public async Task When_Requesting_UserInformation_JwsPayload_For_Scopes_Then_The_JwsPayload_Is_Correct()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string name = "Habart Thierry";
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Name, name),
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var authorizationParameter = new AuthorizationParameter
{
Scope = "profile"
};
ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
_scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
// ACT
var result = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(authorizationParameter, claims);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name));
}
public async Task When_Requesting_IdentityToken_JwsPayload_And_NumberOfAudiencesIsMoreThanOne_Then_Azp_Should_Be_Returned()
{
// ARRANGE
InitializeMockObjects();
const string issuerName = "IssuerName";
var clientId = FakeOpenIdAssets.GetClients().First().ClientId;
const string subject = "*****@*****.**";
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var authorizationParameter = new AuthorizationParameter
{
ClientId = clientId
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT
var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, issuerName);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.Audiences.Count() > 1);
Assert.True(result.Azp == clientId);
}
public void When_Requesting_UserInformation_But_The_Name_Claim_Value_Is_Not_Correct_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string state = "state";
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject),
new Claim(Constants.StandardResourceOwnerClaimNames.Name, "invalid_name")
};
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Subject,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
subject
}
}
},
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Name,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
"name"
}
}
}
};
var authorizationParameter = new AuthorizationParameter
{
Scope = "profile",
State = state
};
ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
_scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
// ACT & ASSERT
var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload(
claimsParameter,
authorizationParameter, claims));
Assert.NotNull(exception);
Assert.True(exception.Code == ErrorCodes.InvalidGrant);
Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Name));
Assert.True(exception.State == state);
}
public void When_Requesting_UserInformation_But_The_Essential_Claim_Subject_Is_Empty_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeMockObjects();
const string subject = "";
const string state = "state";
var claims = new List <Claim>
{
new Claim(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var claimIdentity = new ClaimsIdentity(claims, "fake");
var claimsPrincipal = new ClaimsPrincipal(claimIdentity);
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = Jwt.Constants.StandardResourceOwnerClaimNames.Subject,
Parameters = new Dictionary <string, object>
{
{
Constants.StandardClaimParameterValueNames.EssentialName,
true
}
}
}
};
var authorizationParameter = new AuthorizationParameter
{
Scope = "profile",
State = state
};
ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
_scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
// ACT & ASSERT
var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload(
claimsParameter,
claimsPrincipal,
authorizationParameter));
Assert.NotNull(exception);
Assert.True(exception.Code == ErrorCodes.InvalidGrant);
Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Jwt.Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(exception.State == state);
}
public void When_JwsAlg_Is_RS512_And_AuthorizationCode_And_AccessToken_Are_Not_Empty_Then_OtherClaims_Are_FilledIn()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenSignedResponseAlg = Constants.JwsAlgNames.RS512;
var jwsPayload = new JwsPayload();
var authorizationParameter = new AuthorizationParameter
{
ClientId = client.ClientId
};
// ACT & ASSERT
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, "authorization_code", "access_token", authorizationParameter, client);
Assert.True(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
Assert.True(jwsPayload.ContainsKey(StandardClaimNames.CHash));
}
public void When_JwsAlg_Is_None_And_Trying_To_FillIn_Other_Claims_Then_The_Properties_Are_Not_Filled_In()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenSignedResponseAlg = "none";
var jwsPayload = new JwsPayload();
var authorizationParameter = new AuthorizationParameter
{
ClientId = client.ClientId
};
// ACT & ASSERT
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, null, null, authorizationParameter, new Client());
Assert.False(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
Assert.False(jwsPayload.ContainsKey(StandardClaimNames.CHash));
}
public async Task When_Encrypt_Jws_Then_Jwe_Is_Returned()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenEncryptedResponseAlg = Constants.JweAlgNames.RSA1_5;
var serializedRsa = string.Empty;
using (var provider = new RSACryptoServiceProvider())
{
serializedRsa = provider.ToXmlString(true);
};
var jsonWebKey = new JsonWebKey
{
Alg = AllAlg.RSA1_5,
KeyOps = new[]
{
KeyOperations.Encrypt,
KeyOperations.Decrypt
},
Kid = "3",
Kty = KeyType.RSA,
Use = Use.Enc,
SerializedKey = serializedRsa,
};
var jws = "jws";
ICollection <JsonWebKey> jwks = new List <JsonWebKey> {
jsonWebKey
};
_jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>()))
.Returns(Task.FromResult(jwks));
_clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client));
// ACT
var jwe = await _jwtGenerator.EncryptAsync(jws,
JweAlg.RSA1_5,
JweEnc.A128CBC_HS256);
// ASSERT
Assert.NotEmpty(jwe);
}
public async Task When_Sign_Payload_Then_Jws_Is_Returned()
{
// ARRANGE
InitializeMockObjects();
var client = FakeOpenIdAssets.GetClients().First();
client.IdTokenEncryptedResponseAlg = Constants.JwsAlgNames.RS256;
var serializedRsa = string.Empty;
using (var provider = new RSACryptoServiceProvider())
{
serializedRsa = provider.ToXmlString(true);
};
var jsonWebKey = new JsonWebKey
{
Alg = AllAlg.RS256,
KeyOps = new[]
{
KeyOperations.Sign,
KeyOperations.Verify
},
Kid = "a3rMUgMFv9tPclLa6yF3zAkfquE",
Kty = KeyType.RSA,
Use = Use.Sig,
SerializedKey = serializedRsa
};
ICollection <JsonWebKey> jwks = new List <JsonWebKey> {
jsonWebKey
};
_jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>()))
.Returns(Task.FromResult(jwks));
_clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client));
var jwsPayload = new JwsPayload();
// ACT
var jws = await _jwtGenerator.SignAsync(jwsPayload,
JwsAlg.RS256);
// ASSERT
Assert.NotEmpty(jws);
}
public void When_Requesting_UserInformation_For_Some_Valid_Claims_Then_The_JwsPayload_Is_Correct()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string name = "Habart Thierry";
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Name, name),
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Name,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
}
}
},
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Subject,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
},
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
subject
}
}
}
};
var authorizationParameter = new AuthorizationParameter
{
Scope = "profile"
};
ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
_scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
// ACT
var result = _jwtGenerator.GenerateFilteredUserInfoPayload(
claimsParameter,
authorizationParameter, claims);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name));
}
public async Task When_Requesting_IdentityToken_JwsPayload_And_Pass_AuthTime_As_ClaimEssential_Then_TheJwsPayload_Contains_AuthenticationTime()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string nonce = "nonce";
var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
var claims = new List <Claim>
{
new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject),
new Claim(Constants.StandardResourceOwnerClaimNames.Role, "['role1', 'role2']")
};
var authorizationParameter = new AuthorizationParameter
{
Nonce = nonce
};
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = StandardClaimNames.AuthenticationTime,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
}
}
},
new ClaimParameter
{
Name = StandardClaimNames.Audiences,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValuesName,
new [] { FakeOpenIdAssets.GetClients().First().ClientId }
}
}
},
new ClaimParameter
{
Name = StandardClaimNames.Nonce,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
nonce
}
}
},
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Role,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
}
}
}
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT
var result = await _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
claims,
authorizationParameter,
claimsParameter, null, currentDateTimeOffset);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Role));
Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime));
Assert.True(result.ContainsKey(StandardClaimNames.Nonce));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
Assert.True(long.Parse(result[StandardClaimNames.AuthenticationTime].ToString()).Equals(currentDateTimeOffset));
}
public async Task When_Requesting_IdentityToken_JwsPayload_And_PassingANotValidClaimValue_Then_An_Exception_Is_Thrown()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string notValidSubject = "*****@*****.**";
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var authorizationParameter = new AuthorizationParameter();
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = Constants.StandardResourceOwnerClaimNames.Subject,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
},
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
notValidSubject
}
}
}
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT & ASSERTS
var result = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
claims,
authorizationParameter,
claimsParameter, null));
Assert.True(result.Code.Equals(ErrorCodes.InvalidGrant));
Assert.True(result.Message.Equals(string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Subject)));
}
public async Task When_Requesting_Identity_Token_And_ExpirationTime_Is_Not_Correct_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
const string state = "state";
var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
var claims = new List <Claim>
{
new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var authorizationParameter = new AuthorizationParameter
{
State = state
};
var claimsParameter = new List <ClaimParameter>
{
new ClaimParameter
{
Name = StandardClaimNames.ExpirationTime,
Parameters = new Dictionary <string, object>
{
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
true
},
{
SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
12
}
}
}
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT & ASSERT
var exception = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
claims,
authorizationParameter,
claimsParameter, null));
Assert.NotNull(exception);
Assert.True(exception.Code == ErrorCodes.InvalidGrant);
Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, StandardClaimNames.ExpirationTime));
Assert.True(exception.State == state);
}
public async Task When_Requesting_IdentityToken_JwsPayload_With_No_Authorization_Request_Then_MandatoriesClaims_Are_Returned()
{
// ARRANGE
InitializeMockObjects();
const string issuerName = "IssuerName";
const string subject = "*****@*****.**";
var authorizationParameter = new AuthorizationParameter();
var claims = new List <Claim>
{
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT
var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.ContainsKey(StandardClaimNames.Audiences));
Assert.True(result.ContainsKey(StandardClaimNames.ExpirationTime));
Assert.True(result.ContainsKey(StandardClaimNames.Iat));
Assert.True(result.GetClaimValue(Constants.StandardResourceOwnerClaimNames.Subject) == subject);
}
public async Task When_Requesting_IdentityToken_JwsPayload_And_IndicateTheMaxAge_Then_TheJwsPayload_Contains_AuthenticationTime()
{
// ARRANGE
InitializeMockObjects();
const string subject = "*****@*****.**";
var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
var claims = new List <Claim>
{
new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var authorizationParameter = new AuthorizationParameter
{
MaxAge = 2
};
_clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
// ACT
var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null, currentDateTimeOffset);
// ASSERT
Assert.NotNull(result);
Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime));
Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
Assert.NotEmpty(result[StandardClaimNames.AuthenticationTime].ToString());
}
