// Negative-path conformance test (implicit flow): the RP must reject an id_token whose
// signature does not verify against the key set it is handed.
// NOTE(review): the method is named for ES256, but the only field tampered with below is
// `N` (the RSA modulus); a key without `N` is passed to GetIdToken untouched, so confirm
// the provider's signing key for this profile actually carries `N` — otherwise a
// wrongly-accepted token would go undetected here.
// NOTE(review): rejection is expected to surface as an exception from Validate(); nothing
// in this body asserts that it is thrown, so confirm an expected-exception attribute (or
// equivalent) is attached to this method outside the visible lines.
public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
{
    rpid = "rp-id_token-bad_es256_sig";

    // givens
    var relyingParty = new OpenIdRelyingParty();
    var authRequest = new OIDCAuthorizationRequestMessage
    {
        ClientId = clientInformation.ClientId,
        Scope = new List<MessageScope> { MessageScope.Openid },
        ResponseType = new List<ResponseType> { ResponseType.Token, ResponseType.IdToken },
        RedirectUri = clientInformation.RedirectUris[1],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString(),
    };
    authRequest.Validate();

    // Build a key set that can no longer verify the provider's signatures: on every key
    // that has a modulus, one character of it is bumped; keys without `N` are copied as-is.
    var tamperedKeys = new List<OIDCKey>();
    foreach (OIDCKey providerKey in providerMetadata.Keys)
    {
        OIDCKey copy = providerKey.Clone() as OIDCKey;
        if (providerKey.N != null)
        {
            var modulus = new StringBuilder(copy.N);
            modulus[17] = (char)(copy.N[17] + 1);
            copy.N = modulus.ToString();
        }
        tamperedKeys.Add(copy);
    }

    relyingParty.Authenticate(GetBaseUrl("/authorization"), authRequest);
    // Blocks until the redirect handler releases the semaphore. There is no timeout, so a
    // provider that never redirects hangs the test run instead of failing it.
    semaphore.WaitOne();

    // when
    OIDCAuthImplicitResponseMessage implicitResponse =
        relyingParty.ParseAuthImplicitResponse(result, authRequest.Scope, authRequest.State);

    // then
    Assert.NotNull(implicitResponse.IdToken);
    // Parsing against the tampered keys and validating: the only observable outcome is
    // whether one of these two calls throws.
    OIDCIdToken idToken = implicitResponse.GetIdToken(tamperedKeys);
    idToken.Validate();
}
// Negative-path conformance test (code flow): the RP must reject an RS256-signed id_token
// once the verification key set no longer matches the key that produced the signature.
// NOTE(review): rejection is expected to surface as an exception from GetIdToken(); nothing
// in this body asserts that it is thrown, so confirm an expected-exception attribute (or
// equivalent) is attached to this method outside the visible lines.
public void Should_Reject_Id_Token_With_Invalid_Signature_RS256()
{
    rpid = "rp-id_token-bad_asym_sig_rs256";
    signalg = "RS256";

    // givens
    var codeResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
    var tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = codeResponse.Scope,
        State = codeResponse.State,
        Code = codeResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0],
    };

    // Build a key set that can no longer verify the provider's signatures: on every key
    // that has a modulus, one character of it is bumped; keys without `N` are copied as-is.
    var tamperedKeys = new List<OIDCKey>();
    foreach (OIDCKey providerKey in providerMetadata.Keys)
    {
        OIDCKey copy = providerKey.Clone() as OIDCKey;
        if (providerKey.N != null)
        {
            var modulus = new StringBuilder(copy.N);
            modulus[17] = (char)(copy.N[17] + 1);
            copy.N = modulus.ToString();
        }
        tamperedKeys.Add(copy);
    }

    // when
    var relyingParty = new OpenIdRelyingParty();
    OIDCTokenResponseMessage tokenResponse =
        relyingParty.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);

    // then
    Assert.NotNull(tokenResponse.IdToken);
    // The parsed token is discarded: the only observable outcome is whether this call throws.
    tokenResponse.GetIdToken(tamperedKeys);
}