public async Task AddParameters_AddsAccessTokenToResponse_WhenAccessTokenIsEmitted()
{
// Arrange
var provider = new DefaultTokenResponseParameterProvider(new TimeStampManager());
var response = new OpenIdConnectMessage();
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(),
new RequestGrants()
{
Scopes = new[] { ApplicationScope.OpenId, new ApplicationScope("resourceId", "read") }
});
context.InitializeForToken(TokenTypes.AccessToken);
context.AddToken(new TokenResult(new TestToken(TokenTypes.AccessToken), "serialized_access_token"));
// Act
await provider.AddParameters(context, response);
// Assert
Assert.Equal("serialized_access_token", response.AccessToken);
Assert.Equal("3600", response.ExpiresIn);
Assert.True(response.Parameters.ContainsKey("expires_on"));
Assert.Equal("946688400", response.Parameters["expires_on"]);
Assert.True(response.Parameters.ContainsKey("not_before"));
Assert.Equal("946684800", response.Parameters["not_before"]);
Assert.Equal("resourceId", response.Resource);
Assert.Equal("Bearer", response.TokenType);
}
public async Task DefaultTokenClaimsManager_CallsProviders_InAscendingOrderAsync()
{
// Arrange
var context = new TokenGeneratingContext(new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(), new RequestGrants());
var resultsList = new List <string>();
var firstProvider = new Mock <ITokenClaimsProvider>();
firstProvider.SetupGet(p => p.Order).Returns(100);
firstProvider.Setup(p => p.OnGeneratingClaims(It.IsAny <TokenGeneratingContext>()))
.Callback(() => resultsList.Add("first"))
.Returns(Task.CompletedTask);
var secondProvider = new Mock <ITokenClaimsProvider>();
secondProvider.SetupGet(p => p.Order).Returns(101);
secondProvider.Setup(p => p.OnGeneratingClaims(It.IsAny <TokenGeneratingContext>()))
.Callback(() => resultsList.Add("second"))
.Returns(Task.CompletedTask);
var manager = new DefaultTokenClaimsManager(new[] { secondProvider.Object, firstProvider.Object });
// Act
await manager.CreateClaimsAsync(context);
// Assert
Assert.Equal(new List <string> {
"first", "second"
}, resultsList);
}
public async Task CreateClaimsAsync(TokenGeneratingContext context)
{
foreach (var provider in _providers)
{
await provider.OnGeneratingClaims(context);
}
}
public async Task CreateTokenResponse_CallsParameterProvidersInOrder()
{
// Arrange
var context = new TokenGeneratingContext(new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(), new RequestGrants());
var resultsList = new List <string>();
var firstProvider = new Mock <ITokenResponseParameterProvider>();
firstProvider.SetupGet(p => p.Order).Returns(100);
firstProvider.Setup(p => p.AddParameters(It.IsAny <TokenGeneratingContext>(), It.IsAny <OpenIdConnectMessage>()))
.Callback(() => resultsList.Add("first"))
.Returns(Task.CompletedTask);
var secondProvider = new Mock <ITokenResponseParameterProvider>();
secondProvider.SetupGet(p => p.Order).Returns(101);
secondProvider.Setup(p => p.AddParameters(It.IsAny <TokenGeneratingContext>(), It.IsAny <OpenIdConnectMessage>()))
.Callback(() => resultsList.Add("second"))
.Returns(Task.CompletedTask);
var responseFactory = new DefaultTokenResponseFactory(new[] { secondProvider.Object, firstProvider.Object });
// Act
var response = await responseFactory.CreateTokenResponseAsync(context);
// Assert
Assert.Equal(new List <string> {
"first", "second"
}, resultsList);
}
public async Task AddParameters_AddsIdTokenToResponse_WhenIdTokenIsEmitted()
{
// Arrange
var provider = new DefaultAuthorizationResponseParameterProvider(new TimeStampManager());
var response = new AuthorizationResponse()
{
Message = new OpenIdConnectMessage(),
RedirectUri = "http://www.example.com/callback",
ResponseMode = "query"
};
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage()
{
State = "state"
},
new RequestGrants());
context.InitializeForToken(TokenTypes.IdToken);
context.AddToken(new TokenResult(new TestToken(TokenTypes.IdToken), "serialized_id_token"));
// Act
await provider.AddParameters(context, response);
// Assert
Assert.Equal("state", response.Message.State);
Assert.Equal("serialized_id_token", response.Message.IdToken);
}
public async Task IssueAccessTokenAsync(TokenGeneratingContext context)
{
var accessToken = await CreateAccessTokenAsync(context);
var subjectIdentity = CreateSubject(accessToken);
var descriptor = new SecurityTokenDescriptor();
descriptor.Issuer = accessToken.Issuer;
descriptor.Audience = accessToken.Audience;
descriptor.Subject = subjectIdentity;
descriptor.Expires = accessToken.Expires.UtcDateTime;
descriptor.NotBefore = accessToken.NotBefore.UtcDateTime;
var credentialsDescriptor = await _credentialsProvider.GetSigningCredentialsAsync();
descriptor.SigningCredentials = credentialsDescriptor.Credentials;
var token = _handler.CreateJwtSecurityToken(descriptor);
token.Payload.Remove(IdentityServiceClaimTypes.JwtId);
token.Payload.Remove(IdentityServiceClaimTypes.IssuedAt);
//token.Payload.Add(IdentityServiceClaimTypes.JwtId, accessToken.Id);
context.AddToken(new TokenResult(accessToken, _handler.WriteToken(token), TokenKinds.Bearer));
}
public async Task IssueTokensAsync(TokenGeneratingContext context)
{
if (context.RequestGrants.Tokens.Contains(TokenTypes.AuthorizationCode))
{
context.InitializeForToken(TokenTypes.AuthorizationCode);
await _codeIssuer.CreateAuthorizationCodeAsync(context);
}
if (context.RequestGrants.Tokens.Contains(TokenTypes.AccessToken))
{
context.InitializeForToken(TokenTypes.AccessToken);
await _accessTokenIssuer.IssueAccessTokenAsync(context);
}
if (context.RequestGrants.Tokens.Contains(TokenTypes.IdToken))
{
context.InitializeForToken(TokenTypes.IdToken);
await _idTokenIssuer.IssueIdTokenAsync(context);
}
if (context.RequestGrants.Tokens.Contains(TokenTypes.RefreshToken))
{
context.InitializeForToken(TokenTypes.RefreshToken);
await _refreshTokenIssuer.IssueRefreshTokenAsync(context);
}
}
private async Task <RefreshToken> CreateRefreshTokenAsync(TokenGeneratingContext context)
{
await _claimsManager.CreateClaimsAsync(context);
var claims = context.CurrentClaims;
return(new RefreshToken(claims));
}
public async Task IssueRefreshTokenAsync(TokenGeneratingContext context)
{
var refreshToken = await CreateRefreshTokenAsync(context);
var token = _dataFormat.Protect(refreshToken);
context.AddToken(new TokenResult(refreshToken, token));
}
public async Task <OpenIdConnectMessage> CreateTokenResponseAsync(TokenGeneratingContext context)
{
var response = new OpenIdConnectMessage();
foreach (var provider in _providers)
{
await provider.AddParameters(context, response);
}
return(response);
}
public async Task CreateAuthorizationCodeAsync(TokenGeneratingContext context)
{
await _claimsManager.CreateClaimsAsync(context);
var claims = context.CurrentClaims;
var code = new AuthorizationCode(claims);
var tokenResult = new TokenResult(code, _dataFormat.Protect(code));
context.AddToken(tokenResult);
}
public async Task <AuthorizationResponse> CreateAuthorizationResponseAsync(TokenGeneratingContext context)
{
var result = new AuthorizationResponse();
result.Message = new OpenIdConnectMessage();
result.ResponseMode = context.RequestGrants.ResponseMode;
result.RedirectUri = context.RequestGrants.RedirectUri;
foreach (var provider in _providers)
{
await provider.AddParameters(context, result);
}
return(result);
}
public async Task IssueIdTokenAsync(TokenGeneratingContext context)
{
var idToken = await CreateIdTokenAsync(context);
var subjectIdentity = CreateSubject(idToken);
var descriptor = new SecurityTokenDescriptor();
descriptor.Issuer = idToken.Issuer;
descriptor.Audience = idToken.Audience;
descriptor.Subject = subjectIdentity;
descriptor.IssuedAt = idToken.IssuedAt.UtcDateTime;
descriptor.Expires = idToken.Expires.UtcDateTime;
descriptor.NotBefore = idToken.NotBefore.UtcDateTime;
var credentialsDescriptor = await _credentialsProvider.GetSigningCredentialsAsync();
descriptor.SigningCredentials = credentialsDescriptor.Credentials;
var token = _handler.CreateJwtSecurityToken(descriptor);
token.Payload.Remove(IdentityServiceClaimTypes.JwtId);
//token.Payload.Add(IdentityServiceClaimTypes.JwtId, idToken.Id);
if (idToken.Nonce != null)
{
token.Payload.AddClaim(new Claim(IdentityServiceClaimTypes.Nonce, idToken.Nonce));
}
if (idToken.CodeHash != null)
{
token.Payload.AddClaim(new Claim(IdentityServiceClaimTypes.CodeHash, idToken.CodeHash));
}
if (idToken.AccessTokenHash != null)
{
token.Payload.AddClaim(new Claim(IdentityServiceClaimTypes.AccessTokenHash, idToken.AccessTokenHash));
}
context.AddToken(new TokenResult(idToken, _handler.WriteToken(token)));
}
public Task AddParameters(TokenGeneratingContext context, OpenIdConnectMessage response)
{
if (context.IdToken != null)
{
response.IdToken = context.IdToken.SerializedValue;
var expiresIn = _manager.GetDurationInSeconds(
context.IdToken.Token.Expires,
context.IdToken.Token.IssuedAt);
response.Parameters.Add(
"id_token_expires_in",
expiresIn.ToString(CultureInfo.InvariantCulture));
}
if (context.AccessToken != null)
{
response.AccessToken = context.AccessToken.SerializedValue;
response.ExpiresIn = GetExpirationTime(context.AccessToken.Token);
response.Parameters["expires_on"] = context.AccessToken.Token.GetClaimValue(IdentityServiceClaimTypes.Expires);
response.Parameters["not_before"] = context.AccessToken.Token.GetClaimValue(IdentityServiceClaimTypes.NotBefore);
response.Resource = context.RequestGrants.Scopes.First(s => s.ClientId != null).ClientId;
}
if (context.RefreshToken != null)
{
response.RefreshToken = context.RefreshToken.SerializedValue;
var expiresIn = _manager.GetDurationInSeconds(
context.RefreshToken.Token.Expires,
context.RefreshToken.Token.IssuedAt);
response.Parameters.Add(
"refresh_token_expires_in",
expiresIn.ToString(CultureInfo.InvariantCulture));
}
response.TokenType = "Bearer";
return(Task.CompletedTask);
}
public Task AddParameters(TokenGeneratingContext context, AuthorizationResponse response)
{
if (context.AuthorizationCode != null)
{
response.Message.Code = context.AuthorizationCode.SerializedValue;
}
if (context.AccessToken != null)
{
response.Message.AccessToken = context.AccessToken.SerializedValue;
response.Message.TokenType = "Bearer";
response.Message.ExpiresIn = GetExpirationTime(context.AccessToken.Token);
response.Message.Scope = string.Join(" ", context.RequestGrants.Scopes.Select(s => s.Scope));
}
if (context.IdToken != null)
{
response.Message.IdToken = context.IdToken.SerializedValue;
}
response.Message.State = context.RequestParameters.State;
return(Task.CompletedTask);
}
public async Task AddParameters_AddsRefreshTokenToResponse_WhenRefreshTokenIsEmitted()
{
// Arrange
var provider = new DefaultTokenResponseParameterProvider(new TimeStampManager());
var response = new OpenIdConnectMessage();
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(),
new RequestGrants());
context.InitializeForToken(TokenTypes.RefreshToken);
context.AddToken(new TokenResult(new TestToken(TokenTypes.RefreshToken), "serialized_refresh_token"));
// Act
await provider.AddParameters(context, response);
// Assert
Assert.Equal("serialized_refresh_token", response.RefreshToken);
Assert.True(response.Parameters.ContainsKey("refresh_token_expires_in"));
Assert.Equal("3600", response.Parameters["refresh_token_expires_in"]);
Assert.Equal("Bearer", response.TokenType);
}
public async Task AddParameters_AddsAccessTokenToResponse_WhenAccessTokenIsEmitted()
{
// Arrange
var provider = new DefaultAuthorizationResponseParameterProvider(new TimeStampManager());
var response = new AuthorizationResponse()
{
Message = new OpenIdConnectMessage(),
RedirectUri = "http://www.example.com/callback",
ResponseMode = "query"
};
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage()
{
State = "state"
},
new RequestGrants()
{
Scopes = { ApplicationScope.OpenId, new ApplicationScope("resourceId", "read") }
});
context.InitializeForToken(TokenTypes.AccessToken);
context.AddToken(new TokenResult(new TestToken(TokenTypes.AccessToken), "serialized_access_token"));
// Act
await provider.AddParameters(context, response);
// Assert
Assert.Equal("state", response.Message.State);
Assert.Equal("serialized_access_token", response.Message.AccessToken);
Assert.Equal("3600", response.Message.ExpiresIn);
Assert.Equal("openid read", response.Message.Scope);
Assert.Equal("Bearer", response.Message.TokenType);
}
