public void Should_Spport_Third_Party_Initiated_Login()
{
rpid = "rp-support_3rd_party_init_login";
// given
OIDCThirdPartyLoginRequest thirdPartyRequest = new OIDCThirdPartyLoginRequest();
thirdPartyRequest.Iss = GetBaseUrl("/");
WebRequest webRequest = WebRequest.Create(clientInformation.InitiateLoginUri + "?" + thirdPartyRequest.SerializeToQueryString());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>{ MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
request = requestMessage.SerializeToQueryString();
param = providerMetadata.AuthorizationEndpoint;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
WebOperations.GetUrlContent(webRequest);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result);
// then
response.Validate();
}
public void Should_Authenticate_Client_With_Client_Secret_Basic()
{
rpid = "rp-token_endpoint-client_secret_basic";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage) GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "client_secret_basic";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Nonce_Be_Present_In_Implicit()
{
rpid = "rp-nonce-unless_code_flow";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
// then
idToken.Validate();
}
public void Should_Discover_OpenID_Providers_Using_URI_Syntax()
{
rpid = "rp-discovery-webfinger_acct";
// given
string userid = rpid + "@" + opBaseurl.Host;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
string issuer = rp.ObtainIssuerFromEmail(userid, opBaseurl.ToString());
// then
Assert.AreEqual(issuer.TrimEnd('/'), GetBaseUrl("/").TrimEnd('/'));
}
public void Should_Discover_OpenID_Providers_Using_URL_Syntax()
{
rpid = "rp-discovery-webfinger_url";
// given
string userid = "https://" + opBaseurl.Host + ":" + opBaseurl.Port + "/" + rpid;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
string issuer = rp.ObtainIssuerFromURL(userid, opBaseurl.ToString());
// then
Assert.AreEqual(issuer.TrimEnd('/'), GetBaseUrl("/").TrimEnd('/'));
}
public OIDCProviderMetadata(dynamic o)
{
deserializeFromDynamic(o);
if (JwksUri != null)
{
Keys = new List <OIDCKey>();
Dictionary <string, object> jwks = OpenIdRelyingParty.GetUrlContent(WebRequest.Create(JwksUri));
ArrayList keys = (ArrayList)jwks["keys"];
foreach (Dictionary <string, object> key in keys)
{
OIDCKey newKey = new OIDCKey(key);
Keys.Add(newKey);
}
}
}
public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK()
{
rpid = "rp-id_token-kid_absent_multiple_jwks";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Authenticate_With_Claims_In_Scope_Basic()
{
rpid = "rp-scope-userinfo_claims";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
userInfoRequestMessage.Scope = authResponse.Scope;
userInfoRequestMessage.State = authResponse.State;
// when
OIDCUserInfoResponseMessage response = rp.GetUserInfo(GetBaseUrl("/userinfo"), userInfoRequestMessage, authResponse.AccessToken);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
Assert.IsNotNullOrEmpty(response.GivenName);
Assert.IsNotNullOrEmpty(response.FamilyName);
Assert.IsNotNullOrEmpty(response.Email);
Assert.IsNotNull(response.Address);
Assert.IsNotNullOrEmpty(response.Address.StreetAddress);
Assert.IsNotNullOrEmpty(response.Address.PostalCode);
Assert.IsNotNullOrEmpty(response.Address.Locality);
Assert.IsNotNullOrEmpty(response.Address.Country);
Assert.IsNotNullOrEmpty(response.PhoneNumber);
}
public void Should_Accept_Encrypted_UserInfo()
{
rpid = "rp-user_info-enc";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(null, encCert);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Client_Be_Able_To_Register()
{
rpid = "rp-registration-dynamic";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
}
public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
{
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = (Nonce == null) ? WebOperations.RandomString() : Nonce;
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = Claims;
if (Profile)
{
requestMessage.Scope.Add(MessageScope.Profile);
requestMessage.Scope.Add(MessageScope.Address);
requestMessage.Scope.Add(MessageScope.Phone);
requestMessage.Scope.Add(MessageScope.Email);
}
if (ResponseType.Code == RespType)
{
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
}
else if (ResponseType.IdToken == RespType)
{
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
}
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
if (ResponseType.Code == RespType)
{
return rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
}
else if (ResponseType.IdToken == RespType)
{
return rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
}
throw new Exception("Error in parameter passed");
}
public void Should_Client_Only_Use_Https_Endpoints()
{
rpid = "rp-registration-uses_https_endpoints";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
response.JwksUri = clientMetadata.JwksUri.Replace("https", "http");
// then
response.Validate();
}
public void Should_Use_Distributed_Claims()
{
rpid = "rp-claims-distributed";
claims = "distributed";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string hostname = GetBaseUrl("/");
providerMetadata = rp.ObtainProviderInformation(hostname);
OIDCAuthCodeResponseMessage authResponse = GetAuthResponse(ResponseType.Code, null, true) as OIDCAuthCodeResponseMessage;
OIDCTokenResponseMessage tokenResponse = GetToken(authResponse);
OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
// when
OIDCUserInfoResponseMessage userInfoResponse = GetUserInfo(authResponse.Scope, authResponse.State, tokenResponse.AccessToken);
// then
Assert.NotNull(userInfoResponse);
Assert.AreEqual(userInfoResponse.CustomClaims["age"], 30);
}
public void Should_Use_Request_Uri_Parameter_Signed()
{
rpid = "rp-request_uri-sig";
// given
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce);
RSACryptoServiceProvider signKey = getSignKey();
request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
public void Should_Authenticate_With_Code_Response_Type()
{
rpid = "rp-response_type-code";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
public override void validate()
{
if (RedirectUris != null && ResponseTypes != null && RedirectUris.Count != ResponseTypes.Count)
{
throw new OIDCException("The redirect_uris do not match response_types.");
}
if (RedirectUris != null && SectorIdentifierUri != null)
{
List <string> siUris = new List <string>();
dynamic uris = OpenIdRelyingParty.GetUrlContent(WebRequest.Create(SectorIdentifierUri));
foreach (string uri in uris)
{
siUris.Add(uri);
}
foreach (string uri in RedirectUris)
{
if (!siUris.Contains(uri))
{
throw new OIDCException("The sector_identifier_uri json must include URIs from the redirect_uri array.");
}
}
}
if (ResponseTypes != null && GrantTypes != null)
{
foreach (string responseType in ResponseTypes)
{
if ((responseType == "code" && !GrantTypes.Contains("authorization_code")) ||
(responseType == "id_token" && !GrantTypes.Contains("implicit")) ||
(responseType == "token" && !GrantTypes.Contains("implicit")) ||
(responseType == "id_token" && !GrantTypes.Contains("implicit")))
{
throw new OIDCException("The response_types do not match grant_types.");
}
}
}
}
public void Should_Authenticate_With_IdToken_Response_Type()
{
rpid = "rp-response_type-id_token";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
requestMessage.RedirectUri = clientInformation.RedirectUris[1];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
// then
response.Validate();
}
public void Should_Request_And_Use_Claims_Id_Token()
{
rpid = "rp-response_type-id_token+token";
signalg = "RS256";
GetProviderMetadata();
// given
string Nonce = WebOperations.RandomString();
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, Nonce, true, requestClaims);
// then
response.Validate();
Assert.NotNull(response.AccessToken);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
}
public void Should_Support_Signing_Key_Rotation()
{
rpid = "rp-key_rotation-rp_sign_key";
// given
RSACryptoServiceProvider signKey1 = getSignKey("server.pfx");
OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
RSACryptoServiceProvider signKey2 = getSignKey("server2.pfx");
OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
request = JWT.Encode(requestObject1.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope, requestMessage1.State);
request = JWT.Encode(requestObject2.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope, requestMessage2.State);
// then
response1.Validate();
response2.Validate();
}
public void Should_Obtain_Provider_Information_With_JWKS_Json()
{
rpid = "rp-discovery-jwks_uri_keys";
// given
string hostname = GetBaseUrl("/");
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCProviderMetadata response = rp.ObtainProviderInformation(hostname);
// then
response.Validate();
Assert.IsNotNull(response.Keys);
Assert.Greater(response.Keys.Count, 0);
}
public void Should_Keys_Be_Published_As_JWK()
{
rpid = "rp-registration-well_formed_jwk";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
}
public void Should_Registration_Request_Has_RedirectUris()
{
rpid = "rp-registration-redirect_uris";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
CollectionAssert.AreEquivalent(clientMetadata.RedirectUris, response.RedirectUris);
}
public void Should_Wrong_Discovered_Issuer_Be_Rejected()
{
rpid = "rp-discovery-issuer_not_matching_config";
// given
string hostname = GetBaseUrl("/");
string userid = "https://" + opBaseurl.Host + ":" + opBaseurl.Port + "/" + rpid;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string issuer = rp.ObtainIssuerFromURL(userid, opBaseurl.ToString());
issuer = issuer.Replace("localhost", "wrong.hostname");
// when
rp.ObtainProviderInformation(hostname, issuer);
// then
}
public void Should_Authenticate_Client_With_Private_Key_Jwt()
{
rpid = "rp-token_endpoint-client_secret_jwt";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
delegate(OIDCKey k)
{
return k.Use == "enc" && k.Kty == "RSA";
}
).GetRSA();
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Obtain_Provider_Information()
{
rpid = "rp-discovery-openid_configuration";
// given
string hostname = GetBaseUrl("/");
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCProviderMetadata response = rp.ObtainProviderInformation(hostname);
// then
response.Validate();
}
private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
{
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
return rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
}
public void GetProviderMetadata()
{
string hostname = GetBaseUrl("/");
OpenIdRelyingParty rp = new OpenIdRelyingParty();
providerMetadata = rp.ObtainProviderInformation(hostname);
}
private static void ThirdPartyInitiatedLoginCallback(IHttpContext context)
{
result = context.Request.Uri.Query;
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.DeserializeFromQueryString(request);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.ThirdPartyInitiatedLogin(requestMessage, param);
}
public void RegisterClient(ResponseType? RespType, bool JWKs = false, bool RequestUri = false, bool InitateLoginUri = false)
{
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
if (JWKs)
{
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
}
if (RequestUri)
{
clientMetadata.RequestUris = new List<string>() { myBaseUrl + "request.jwt" };
}
if (InitateLoginUri)
{
clientMetadata.InitiateLoginUri = myBaseUrl + "initiated_login";
}
if (ResponseType.IdToken == RespType)
{
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
}
else if(ResponseType.Code == RespType)
{
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
}
else
{
clientMetadata.ResponseTypes = new List<ResponseType>() {
ResponseType.Code,
ResponseType.IdToken
};
clientMetadata.RedirectUris = new List<string>() {
myBaseUrl + "code_flow_callback",
myBaseUrl + "id_token_flow_callback"
};
}
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
}
public OIDCUserInfoResponseMessage GetUserInfo(List<MessageScope> scope, string state, string accessToken, string idTokenSub = null, bool bearer = true, string ClientSecret = null, List<OIDCKey> RPKeys = null)
{
OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
userInfoRequestMessage.Scope = scope;
userInfoRequestMessage.State = state;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
var urlInfoUrl = providerMetadata.UserinfoEndpoint;
return rp.GetUserInfo(urlInfoUrl, userInfoRequestMessage, accessToken, idTokenSub, bearer, ClientSecret, RPKeys);
}
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
tokenRequestMessage.GrantType = "authorization_code";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
return response;
}
public void Should_Support_Provider_Crypt_Key_Rotation()
{
rpid = "rp-key_rotation-op_enc_key";
// given
OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
RSACryptoServiceProvider encKey1 = getEncKey();
OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage2.State, requestMessage2.Nonce);
RSACryptoServiceProvider encKey2 = getEncKey();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
request = JWT.Encode(requestObject1.SerializeToJsonString(), encKey1, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope);
request = JWT.Encode(requestObject2.SerializeToJsonString(), encKey2, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope);
// then
response1.Validate();
response2.Validate();
}