public async Task when_setting_disabled_logout_should_not_revoke_refreshtoken()
{
BffHost.BffOptions.RevokeRefreshTokenOnLogout = false;
await BffHost.InitializeAsync();
await BffHost.BffLoginAsync("alice", "sid");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
await BffHost.BffLogoutAsync("sid");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
}
public async Task user_endpoint_when_sliding_flag_is_passed_cookie_should_not_slide()
{
await BffHost.BffLoginAsync("alice");
var sessions = await _sessionStore.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Count().Should().Be(1);
var session = sessions.Single();
var ticketStore = BffHost.Resolve <IServerTicketStore>();
var firstTicket = await ticketStore.RetrieveAsync(session.Key);
firstTicket.Should().NotBeNull();
_clock.UtcNow = _clock.UtcNow.AddMinutes(8);
(await BffHost.GetIsUserLoggedInAsync("slide=false")).Should().BeTrue();
var secondTicket = await ticketStore.RetrieveAsync(session.Key);
secondTicket.Should().NotBeNull();
(secondTicket.Properties.IssuedUtc == firstTicket.Properties.IssuedUtc).Should().BeTrue();
(secondTicket.Properties.ExpiresUtc == firstTicket.Properties.ExpiresUtc).Should().BeTrue();
}
public async Task when_BackchannelLogoutAllUserSessions_is_true_backchannel_logout_should_logout_all_sessions()
{
BffHost.BffOptions.BackchannelLogoutAllUserSessions = true;
await BffHost.BffLoginAsync("alice", "sid1");
BffHost.BrowserClient.RemoveCookie("bff");
await BffHost.BffLoginAsync("alice", "sid2");
{
var store = BffHost.Resolve <IUserSessionStore>();
var sessions = await store.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Count().Should().Be(2);
}
await IdentityServerHost.RevokeSessionCookieAsync();
{
var store = BffHost.Resolve <IUserSessionStore>();
var sessions = await store.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Should().BeEmpty();
}
}
public async Task backchannel_logout_endpoint_should_revoke_refreshtoken()
{
await BffHost.BffLoginAsync("alice", "sid123");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
await IdentityServerHost.RevokeSessionCookieAsync();
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Should().BeEmpty();
}
}
public async Task logout_endpoint_should_reject_non_local_returnUrl()
{
await BffHost.BffLoginAsync("alice", "sid123");
Func <Task> f = () => BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout") + "?sid=sid123&returnUrl=https://foo");
f.Should().Throw <Exception>().And.Message.Should().Contain("returnUrl");
}
public async Task backchannel_logout_endpoint_should_signout()
{
await BffHost.BffLoginAsync("alice", "sid123");
await IdentityServerHost.RevokeSessionCookieAsync();
(await BffHost.GetIsUserLoggedInAsync()).Should().BeFalse();
}
public async Task logout_endpoint_should_signout()
{
await BffHost.BffLoginAsync("alice", "sid123");
await BffHost.BffLogoutAsync("sid123");
(await BffHost.GetIsUserLoggedInAsync()).Should().BeFalse();
}
public async Task calls_to_local_endpoint_should_require_csrf()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/local_anon"));
var response = await BffHost.BrowserClient.SendAsync(req);
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
}
public async Task logout_endpoint_should_redirect_to_external_signout_and_return_to_root()
{
await BffHost.BffLoginAsync("alice", "sid123");
await BffHost.BffLogoutAsync("sid123");
BffHost.BrowserClient.CurrentUri.ToString().ToLowerInvariant().Should().Be(BffHost.Url("/"));
(await BffHost.GetIsUserLoggedInAsync()).Should().BeFalse();
}
public async Task login_endpoint_with_existing_session_should_challenge()
{
await BffHost.BffLoginAsync("alice");
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/login"));
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(IdentityServerHost.Url("/connect/authorize"));
}
public async Task user_endpoint_when_uservalidate_renews_and_sliding_flag_is_passed_cookie_should_not_slide()
{
var shouldRenew = false;
#if NET6_0_OR_GREATER
BffHost.OnConfigureServices += services =>
{
services.Configure <CookieAuthenticationOptions>("cookie", options =>
{
options.Events.OnCheckSlidingExpiration = ctx =>
{
ctx.ShouldRenew = shouldRenew;
return(Task.CompletedTask);
};
});
};
#else
BffHost.OnConfigureServices += services =>
{
services.Configure <CookieAuthenticationOptions>("cookie", options =>
{
options.Events.OnValidatePrincipal = ctx =>
{
ctx.ShouldRenew = shouldRenew;
return(Task.CompletedTask);
};
});
};
#endif
await BffHost.InitializeAsync();
await BffHost.BffLoginAsync("alice");
var sessions = await _sessionStore.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Count().Should().Be(1);
var session = sessions.Single();
var ticketStore = BffHost.Resolve <IServerTicketStore>();
var firstTicket = await ticketStore.RetrieveAsync(session.Key);
firstTicket.Should().NotBeNull();
shouldRenew = true;
_clock.UtcNow = _clock.UtcNow.AddSeconds(1);
(await BffHost.GetIsUserLoggedInAsync("slide=false")).Should().BeTrue();
var secondTicket = await ticketStore.RetrieveAsync(session.Key);
secondTicket.Should().NotBeNull();
(secondTicket.Properties.IssuedUtc == firstTicket.Properties.IssuedUtc).Should().BeTrue();
(secondTicket.Properties.ExpiresUtc == firstTicket.Properties.ExpiresUtc).Should().BeTrue();
}
public async Task backchannel_logout_endpoint_for_incorrect_sid_should_not_logout_user()
{
await BffHost.BffLoginAsync("alice", "sid123");
await IdentityServerHost.CreateIdentityServerSessionCookieAsync("alice", "sid999");
await IdentityServerHost.RevokeSessionCookieAsync();
(await BffHost.GetIsUserLoggedInAsync()).Should().BeTrue();
}
public async Task logout_endpoint_for_authenticated_should_require_sid()
{
await BffHost.BffLoginAsync("alice", "sid123");
Func <Task> f = () => BffHost.BffLogoutAsync();
f.Should().Throw <Exception>();
(await BffHost.GetIsUserLoggedInAsync()).Should().BeTrue();
}
public async Task logout_endpoint_for_authenticated_when_require_otpion_is_false_should_not_require_sid()
{
await BffHost.BffLoginAsync("alice", "sid123");
BffHost.BffOptions.RequireLogoutSessionId = false;
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout"));
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
}
public async Task forbidden_api_call_should_return_403()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/always_fail_authz"));
req.Headers.Add("x-csrf", "1");
var response = await BffHost.BrowserClient.SendAsync(req);
response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
}
public async Task response_status_403_from_remote_endpoint_should_return_403_from_bff()
{
await BffHost.BffLoginAsync("alice");
ApiHost.ApiStatusCodeToReturn = 403;
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/api_user/test"));
req.Headers.Add("x-csrf", "1");
var response = await BffHost.BrowserClient.SendAsync(req);
response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
}
public async Task response_status_403_should_return_403()
{
await BffHost.BffLoginAsync("alice");
BffHost.LocalApiStatusCodeToReturn = 403;
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/local_authz"));
req.Headers.Add("x-csrf", "1");
var response = await BffHost.BrowserClient.SendAsync(req);
response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
}
public async Task StoreAsync_should_remove_conflicting_entries_prior_to_creating_new_entry()
{
await BffHost.BffLoginAsync("alice");
BffHost.BrowserClient.RemoveCookie("bff");
(await _sessionStore.GetUserSessionsAsync(new UserSessionsFilter {
SubjectId = "alice"
})).Count().Should().Be(1);
await BffHost.BffOidcLoginAsync();
(await _sessionStore.GetUserSessionsAsync(new UserSessionsFilter {
SubjectId = "alice"
})).Count().Should().Be(1);
}
public async Task calls_to_authorized_local_endpoint_without_csrf_should_succeed()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/local_authz_no_csrf"));
var response = await BffHost.BrowserClient.SendAsync(req);
response.IsSuccessStatusCode.Should().BeTrue();
response.Content.Headers.ContentType.MediaType.Should().Be("application/json");
var json = await response.Content.ReadAsStringAsync();
var apiResult = JsonSerializer.Deserialize <ApiResponse>(json);
apiResult.Method.Should().Be("GET");
apiResult.Path.Should().Be("/local_authz_no_csrf");
apiResult.Sub.Should().Be("alice");
}
public async Task endpoints_that_disable_csrf_should_not_require_csrf_header()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/api_user_no_csrf/test"));
var response = await BffHost.BrowserClient.SendAsync(req);
response.IsSuccessStatusCode.Should().BeTrue();
response.Content.Headers.ContentType.MediaType.Should().Be("application/json");
var json = await response.Content.ReadAsStringAsync();
var apiResult = JsonSerializer.Deserialize <ApiResponse>(json);
apiResult.Method.Should().Be("GET");
apiResult.Path.Should().Be("/test");
apiResult.Sub.Should().Be("alice");
apiResult.ClientId.Should().Be("spa");
}
public async Task calls_to_remote_endpoint_should_forward_user_to_api()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/api_user/test"));
req.Headers.Add("x-csrf", "1");
var response = await BffHost.BrowserClient.SendAsync(req);
response.IsSuccessStatusCode.Should().BeTrue();
response.Content.Headers.ContentType.MediaType.Should().Be("application/json");
var json = await response.Content.ReadAsStringAsync();
var apiResult = JsonSerializer.Deserialize <ApiResponse>(json);
apiResult.Method.Should().Be("GET");
apiResult.Path.Should().Be("/test");
apiResult.Sub.Should().Be("alice");
apiResult.ClientId.Should().Be("spa");
}
public async Task put_to_local_endpoint_should_succeed()
{
await BffHost.BffLoginAsync("alice");
var req = new HttpRequestMessage(HttpMethod.Put, BffHost.Url("/local_authz"));
req.Headers.Add("x-csrf", "1");
req.Content = new StringContent(JsonSerializer.Serialize(new TestPayload("hello test api")), Encoding.UTF8, "application/json");
var response = await BffHost.BrowserClient.SendAsync(req);
response.IsSuccessStatusCode.Should().BeTrue();
response.Content.Headers.ContentType.MediaType.Should().Be("application/json");
var json = await response.Content.ReadAsStringAsync();
var apiResult = JsonSerializer.Deserialize <ApiResponse>(json);
apiResult.Method.Should().Be("PUT");
apiResult.Path.Should().Be("/local_authz");
apiResult.Sub.Should().Be("alice");
var body = JsonSerializer.Deserialize <TestPayload>(apiResult.Body);
body.message.Should().Be("hello test api");
}
public async Task logout_endpoint_should_accept_returnUrl()
{
await BffHost.BffLoginAsync("alice", "sid123");
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout") + "?sid=sid123&returnUrl=/foo");
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // logout
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/account/logout"));
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // post logout redirect uri
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(BffHost.Url("/signout-callback-oidc"));
response = await BffHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // root
response.Headers.Location.ToString().ToLowerInvariant().Should().Be("/foo");
}
