public async Task ConfidentialClientUsingAdfsAsync()
{
using (var httpManager = new MockHttpManager())
{
var app = ConfidentialClientApplicationBuilder.Create(MsalTestConstants.ClientId)
.WithAuthority(new Uri(MsalTestConstants.OnPremiseAuthority), true)
.WithRedirectUri(MsalTestConstants.RedirectUri)
.WithClientSecret(MsalTestConstants.ClientSecret)
.WithHttpManager(httpManager)
.BuildConcrete();
var appCacheAccess = app.AppTokenCache.RecordAccess();
var userCacheAccess = app.UserTokenCache.RecordAccess();
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ExpectedUrl = "https://fs.contoso.com/.well-known/webfinger",
ExpectedQueryParams = new Dictionary <string, string>
{
{ "resource", "https://fs.contoso.com" },
{ "rel", "http://schemas.microsoft.com/rel/trusted-realm" }
},
ResponseMessage = MockHelpers.CreateSuccessWebFingerResponseMessage("https://fs.contoso.com")
});
httpManager.AddMockHandler(new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ResponseMessage = MockHelpers.CreateOpenIdConfigurationResponse(MsalTestConstants.OnPremiseAuthority)
});
httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
var result = await app.AcquireTokenForClient(MsalTestConstants.Scope.ToArray()).ExecuteAsync().ConfigureAwait(false);
Assert.IsNotNull(result);
Assert.IsNotNull("header.payload.signature", result.AccessToken);
Assert.AreEqual(MsalTestConstants.Scope.AsSingleString(), result.Scopes.AsSingleString());
appCacheAccess.AssertAccessCounts(1, 1);
userCacheAccess.AssertAccessCounts(0, 0);
// make sure user token cache is empty
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().Count());
// check app token cache count to be 1
Assert.AreEqual(1, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
Assert.AreEqual(0, app.AppTokenCacheInternal.Accessor.GetAllRefreshTokens().Count()); // no refresh tokens are returned
// call AcquireTokenForClientAsync again to get result back from the cache
result = await app.AcquireTokenForClient(MsalTestConstants.Scope.ToArray()).ExecuteAsync().ConfigureAwait(false);
Assert.IsNotNull(result);
Assert.IsNotNull("header.payload.signature", result.AccessToken);
Assert.AreEqual(MsalTestConstants.Scope.AsSingleString(), result.Scopes.AsSingleString());
// make sure user token cache is empty
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().Count());
// check app token cache count to be 1
Assert.AreEqual(1, app.AppTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
Assert.AreEqual(0, app.AppTokenCacheInternal.Accessor.GetAllRefreshTokens().Count()); // no refresh tokens are returned
appCacheAccess.AssertAccessCounts(2, 1);
userCacheAccess.AssertAccessCounts(0, 0);
}
}
public async Task CacheKey_Includes_POPKid_Async()
{
using (var httpManager = new MockHttpManager())
{
ConfidentialClientApplication app =
ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
.WithClientSecret(TestConstants.ClientSecret)
.WithHttpManager(httpManager)
.WithExperimentalFeatures(true)
.BuildConcrete();
var testTimeService = new TestTimeService();
PoPProviderFactory.TimeService = testTimeService;
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, new Uri(ProtectedUrl));
var popConfig = new PoPAuthenticationConfiguration(request);
var cacheAccess = app.AppTokenCache.RecordAccess();
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(tokenType: "pop");
// Act
Trace.WriteLine("1. AcquireTokenForClient ");
var result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
.WithAuthority(TestConstants.AuthorityUtidTenant)
.WithProofOfPossession(popConfig)
.ExecuteAsync()
.ConfigureAwait(false);
// Assert
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
string expectedKid = GetKidFromJwk(PoPProviderFactory.GetOrCreateProvider().CannonicalPublicKeyJwk);
string actualCacheKey = cacheAccess.LastBeforeAccessNotificationArgs.SuggestedCacheKey;
Assert.AreEqual(
string.Format(
CultureInfo.InvariantCulture,
"{0}{1}_{2}_AppTokenCache",
expectedKid,
TestConstants.ClientId,
TestConstants.Utid),
actualCacheKey);
// Arrange - force a new key by moving to the future
(PoPProviderFactory.TimeService as TestTimeService).MoveToFuture(
PoPProviderFactory.KeyRotationInterval.Add(TimeSpan.FromMinutes(10)));
httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(tokenType: "pop");
// Act
Trace.WriteLine("1. AcquireTokenForClient again, after time passes - expect POP key rotation");
result = await app.AcquireTokenForClient(TestConstants.s_scope.ToArray())
.WithAuthority(TestConstants.AuthorityUtidTenant)
.WithProofOfPossession(popConfig)
.ExecuteAsync()
.ConfigureAwait(false);
// Assert
Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
string expectedKid2 = GetKidFromJwk(PoPProviderFactory.GetOrCreateProvider().CannonicalPublicKeyJwk);
string actualCacheKey2 = cacheAccess.LastBeforeAccessNotificationArgs.SuggestedCacheKey;
Assert.AreEqual(
string.Format(
CultureInfo.InvariantCulture,
"{0}{1}_{2}_AppTokenCache",
expectedKid2,
TestConstants.ClientId,
TestConstants.Utid),
actualCacheKey2);
Assert.AreNotEqual(actualCacheKey, actualCacheKey2);
}
}
