public async Task When_Client_Cannot_Be_Authenticated_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null)) .Returns(() => Task.FromResult(new AuthenticationResult(null, "error"))); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(() => Task.FromResult((Core.Common.Models.Client)null)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null, null, null)); _oauthEventSource.Verify(s => s.Info("error")); Assert.True(exception.Code == ErrorCodes.InvalidClient); Assert.True(exception.Message == "error"); }
public async Task <GrantedToken> GetTokenByResourceOwnerCredentialsGrantType( ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate = null) { if (resourceOwnerGrantTypeParameter == null) { throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter)); } var processId = Guid.NewGuid().ToString(); try { _eventPublisher.Publish(new GrantTokenViaResourceOwnerCredentialsReceived(Guid.NewGuid().ToString(), processId, _payloadSerializer.GetPayload(resourceOwnerGrantTypeParameter, authenticationHeaderValue), authenticationHeaderValue, 0)); _simpleIdentityServerEventSource.StartGetTokenByResourceOwnerCredentials(resourceOwnerGrantTypeParameter.ClientId, resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password); _resourceOwnerGrantTypeParameterValidator.Validate(resourceOwnerGrantTypeParameter); var result = await _getTokenByResourceOwnerCredentialsGrantType.Execute(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate); var accessToken = result != null ? result.AccessToken : string.Empty; var identityToken = result != null ? result.IdToken : string.Empty; _simpleIdentityServerEventSource.EndGetTokenByResourceOwnerCredentials(accessToken, identityToken); _eventPublisher.Publish(new TokenGranted(Guid.NewGuid().ToString(), processId, _payloadSerializer.GetPayload(result), 1)); return(result); } catch (IdentityServerException ex) { _eventPublisher.Publish(new OpenIdErrorReceived(Guid.NewGuid().ToString(), processId, ex.Code, ex.Message, 1)); throw; } }
public async Task When_AnonymousClient_Doesnt_Exist_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>())) .Returns(() => Task.FromResult(new AuthenticationResult(null, null))); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(() => Task.FromResult((Client)null)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null)); _simpleIdentityServerEventSourceFake.Verify(s => s.Info(ErrorDescriptions.TheClientCannotBeAuthenticated)); Assert.True(exception.Code == ErrorCodes.InternalError); Assert.True(exception.Message == string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId)); }
public GrantTokenViaResourceOwnerCredentialsReceived(string id, string processId, ResourceOwnerGrantTypeParameter parameter, AuthenticationHeaderValue authHeader, int order) { Id = id; ProcessId = processId; Parameter = parameter; Order = order; }
public async Task When_Requesting_Token_Via_Resource_Owner_Credentials_Grant_Type_Then_Events_Are_Logged() { // ARRANGE InitializeFakeObjects(); const string clientId = "clientId"; const string userName = "******"; const string password = "******"; const string accessToken = "accessToken"; const string identityToken = "identityToken"; var parameter = new ResourceOwnerGrantTypeParameter { ClientId = clientId, UserName = userName, Password = password }; var grantedToken = new GrantedToken { AccessToken = accessToken, IdToken = identityToken }; _getTokenByResourceOwnerCredentialsGrantTypeActionFake.Setup( g => g.Execute(It.IsAny <ResourceOwnerGrantTypeParameter>(), It.IsAny <AuthenticationHeaderValue>(), It.IsAny <X509Certificate2>())) .Returns(Task.FromResult(grantedToken)); // ACT await _tokenActions.GetTokenByResourceOwnerCredentialsGrantType(parameter, null); // ASSERTS _simpleIdentityServerEventSourceFake.Verify(s => s.StartGetTokenByResourceOwnerCredentials(clientId, userName, password)); _simpleIdentityServerEventSourceFake.Verify(s => s.EndGetTokenByResourceOwnerCredentials(accessToken, identityToken)); }
public async Task When_Client_Cannot_Be_Authenticated_Then_Error_Is_Returned() { InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientId}:{clientSecret}".Base64Encode()); var result = await _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute( resourceOwnerGrantTypeParameter, authenticationHeader, null, null, CancellationToken.None) .ConfigureAwait(false) as Option <GrantedToken> .Error; Assert.Equal(ErrorCodes.InvalidClient, result.Details.Title); Assert.Equal(string.Format(SharedStrings.TheClientDoesntExist), result.Details.Detail); }
public async Task When_The_Resource_Owner_Is_Not_Valid_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; var client = new AuthenticationResult(new Models.Client(), null); _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>())) .Returns(() => Task.FromResult(client)); _resourceOwnerValidatorFake.Setup( r => r.AuthenticateResourceOwnerAsync(It.IsAny <string>(), It.IsAny <string>())) .Returns(() => Task.FromResult((ResourceOwner)null)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null)); Assert.True(exception.Code == ErrorCodes.InvalidGrant); Assert.True(exception.Message == ErrorDescriptions.ResourceOwnerCredentialsAreNotValid); }
public async Task When_Passing_A_Not_Allowed_Scopes_Then_Exception_Is_Throw() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; const string invalidScope = "invalidScope"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret, Scope = invalidScope }; var client = new AuthenticationResult(new Models.Client(), null); var resourceOwner = new ResourceOwner(); _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>())) .Returns(() => Task.FromResult(client)); _resourceOwnerValidatorFake.Setup( r => r.AuthenticateResourceOwnerAsync(It.IsAny <string>(), It.IsAny <string>())) .Returns(() => Task.FromResult(resourceOwner)); _scopeValidatorFake.Setup(s => s.Check(It.IsAny <string>(), It.IsAny <Models.Client>())) .Returns(() => new ScopeValidationResult(false)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null)); Assert.True(exception.Code == ErrorCodes.InvalidScope); }
public async Task When_Passing_A_Not_Allowed_Scopes_Then_Error_Is_Returned() { const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; const string invalidScope = "invalidScope"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret, Scope = invalidScope }; var client = new Client { ClientId = "id", Secrets = new[] { new ClientSecret { Type = ClientSecretTypes.SharedSecret, Value = clientSecret } }, GrantTypes = new[] { GrantTypes.Password }, ResponseTypes = new[] { ResponseTypeNames.IdToken, ResponseTypeNames.Token } }; var resourceOwner = new ResourceOwner(); var authenticateService = new Mock <IAuthenticateResourceOwnerService>(); authenticateService .Setup( x => x.AuthenticateResourceOwner( It.IsAny <string>(), It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(resourceOwner); authenticateService.Setup(x => x.Amr).Returns("pwd"); InitializeFakeObjects(authenticateService.Object); _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client); var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientId}:{clientSecret}".Base64Encode()); var result = await _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute( resourceOwnerGrantTypeParameter, authenticationHeader, null, null, CancellationToken.None) .ConfigureAwait(false) as Option <GrantedToken> .Error; Assert.Equal(ErrorCodes.InvalidScope, result.Details.Title); }
private AuthenticateInstruction CreateAuthenticateInstruction( ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate) { var result = _authenticateInstructionGenerator.GetAuthenticateInstruction(authenticationHeaderValue); result.ClientAssertion = resourceOwnerGrantTypeParameter.ClientAssertion; result.ClientAssertionType = resourceOwnerGrantTypeParameter.ClientAssertionType; result.ClientIdFromHttpRequestBody = resourceOwnerGrantTypeParameter.ClientId; result.ClientSecretFromHttpRequestBody = resourceOwnerGrantTypeParameter.ClientSecret; result.Certificate = certificate; return(result); }
public void Validate(ResourceOwnerGrantTypeParameter parameter) { if (string.IsNullOrWhiteSpace(parameter.UserName)) { throw new IdentityServerException( ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.MissingParameter, Constants.StandardTokenRequestParameterNames.UserName)); } if (string.IsNullOrWhiteSpace(parameter.Password)) { throw new IdentityServerException( ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.MissingParameter, Constants.StandardTokenRequestParameterNames.PasswordName)); } }
public void When_Passing_Empty_UserName_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObject(); var parameter = new ResourceOwnerGrantTypeParameter { ClientId = "clientId", UserName = null }; // ACT & ASSERT var exception = Assert.Throws <IdentityServerException>(() => _resourceOwnerGrantTypeParameterValidator.Validate(parameter)); Assert.True(exception.Code == ErrorCodes.InvalidRequestCode); Assert.True(exception.Message == string.Format(ErrorDescriptions.MissingParameter, Constants.StandardTokenRequestParameterNames.UserName)); }
public async Task <Option <GrantedToken> > GetTokenByResourceOwnerCredentialsGrantType( ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue?authenticationHeaderValue, X509Certificate2?certificate, string issuerName, CancellationToken cancellationToken) { if (string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.UserName)) { return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidRequest, Detail = string.Format(Strings.MissingParameter, StandardTokenRequestParameterNames.UserName) }); } if (string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Password)) { return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidRequest, Detail = string.Format( Strings.MissingParameter, StandardTokenRequestParameterNames.PasswordName) }); } if (string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope)) { return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidRequest, Detail = string.Format(Strings.MissingParameter, StandardTokenRequestParameterNames.ScopeName) }); } return(await _getTokenByResourceOwnerCredentialsGrantType.Execute( resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate, issuerName, cancellationToken).ConfigureAwait(false)); }
public async Task When_Client_GrantType_Is_Not_Valid_Then_Error_Is_Returned() { InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; var client = new Client { ClientId = clientId, Secrets = new[] { new ClientSecret { Type = ClientSecretTypes.SharedSecret, Value = clientSecret } }, GrantTypes = new[] { GrantTypes.AuthorizationCode } }; _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client); var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientId}:{clientSecret}".Base64Encode()); var result = await _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute( resourceOwnerGrantTypeParameter, authenticationHeader, null, null, CancellationToken.None) .ConfigureAwait(false) as Option <GrantedToken> .Error; Assert.Equal(ErrorCodes.InvalidGrant, result.Details.Title); Assert.Equal( string.Format(Strings.TheClientDoesntSupportTheGrantType, clientId, GrantTypes.Password), result.Details.Detail); }
public string GetPayload(ResourceOwnerGrantTypeParameter parameter, AuthenticationHeaderValue authenticationHeaderValue) { if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } var clientId = GetClientId(authenticationHeaderValue); if (string.IsNullOrWhiteSpace(clientId)) { clientId = parameter.ClientId; } var result = new Payload { ClientId = clientId, Authorization = BuildAuthHeader(authenticationHeaderValue), Content = parameter }; return(JsonConvert.SerializeObject(result)); }
public async Task <Option <GrantedToken> > Execute( ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue?authenticationHeaderValue, X509Certificate2?certificate, string issuerName, CancellationToken cancellationToken) { // 1. Try to authenticate the client var instruction = authenticationHeaderValue.GetAuthenticateInstruction( resourceOwnerGrantTypeParameter, certificate); var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken) .ConfigureAwait(false); var client = authResult.Client; if (client == null) { return(new ErrorDetails { Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidClient, Detail = authResult.ErrorMessage ! });
public async Task When_Client_GrantType_Is_Not_Valid_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null)) .Returns(() => Task.FromResult(new AuthenticationResult(new Core.Common.Models.Client { ClientId = "id", GrantTypes = new List <GrantType> { GrantType.authorization_code } }, null))); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(() => Task.FromResult((Core.Common.Models.Client)null)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null, null, null)); Assert.True(exception.Code == ErrorCodes.InvalidClient); Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, "id", GrantType.password)); }
public async Task When_Requesting_An_AccessToken_For_An_Authenticated_User_Then_AccessToken_Is_Granted() { // ARRANGE InitializeFakeObjects(); const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; const string invalidScope = "invalidScope"; const string accessToken = "accessToken"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret, Scope = invalidScope }; var client = new AuthenticationResult(new Core.Common.Models.Client { ClientId = clientId, GrantTypes = new List <GrantType> { GrantType.password }, ResponseTypes = new List <ResponseType> { ResponseType.id_token, ResponseType.token } }, null); var resourceOwner = new ResourceOwner(); var userInformationJwsPayload = new JwsPayload(); var grantedToken = new GrantedToken { AccessToken = accessToken, IdTokenPayLoad = new JwsPayload() }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientFake.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null)) .Returns(() => Task.FromResult(client)); _resourceOwnerAuthenticateHelperFake.Setup( r => r.Authenticate(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <IEnumerable <string> >())) .Returns(() => Task.FromResult(resourceOwner)); _scopeValidatorFake.Setup(s => s.Check(It.IsAny <string>(), It.IsAny <Core.Common.Models.Client>())) .Returns(() => new ScopeValidationResult(true) { Scopes = new List <string> { invalidScope } }); _jwtGeneratorFake.Setup( j => j.GenerateIdTokenPayloadForScopesAsync(It.IsAny <ClaimsPrincipal>(), It.IsAny <AuthorizationParameter>(), It.IsAny <string>())) .Returns(() => Task.FromResult(userInformationJwsPayload)); _grantedTokenHelperStub.Setup(g => g.GetValidGrantedTokenAsync(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <JwsPayload>(), It.IsAny <JwsPayload>())) .Returns(Task.FromResult((GrantedToken)null)); _grantedTokenGeneratorHelperFake.Setup(g => g.GenerateTokenAsync(It.IsAny <Core.Common.Models.Client>(), It.IsAny <string>(), It.IsAny <string>(), It.IsAny <JwsPayload>(), It.IsAny <JwsPayload>())) .Returns(Task.FromResult(grantedToken)); // ACT await _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute(resourceOwnerGrantTypeParameter, null, null, null); // ASSERT _tokenStoreStub.Verify(g => g.AddToken(grantedToken)); _oauthEventSource.Verify(s => s.GrantAccessToClient(clientId, accessToken, invalidScope)); _clientHelperStub.Verify(c => c.GenerateIdTokenAsync(It.IsAny <Core.Common.Models.Client>(), It.IsAny <JwsPayload>())); }
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName) { if (resourceOwnerGrantTypeParameter == null) { throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter)); } // 1. Try to authenticate the client var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate); var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName); var client = authResult.Client; if (authResult.Client == null) { _oauthEventSource.Info(authResult.ErrorMessage); throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage); } // 2. Check the client. if (client.GrantTypes == null || !client.GrantTypes.Contains(GrantType.password)) { throw new IdentityServerException(ErrorCodes.InvalidClient, string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType, client.ClientId, GrantType.password)); } if (client.ResponseTypes == null || !client.ResponseTypes.Contains(ResponseType.token) || !client.ResponseTypes.Contains(ResponseType.id_token)) { throw new IdentityServerException(ErrorCodes.InvalidClient, string.Format(ErrorDescriptions.TheClientDoesntSupportTheResponseType, client.ClientId, "token id_token")); } // 3. Try to authenticate a resource owner var resourceOwner = await _resourceOwnerAuthenticateHelper.Authenticate(resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password, resourceOwnerGrantTypeParameter.AmrValues); if (resourceOwner == null) { throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid); } // 4. Check if the requested scopes are valid var allowedTokenScopes = string.Empty; if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope)) { var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client); if (!scopeValidation.IsValid) { throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage); } allowedTokenScopes = string.Join(" ", scopeValidation.Scopes); } // 5. Generate the user information payload and store it. var claims = resourceOwner.Claims; var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer"); var claimsPrincipal = new ClaimsPrincipal(claimsIdentity); var authorizationParameter = new AuthorizationParameter { Scope = resourceOwnerGrantTypeParameter.Scope }; var payload = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claimsPrincipal, authorizationParameter, issuerName); var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload); if (generatedToken == null) { generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes, issuerName, payload, payload); if (generatedToken.IdTokenPayLoad != null) { await _jwtGenerator.UpdatePayloadDate(generatedToken.IdTokenPayLoad); generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad); } await _tokenStore.AddToken(generatedToken); _oauthEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes); } return(generatedToken); }
public async Task When_Requesting_An_AccessToken_For_An_Authenticated_User_Then_AccessToken_Is_Granted() { const string clientAssertion = "clientAssertion"; const string clientAssertionType = "clientAssertionType"; const string clientId = "clientId"; const string clientSecret = "clientSecret"; const string invalidScope = "invalidScope"; //const string accessToken = "accessToken"; var resourceOwnerGrantTypeParameter = new ResourceOwnerGrantTypeParameter { ClientAssertion = clientAssertion, ClientAssertionType = clientAssertionType, ClientId = clientId, ClientSecret = clientSecret, Scope = invalidScope }; var client = new Client { AllowedScopes = new[] { invalidScope }, ClientId = clientId, Secrets = new[] { new ClientSecret { Type = ClientSecretTypes.SharedSecret, Value = clientSecret } }, JsonWebKeys = TestKeys.SecretKey.CreateJwk(JsonWebKeyUseNames.Sig, KeyOperations.Sign, KeyOperations.Verify) .ToSet(), IdTokenSignedResponseAlg = SecurityAlgorithms.HmacSha256, GrantTypes = new[] { GrantTypes.Password }, ResponseTypes = new[] { ResponseTypeNames.IdToken, ResponseTypeNames.Token } }; var resourceOwner = new ResourceOwner { Subject = "tester" }; var authenticateService = new Mock <IAuthenticateResourceOwnerService>(); authenticateService .Setup( x => x.AuthenticateResourceOwner( It.IsAny <string>(), It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(resourceOwner); authenticateService.SetupGet(x => x.Amr).Returns("pwd"); InitializeFakeObjects(authenticateService.Object); _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client); _scopeRepository.Setup(x => x.SearchByNames(It.IsAny <CancellationToken>(), It.IsAny <string[]>())) .ReturnsAsync(new[] { new Scope { Name = invalidScope } }); var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientId}:{clientSecret}".Base64Encode()); await _getTokenByResourceOwnerCredentialsGrantTypeAction.Execute( resourceOwnerGrantTypeParameter, authenticationHeader, null, "issuer", CancellationToken.None) .ConfigureAwait(false); _tokenStoreStub.Verify(g => g.AddToken(It.IsAny <GrantedToken>(), It.IsAny <CancellationToken>())); _eventPublisher.Verify(s => s.Publish(It.IsAny <TokenGranted>())); }
public async Task <GrantedToken> Execute(ResourceOwnerGrantTypeParameter resourceOwnerGrantTypeParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate = null) { if (resourceOwnerGrantTypeParameter == null) { throw new ArgumentNullException(nameof(resourceOwnerGrantTypeParameter)); } // 1. Try to authenticate the client var instruction = CreateAuthenticateInstruction(resourceOwnerGrantTypeParameter, authenticationHeaderValue, certificate); var authResult = await _authenticateClient.AuthenticateAsync(instruction); var client = authResult.Client; if (authResult.Client == null) { _simpleIdentityServerEventSource.Info(ErrorDescriptions.TheClientCannotBeAuthenticated); client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId); if (client == null) { throw new IdentityServerException(ErrorCodes.InternalError, string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId)); } } // 2. Try to authenticate a resource owner var resourceOwner = await _authenticateResourceOwnerService.AuthenticateResourceOwnerAsync(resourceOwnerGrantTypeParameter.UserName, resourceOwnerGrantTypeParameter.Password); if (resourceOwner == null) { throw new IdentityServerException(ErrorCodes.InvalidGrant, ErrorDescriptions.ResourceOwnerCredentialsAreNotValid); } // 3. Check if the requested scopes are valid var allowedTokenScopes = string.Empty; if (!string.IsNullOrWhiteSpace(resourceOwnerGrantTypeParameter.Scope)) { var scopeValidation = _scopeValidator.Check(resourceOwnerGrantTypeParameter.Scope, client); if (!scopeValidation.IsValid) { throw new IdentityServerException(ErrorCodes.InvalidScope, scopeValidation.ErrorMessage); } allowedTokenScopes = string.Join(" ", scopeValidation.Scopes); } // 4. Generate the user information payload and store it. var claims = resourceOwner.Claims; var claimsIdentity = new ClaimsIdentity(claims, "simpleIdentityServer"); var claimsPrincipal = new ClaimsPrincipal(claimsIdentity); var authorizationParameter = new AuthorizationParameter { Scope = resourceOwnerGrantTypeParameter.Scope }; var payload = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(claimsPrincipal, authorizationParameter); var generatedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId, payload, payload); if (generatedToken == null) { generatedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client.ClientId, allowedTokenScopes, payload, payload); await _grantedTokenRepository.InsertAsync(generatedToken); // Fill-in the id-token if (generatedToken.IdTokenPayLoad != null) { generatedToken.IdToken = await _clientHelper.GenerateIdTokenAsync(client, generatedToken.IdTokenPayLoad); } _simpleIdentityServerEventSource.GrantAccessToClient(client.ClientId, generatedToken.AccessToken, allowedTokenScopes); } return(generatedToken); }