumerable<object>; is NULL.");
}
int num = 0;
foreach (var str in list)
{
num++;
if (!(str is string))
{
errors.Add("3: str is not string, is:" + str.ToString());
}
}
if (num != x5cs.Count)
{
errors.Add("4: num != x5cs.Count. num: " + num.ToString() + "x5cs.Count: " + x5cs.Count.ToString());
}
}
// make sure we can still validate with existing logic.
header = new JwtHeader(KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2);
header.Add(JwtHeaderParameterNames.X5c, x5cs);
jwtToken = new JwtSecurityToken(header, payload);
jwt = handler.WriteToken(jwtToken);
validationParameters.IssuerSigningToken = KeyingMaterial.DefaultAsymmetricX509Token_2048;
validationParameters.RequireSignedTokens = true;
validatedSecurityToken = null;
cp = handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken);
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors);
}
public void CreateAndValidateTokens_JsonClaims()
{
List <string> errors = new List <string>();
string issuer = "http://www.GotJWT.com";
string claimSources = "_claim_sources";
string claimNames = "_claim_names";
JwtPayload jwtPayloadClaimSources = new JwtPayload();
jwtPayloadClaimSources.Add(claimSources, JsonClaims.ClaimSources);
jwtPayloadClaimSources.Add(claimNames, JsonClaims.ClaimNames);
JwtSecurityToken jwtClaimSources =
new JwtSecurityToken(
new JwtHeader(),
jwtPayloadClaimSources);
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
string encodedJwt = jwtHandler.WriteToken(jwtClaimSources);
var validationParameters =
new TokenValidationParameters
{
IssuerValidator = (s, st, tvp) => { return(issuer); },
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
};
SecurityToken validatedJwt = null;
var claimsPrincipal = jwtHandler.ValidateToken(encodedJwt, validationParameters, out validatedJwt);
if (!IdentityComparer.AreEqual
(claimsPrincipal.Identity as ClaimsIdentity,
JsonClaims.ClaimsIdentityDistributedClaims(issuer, TokenValidationParameters.DefaultAuthenticationType, JsonClaims.ClaimSources, JsonClaims.ClaimNames)))
{
errors.Add("JsonClaims.ClaimSources, JsonClaims.ClaimNames: test failed");
}
;
Claim c = claimsPrincipal.FindFirst(claimSources);
if (!c.Properties.ContainsKey(JwtSecurityTokenHandler.JsonClaimTypeProperty))
{
errors.Add(claimSources + " claim, did not have json property: " + JwtSecurityTokenHandler.JsonClaimTypeProperty);
}
else
{
if (!string.Equals(c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty], typeof(IDictionary <string, object>).ToString(), StringComparison.Ordinal))
{
errors.Add("!string.Equals(c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty], typeof(IDictionary<string, object>).ToString(), StringComparison.Ordinal)" +
"value is: " + c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty]);
}
}
JwtSecurityToken jwtWithEntity =
new JwtSecurityToken(
new JwtHeader(),
new JwtPayload(claims: ClaimSets.EntityAsJsonClaim(issuer, issuer)));
encodedJwt = jwtHandler.WriteToken(jwtWithEntity);
JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken;
SecurityToken validatedToken;
var cp = jwtHandler.ValidateToken(jwtRead.RawData, validationParameters, out validatedToken);
Claim jsonClaim = cp.FindFirst(typeof(Entity).ToString());
if (jsonClaim == null)
{
errors.Add("Did not find Jsonclaims. Looking for claim of type: '" + typeof(Entity).ToString() + "'");
}
;
string jsString = JsonExtensions.SerializeToJson(Entity.Default);
if (!string.Equals(jsString, jsonClaim.Value, StringComparison.Ordinal))
{
errors.Add(string.Format(CultureInfo.InvariantCulture, "Find Jsonclaims of type: '{0}', but they weren't equal.\nExpecting:\n'{1}'.\nReceived:\n'{2}'", typeof(Entity).ToString(), jsString, jsonClaim.Value));
}
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors);
}
public static ClaimsIdentity Simple(string issuer, string originalIssuer)
{
return(new ClaimsIdentity(ClaimSets.Simple(issuer, originalIssuer)));
}
public static JwtSecurityToken Simple(string issuer, string originalIssuer)
{
return(new JwtSecurityToken(issuer, "http://www.contoso.com", ClaimSets.Simple(issuer, originalIssuer)));
}
public void SubClaim()
{
string issuer = "http://www.GotJWT.com";
string audience = "http://www.contoso.com";
JwtSecurityToken jwt = new JwtSecurityToken(issuer: issuer, audience: audience, claims: ClaimSets.JsonClaims(issuer, issuer), lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)));
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
jwtHandler.RequireSignedTokens = false;
string encodedJwt = jwtHandler.WriteToken(jwt);
JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken;
TokenValidationParameters validationParameters = new TokenValidationParameters()
{
AudienceUriMode = Selectors.AudienceUriMode.Never,
ValidIssuer = issuer,
};
var cp = jwtHandler.ValidateToken(jwtRead, validationParameters);
Claim jsonClaim = cp.FindFirst(typeof(Entity).ToString());
Assert.IsFalse(jsonClaim == null, string.Format(CultureInfo.InvariantCulture, "Did not find Jsonclaims. Looking for claim of type: '{0}'", typeof(Entity).ToString()));
JavaScriptSerializer js = new JavaScriptSerializer();
string jsString = js.Serialize(Entity.Default);
Assert.IsFalse(jsString != jsonClaim.Value, string.Format(CultureInfo.InvariantCulture, "Find Jsonclaims of type: '{0}', but they weren't equal.\nExpecting '{1}'.\nReceived '{2}'", typeof(Entity).ToString(), jsString, jsonClaim.Value));
}
