/// <summary>
/// Conformance case "rp-response_type-id_token+token": asks the provider, via the
/// claims request parameter, to place the "name" claim inside the ID token, then
/// verifies the implicit response carries an access token and a validated ID token
/// whose Name claim is populated.
/// </summary>
public void Should_Request_And_Use_Claims_Id_Token()
{
    rpid = "rp-response_type-id_token+token";
    signalg = "RS256";
    GetProviderMetadata();

    // given: a fresh nonce (replay protection, checked again below) and a claims
    // request that asks for "name" to be delivered in the ID token itself.
    var nonce = WebOperations.RandomString();
    var claims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData>
        {
            { "name", new OIDClaimData() }
        }
    };

    // when
    var response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, nonce, true, claims);

    // then: message-level validation first, then the access token must be present.
    response.Validate();
    Assert.NotNull(response.AccessToken);

    // The ID token is parsed against the provider's published keys and the client
    // secret, then checked against the expected issuer and the nonce sent above.
    var relyingParty = new OpenIdRelyingParty();
    var idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
    relyingParty.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, nonce);

    Assert.IsNotNullOrEmpty(idToken.Name);
}
/// <summary>
/// Conformance case "rp-nonce-invalid": runs an implicit id_token+token request with a
/// real nonce and then validates the returned ID token against a different nonce, which
/// the relying party must reject. The mechanism that turns that rejection into a passing
/// test (e.g. an expected-exception attribute) is not visible in this method body.
/// </summary>
public void Should_Reject_Id_Token_With_Wrong_Nonce()
{
    rpid = "rp-nonce-invalid";

    // given: "name" is requested from the userinfo endpoint; the nonce and state are
    // random per request.
    var claims = new OIDClaims
    {
        Userinfo = new Dictionary<string, OIDClaimData>
        {
            { "name", new OIDClaimData() }
        }
    };

    var requestMessage = new OIDCAuthorizationRequestMessage
    {
        ClientId = clientInformation.ClientId,
        Scope = new List<MessageScope>() { MessageScope.Openid },
        ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token },
        RedirectUri = clientInformation.RedirectUris[0],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString(),
        Claims = claims
    };
    requestMessage.Validate();

    var relyingParty = new OpenIdRelyingParty();
    relyingParty.Authenticate(GetBaseUrl("/authorization"), requestMessage);

    // The redirect back to the RP is delivered asynchronously into `result`; block
    // until the callback has signalled.
    semaphore.WaitOne();

    var response = relyingParty.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
    var idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

    // then: the expected issuer is taken from the token itself, so the only check this
    // case exercises is the nonce mismatch; it must not validate.
    relyingParty.ValidateIdToken(idToken, clientInformation, idToken.Iss, "wrong-nonce");
}
/// <summary>
/// Exchanges an authorization code for tokens at the provider's token endpoint and
/// validates the ID token that comes back before handing the response to the caller.
/// </summary>
/// <param name="authResponse">The parsed authorization-code response (scope, state, code).</param>
/// <returns>The token endpoint's response, with its ID token already validated.</returns>
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
    // The client secret travels with the request; SubmitTokenRequest also receives the
    // client information, presumably for client authentication at the endpoint.
    var tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        RedirectUri = clientInformation.RedirectUris[0],
        GrantType = "authorization_code"
    };

    var relyingParty = new OpenIdRelyingParty();
    var tokenResponse = relyingParty.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequest, clientInformation);

    // Parse with the provider's published keys and validate against the configured
    // issuer. A null nonce is passed here — presumably meaning "no nonce check" for
    // the code flow; confirm that ValidateIdToken treats null that way.
    var idToken = tokenResponse.GetIdToken(providerMetadata.Keys, tokenRequest.ClientSecret);
    relyingParty.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);

    return tokenResponse;
}
/// <summary>
/// Conformance case "rp-scope-userinfo_claims" against a self-issued OP: requests the
/// profile, email, address and phone scopes over the "openid://" scheme and checks that
/// every corresponding claim is present in the validated ID token.
/// </summary>
public void Should_Authenticate_With_Claims_In_Scope_Self_Issued()
{
    rpid = "rp-scope-userinfo_claims";

    // Route "openid://" URLs to the self-issued request handler for this process.
    WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());

    // given: for the self-issued flow the client_id is the RP's redirect URI
    // (OpenID Connect Core, self-issued OP), not a registered client identifier.
    var requestMessage = new OIDCAuthorizationRequestMessage
    {
        ClientId = clientInformation.RedirectUris[0],
        Scope = new List<MessageScope>()
        {
            MessageScope.Openid,
            MessageScope.Profile,
            MessageScope.Email,
            MessageScope.Address,
            MessageScope.Phone
        },
        State = WebOperations.RandomString(),
        Nonce = WebOperations.RandomString(),
        ResponseType = new List<ResponseType>() { ResponseType.IdToken },
        RedirectUri = clientInformation.RedirectUris[0]
    };
    requestMessage.Validate();

    // Test fixture key pair: loaded from a PFX with an empty password and marked
    // Exportable. NOTE(review): confirm Authenticate actually needs an exportable
    // key; otherwise the flag can be dropped.
    var certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    var relyingParty = new OpenIdRelyingParty();

    // when
    var response = relyingParty.Authenticate("openid://", requestMessage, certificate);
    var idToken = response.GetIdToken();

    // then: the token's own "iss" is used as the expected issuer here (a self-issued
    // token has no pre-configured issuer to compare against); the nonce is checked.
    response.Validate();
    relyingParty.ValidateIdToken(idToken, clientInformation, idToken.Iss, requestMessage.Nonce);

    Assert.IsNotNullOrEmpty(idToken.Name);
    Assert.IsNotNullOrEmpty(idToken.GivenName);
    Assert.IsNotNullOrEmpty(idToken.FamilyName);
    Assert.IsNotNullOrEmpty(idToken.Email);
    Assert.IsNotNull(idToken.Address);
    Assert.IsNotNullOrEmpty(idToken.Address.StreetAddress);
    Assert.IsNotNullOrEmpty(idToken.Address.PostalCode);
    Assert.IsNotNullOrEmpty(idToken.Address.Locality);
    Assert.IsNotNullOrEmpty(idToken.Address.Country);
    Assert.IsNotNullOrEmpty(idToken.PhoneNumber);
}