public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext()
{
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer
}
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
Assert.Equal(OpenIdConnectScope.OpenIdProfile, context.ProtocolMessage.Scope);
Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType);
Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true);
Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
}
private void AddProtectedWebApiCallsProtectedWebApi_TestCommon(IServiceCollection services, ServiceProvider provider)
{
// Correct services added
Assert.Contains(services, s => s.ServiceType == typeof(IHttpContextAccessor));
Assert.Contains(services, s => s.ServiceType == typeof(ITokenAcquisition));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <ConfidentialClientApplicationOptions>));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <MicrosoftIdentityOptions>));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <JwtBearerOptions>));
// JWT options added correctly
var configuredJwtOptions = provider.GetService <IConfigureOptions <JwtBearerOptions> >() as ConfigureNamedOptions <JwtBearerOptions>;
Assert.Equal(_jwtBearerScheme, configuredJwtOptions.Name);
// Token validated event added correctly
var jwtOptions = provider.GetRequiredService <IOptionsFactory <JwtBearerOptions> >().Create(_jwtBearerScheme);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authScheme = new AuthenticationScheme(JwtBearerDefaults.AuthenticationScheme, JwtBearerDefaults.AuthenticationScheme, typeof(JwtBearerHandler));
var tokenValidatedContext = new TokenValidatedContext(httpContext, authScheme, jwtOptions)
{
SecurityToken = new JwtSecurityToken()
};
jwtOptions.Events.TokenValidated(tokenValidatedContext);
Assert.NotNull(httpContext.GetTokenUsedToCallWebAPI());
}
private async void AddMicrosoftWebApi_TestJwtBearerTokenValidatedEvent(JwtBearerOptions jwtOptions, Func <TokenValidatedContext, Task> tokenValidatedFunc)
{
var scopeTypes = new[] { ClaimConstants.Scope, ClaimConstants.Scp, ClaimConstants.Roles, ClaimConstants.Role };
var expectedExceptionMessage = IDWebErrorMessage.NeitherScopeOrRolesClaimFoundInToken;
var scopeValue = "scope";
var httpContext = HttpContextUtilities.CreateHttpContext();
var authScheme = new AuthenticationScheme(JwtBearerDefaults.AuthenticationScheme, JwtBearerDefaults.AuthenticationScheme, typeof(JwtBearerHandler));
var tokenValidatedContext = new TokenValidatedContext(httpContext, authScheme, jwtOptions);
tokenValidatedContext.Principal = new ClaimsPrincipal();
// No scopes throws exception
var exception = await Assert.ThrowsAsync <UnauthorizedAccessException>(async() => { await jwtOptions.Events.TokenValidated(tokenValidatedContext).ConfigureAwait(false); }).ConfigureAwait(false);
Assert.Equal(expectedExceptionMessage, exception.Message);
// At least one scope executes successfully
foreach (var scopeType in scopeTypes)
{
tokenValidatedContext.Principal = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(scopeType, scopeValue),
}));
await jwtOptions.Events.TokenValidated(tokenValidatedContext).ConfigureAwait(false);
}
await tokenValidatedFunc.Received(4).Invoke(Arg.Any <TokenValidatedContext>()).ConfigureAwait(false);
}
private async Task AddMicrosoftWebApiCallsWebApi_TestCommon(IServiceCollection services, ServiceProvider provider, Func <TokenValidatedContext, Task> tokenValidatedFuncMock)
{
// Assert correct services added
Assert.Contains(services, s => s.ServiceType == typeof(IHttpContextAccessor));
Assert.Contains(services, s => s.ServiceType == typeof(ITokenAcquisition));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <ConfidentialClientApplicationOptions>));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <MicrosoftIdentityOptions>));
Assert.Contains(services, s => s.ServiceType == typeof(IConfigureOptions <JwtBearerOptions>));
// Assert token validated event added correctly
var jwtOptions = provider.GetRequiredService <IOptionsFactory <JwtBearerOptions> >().Create(JwtBearerScheme);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authScheme = new AuthenticationScheme(JwtBearerDefaults.AuthenticationScheme, JwtBearerDefaults.AuthenticationScheme, typeof(JwtBearerHandler));
var tokenValidatedContext = new TokenValidatedContext(httpContext, authScheme, jwtOptions)
{
SecurityToken = new JwtSecurityToken(),
Principal = new ClaimsPrincipal(),
};
await jwtOptions.Events.TokenValidated(tokenValidatedContext).ConfigureAwait(false);
// Assert events called
await tokenValidatedFuncMock.ReceivedWithAnyArgs().Invoke(Arg.Any <TokenValidatedContext>()).ConfigureAwait(false);
Assert.NotNull(httpContext.GetTokenUsedToCallWebAPI());
}
public void VerifyUserHasAnyAcceptedScope_RequiredScopesEmptyString_Throws()
{
RequiredScopeFilter requiredScopeFilter = new RequiredScopeFilter(new string[] { });
var httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, new string[] { });
Assert.Throws <ArgumentNullException>(() => requiredScopeFilter.OnAuthorization(CreateRequiredContext(httpContext)));
}
public async Task OnRedirectToIdentityProvider_DefaultUserFlow_DoesntUpdateContext()
{
var errorAccessor = Substitute.For <ILoginErrorAccessor>();
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, DefaultUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer
}
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>());
Assert.Null(context.ProtocolMessage.Scope);
Assert.Null(context.ProtocolMessage.ResponseType);
Assert.Equal(_defaultIssuer, context.ProtocolMessage.IssuerAddress);
Assert.True(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
}
public CookiePolicyOptionsExtensionsTests()
{
_cookiePolicyOptions = new CookiePolicyOptions()
{
MinimumSameSitePolicy = SameSiteMode.Strict
};
_httpContext = HttpContextUtilities.CreateHttpContext();
}
public void StoreTokenUsedToCallWebAPI()
{
var httpContext = HttpContextUtilities.CreateHttpContext();
var token = new JwtSecurityToken();
httpContext.StoreTokenUsedToCallWebAPI(token);
Assert.Same(token, httpContext.Items[WebApiTokenKeyName]);
}
/// <summary>
/// Create a session object for specific user account
/// </summary>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns></returns>
internal static BaseSessionObject GetSessionObject(string username, string password)
{
BaseSessionObject sessionObject = CreateSessionObject();
sessionObject.Init(username, password);
var context = HttpContextUtilities.GetHttpContext();
SaveSessionObjectToHttpContext(sessionObject, context);
return(sessionObject);
}
public SessionDataLoadingResult Load()
{
var context = HttpContextUtilities.GetHttpContext();
if (context != null)
{
return(LoadSessionObjectDataFromCookie(context));
}
return(LoadSessionObjectDataFromAssemblyIsolatedStorage());
}
public void VerifyUserHasAnyAcceptedScope_NullParameters_ThrowsException()
{
HttpContext httpContext = null;
Assert.Throws <ArgumentNullException>(() => httpContext.VerifyUserHasAnyAcceptedScope(string.Empty));
httpContext = HttpContextUtilities.CreateHttpContext();
Assert.Throws <ArgumentNullException>("acceptedScopes", () => httpContext.VerifyUserHasAnyAcceptedScope(null));
}
public void VerifyUserHasAnyAcceptedScope_WithNoUserContext_Throws()
{
string[] expectedScopes = new string[] { ScopeOne };
RequiredScopeFilter requiredScopeFilter = new RequiredScopeFilter(expectedScopes);
var httpContext = HttpContextUtilities.CreateHttpContext();
var exc = Assert.Throws <UnauthorizedAccessException>(() => requiredScopeFilter.OnAuthorization(CreateRequiredContext(httpContext)));
Assert.Equal(IDWebErrorMessage.UnauthenticatedUser, exc.Message);
}
/// <summary>
///
/// </summary>
/// <param name="user"></param>
/// <returns></returns>
internal static BaseSessionObject GetSessionObject(User user)
{
BaseSessionObject sessionObject = CreateSessionObject();
sessionObject.Init(user);
var context = HttpContextUtilities.GetHttpContext();
SaveSessionObjectToHttpContext(sessionObject, context);
return(sessionObject);
}
public void VerifyAppHasAnyAcceptedRoles_NoClaims_ThrowsException()
{
var acceptedRoles = new[] { "access_as_application", "access_as_application_for_write" };
var expectedStatusCode = (int)HttpStatusCode.Unauthorized;
var httpContext = HttpContextUtilities.CreateHttpContext();
Assert.Throws <UnauthorizedAccessException>(() => httpContext.ValidateAppRole(acceptedRoles));
Assert.Equal(expectedStatusCode, httpContext.Response.StatusCode);
}
public void VerifyUserHasAnyAcceptedScope()
{
string[] expectedScopes = new string[] { ScopeOne };
RequiredScopeFilter requiredScopeFilter = new RequiredScopeFilter(expectedScopes);
var httpContext = HttpContextUtilities.CreateHttpContext(expectedScopes, new string[] { });
requiredScopeFilter.OnAuthorization(CreateRequiredContext(httpContext));
Assert.Equal(expectedScopes, requiredScopeFilter._acceptedScopes);
Assert.Equal(expectedScopes, requiredScopeFilter._effectiveAcceptedScopes);
}
public void Remove()
{
var context = HttpContextUtilities.GetHttpContext();
if (context != null)
{
RemoveSessionObjectDataFromCookie(context);
return;
}
RemoveSessionObjectDataFromAssemblyIsolatedStorage();
}
public void VerifyUserHasAnyAcceptedScope_NoClaims_ThrowsException()
{
var acceptedScopes = new[] { "acceptedScope1", "acceptedScope2" };
var expectedStatusCode = (int)HttpStatusCode.Unauthorized;
var httpContext = HttpContextUtilities.CreateHttpContext();
Assert.Throws <UnauthorizedAccessException>(() => httpContext.VerifyUserHasAnyAcceptedScope(acceptedScopes));
Assert.Equal(expectedStatusCode, httpContext.Response.StatusCode);
}
private (HttpContext, AuthenticationScheme, AuthenticationProperties) CreateContextParameters(IServiceProvider provider)
{
var httpContext = HttpContextUtilities.CreateHttpContext();
httpContext.RequestServices = provider;
var authScheme = new AuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme, typeof(OpenIdConnectHandler));
var authProperties = new AuthenticationProperties();
return(httpContext, authScheme, authProperties);
}
public void GetTokenUsedToCallWebAPI()
{
var httpContext = HttpContextUtilities.CreateHttpContext();
var token = new JwtSecurityToken();
Assert.Null(httpContext.GetTokenUsedToCallWebAPI());
httpContext.StoreTokenUsedToCallWebAPI(token);
Assert.Same(token, httpContext.GetTokenUsedToCallWebAPI());
}
public void Save(SessionData data)
{
var context = HttpContextUtilities.GetHttpContext();
if (context != null)
{
SaveSessionObjectDataToCookie(data, context);
return;
}
SaveSessionObjectDataToAssemblyIsolatedStorage(data);
}
public void VerifyUserHasAnyAcceptedScope_NoAcceptedScopes_ThrowsException()
{
var acceptedScopes = new[] { "acceptedScope1", "acceptedScope2" };
var actualScopes = new[] { "acceptedScope3", "acceptedScope4" };
var expectedErrorMessage = string.Format(CultureInfo.InvariantCulture, IDWebErrorMessage.MissingScopes, string.Join(",", acceptedScopes));
var expectedStatusCode = (int)HttpStatusCode.Forbidden;
var httpContext = HttpContextUtilities.CreateHttpContext(actualScopes, new string[] { });
Assert.Throws <UnauthorizedAccessException>(() => httpContext.VerifyUserHasAnyAcceptedScope(acceptedScopes));
Assert.Equal(expectedStatusCode, httpContext.Response.StatusCode);
}
public void VerifyAppHasAnyAcceptedRole_NoAcceptedRoles_ThrowsException()
{
var acceptedRoles = new[] { "access_as_application", "access_as_application_for_write" };
var actualRoles = new[] { "access_as_application_for_read_all_directory", "access_as_application_for_read" };
var expectedErrorMessage = string.Format(CultureInfo.InvariantCulture, IDWebErrorMessage.MissingRoles, string.Join(", ", acceptedRoles));
var expectedStatusCode = (int)HttpStatusCode.Forbidden;
var httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, actualRoles);
Assert.Throws <UnauthorizedAccessException>(() => httpContext.ValidateAppRole(acceptedRoles));
Assert.Equal(expectedStatusCode, httpContext.Response.StatusCode);
}
public void VerifyUserHasAnyAcceptedScope_NoClaims_ThrowsException()
{
var acceptedScopes = new[] { "acceptedScope1", "acceptedScope2" };
var expectedErrorMessage = $"The 'scope' claim does not contain scopes '{string.Join(",", acceptedScopes)}' or was not found";
var expectedStatusCode = (int)HttpStatusCode.Unauthorized;
var httpContext = HttpContextUtilities.CreateHttpContext();
var exception = Assert.Throws <HttpRequestException>(() => httpContext.VerifyUserHasAnyAcceptedScope(acceptedScopes));
Assert.Equal(expectedStatusCode, httpContext.Response.StatusCode);
Assert.Equal(expectedErrorMessage, exception.Message);
}
public JwtBearerMiddlewareDiagnosticsTests()
{
_customEventWasRaised = false;
_httpContext = HttpContextUtilities.CreateHttpContext();
_logger = Substitute.For <ILogger <JwtBearerMiddlewareDiagnostics> >();
_jwtDiagnostics = new JwtBearerMiddlewareDiagnostics(new LoggerMock <JwtBearerMiddlewareDiagnostics>(_logger));
_jwtOptions = new JwtBearerOptions();
_jwtEvents = new JwtBearerEvents();
_authScheme = new AuthenticationScheme(JwtBearerDefaults.AuthenticationScheme, JwtBearerDefaults.AuthenticationScheme, typeof(JwtBearerHandler));
_eventHandler = (context) => {
_customEventWasRaised = true;
return(Task.CompletedTask);
};
}
public void VerifyUserHasAnyAcceptedScope_WithMismatchScope_Throws()
{
string[] expectedScopes = new string[] { ScopeOne };
RequiredScopeFilter requiredScopeFilter = new RequiredScopeFilter(expectedScopes);
var httpContext = HttpContextUtilities.CreateHttpContext(new string[] { ScopeTwo }, new string[] { });
string message = string.Format(
CultureInfo.InvariantCulture,
IDWebErrorMessage.MissingScopes,
string.Join(",", expectedScopes));
var exc = Assert.Throws <UnauthorizedAccessException>(() => requiredScopeFilter.OnAuthorization(CreateRequiredContext(httpContext)));
Assert.Equal(message, exc.Message);
}
private (HttpContext, AuthenticationScheme, AuthenticationProperties) CreateContextParameters(IServiceProvider provider)
{
var httpContext = HttpContextUtilities.CreateHttpContext();
httpContext.RequestServices = provider;
httpContext.Request.Form = new FormCollection(
new Dictionary <string, StringValues>()
{
{ ClaimConstants.ClientInfo, Base64UrlHelpers.Encode($"{{\"uid\":\"{TestConstants.Uid}\",\"utid\":\"{TestConstants.Utid}\"}}") }
});
var authScheme = new AuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme, typeof(OpenIdConnectHandler));
var authProperties = new AuthenticationProperties();
return(httpContext, authScheme, authProperties);
}
public OpenIdConnectMiddlewareDiagnosticsTests()
{
_customEventWasRaised = false;
_httpContext = HttpContextUtilities.CreateHttpContext();
_logger = Substitute.For <ILogger <OpenIdConnectMiddlewareDiagnostics> >();
_openIdDiagnostics = new OpenIdConnectMiddlewareDiagnostics(new LoggerMock <OpenIdConnectMiddlewareDiagnostics>(_logger));
_openIdOptions = new OpenIdConnectOptions();
_openIdEvents = new OpenIdConnectEvents();
_authProperties = new AuthenticationProperties();
_authScheme = new AuthenticationScheme(OpenIdConnectDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme, typeof(OpenIdConnectHandler));
_eventHandler = (context) => {
_customEventWasRaised = true;
return(Task.CompletedTask);
};
}
public void VerifyUserHasAnyAcceptedScope_MatchesAcceptedScopes_ExecutesSuccessfully()
{
var httpContext = HttpContextUtilities.CreateHttpContext(new[] { "acceptedScope1" });
httpContext.VerifyUserHasAnyAcceptedScope("acceptedScope1");
httpContext = HttpContextUtilities.CreateHttpContext(new[] { "acceptedScope1 acceptedScope2" });
httpContext.VerifyUserHasAnyAcceptedScope("acceptedScope2");
httpContext = HttpContextUtilities.CreateHttpContext(new[] { "acceptedScope2" });
httpContext.VerifyUserHasAnyAcceptedScope("acceptedScope1", "acceptedScope2");
httpContext = HttpContextUtilities.CreateHttpContext(new[] { "acceptedScope2 acceptedScope1" });
httpContext.VerifyUserHasAnyAcceptedScope("acceptedScope1", "acceptedScope2");
}
public void VerifyAppHasAnyAcceptedRole_MatchesAcceptedRoles_ExecutesSuccessfully()
{
var httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, new[] { "acceptedRole1" });
httpContext.ValidateAppRole("acceptedRole1");
httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, new[] { "acceptedRole1 acceptedRole2" });
httpContext.ValidateAppRole("acceptedRole2");
httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, new[] { "acceptedRole2" });
httpContext.ValidateAppRole("acceptedRole1", "acceptedRole2");
httpContext = HttpContextUtilities.CreateHttpContext(new string[] { }, new[] { "acceptedRole2 acceptedRole1" });
httpContext.ValidateAppRole("acceptedRole1", "acceptedRole2");
}
public async Task OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials)
{
var errorAccessor = Substitute.For <ILoginErrorAccessor>();
var options = new MicrosoftIdentityOptions()
{
SignUpSignInPolicyId = DefaultUserFlow
};
if (hasClientCredentials)
{
options.ClientSecret = TestConstants.ClientSecret;
}
var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor);
var httpContext = HttpContextUtilities.CreateHttpContext();
var authProperties = new AuthenticationProperties();
authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow);
var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties)
{
ProtocolMessage = new OpenIdConnectMessage()
{
IssuerAddress = _defaultIssuer,
Scope = TestConstants.Scopes,
},
};
await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false);
errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>());
Assert.Equal(TestConstants.Scopes, context.ProtocolMessage.Scope);
Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true);
Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey));
if (hasClientCredentials)
{
Assert.Equal(OpenIdConnectResponseType.CodeIdToken, context.ProtocolMessage.ResponseType);
}
else
{
Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType);
}
}
