public void JwtSecurityTokenHandler_Extensibility()
{
DerivedJwtSecurityTokenHandler handler = new DerivedJwtSecurityTokenHandler()
{
DerivedTokenType = typeof(DerivedJwtSecurityToken)
};
JwtSecurityToken jwt =
new JwtSecurityToken
(
issuer: Default.Issuer,
audience: Default.Audience,
claims: ClaimSets.Simple(Default.Issuer, Default.Issuer),
signingCredentials: KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2,
expires: DateTime.UtcNow + TimeSpan.FromHours(10),
notBefore: DateTime.UtcNow
);
string encodedJwt = handler.WriteToken(jwt);
TokenValidationParameters tvp = new TokenValidationParameters()
{
IssuerSigningKey = KeyingMaterial.DefaultX509Key_2048,
ValidateAudience = false,
ValidIssuer = Default.Issuer,
};
List <string> errors = new List <string>();
ValidateDerived(encodedJwt, handler, tvp, ExpectedException.NoExceptionExpected, errors);
}
public static JwtSecurityToken CreateJwtSecurityToken(string issuer = null, string originalIssuer = null)
{
string iss = issuer ?? IdentityUtilities.DefaultIssuer;
string originalIss = originalIssuer ?? IdentityUtilities.DefaultOriginalIssuer;
return(new JwtSecurityToken(issuer, "http://www.contoso.com", ClaimSets.Simple(iss, originalIss)));
}
/// <summary>
/// Clears the cache, the database will be hit lazily.
/// </summary>
protected void Reset()
{
Application.Reset();
Actions.Reset();
ClaimSets.Reset();
ResourceClaims.Reset();
AuthorizationStrategies.Reset();
ClaimSetResourceClaimActions.Reset();
ResourceClaimActions.Reset();
}
public static TheoryData <JwtTheoryData> RoundTripTokensTheoryData()
{
var theoryData = new TheoryData <JwtTheoryData>();
var handler = new JwtSecurityTokenHandler();
theoryData.Add(new JwtTheoryData
{
TestId = "Test1",
TokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(null),
ValidationParameters = Default.AsymmetricSignTokenValidationParameters,
});
theoryData.Add(new JwtTheoryData
{
TestId = "Test2",
TokenDescriptor = new SecurityTokenDescriptor(),
ValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
});
theoryData.Add(new JwtTheoryData
{
TestId = "Test3",
TokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(ClaimSets.DuplicateTypes()),
ValidationParameters = Default.AsymmetricSignTokenValidationParameters,
});
theoryData.Add(new JwtTheoryData
{
TestId = "Test4",
TokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(ClaimSets.DefaultClaims),
ValidationParameters = Default.AsymmetricSignTokenValidationParameters
});
theoryData.Add(new JwtTheoryData
{
TestId = "Test5",
TokenDescriptor = Default.SymmetricSignSecurityTokenDescriptor(ClaimSets.DefaultClaims),
ValidationParameters = Default.SymmetricEncryptSignTokenValidationParameters
});
theoryData.Add(new JwtTheoryData
{
TestId = "Test6",
TokenDescriptor = Default.SymmetricSignSecurityTokenDescriptor(ClaimSets.GetDefaultRoleClaims(handler)),
ValidationParameters = Default.SymmetricEncryptSignTokenValidationParameters
});
return(theoryData);
}
public void Variations()
{
var context = new CompareContext();
RunAudienceVariation(ClaimSets.MultipleAudiences(), IdentityUtilities.DefaultAudiences, context);
RunAudienceVariation(ClaimSets.SingleAudience(), new List <string> {
IdentityUtilities.DefaultAudience
}, context);
TestUtilities.AssertFailIfErrors("AudienceValidation: ", context.Diffs);
}
public void Variations()
{
var context = new CompareContext {
IgnoreType = true
};
RunAudienceVariation(ClaimSets.MultipleAudiences(), Default.Audiences, context);
RunAudienceVariation(ClaimSets.SingleAudience(), new List <string> {
Default.Audience
}, context);
TestUtilities.AssertFailIfErrors("AudienceValidation: ", context.Diffs);
}
public static TheoryData <string, string, TokenValidationParameters, JwtPayload, ExpectedException> CreationJWEParams()
{
var theoryData = new TheoryData <string, string, TokenValidationParameters, JwtPayload, ExpectedException>();
JwtPayload expectedPayload = new JwtPayload(ClaimSets.DefaultClaimsAsCreatedInPayload());
theoryData.Add(
"Test1",
EncodedJwts.JweTest1,
Default.SymmetricEncyptSignInfiniteLifetimeTokenValidationParameters,
expectedPayload,
ExpectedException.NoExceptionExpected
);
theoryData.Add(
"Test2",
EncodedJwts.JweTest2,
Default.SymmetricEncyptSignInfiniteLifetimeTokenValidationParameters,
expectedPayload,
ExpectedException.NoExceptionExpected
);
// signing key not found
theoryData.Add(
"Test3",
EncodedJwts.JweTest3,
new TokenValidationParameters
{
IssuerSigningKey = NotDefault.SymmetricSigningKey256,
TokenDecryptionKey = Default.SymmetricEncryptionKey256,
ValidateLifetime = false
},
expectedPayload,
ExpectedException.SecurityTokenSignatureKeyNotFoundException("IDX10501:")
);
// encryption key not found
theoryData.Add(
"Test4",
EncodedJwts.JweTest4,
new TokenValidationParameters
{
IssuerSigningKey = Default.SymmetricSigningKey256,
TokenDecryptionKey = NotDefault.SymmetricEncryptionKey,
ValidateLifetime = false
},
expectedPayload,
ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:")
);
return(theoryData);
}
public void RoleClaims()
{
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
TokenValidationParameters validationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateIssuer = false
};
DateTime utcNow = DateTime.UtcNow;
DateTime expire = utcNow + TimeSpan.FromHours(1);
ClaimsIdentity subject = new ClaimsIdentity(claims: ClaimSets.GetDefaultRoleClaims(null));
JwtSecurityToken jwtToken = handler.CreateJwtSecurityToken(Default.Issuer, Default.Audience, subject, utcNow, expire, utcNow);
SecurityToken securityToken;
ClaimsPrincipal principal = handler.ValidateToken(jwtToken.RawData, validationParameters, out securityToken);
CheckForRoles(ClaimSets.GetDefaultRoles(), new string[] { Guid.NewGuid().ToString(), Guid.NewGuid().ToString() }, principal);
ClaimsIdentity expectedIdentity =
new ClaimsIdentity(
authenticationType: "Federation",
claims: ClaimSets.GetDefaultRoleClaims(handler)
);
expectedIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, Default.Issuer, ClaimValueTypes.String, Default.Issuer));
expectedIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, Default.Audience, ClaimValueTypes.String, Default.Issuer));
expectedIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(expire).ToString(), ClaimValueTypes.Integer, Default.Issuer));
expectedIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(utcNow).ToString(), ClaimValueTypes.Integer, Default.Issuer));
expectedIdentity.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(utcNow).ToString(), ClaimValueTypes.Integer, Default.Issuer));
CompareContext context = new CompareContext {
IgnoreType = true
};
IdentityComparer.AreEqual(principal.Claims, expectedIdentity.Claims, context);
TestUtilities.AssertFailIfErrors(GetType().ToString() + ".RoleClaims", context.Diffs);
}
public void ClaimSourceAndClaimName()
{
string claimSources = "_claim_sources";
string claimNames = "_claim_names";
var context = new CompareContext();
JwtPayload payload = new JwtPayload();
payload.Add(claimSources, JsonClaims.ClaimSourcesAsDictionary);
payload.Add(claimNames, JsonClaims.ClaimNamesAsDictionary);
payload.Add("iss", IdentityUtilities.DefaultIssuer);
JwtSecurityToken jwtToken = new JwtSecurityToken(new JwtHeader(), payload);
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
string encodedJwt = jwtHandler.WriteToken(new JwtSecurityToken(new JwtHeader(), payload));
var validationParameters = new TokenValidationParameters
{
IssuerValidator = (issuer, st, tvp) => { return(issuer); },
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
};
SecurityToken validatedJwt = null;
var claimsPrincipal = jwtHandler.ValidateToken(encodedJwt, validationParameters, out validatedJwt);
var expectedIdentity = JsonClaims.ClaimsIdentityDistributedClaims(
IdentityUtilities.DefaultIssuer,
TokenValidationParameters.DefaultAuthenticationType,
JsonClaims.ClaimSourcesAsDictionary,
JsonClaims.ClaimNamesAsDictionary);
IdentityComparer.AreEqual(claimsPrincipal.Identity as ClaimsIdentity, expectedIdentity, context);
jwtToken = new JwtSecurityToken(new JwtHeader(), new JwtPayload(IdentityUtilities.DefaultIssuer, null, ClaimSets.EntityAsJsonClaim(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), null, null));
encodedJwt = jwtHandler.WriteToken(jwtToken);
SecurityToken validatedToken;
var cp = jwtHandler.ValidateToken(encodedJwt, validationParameters, out validatedToken);
IdentityComparer.AreEqual(
cp.FindFirst(typeof(Entity).ToString()),
new Claim(typeof(Entity).ToString(), JsonExtensions.SerializeToJson(Entity.Default), JsonClaimValueTypes.Json, IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer, cp.Identity as ClaimsIdentity),
context);
TestUtilities.AssertFailIfErrors(context.Diffs);
}
public static TheoryData <CreateAndValidateParams> CreationParams()
{
var theoryData = new TheoryData <CreateAndValidateParams>();
var handler = new JwtSecurityTokenHandler();
theoryData.Add(new CreateAndValidateParams
{
Case = "Test1",
SecurityTokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(null),
TokenValidationParameters = Default.AsymmetricSignTokenValidationParameters,
});
theoryData.Add(new CreateAndValidateParams
{
Case = "Test2",
SecurityTokenDescriptor = new SecurityTokenDescriptor(),
TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
});
theoryData.Add(new CreateAndValidateParams
{
Case = "Test3",
ExceptionType = null,
SecurityTokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(ClaimSets.DuplicateTypes()),
TokenValidationParameters = Default.AsymmetricSignTokenValidationParameters,
});
theoryData.Add(new CreateAndValidateParams
{
Case = "Test4",
ExceptionType = null,
SecurityTokenDescriptor = Default.AsymmetricSignSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = Default.AsymmetricSignTokenValidationParameters
});
theoryData.Add(new CreateAndValidateParams
{
Case = "Test5",
ExceptionType = null,
SecurityTokenDescriptor = Default.SymmetricSignSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = Default.SymmetricEncyptSignTokenValidationParameters
});
theoryData.Add(new CreateAndValidateParams
{
Case = "Test6",
ExceptionType = null,
SecurityTokenDescriptor = Default.SymmetricSignSecurityTokenDescriptor(ClaimSets.GetDefaultRoleClaims(handler)),
TokenValidationParameters = Default.SymmetricEncyptSignTokenValidationParameters
});
return(theoryData);
}
public static TheoryData <CreateAndValidateParams> CreationParams()
{
var createParams = new TheoryData <CreateAndValidateParams>();
var expires = DateTime.UtcNow + TimeSpan.FromDays(1);
var handler = new JwtSecurityTokenHandler();
var nbf = DateTime.UtcNow;
var signingCredentials = new SigningCredentials(KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256, SecurityAlgorithms.RsaSha256Signature);
var verifyingKey = KeyingMaterial.X509SecurityKeySelfSigned2048_SHA256_Public;
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.NoClaims",
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(null),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
});
createParams.Add(new CreateAndValidateParams
{
Case = "EmptyToken",
SecurityTokenDescriptor = new SecurityTokenDescriptor(),
TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = false,
ValidateAudience = false,
ValidateLifetime = false,
ValidateIssuer = false,
}
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.DuplicateTypes",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DuplicateTypes()),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.Simple_Asymmetric",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.Simple_Symmetric",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.DefaultClaims),
TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
});
createParams.Add(new CreateAndValidateParams
{
Case = "ClaimSets.RoleClaims",
ExceptionType = null,
SecurityTokenDescriptor = IdentityUtilities.DefaultSymmetricSecurityTokenDescriptor(ClaimSets.GetDefaultRoleClaims(handler)),
TokenValidationParameters = IdentityUtilities.DefaultSymmetricTokenValidationParameters
});
return(createParams);
}
