static private string GenerateTokenRequirements(TokenType mytokentype, string _sampleAudience, string _sampleIssuer, IList <TokenClaim> tokenclaimslist, bool AddContentKeyIdentifierClaim, TokenVerificationKey mytokenverificationkey, string openIdDiscoveryURL = null) { TokenRestrictionTemplate TokenrestrictionTemplate = new TokenRestrictionTemplate(mytokentype) { Audience = _sampleAudience, Issuer = _sampleIssuer, }; if (AddContentKeyIdentifierClaim) { TokenrestrictionTemplate.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); } if (openIdDiscoveryURL != null) { TokenrestrictionTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(openIdDiscoveryURL); } else { TokenrestrictionTemplate.PrimaryVerificationKey = mytokenverificationkey; } foreach (var t in tokenclaimslist) { TokenrestrictionTemplate.RequiredClaims.Add(t); } return(TokenRestrictionTemplateSerializer.Serialize(TokenrestrictionTemplate)); }
public void RoundTripTest() { TokenRestrictionTemplate template = new TokenRestrictionTemplate(); template.PrimaryVerificationKey = new SymmetricVerificationKey(); template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); template.Audience = _sampleAudience; template.Issuer = _sampleIssuer; template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); template.RequiredClaims.Add(new TokenClaim("Rental", "true")); string serializedTemplate = TokenRestrictionTemplateSerializer.Serialize(template); Assert.IsFalse(String.IsNullOrWhiteSpace(serializedTemplate)); TokenRestrictionTemplate template2 = TokenRestrictionTemplateSerializer.Deserialize(serializedTemplate); Assert.IsNotNull(template2); Assert.AreEqual(template.Issuer, template2.Issuer); Assert.AreEqual(template.Audience, template2.Audience); SymmetricVerificationKey fromTemplate = (SymmetricVerificationKey)template.PrimaryVerificationKey; SymmetricVerificationKey fromTemplate2 = (SymmetricVerificationKey)template2.PrimaryVerificationKey; Assert.IsTrue(fromTemplate.KeyValue.SequenceEqual(fromTemplate2.KeyValue)); }
private void FetchKeyWithJWTAuth(string audience, string issuer) { IContentKey contentKey = null; IContentKeyAuthorizationPolicy contentKeyAuthorizationPolicy = null; IContentKeyAuthorizationPolicyOption policyOption = null; try { byte[] expectedKey = null; contentKey = CreateTestKey(_mediaContext, ContentKeyType.EnvelopeEncryption, out expectedKey); var templatex509Certificate2 = new X509Certificate2("amscer.pfx", "AMSGIT"); SigningCredentials cred = new X509SigningCredentials(templatex509Certificate2); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenRestrictionTemplate.PrimaryVerificationKey = new X509CertTokenVerificationKey(templatex509Certificate2); tokenRestrictionTemplate.Audience = audience; tokenRestrictionTemplate.Issuer = issuer; string optionName = "GetHlsKeyDeliveryUrlAndFetchKeyWithJWTAuthentication"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); policyOption = ContentKeyAuthorizationPolicyOptionTests.CreateOption(_mediaContext, optionName, ContentKeyDeliveryType.BaselineHttp, requirements, null, ContentKeyRestrictionType.TokenRestricted); JwtSecurityToken token = new JwtSecurityToken(issuer: tokenRestrictionTemplate.Issuer, audience: tokenRestrictionTemplate.Audience, notBefore: DateTime.Now.AddMinutes(-5), expires: DateTime.Now.AddMinutes(5), signingCredentials: cred); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); string jwtTokenString = handler.WriteToken(token); List <IContentKeyAuthorizationPolicyOption> options = new List <IContentKeyAuthorizationPolicyOption> { policyOption }; contentKeyAuthorizationPolicy = CreateTestPolicy(_mediaContext, String.Empty, options, ref contentKey); Uri keyDeliveryServiceUri = contentKey.GetKeyDeliveryUrl(ContentKeyDeliveryType.BaselineHttp); Assert.IsNotNull(keyDeliveryServiceUri); // Enable once all accounts are enabled for per customer Key Delivery Urls //Assert.IsTrue(keyDeliveryServiceUri.Host.StartsWith(_mediaContext.Credentials.ClientId)); KeyDeliveryServiceClient keyClient = new KeyDeliveryServiceClient(RetryPolicy.DefaultFixed); byte[] key = keyClient.AcquireHlsKeyWithBearerHeader(keyDeliveryServiceUri, jwtTokenString); string expectedString = GetString(expectedKey); string fetchedString = GetString(key); Assert.AreEqual(expectedString, fetchedString); } finally { CleanupKeyAndPolicy(contentKey, contentKeyAuthorizationPolicy, policyOption); } }
private void FetchKeyWithSWTToken(string audience, string issuer) { IContentKey contentKey = null; IContentKeyAuthorizationPolicy contentKeyAuthorizationPolicy = null; IContentKeyAuthorizationPolicyOption policyOption = null; try { byte[] expectedKey = null; contentKey = CreateTestKey(_mediaContext, ContentKeyType.EnvelopeEncryption, out expectedKey); var contentKeyId = Guid.Parse(contentKey.Id.Replace("nb:kid:UUID:", String.Empty)); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.SWT); tokenRestrictionTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(); // the default constructor automatically generates a random key tokenRestrictionTemplate.Audience = audience; tokenRestrictionTemplate.Issuer = issuer; tokenRestrictionTemplate.TokenType = TokenType.SWT; tokenRestrictionTemplate.RequiredClaims.Add(new TokenClaim(TokenClaim.ContentKeyIdentifierClaimType, contentKeyId.ToString())); string optionName = "GetHlsKeyDeliveryUrlAndFetchKeyWithSWTAuthentication"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); ContentKeyRestrictionType restrictionType = ContentKeyRestrictionType.TokenRestricted; var _testOption = ContentKeyAuthorizationPolicyOptionTests.CreateOption(_mediaContext, optionName, ContentKeyDeliveryType.BaselineHttp, requirements, null, restrictionType); List <IContentKeyAuthorizationPolicyOption> options = new List <IContentKeyAuthorizationPolicyOption> { _testOption }; contentKeyAuthorizationPolicy = CreateTestPolicy(_mediaContext, String.Empty, options, ref contentKey); Uri keyDeliveryServiceUri = contentKey.GetKeyDeliveryUrl(ContentKeyDeliveryType.BaselineHttp); Assert.IsNotNull(keyDeliveryServiceUri); Assert.IsTrue(keyDeliveryServiceUri.Host.StartsWith(_mediaContext.Credentials.ClientId)); KeyDeliveryServiceClient keyClient = new KeyDeliveryServiceClient(RetryPolicy.DefaultFixed); string swtTokenString = TokenRestrictionTemplateSerializer.GenerateTestToken(tokenRestrictionTemplate, tokenRestrictionTemplate.PrimaryVerificationKey, contentKeyId, DateTime.Now.AddDays(2)); byte[] key = keyClient.AcquireHlsKeyWithBearerHeader(keyDeliveryServiceUri, swtTokenString); string expectedString = GetString(expectedKey); string fetchedString = GetString(key); Assert.AreEqual(expectedString, fetchedString); } finally { CleanupKeyAndPolicy(contentKey, contentKeyAuthorizationPolicy, policyOption); } }
public IContentKey AddAuthorizationPolicyToContentKey(string assetID, CloudMediaContext mediaContext, IContentKey objIContentKey, string claimType, string claimValue, JwtSecurityToken token) { //we name auth policy same as asset var policy = mediaContext.ContentKeyAuthorizationPolicies.Where(c => c.Name == assetID).FirstOrDefault(); // Create ContentKeyAuthorizationPolicy with restrictions and create authorization policy if (policy == null) { policy = mediaContext.ContentKeyAuthorizationPolicies.CreateAsync(assetID).Result; } //naming policyOption same as asset var policyOption = mediaContext.ContentKeyAuthorizationPolicyOptions.Where(name => name.Name == assetID).FirstOrDefault(); if (policyOption == null) { List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>(); TokenRestrictionTemplate template = new TokenRestrictionTemplate(); template.TokenType = TokenType.JWT; //Using Active Directory Open ID discovery spec to use Json Web Keys during token verification template.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument("https://login.windows.net/common/.well-known/openid-configuration"); //Ignore Empty claims if (!String.IsNullOrEmpty(claimType) && !String.IsNullOrEmpty(claimValue)) { template.RequiredClaims.Add(new TokenClaim(claimType, claimValue)); } var audience = token.Audiences.First(); template.Audience = audience; template.Issuer = token.Issuer; string requirements = TokenRestrictionTemplateSerializer.Serialize(template); ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction { Name = "Authorization Policy with Token Restriction", KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted, Requirements = requirements }; restrictions.Add(restriction); policyOption = mediaContext.ContentKeyAuthorizationPolicyOptions.Create(assetID, ContentKeyDeliveryType.BaselineHttp, restrictions, null); policy.Options.Add(policyOption); policy.UpdateAsync(); } // Add ContentKeyAutorizationPolicy to ContentKey objIContentKey.AuthorizationPolicyId = policy.Id; IContentKey IContentKeyUpdated = objIContentKey.UpdateAsync().Result; return(IContentKeyUpdated); }
public void RSATokenVerificationKeySerializeShouldIncudePrpoperTypeAttribbute() { TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.JWT); RsaTokenVerificationKey tokenVerificationKey = new RsaTokenVerificationKey(); template.PrimaryVerificationKey = tokenVerificationKey; var templateAsString = TokenRestrictionTemplateSerializer.Serialize(template); Assert.IsTrue(templateAsString.Contains("<PrimaryVerificationKey i:type=\"RsaTokenVerificationKey\">")); }
static private string GenerateTokenRequirements(Uri _sampleAudience, Uri _sampleIssuer) { TokenRestrictionTemplate template = new TokenRestrictionTemplate(); template.PrimaryVerificationKey = new SymmetricVerificationKey(); template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); template.Audience = _sampleAudience; template.Issuer = _sampleIssuer; template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); return(TokenRestrictionTemplateSerializer.Serialize(template)); }
static private string GenerateTokenRequirements() { TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.SWT); template.PrimaryVerificationKey = new SymmetricVerificationKey(); template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); template.Audience = ConfigurationManager.AppSettings["Audience"]; template.Issuer = ConfigurationManager.AppSettings["Issuer"]; template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); return(TokenRestrictionTemplateSerializer.Serialize(template)); }
private List <ContentKeyAuthorizationPolicyRestriction> CreateContentKeyAuthPolicyRestrictions(string policyName, ContentProtection contentProtection) { List <ContentKeyAuthorizationPolicyRestriction> policyRestrictions = new List <ContentKeyAuthorizationPolicyRestriction>(); if (contentProtection.ContentAuthTypeAddress) { ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyAddressRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.IPRestricted); policyRestriction.Requirements = GetAddressRangeXml(contentProtection.ContentAuthAddressRange); policyRestrictions.Add(policyRestriction); } if (contentProtection.ContentAuthTypeToken) { string settingKey = Constant.AppSettingKey.DirectoryTenantId; settingKey = string.Format(settingKey, contentProtection.DirectoryId); string directoryTenantId = AppSetting.GetValue(settingKey); settingKey = Constant.AppSettingKey.DirectoryTenantDomain; settingKey = string.Format(settingKey, contentProtection.DirectoryId); string directoryTenantDomain = AppSetting.GetValue(settingKey); string discoveryUrl = Account.GetDiscoveryUrl(contentProtection.DirectoryId, directoryTenantDomain); if (string.Equals(contentProtection.DirectoryId, Constant.DirectoryService.B2C, StringComparison.OrdinalIgnoreCase)) { settingKey = Constant.AppSettingKey.DirectoryPolicyIdSignUpIn; string policyIdSignUpIn = AppSetting.GetValue(settingKey); discoveryUrl = string.Concat(discoveryUrl, "?p=", policyIdSignUpIn); } TokenRestrictionTemplate tokenTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(discoveryUrl); tokenTemplate.Issuer = Account.GetIssuerUrl(contentProtection.DirectoryId, directoryTenantId); tokenTemplate.Audience = contentProtection.Audience; ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyTokenRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.TokenRestricted); policyRestriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(tokenTemplate); policyRestrictions.Add(policyRestriction); } if (policyRestrictions.Count == 0) { ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constant.Media.ContentProtection.AuthPolicyOpenRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.Open); policyRestrictions.Add(policyRestriction); } return(policyRestrictions); }
private static string GetJwtRequirements() { var primaryVerificationKey = ConfigurationManager.AppSettings["JWTRestrictionPrimaryVerificationKeyBase64"]; var audience = ConfigurationManager.AppSettings["JWTRestrictionAudience"]; var issuer = ConfigurationManager.AppSettings["JWTRestrictionIssuer"]; var template = new TokenRestrictionTemplate(TokenType.JWT) { PrimaryVerificationKey = new SymmetricVerificationKey(Convert.FromBase64String(primaryVerificationKey)), Audience = audience, Issuer = issuer }; return(TokenRestrictionTemplateSerializer.Serialize(template)); }
public void TokenRestrictionTemplateSerializeNotPrimaryKeyAndNoOpenConnectIdDocument() { TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.JWT); template.Audience = _sampleAudience; template.Issuer = _sampleIssuer; try { TokenRestrictionTemplateSerializer.Serialize(template); } catch (Exception ex) { Assert.AreEqual("Both PrimaryVerificationKey and OpenIdConnectDiscoveryDocument are null", ex.Message); throw; } }
/*This code generates the following XML: * <TokenRestrictionTemplate xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1"> * <AlternateVerificationKeys> * <TokenVerificationKey i:type="SymmetricVerificationKey"> * <KeyValue>hhv74VzJ+pOiuYw1z2wxh6ZkX4tRl/WVhBTvM6T/vUo=</KeyValue> * </TokenVerificationKey> * </AlternateVerificationKeys> * <Audience>urn:test</Audience> * <Issuer>https://willzhanacs.accesscontrol.windows.net/</Issuer> * <PrimaryVerificationKey i:type="SymmetricVerificationKey"> * <KeyValue>7V1WtGGAylmZTMKA8RlVMrPNhukYBF2sW04UMpuD8bw=</KeyValue> * </PrimaryVerificationKey> * <RequiredClaims> * <TokenClaim> * <ClaimType>urn:microsoft:azure:mediaservices:contentkeyidentifier</ClaimType> * <ClaimValue i:nil="true" /> * </TokenClaim> * </RequiredClaims> * </TokenRestrictionTemplate> * * <TokenRestrictionTemplate xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/Azure/MediaServices/KeyDelivery/TokenRestrictionTemplate/v1"> * <AlternateVerificationKeys> * <TokenVerificationKey i:type="SymmetricVerificationKey"> * <KeyValue>hhv74VzJ+pOiuYw1z2wxh6ZkX4tRl/WVhBTvM6T/vUo=</KeyValue> * </TokenVerificationKey> * </AlternateVerificationKeys> * <Audience>urn:test</Audience> * <Issuer>https://willzhanacs.accesscontrol.windows.net/</Issuer> * <PrimaryVerificationKey i:type="SymmetricVerificationKey"> * <KeyValue>7V1WtGGAylmZTMKA8RlVMrPNhukYBF2sW04UMpuD8bw=</KeyValue> * </PrimaryVerificationKey> * <RequiredClaims /> * </TokenRestrictionTemplate> */ //Sample code: https://raw.githubusercontent.com/Azure/azure-media-services-samples/master/KDWithACS/ConsoleApplication6/Program.cs public static string CreateRestrictionRequirements() { string primarySymmetricKey = System.Configuration.ConfigurationManager.AppSettings["PrimarySymmetricKey"]; string secondarySymmetricKey = System.Configuration.ConfigurationManager.AppSettings["SecondarySymmetricKey"]; string scope = System.Configuration.ConfigurationManager.AppSettings["AcsScope"]; string issuer = System.Configuration.ConfigurationManager.AppSettings["AcsIssuer"]; TokenRestrictionTemplate objTokenRestrictionTemplate = new TokenRestrictionTemplate(); objTokenRestrictionTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(Convert.FromBase64String(primarySymmetricKey)); objTokenRestrictionTemplate.AlternateVerificationKeys.Add(new SymmetricVerificationKey(Convert.FromBase64String(secondarySymmetricKey))); objTokenRestrictionTemplate.Audience = new Uri(scope); objTokenRestrictionTemplate.Issuer = new Uri(issuer); //objTokenRestrictionTemplate.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); objTokenRestrictionTemplate.TokenType = TokenType.SWT; //new change: the default is JWT, a "gotcha" return(TokenRestrictionTemplateSerializer.Serialize(objTokenRestrictionTemplate)); }
private string GenerateTokenRequirements() { //TokenRestrictionTemplate template = new TokenRestrictionTemplate(); //template.PrimaryVerificationKey = new SymmetricVerificationKey(); //template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); //template.Audience = new Uri( myConfig.sampleAudience); //template.Issuer = new Uri( myConfig.sampleIssuer) ; //template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); //return TokenRestrictionTemplateSerializer.Serialize(template); string primarySymmetricKey = "8sAEcbUnsHJOnMpRU0f7z4gAROCoQ3ailkK5ARIt12iDxOu5KTf5mihIbims0uJHTTQQSkO/W+WDTEdFFH7rug=="; string secondarySymmetricKey = "vga/o4PJT+IQAaH1Po0uhBrL7aoUu0prBTO9jmWsk71CFtPwBJiwwBiWMN45NGXp3rDIIi81E3QU0dXg7pmDxw=="; TokenRestrictionTemplate objTokenRestrictionTemplate = new TokenRestrictionTemplate(); objTokenRestrictionTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(Convert.FromBase64String(primarySymmetricKey)); objTokenRestrictionTemplate.AlternateVerificationKeys.Add(new SymmetricVerificationKey(Convert.FromBase64String(secondarySymmetricKey))); objTokenRestrictionTemplate.Audience = new Uri(myConfig.sampleAudience); objTokenRestrictionTemplate.Issuer = new Uri(myConfig.sampleIssuer); return(TokenRestrictionTemplateSerializer.Serialize(objTokenRestrictionTemplate)); }
private List <ContentKeyAuthorizationPolicyRestriction> CreateContentKeyAuthPolicyRestrictions(string policyName, ContentProtection contentProtection) { List <ContentKeyAuthorizationPolicyRestriction> policyRestrictions = new List <ContentKeyAuthorizationPolicyRestriction>(); if (contentProtection.ContentAuthTypeAddress) { ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyAddressRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.IPRestricted); policyRestriction.Requirements = GetAddressRangeXml(contentProtection.ContentAuthAddressRange); policyRestrictions.Add(policyRestriction); } if (contentProtection.ContentAuthTypeToken) { string settingKey = Constants.AppSettingKey.DirectoryDiscoveryUrl; string discoveryUrl = AppSetting.GetValue(settingKey); settingKey = Constants.AppSettingKey.DirectoryIssuerUrl; string issuerUrl = AppSetting.GetValue(settingKey); settingKey = Constants.AppSettingKey.DirectoryClientId; string clientId = AppSetting.GetValue(settingKey); TokenRestrictionTemplate tokenTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(discoveryUrl); tokenTemplate.Issuer = issuerUrl; tokenTemplate.Audience = clientId; ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyTokenRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.TokenRestricted); policyRestriction.Requirements = TokenRestrictionTemplateSerializer.Serialize(tokenTemplate); policyRestrictions.Add(policyRestriction); } if (policyRestrictions.Count == 0) { ContentKeyAuthorizationPolicyRestriction policyRestriction = new ContentKeyAuthorizationPolicyRestriction(); policyRestriction.Name = string.Concat(policyName, Constants.Media.ContentProtection.AuthPolicyOpenRestrictionName); policyRestriction.SetKeyRestrictionTypeValue(ContentKeyRestrictionType.Open); policyRestrictions.Add(policyRestriction); } return(policyRestrictions); }
public void RSATokenVerificationKeyRoundTrip() { TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.JWT); RsaTokenVerificationKey tokenVerificationKey = new RsaTokenVerificationKey(); RSAParameters inputRsaParameters; using (RSACryptoServiceProvider provider = new RSACryptoServiceProvider()) { inputRsaParameters = provider.ExportParameters(true); tokenVerificationKey.InitFromRsaParameters(inputRsaParameters); } Assert.IsNotNull(tokenVerificationKey.RawBody); template.Audience = _sampleAudience; template.Issuer = _sampleIssuer; template.PrimaryVerificationKey = tokenVerificationKey; var templateAsString = TokenRestrictionTemplateSerializer.Serialize(template); Assert.IsTrue(templateAsString.Contains("<PrimaryVerificationKey i:type=\"RsaTokenVerificationKey\">")); TokenRestrictionTemplate output = TokenRestrictionTemplateSerializer.Deserialize(templateAsString); Assert.AreEqual(TokenType.JWT, output.TokenType); Assert.IsNotNull(output.PrimaryVerificationKey); Assert.IsNotNull(output.PrimaryVerificationKey as RsaTokenVerificationKey); RsaTokenVerificationKey key = output.PrimaryVerificationKey as RsaTokenVerificationKey; Assert.IsNotNull(key.RawBody); RSAParameters outputRsaParametersutParameters = key.GetRsaParameters(); Assert.IsNotNull(outputRsaParametersutParameters); Assert.IsNotNull(outputRsaParametersutParameters.Exponent); Assert.IsNotNull(outputRsaParametersutParameters.Modulus); //Check that we are storing only public signing key Assert.IsNull(outputRsaParametersutParameters.P); Assert.IsNull(outputRsaParametersutParameters.Q); Assert.IsNull(outputRsaParametersutParameters.D); Assert.IsNull(outputRsaParametersutParameters.DP); Assert.IsNull(outputRsaParametersutParameters.DQ); //Checking that public key matching Assert.IsTrue(inputRsaParameters.Exponent.SequenceEqual(outputRsaParametersutParameters.Exponent), "Exponent value mismatch"); Assert.IsTrue(inputRsaParameters.Modulus.SequenceEqual(outputRsaParametersutParameters.Modulus), "Modulus value mismatch"); }
private static string GenerateTokenRequirements() { TokenType tType = TokenType.SWT; if (_isTokenTypeJWT) { tType = TokenType.JWT; } TokenRestrictionTemplate template = new TokenRestrictionTemplate(tType); template.PrimaryVerificationKey = new SymmetricVerificationKey(Convert.FromBase64String(_symmetricVerificationKey)); //template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); template.Audience = _sampleAudience.ToString(); template.Issuer = _sampleIssuer.ToString(); if (_enableKidClaim) { template.RequiredClaims.Add(TokenClaim.ContentKeyIdentifierClaim); } return(TokenRestrictionTemplateSerializer.Serialize(template)); }
private static void CreatePolicyOption(string assetID, CloudMediaContext mediaContext, string claimType, string claim, IContentKeyAuthorizationPolicy policy) { IContentKeyAuthorizationPolicyOption policyOption; List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>(); List <X509Certificate2> certs = GetX509Certificate2FromADMetadataEndpoint(); JwtSecurityToken token = GetJwtSecurityToken(); TokenRestrictionTemplate template = new TokenRestrictionTemplate(); template.TokenType = TokenType.JWT; template.PrimaryVerificationKey = new X509CertTokenVerificationKey(certs[0]); certs.GetRange(1, certs.Count - 1) .ForEach(c => template.AlternateVerificationKeys.Add(new X509CertTokenVerificationKey(c))); //Ignore Empty claims if (!String.IsNullOrEmpty(claimType) && !String.IsNullOrEmpty(claim)) { template.RequiredClaims.Add(new TokenClaim(claimType, claim)); } var audience = token.Audiences.First(); template.Audience = new Uri(audience); template.Issuer = new Uri(token.Issuer); string requirements = TokenRestrictionTemplateSerializer.Serialize(template); ContentKeyAuthorizationPolicyRestriction restriction = new ContentKeyAuthorizationPolicyRestriction { Name = "Authorization Policy with Token Restriction", KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted, Requirements = requirements }; restrictions.Add(restriction); policyOption = mediaContext.ContentKeyAuthorizationPolicyOptions.Create(assetID + "_group:" + claim, ContentKeyDeliveryType.BaselineHttp, restrictions, null); policy.Options.Add(policyOption); }
public void SetupTest() { _mediaContext = WindowsAzureMediaServicesTestConfiguration.CreateCloudMediaContext(); PlayReadyLicenseResponseTemplate responseTemplate = new PlayReadyLicenseResponseTemplate(); responseTemplate.LicenseTemplates.Add(new PlayReadyLicenseTemplate()); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenRestrictionTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(); // the default constructor automatically generates a random key tokenRestrictionTemplate.Audience = "http://sampleIssuerUrl"; tokenRestrictionTemplate.Issuer = "http://sampleAudience"; string optionName = "integrationtest-crud-749"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); string configuration = MediaServicesLicenseTemplateSerializer.Serialize(responseTemplate); ContentKeyRestrictionType restrictionType = ContentKeyRestrictionType.TokenRestricted; _testOption = CreateOption(_mediaContext, optionName, ContentKeyDeliveryType.PlayReadyLicense, requirements, configuration, restrictionType); }
public void FetchKeyWithRSATokenValidationKeyAsPrimaryVerificationKey() { //Create a new RSACryptoServiceProvider object. using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider()) { //Export the key information to an RSAParameters object. //Pass false to export the public key information or pass //true to export public and private key information. RSAParameters RSAParams = RSA.ExportParameters(true); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.JWT); var tokenVerificationKey = new RsaTokenVerificationKey(); tokenVerificationKey.InitFromRsaParameters(RSAParams); tokenRestrictionTemplate.PrimaryVerificationKey = tokenVerificationKey; tokenRestrictionTemplate.Audience = "http://sampleIssuerUrl"; tokenRestrictionTemplate.Issuer = "http://sampleAudience"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); } }
//for JWT token issued by AAD public static string CreateRestrictionRequirementsForJWT() { string audience = System.Configuration.ConfigurationManager.AppSettings["ida:audience"]; string issuer = System.Configuration.ConfigurationManager.AppSettings["ida:issuer"]; List <X509Certificate2> objList_cert = GetX509Certificate2FromADMetadataEndpoint(); TokenRestrictionTemplate objTokenRestrictionTemplate = new TokenRestrictionTemplate(); objTokenRestrictionTemplate.PrimaryVerificationKey = new X509CertTokenVerificationKey(objList_cert[0]); objList_cert.GetRange(1, objList_cert.Count - 1).ForEach(c => objTokenRestrictionTemplate.AlternateVerificationKeys.Add(new X509CertTokenVerificationKey(c))); objTokenRestrictionTemplate.Audience = new Uri(audience); objTokenRestrictionTemplate.Issuer = new Uri(issuer); objTokenRestrictionTemplate.TokenType = TokenType.JWT; //add required claims string entitledGroupObjectId = System.Configuration.ConfigurationManager.AppSettings["ida:EntitledGroupObjectId"]; objTokenRestrictionTemplate.RequiredClaims.Add(new TokenClaim("groups", entitledGroupObjectId)); return(TokenRestrictionTemplateSerializer.Serialize(objTokenRestrictionTemplate)); }
static private string GenerateTokenRequirements(byte[] tokenSecret, TokenType tokenType, string audience, string issuer, TokenClaim[] tokenClaims) { TokenRestrictionTemplate template = new TokenRestrictionTemplate(tokenType) { PrimaryVerificationKey = new SymmetricVerificationKey(tokenSecret), Audience = audience, Issuer = issuer, }; // template.AlternateVerificationKeys.Add(new SymmetricVerificationKey()); // could add an alternate key here, but easy to just share secret with other sites since we use only one if (tokenClaims != null) { foreach (TokenClaim claim in tokenClaims) { template.RequiredClaims.Add(claim); } } return(TokenRestrictionTemplateSerializer.Serialize(template)); }
public void OpenIdDocumentAsVerificationKeyRoundTrip() { string openConnectId = "https://openconnectIddiscoveryUri"; string expectedElement = "<OpenIdConnectDiscoveryDocument><OpenIdDiscoveryUri>https://openconnectIddiscoveryUri</OpenIdDiscoveryUri>"; TokenRestrictionTemplate template = new TokenRestrictionTemplate(TokenType.JWT); template.Audience = _sampleAudience; template.Issuer = _sampleIssuer; template.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument(openConnectId); var templateAsString = TokenRestrictionTemplateSerializer.Serialize(template); Assert.IsTrue(templateAsString.Contains("<PrimaryVerificationKey i:nil=\"true\" />")); Assert.IsTrue(templateAsString.Contains(expectedElement)); TokenRestrictionTemplate output = TokenRestrictionTemplateSerializer.Deserialize(templateAsString); Assert.IsNotNull(output); Assert.IsNotNull(output.OpenIdConnectDiscoveryDocument); Assert.IsNull(output.PrimaryVerificationKey); Assert.AreEqual(0, output.AlternateVerificationKeys.Count); Assert.AreEqual(output.OpenIdConnectDiscoveryDocument.OpenIdDiscoveryUri, openConnectId); }
/// <summary> /// This function sets up a ContentKeyAuthorizationPolicyRestriction from the given inputs. This enables the /// Key Delivery Service to validate tokens presented by clients against this values, ensuring that the tokens /// are signed with the correct key and that they have the specified issuer and scope value. /// </summary> /// <param name="name">The name given to the ContentKeyAuthorizationPolicyRestriction object</param> /// <param name="issuer">The ACS endpoint to send the token request to</param> /// <param name="scope">The Realm configured in the ACS Relying Party Application</param> /// <param name="signingKey">The TokenSigning Keyfrom the ACS Relying Party Application</param> /// <returns>A list containing a single policy restriction requiring the client to provide a token with the given parameters</returns> private static List <ContentKeyAuthorizationPolicyRestriction> GetTokenRestriction(string name, string issuer, string scope, byte[] signingKey) { TokenRestrictionTemplate tokenTemplate = new TokenRestrictionTemplate(); tokenTemplate.Issuer = issuer; tokenTemplate.Audience = scope; tokenTemplate.TokenType = TokenType.SWT; tokenTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(signingKey); string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenTemplate); List <ContentKeyAuthorizationPolicyRestriction> restrictions = new List <ContentKeyAuthorizationPolicyRestriction>() { new ContentKeyAuthorizationPolicyRestriction() { KeyRestrictionType = (int)ContentKeyRestrictionType.TokenRestricted, Requirements = requirements, Name = name } }; return(restrictions); }
public void AddingOptionsToCreatedPolicy() { string optionName = "AddingOptionsToCreatedPolicy Test Option"; PlayReadyLicenseResponseTemplate responseTemplate = new PlayReadyLicenseResponseTemplate(); responseTemplate.LicenseTemplates.Add(new PlayReadyLicenseTemplate()); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenRestrictionTemplate.PrimaryVerificationKey = new SymmetricVerificationKey(); // the default constructor automatically generates a random key tokenRestrictionTemplate.Audience = "urn:someaudience"; tokenRestrictionTemplate.Issuer = "http://someissuerurl"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); string configuration = MediaServicesLicenseTemplateSerializer.Serialize(responseTemplate); ContentKeyRestrictionType restrictionType = ContentKeyRestrictionType.TokenRestricted; IContentKeyAuthorizationPolicy policy = _mediaContext.ContentKeyAuthorizationPolicies.CreateAsync(testRun).Result; var option1 = ContentKeyAuthorizationPolicyOptionTests.CreateOption(_mediaContext, optionName, ContentKeyDeliveryType.PlayReadyLicense, requirements, configuration, restrictionType); policy.Options.Add(option1); }
public void GetHlsKeyDeliveryUrlAndFetchKeyWithADJWTAuthUsingADOpenConnectDiscovery() { // // The Client ID is used by the application to uniquely identify itself to Azure AD. // The App Key is a credential used by the application to authenticate to Azure AD. // The Tenant is the name of the Azure AD tenant in which this application is registered. // The AAD Instance is the instance of Azure, for example public Azure or Azure China. // The Authority is the sign-in URL of the tenant. // string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"]; string tenant = ConfigurationManager.AppSettings["ida:Tenant"]; string clientId = ConfigurationManager.AppSettings["ida:ClientId"]; string appKey = ConfigurationManager.AppSettings["ida:AppKey"]; string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant); // // To authenticate to the To Do list service, the client needs to know the service's App ID URI. // To contact the To Do list service we need it's URL as well. // string appResourceId = ConfigurationManager.AppSettings["app:AppResourceId"]; IContentKey contentKey = null; IContentKeyAuthorizationPolicy contentKeyAuthorizationPolicy = null; IContentKeyAuthorizationPolicyOption policyOption = null; var authContext = new AuthenticationContext(authority); var clientCredential = new ClientCredential(clientId, appKey); try { byte[] expectedKey = null; contentKey = CreateTestKey(_mediaContext, ContentKeyType.EnvelopeEncryption, out expectedKey, "GetHlsKeyDeliveryUrlAndFetchKeyWithADJWTAuthUsingADOpenConnectDiscovery" + Guid.NewGuid().ToString()); TokenRestrictionTemplate tokenRestrictionTemplate = new TokenRestrictionTemplate(TokenType.JWT); tokenRestrictionTemplate.OpenIdConnectDiscoveryDocument = new OpenIdConnectDiscoveryDocument("https://login.windows.net/common/.well-known/openid-configuration"); var result = authContext.AcquireTokenAsync(appResourceId, clientCredential).Result; string jwtTokenString = result.AccessToken; JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); Assert.IsTrue(handler.CanReadToken(jwtTokenString)); JwtSecurityToken token = handler.ReadToken(jwtTokenString) as JwtSecurityToken; Assert.IsNotNull(token); tokenRestrictionTemplate.Audience = token.Audiences.First(); tokenRestrictionTemplate.Issuer = token.Issuer; string optionName = "GetHlsKeyDeliveryUrlAndFetchKeyWithJWTAuthentication"; string requirements = TokenRestrictionTemplateSerializer.Serialize(tokenRestrictionTemplate); policyOption = ContentKeyAuthorizationPolicyOptionTests.CreateOption(_mediaContext, optionName, ContentKeyDeliveryType.BaselineHttp, requirements, null, ContentKeyRestrictionType.TokenRestricted); List <IContentKeyAuthorizationPolicyOption> options = new List <IContentKeyAuthorizationPolicyOption> { policyOption }; contentKeyAuthorizationPolicy = CreateTestPolicy(_mediaContext, String.Empty, options, ref contentKey); Uri keyDeliveryServiceUri = contentKey.GetKeyDeliveryUrl(ContentKeyDeliveryType.BaselineHttp); Assert.IsNotNull(keyDeliveryServiceUri); // Enable once all accounts are enabled for per customer Key Delivery Urls //Assert.IsTrue(keyDeliveryServiceUri.Host.StartsWith(_mediaContext.Credentials.ClientId)); KeyDeliveryServiceClient keyClient = new KeyDeliveryServiceClient(RetryPolicy.DefaultFixed); byte[] key = keyClient.AcquireHlsKeyWithBearerHeader(keyDeliveryServiceUri, jwtTokenString); string expectedString = GetString(expectedKey); string fetchedString = GetString(key); Assert.AreEqual(expectedString, fetchedString); } finally { CleanupKeyAndPolicy(contentKey, contentKeyAuthorizationPolicy, policyOption); } }
public static string GenerateTokenRequirementsString(string primaryVerificationKey, string alternativeVerificationKey, string scope, string issuer, bool requireContentKeyIdentifier, params TokenClaim[] claims) { var tokenTemplate = GenerateTokenRequirements(primaryVerificationKey, alternativeVerificationKey, scope, issuer, requireContentKeyIdentifier, claims); return(TokenRestrictionTemplateSerializer.Serialize(tokenTemplate)); }