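/// <summary>
/// Acquires an app-only (client credentials) token against an on-premise ADFS authority and
/// verifies that only the app token cache is touched: the first call is answered by the mocked
/// token endpoint, the second call is served from the app token cache. The user token cache
/// must stay empty throughout, and no refresh token is ever stored for this flow.
/// </summary>
public async Task ConfidentialClientUsingAdfsAsync()
{
    using (var httpManager = new MockHttpManager())
    {
        var app = ConfidentialClientApplicationBuilder.Create(MsalTestConstants.ClientId)
            .WithAuthority(new Uri(MsalTestConstants.OnPremiseAuthority), true)
            .WithRedirectUri(MsalTestConstants.RedirectUri)
            .WithClientSecret(MsalTestConstants.ClientSecret)
            .WithHttpManager(httpManager)
            .BuildConcrete();

        var appCacheAccess = app.AppTokenCache.RecordAccess();
        var userCacheAccess = app.UserTokenCache.RecordAccess();

        // ADFS authority validation: the webfinger trusted-realm lookup is answered first,
        // then the OpenID configuration document, then the token endpoint itself.
        httpManager.AddMockHandler(new MockHttpMessageHandler
        {
            ExpectedMethod = HttpMethod.Get,
            ExpectedUrl = "https://fs.contoso.com/.well-known/webfinger",
            ExpectedQueryParams = new Dictionary<string, string>
            {
                { "resource", "https://fs.contoso.com" },
                { "rel", "http://schemas.microsoft.com/rel/trusted-realm" }
            },
            ResponseMessage = MockHelpers.CreateSuccessWebFingerResponseMessage("https://fs.contoso.com")
        });
        httpManager.AddMockHandler(new MockHttpMessageHandler
        {
            ExpectedMethod = HttpMethod.Get,
            ResponseMessage = MockHelpers.CreateOpenIdConfigurationResponse(MsalTestConstants.OnPremiseAuthority)
        });
        httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();

        // First acquisition: nothing is cached yet, so the mocked token endpoint is used.
        var result = await app.AcquireTokenForClient(MsalTestConstants.Scope.ToArray())
            .ExecuteAsync()
            .ConfigureAwait(false);

        AssertTokenAndCacheState(result);
        appCacheAccess.AssertAccessCounts(1, 1);
        userCacheAccess.AssertAccessCounts(0, 0);

        // Second acquisition: no further token-endpoint handler is registered, so the result
        // is expected to come from the app token cache (one more read, no extra write).
        result = await app.AcquireTokenForClient(MsalTestConstants.Scope.ToArray())
            .ExecuteAsync()
            .ConfigureAwait(false);

        AssertTokenAndCacheState(result);
        appCacheAccess.AssertAccessCounts(2, 1);
        userCacheAccess.AssertAccessCounts(0, 0);

        // Checks shared by both acquisitions: token content plus the state of both caches.
        void AssertTokenAndCacheState(AuthenticationResult r)
        {
            Assert.IsNotNull(r);
            // The original used Assert.IsNotNull("header.payload.signature", r.AccessToken), which
            // passed the literal as the value under test and the token as the failure message, so it
            // could never fail. Compare the token to the mocked value instead.
            Assert.AreEqual("header.payload.signature", r.AccessToken);
            Assert.AreEqual(MsalTestConstants.Scope.AsSingleString(), r.Scopes.AsSingleString());

            // User token cache must stay empty for an app-only flow.
            Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
            Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().Count());

            // Exactly one app access token; no refresh tokens are returned for client credentials.
            Assert.AreEqual(1, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
            Assert.AreEqual(0, app.AppTokenCacheInternal.Accessor.GetAllRefreshTokens().Count());
        }
    }
}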
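/// <summary>
/// Verifies that the app token cache key for a proof-of-possession (PoP) token includes the
/// key id (kid) of the current PoP key, and that after the key rotation interval has elapsed a
/// new key is used and therefore a different cache key is produced. This keeps a token bound to
/// a rotated-out key from being served under the old cache entry.
/// </summary>
public async Task CacheKey_Includes_POPKid_Async()
{
    // PoPProviderFactory.TimeService is process-wide static state; capture it so it can be
    // restored even if an assertion throws, instead of leaking the TestTimeService into other tests.
    var previousTimeService = PoPProviderFactory.TimeService;
    try
    {
        using (var httpManager = new MockHttpManager())
        using (var request = new HttpRequestMessage(HttpMethod.Get, new Uri(ProtectedUrl)))
        {
            ConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
                .WithClientSecret(TestConstants.ClientSecret)
                .WithHttpManager(httpManager)
                .WithExperimentalFeatures(true)
                .BuildConcrete();

            var testTimeService = new TestTimeService();
            PoPProviderFactory.TimeService = testTimeService;

            var popConfig = new PoPAuthenticationConfiguration(request);
            var cacheAccess = app.AppTokenCache.RecordAccess();

            httpManager.AddInstanceDiscoveryMockHandler();
            httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(tokenType: "pop");

            // Act
            Trace.WriteLine("1. AcquireTokenForClient ");
            var result = await AcquirePopTokenAsync().ConfigureAwait(false);

            // Assert
            Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
            string expectedKid = GetKidFromJwk(PoPProviderFactory.GetOrCreateProvider().CannonicalPublicKeyJwk);
            string actualCacheKey = cacheAccess.LastBeforeAccessNotificationArgs.SuggestedCacheKey;
            Assert.AreEqual(ExpectedCacheKey(expectedKid), actualCacheKey);

            // Arrange - force a new key by moving past the rotation interval. Use the local
            // TestTimeService directly rather than an unchecked `as` cast on the static property.
            testTimeService.MoveToFuture(
                PoPProviderFactory.KeyRotationInterval.Add(TimeSpan.FromMinutes(10)));
            httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(tokenType: "pop");

            // Act
            Trace.WriteLine("1. AcquireTokenForClient again, after time passes - expect POP key rotation");
            result = await AcquirePopTokenAsync().ConfigureAwait(false);

            // Assert
            Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
            string expectedKid2 = GetKidFromJwk(PoPProviderFactory.GetOrCreateProvider().CannonicalPublicKeyJwk);
            string actualCacheKey2 = cacheAccess.LastBeforeAccessNotificationArgs.SuggestedCacheKey;
            Assert.AreEqual(ExpectedCacheKey(expectedKid2), actualCacheKey2);

            // The rotated key must yield a different cache key, otherwise the old entry would be reused.
            Assert.AreNotEqual(actualCacheKey, actualCacheKey2);

            // Same request shape for both acquisitions; only the PoP key state differs between them.
            Task<AuthenticationResult> AcquirePopTokenAsync() =>
                app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
                    .WithAuthority(TestConstants.AuthorityUtidTenant)
                    .WithProofOfPossession(popConfig)
                    .ExecuteAsync();
        }
    }
    finally
    {
        PoPProviderFactory.TimeService = previousTimeService;
    }

    // Expected app-cache key layout: <kid><clientId>_<tenantId>_AppTokenCache.
    string ExpectedCacheKey(string kid) =>
        string.Format(
            CultureInfo.InvariantCulture,
            "{0}{1}_{2}_AppTokenCache",
            kid,
            TestConstants.ClientId,
            TestConstants.Utid);
}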