Example #1
0
        public async Task When_Requesting_IdentityToken_JwsPayload_And_NumberOfAudiencesIsMoreThanOne_Then_Azp_Should_Be_Returned()
        {
            // ARRANGE
            InitializeMockObjects();
            const string issuerName = "IssuerName";
            var          clientId   = FakeOpenIdAssets.GetClients().First().ClientId;
            const string subject    = "*****@*****.**";
            var          claims     = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var authorizationParameter = new AuthorizationParameter
            {
                ClientId = clientId
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT
            var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, issuerName);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.Audiences.Count() > 1);
            Assert.True(result.Azp == clientId);
        }
Example #2
0
        public void When_JwsAlg_Is_RS512_And_AuthorizationCode_And_AccessToken_Are_Not_Empty_Then_OtherClaims_Are_FilledIn()
        {
            // ARRANGE
            InitializeMockObjects();
            var client = FakeOpenIdAssets.GetClients().First();

            client.IdTokenSignedResponseAlg = Constants.JwsAlgNames.RS512;
            var jwsPayload             = new JwsPayload();
            var authorizationParameter = new AuthorizationParameter
            {
                ClientId = client.ClientId
            };

            // ACT & ASSERT
            _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, "authorization_code", "access_token", authorizationParameter, client);
            Assert.True(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
            Assert.True(jwsPayload.ContainsKey(StandardClaimNames.CHash));
        }
Example #3
0
        public void When_JwsAlg_Is_None_And_Trying_To_FillIn_Other_Claims_Then_The_Properties_Are_Not_Filled_In()
        {
            // ARRANGE
            InitializeMockObjects();
            var client = FakeOpenIdAssets.GetClients().First();

            client.IdTokenSignedResponseAlg = "none";
            var jwsPayload             = new JwsPayload();
            var authorizationParameter = new AuthorizationParameter
            {
                ClientId = client.ClientId
            };

            // ACT & ASSERT
            _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, null, null, authorizationParameter, new Client());
            Assert.False(jwsPayload.ContainsKey(StandardClaimNames.AtHash));
            Assert.False(jwsPayload.ContainsKey(StandardClaimNames.CHash));
        }
Example #4
0
        public async Task When_Encrypt_Jws_Then_Jwe_Is_Returned()
        {
            // ARRANGE
            InitializeMockObjects();
            var client = FakeOpenIdAssets.GetClients().First();

            client.IdTokenEncryptedResponseAlg = Constants.JweAlgNames.RSA1_5;
            var serializedRsa = string.Empty;

            using (var provider = new RSACryptoServiceProvider())
            {
                serializedRsa = provider.ToXmlString(true);
            };

            var jsonWebKey = new JsonWebKey
            {
                Alg    = AllAlg.RSA1_5,
                KeyOps = new[]
                {
                    KeyOperations.Encrypt,
                    KeyOperations.Decrypt
                },
                Kid           = "3",
                Kty           = KeyType.RSA,
                Use           = Use.Enc,
                SerializedKey = serializedRsa,
            };
            var jws = "jws";
            ICollection <JsonWebKey> jwks = new List <JsonWebKey> {
                jsonWebKey
            };

            _jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>()))
            .Returns(Task.FromResult(jwks));
            _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client));

            // ACT
            var jwe = await _jwtGenerator.EncryptAsync(jws,
                                                       JweAlg.RSA1_5,
                                                       JweEnc.A128CBC_HS256);

            // ASSERT
            Assert.NotEmpty(jwe);
        }
Example #5
0
        public async Task When_Sign_Payload_Then_Jws_Is_Returned()
        {
            // ARRANGE
            InitializeMockObjects();
            var client = FakeOpenIdAssets.GetClients().First();

            client.IdTokenEncryptedResponseAlg = Constants.JwsAlgNames.RS256;
            var serializedRsa = string.Empty;

            using (var provider = new RSACryptoServiceProvider())
            {
                serializedRsa = provider.ToXmlString(true);
            };
            var jsonWebKey = new JsonWebKey
            {
                Alg    = AllAlg.RS256,
                KeyOps = new[]
                {
                    KeyOperations.Sign,
                    KeyOperations.Verify
                },
                Kid           = "a3rMUgMFv9tPclLa6yF3zAkfquE",
                Kty           = KeyType.RSA,
                Use           = Use.Sig,
                SerializedKey = serializedRsa
            };
            ICollection <JsonWebKey> jwks = new List <JsonWebKey> {
                jsonWebKey
            };

            _jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>()))
            .Returns(Task.FromResult(jwks));
            _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client));
            var jwsPayload = new JwsPayload();

            // ACT
            var jws = await _jwtGenerator.SignAsync(jwsPayload,
                                                    JwsAlg.RS256);

            // ASSERT
            Assert.NotEmpty(jws);
        }
Example #6
0
        public void When_Requesting_UserInformation_For_Some_Valid_Claims_Then_The_JwsPayload_Is_Correct()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            const string name    = "Habart Thierry";
            var          claims  = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Name, name),
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var claimsParameter = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Name,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        }
                    }
                },
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Subject,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        },
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            subject
                        }
                    }
                }
            };

            var authorizationParameter = new AuthorizationParameter
            {
                Scope = "profile"
            };
            ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
            _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
            .Returns(Task.FromResult(scopes));

            // ACT
            var result = _jwtGenerator.GenerateFilteredUserInfoPayload(
                claimsParameter,
                authorizationParameter, claims);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name));
        }
Example #7
0
        public void When_Requesting_UserInformation_But_The_Name_Claim_Value_Is_Not_Correct_Then_Exception_Is_Thrown()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            const string state   = "state";
            var          claims  = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject),
                new Claim(Constants.StandardResourceOwnerClaimNames.Name, "invalid_name")
            };
            var claimsParameter = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Subject,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            subject
                        }
                    }
                },
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Name,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            "name"
                        }
                    }
                }
            };

            var authorizationParameter = new AuthorizationParameter
            {
                Scope = "profile",
                State = state
            };
            ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
            _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
            .Returns(Task.FromResult(scopes));

            // ACT & ASSERT
            var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload(
                                                                                 claimsParameter,
                                                                                 authorizationParameter, claims));

            Assert.NotNull(exception);
            Assert.True(exception.Code == ErrorCodes.InvalidGrant);
            Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Name));
            Assert.True(exception.State == state);
        }
Example #8
0
        public async Task When_Requesting_UserInformation_JwsPayload_For_Scopes_Then_The_JwsPayload_Is_Correct()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            const string name    = "Habart Thierry";
            var          claims  = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Name, name),
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var authorizationParameter = new AuthorizationParameter
            {
                Scope = "profile"
            };
            ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
            _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
            .Returns(Task.FromResult(scopes));

            // ACT
            var result = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(authorizationParameter, claims);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name));
        }
Example #9
0
        public async Task When_Requesting_IdentityToken_JwsPayload_And_Pass_AuthTime_As_ClaimEssential_Then_TheJwsPayload_Contains_AuthenticationTime()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            const string nonce   = "nonce";
            var          currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
            var          claims = new List <Claim>
            {
                new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject),
                new Claim(Constants.StandardResourceOwnerClaimNames.Role, "['role1', 'role2']")
            };
            var authorizationParameter = new AuthorizationParameter
            {
                Nonce = nonce
            };
            var claimsParameter = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = StandardClaimNames.AuthenticationTime,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        }
                    }
                },
                new ClaimParameter
                {
                    Name       = StandardClaimNames.Audiences,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValuesName,
                            new [] { FakeOpenIdAssets.GetClients().First().ClientId }
                        }
                    }
                },
                new ClaimParameter
                {
                    Name       = StandardClaimNames.Nonce,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            nonce
                        }
                    }
                },
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Role,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        }
                    }
                }
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT
            var result = await _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
                claims,
                authorizationParameter,
                claimsParameter, null, currentDateTimeOffset);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Role));
            Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime));
            Assert.True(result.ContainsKey(StandardClaimNames.Nonce));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
            Assert.True(long.Parse(result[StandardClaimNames.AuthenticationTime].ToString()).Equals(currentDateTimeOffset));
        }
Example #10
0
        public async Task When_Requesting_IdentityToken_JwsPayload_And_PassingANotValidClaimValue_Then_An_Exception_Is_Thrown()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject         = "*****@*****.**";
            const string notValidSubject = "*****@*****.**";
            var          claims          = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var authorizationParameter = new AuthorizationParameter();
            var claimsParameter        = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = Constants.StandardResourceOwnerClaimNames.Subject,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        },
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            notValidSubject
                        }
                    }
                }
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT & ASSERTS
            var result = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
                                                                                         claims,
                                                                                         authorizationParameter,
                                                                                         claimsParameter, null));

            Assert.True(result.Code.Equals(ErrorCodes.InvalidGrant));
            Assert.True(result.Message.Equals(string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Subject)));
        }
Example #11
0
        public async Task When_Requesting_Identity_Token_And_ExpirationTime_Is_Not_Correct_Then_Exception_Is_Thrown()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            const string state   = "state";
            var          currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
            var          claims = new List <Claim>
            {
                new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var authorizationParameter = new AuthorizationParameter
            {
                State = state
            };
            var claimsParameter = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = StandardClaimNames.ExpirationTime,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        },
                        {
                            SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName,
                            12
                        }
                    }
                }
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT & ASSERT
            var exception = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync(
                                                                                            claims,
                                                                                            authorizationParameter,
                                                                                            claimsParameter, null));

            Assert.NotNull(exception);
            Assert.True(exception.Code == ErrorCodes.InvalidGrant);
            Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, StandardClaimNames.ExpirationTime));
            Assert.True(exception.State == state);
        }
Example #12
0
        public async Task When_Requesting_IdentityToken_JwsPayload_With_No_Authorization_Request_Then_MandatoriesClaims_Are_Returned()
        {
            // ARRANGE
            InitializeMockObjects();
            const string issuerName             = "IssuerName";
            const string subject                = "*****@*****.**";
            var          authorizationParameter = new AuthorizationParameter();
            var          claims = new List <Claim>
            {
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT
            var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.ContainsKey(StandardClaimNames.Audiences));
            Assert.True(result.ContainsKey(StandardClaimNames.ExpirationTime));
            Assert.True(result.ContainsKey(StandardClaimNames.Iat));
            Assert.True(result.GetClaimValue(Constants.StandardResourceOwnerClaimNames.Subject) == subject);
        }
Example #13
0
        public async Task When_Requesting_IdentityToken_JwsPayload_And_IndicateTheMaxAge_Then_TheJwsPayload_Contains_AuthenticationTime()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "*****@*****.**";
            var          currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp();
            var          claims = new List <Claim>
            {
                new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()),
                new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var authorizationParameter = new AuthorizationParameter
            {
                MaxAge = 2
            };

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));

            // ACT
            var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null, currentDateTimeOffset);

            // ASSERT
            Assert.NotNull(result);
            Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime));
            Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject));
            Assert.NotEmpty(result[StandardClaimNames.AuthenticationTime].ToString());
        }
Example #14
0
        public void When_Requesting_UserInformation_But_The_Essential_Claim_Subject_Is_Empty_Then_Exception_Is_Thrown()
        {
            // ARRANGE
            InitializeMockObjects();
            const string subject = "";
            const string state   = "state";
            var          claims  = new List <Claim>
            {
                new Claim(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject)
            };
            var claimIdentity   = new ClaimsIdentity(claims, "fake");
            var claimsPrincipal = new ClaimsPrincipal(claimIdentity);
            var claimsParameter = new List <ClaimParameter>
            {
                new ClaimParameter
                {
                    Name       = Jwt.Constants.StandardResourceOwnerClaimNames.Subject,
                    Parameters = new Dictionary <string, object>
                    {
                        {
                            Constants.StandardClaimParameterValueNames.EssentialName,
                            true
                        }
                    }
                }
            };

            var authorizationParameter = new AuthorizationParameter
            {
                Scope = "profile",
                State = state
            };
            ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList();

            _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients()));
            _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
            .Returns(Task.FromResult(scopes));

            // ACT & ASSERT
            var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload(
                                                                                 claimsParameter,
                                                                                 claimsPrincipal,
                                                                                 authorizationParameter));

            Assert.NotNull(exception);
            Assert.True(exception.Code == ErrorCodes.InvalidGrant);
            Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Jwt.Constants.StandardResourceOwnerClaimNames.Subject));
            Assert.True(exception.State == state);
        }