public static TokenValidator CreateTokenValidator(IReferenceTokenStore store = null, IProfileService profile = null)
{
if (profile == null)
{
profile = new TestProfileService();
}
if (store == null)
{
store = CreateReferenceTokenStore();
}
var clients = CreateClientStore();
var options = TestIdentityServerOptions.Create();
var context = new MockHttpContextAccessor(options);
var logger = TestLogger.Create <TokenValidator>();
var validator = new TokenValidator(
clients: clients,
referenceTokenStore: store,
customValidator: new DefaultCustomTokenValidator(
profile: profile,
clients: clients,
logger: TestLogger.Create <DefaultCustomTokenValidator>()),
keys: new DefaultKeyMaterialService(new[] { new DefaultValidationKeysStore(new[] { TestCert.LoadSigningCredentials().Key }) }),
logger: logger,
options: options,
context: context);
return(validator);
}
public async Task JWT_Token_with_scopes_have_expected_claims(bool flag)
{
var options = TestIdentityServerOptions.Create();
options.EmitScopesAsSpaceDelimitedStringInJwt = flag;
var signer = Factory.CreateDefaultTokenCreator(options);
var jwt = await signer.CreateTokenAsync(TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeFalse();
result.Jwt.Should().NotBeNullOrEmpty();
result.Client.ClientId.Should().Be("roclient");
result.Claims.Count().Should().Be(9);
var scopes = result.Claims.Where(c => c.Type == "scope").Select(c => c.Value).ToArray();
scopes.Count().Should().Be(2);
scopes[0].Should().Be("read");
scopes[1].Should().Be("write");
}
public static IClientSecretValidator CreateClientSecretValidator(IClientStore clients = null, SecretParser parser = null, SecretValidator validator = null, IdentityServerOptions options = null)
{
options = options ?? TestIdentityServerOptions.Create();
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (parser == null)
{
var parsers = new List <ISecretParser>
{
new BasicAuthenticationSecretParser(options, TestLogger.Create <BasicAuthenticationSecretParser>()),
new PostBodySecretParser(options, TestLogger.Create <PostBodySecretParser>())
};
parser = new SecretParser(parsers, TestLogger.Create <SecretParser>());
}
if (validator == null)
{
var validators = new List <ISecretValidator>
{
new HashedSharedSecretValidator(TestLogger.Create <HashedSharedSecretValidator>()),
new PlainTextSharedSecretValidator(TestLogger.Create <PlainTextSharedSecretValidator>())
};
validator = new SecretValidator(new StubClock(), validators, TestLogger.Create <SecretValidator>());
}
return(new ClientSecretValidator(clients, parser, validator, new TestEventService(), TestLogger.Create <ClientSecretValidator>()));
}
public static DeviceAuthorizationRequestValidator CreateDeviceAuthorizationRequestValidator(
IdentityServerOptions options = null,
IResourceStore resourceStore = null,
IResourceValidator resourceValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (resourceStore == null)
{
resourceStore = new InMemoryResourcesStore(TestScopes.GetIdentity(), TestScopes.GetApis(), TestScopes.GetScopes());
}
if (resourceValidator == null)
{
resourceValidator = CreateResourceValidator(resourceStore);
}
return(new DeviceAuthorizationRequestValidator(
options,
resourceValidator,
TestLogger.Create <DeviceAuthorizationRequestValidator>()));
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IAuthorizationCodeStore authorizationCodeStore = null,
IRefreshTokenStore refreshTokens = null,
IUserService userService = null,
ICustomGrantValidator customGrantValidator = null,
ICustomRequestValidator customRequestValidator = null,
ScopeValidator scopeValidator = null,
IDictionary <string, object> environment = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (userService == null)
{
userService = new TestUserService();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomRequestValidator();
}
if (customGrantValidator == null)
{
customGrantValidator = new TestGrantValidator();
}
if (refreshTokens == null)
{
refreshTokens = new InMemoryRefreshTokenStore();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
IOwinContext context;
if (environment == null)
{
context = new OwinContext(new Dictionary <string, object>());
}
else
{
context = new OwinContext(environment);
}
return(new TokenRequestValidator(options, authorizationCodeStore, refreshTokens, userService, scopes, customGrantValidator, customRequestValidator, scopeValidator, context));
}
internal static ITokenCreationService CreateDefaultTokenCreator()
{
return(new DefaultTokenCreationService(
new StubClock(),
new DefaultKeyMaterialService(new IValidationKeysStore[] { },
new ISigningCredentialStore[] { new InMemorySigningCredentialsStore(TestCert.LoadSigningCredentials()) }),
TestIdentityServerOptions.Create(),
TestLogger.Create <DefaultTokenCreationService>()));
}
public static TokenValidator CreateTokenValidator(
IReferenceTokenStore store = null,
IRefreshTokenStore refreshTokenStore = null,
IProfileService profile = null,
IdentityServerOptions options = null, ISystemClock clock = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (profile == null)
{
profile = new TestProfileService();
}
if (store == null)
{
store = CreateReferenceTokenStore();
}
clock = clock ?? new StubClock();
if (refreshTokenStore == null)
{
refreshTokenStore = CreateRefreshTokenStore();
}
var clients = CreateClientStore();
var context = new MockHttpContextAccessor(options);
var logger = TestLogger.Create <TokenValidator>();
var keyInfo = new SecurityKeyInfo
{
Key = TestCert.LoadSigningCredentials().Key,
SigningAlgorithm = "RS256"
};
var validator = new TokenValidator(
clients: clients,
clock: clock,
profile: profile,
referenceTokenStore: store,
refreshTokenStore: refreshTokenStore,
customValidator: new DefaultCustomTokenValidator(),
keys: new DefaultKeyMaterialService(
new[] { new InMemoryValidationKeysStore(new[] { keyInfo }) },
Enumerable.Empty <ISigningCredentialStore>(),
new NopAutomaticKeyManagerKeyStore()
),
logger: logger,
options: options,
context: context);
return(validator);
}
public async Task Valid_JWT_Token()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
Assert.IsFalse(result.IsError);
}
public async Task Valid_IdentityToken_no_ClientId_supplied()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateIdentityToken("roclient", "valid"));
var validator = Factory.CreateTokenValidator();
var result = await validator.ValidateIdentityTokenAsync(jwt);
result.IsError.Should().BeFalse();
}
public async Task Valid_IdentityToken_SymmetricKeyType()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateIdentityToken("roclient_symmetric", "valid"));
var validator = Factory.CreateTokenValidator();
var result = await validator.ValidateIdentityTokenAsync(jwt, "roclient_symmetric");
Assert.IsFalse(result.IsError);
}
public async Task IdentityToken_InvalidClientId()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateIdentityToken("roclient", "valid"));
var validator = Factory.CreateTokenValidator();
var result = await validator.ValidateIdentityTokenAsync(jwt, "invalid");
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.ProtectedResourceErrors.InvalidToken, result.Error);
}
public async Task IdentityToken_Too_Long()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateIdentityTokenLong("roclient", "valid", 1000));
var validator = Factory.CreateTokenValidator();
var result = await validator.ValidateIdentityTokenAsync(jwt, "roclient");
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.ProtectedResourceErrors.InvalidToken);
}
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IClientStore clients = null,
IUserService users = null,
ICustomRequestValidator customValidator = null,
IRedirectUriValidator uriValidator = null,
ScopeValidator scopeValidator = null,
IDictionary <string, object> environment = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (customValidator == null)
{
customValidator = new DefaultCustomRequestValidator();
}
if (uriValidator == null)
{
uriValidator = new DefaultRedirectUriValidator();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
IOwinContext context;
if (environment == null)
{
context = new OwinContext(new Dictionary <string, object>());
}
else
{
context = new OwinContext(environment);
}
return(new AuthorizeRequestValidator(options, clients, customValidator, uriValidator, scopeValidator, context));
}
public async Task JWT_Token_Too_Long()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateAccessTokenLong(new Client {
ClientId = "roclient"
}, "valid", 600, 1000, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.ProtectedResourceErrors.InvalidToken);
}
public async Task JWT_Token_invalid_Audience()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var token = TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write");
token.Audience = "invalid";
var jwt = await signer.SignTokenAsync(token);
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.ProtectedResourceErrors.InvalidToken, result.Error);
}
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
IdentityServerOptions options = null,
IResourceStore resourceStore = null,
IClientStore clients = null,
IProfileService profile = null,
ICustomAuthorizeRequestValidator customValidator = null,
IRedirectUriValidator uriValidator = null,
ScopeValidator scopeValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (resourceStore == null)
{
resourceStore = new InMemoryResourcesStore(TestScopes.GetIdentity(), TestScopes.GetApis());
}
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (customValidator == null)
{
customValidator = new DefaultCustomAuthorizeRequestValidator();
}
if (uriValidator == null)
{
uriValidator = new StrictRedirectUriValidator();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(resourceStore, new LoggerFactory().CreateLogger <ScopeValidator>());
}
var sessionId = new MockSessionIdService();
return(new AuthorizeRequestValidator(
options,
clients,
customValidator,
uriValidator,
scopeValidator,
sessionId,
TestLogger.Create <AuthorizeRequestValidator>()));
}
public EndSessionRequestValidatorTests()
{
_user = new IdentityServerUser("alice").CreatePrincipal();
_options = TestIdentityServerOptions.Create();
_subject = new EndSessionRequestValidator(
_context,
_options,
_stubTokenValidator,
_stubRedirectUriValidator,
_userSession,
_mockLogoutNotificationService,
_mockEndSessionMessageStore,
TestLogger.Create <EndSessionRequestValidator>());
}
public EndSessionRequestValidatorTests()
{
_user = IdentityServerPrincipal.Create("alice", "Alice");
_clientStore = new InMemoryClientStore(new Client[0]);
_options = TestIdentityServerOptions.Create();
_subject = new EndSessionRequestValidator(
_context,
_options,
_stubTokenValidator,
_stubRedirectUriValidator,
_userSession,
_clientStore,
_mockEndSessionMessageStore,
TestLogger.Create <EndSessionRequestValidator>());
}
public static TokenValidator CreateTokenValidator(ITokenHandleStore tokenStore = null)
{
var users = new TestUserService();
var clients = CreateClientStore();
var validator = new TokenValidator(
options: TestIdentityServerOptions.Create(),
users: users,
clients: clients,
tokenHandles: tokenStore,
customValidator: new DefaultCustomTokenValidator(
users: users,
clients: clients));
return(validator);
}
public MockHttpContextAccessor(
IdentityServerOptions options = null,
IUserSession userSession = null,
IMessageStore <LogoutNotificationContext> endSessionStore = null,
IServerUrls urls = null)
{
options = options ?? TestIdentityServerOptions.Create();
var services = new ServiceCollection();
services.AddSingleton(options);
services.AddSingleton <IAuthenticationSchemeProvider>(Schemes);
services.AddSingleton <IAuthenticationService>(AuthenticationService);
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = Schemes.Default;
});
if (userSession == null)
{
services.AddScoped <IUserSession, DefaultUserSession>();
}
else
{
services.AddSingleton(userSession);
}
if (endSessionStore == null)
{
services.AddTransient <IMessageStore <LogoutNotificationContext>, ProtectedDataMessageStore <LogoutNotificationContext> >();
}
else
{
services.AddSingleton(endSessionStore);
}
if (urls != null)
{
services.AddSingleton <IServerUrls>(urls);
}
_context.RequestServices = services.BuildServiceProvider();
}
public static TokenValidator CreateTokenValidator(
IReferenceTokenStore store = null,
IRefreshTokenStore refreshTokenStore = null,
IProfileService profile = null,
IIssuerNameService issuerNameService = null,
IdentityServerOptions options = null,
ISystemClock clock = null)
{
options ??= TestIdentityServerOptions.Create();
profile ??= new TestProfileService();
store ??= CreateReferenceTokenStore();
clock ??= new StubClock();
refreshTokenStore ??= CreateRefreshTokenStore();
issuerNameService ??= new TestIssuerNameService(options.IssuerUri);
var clients = CreateClientStore();
var logger = TestLogger.Create <TokenValidator>();
var keyInfo = new SecurityKeyInfo
{
Key = TestCert.LoadSigningCredentials().Key,
SigningAlgorithm = "RS256"
};
var validator = new TokenValidator(
clients: clients,
clock: clock,
profile: profile,
referenceTokenStore: store,
customValidator: new DefaultCustomTokenValidator(),
keys: new DefaultKeyMaterialService(
new[] { new InMemoryValidationKeysStore(new[] { keyInfo }) },
Enumerable.Empty <ISigningCredentialStore>(),
new NopAutomaticKeyManagerKeyStore()
),
sessionCoordinationService: new StubSessionCoordinationService(),
logger: logger,
options: options,
issuerNameService: issuerNameService);
return(validator);
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IPersistedGrantService grants = null,
IResourceOwnerPasswordValidator resourceOwnerValidator = null,
IProfileService profile = null,
IEnumerable <IExtensionGrantValidator> extensionGrantValidators = null,
ICustomTokenRequestValidator customRequestValidator = null,
ScopeValidator scopeValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (resourceOwnerValidator == null)
{
resourceOwnerValidator = new TestResourceOwnerPasswordValidator();
}
if (profile == null)
{
profile = new TestProfileService();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomTokenRequestValidator();
}
ExtensionGrantValidator aggregateExtensionGrantValidator;
if (extensionGrantValidators == null)
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(new[] { new TestGrantValidator() }, TestLogger.Create <ExtensionGrantValidator>());
}
else
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(extensionGrantValidators, TestLogger.Create <ExtensionGrantValidator>());
}
if (grants == null)
{
grants = CreateGrantService();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes, new LoggerFactory().CreateLogger <ScopeValidator>());
}
return(new TokenRequestValidator(
options,
grants,
resourceOwnerValidator,
profile,
aggregateExtensionGrantValidator,
customRequestValidator,
scopeValidator,
new TestEventService(),
TestLogger.Create <TokenRequestValidator>()));
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IIssuerNameService issuerNameService = null,
IResourceStore resourceStore = null,
IAuthorizationCodeStore authorizationCodeStore = null,
IRefreshTokenStore refreshTokenStore = null,
IResourceOwnerPasswordValidator resourceOwnerValidator = null,
IProfileService profile = null,
IDeviceCodeValidator deviceCodeValidator = null,
IEnumerable <IExtensionGrantValidator> extensionGrantValidators = null,
ICustomTokenRequestValidator customRequestValidator = null,
IRefreshTokenService refreshTokenService = null,
IResourceValidator resourceValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (issuerNameService == null)
{
issuerNameService = new TestIssuerNameService(options.IssuerUri);
}
if (resourceStore == null)
{
resourceStore = new InMemoryResourcesStore(TestScopes.GetIdentity(), TestScopes.GetApis(), TestScopes.GetScopes());
}
if (resourceOwnerValidator == null)
{
resourceOwnerValidator = new TestResourceOwnerPasswordValidator();
}
if (profile == null)
{
profile = new TestProfileService();
}
if (deviceCodeValidator == null)
{
deviceCodeValidator = new TestDeviceCodeValidator();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomTokenRequestValidator();
}
ExtensionGrantValidator aggregateExtensionGrantValidator;
if (extensionGrantValidators == null)
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(new[] { new TestGrantValidator() }, TestLogger.Create <ExtensionGrantValidator>());
}
else
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(extensionGrantValidators, TestLogger.Create <ExtensionGrantValidator>());
}
if (authorizationCodeStore == null)
{
authorizationCodeStore = CreateAuthorizationCodeStore();
}
if (refreshTokenStore == null)
{
refreshTokenStore = CreateRefreshTokenStore();
}
if (resourceValidator == null)
{
resourceValidator = CreateResourceValidator(resourceStore);
}
if (refreshTokenService == null)
{
refreshTokenService = CreateRefreshTokenService(
refreshTokenStore,
profile);
}
return(new TokenRequestValidator(
options,
issuerNameService,
authorizationCodeStore,
resourceOwnerValidator,
profile,
deviceCodeValidator,
aggregateExtensionGrantValidator,
customRequestValidator,
resourceValidator,
resourceStore,
refreshTokenService,
new TestEventService(),
new StubClock(),
TestLogger.Create <TokenRequestValidator>()));
}
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
IdentityServerOptions options = null,
IIssuerNameService issuerNameService = null,
IResourceStore resourceStore = null,
IClientStore clients = null,
IProfileService profile = null,
ICustomAuthorizeRequestValidator customValidator = null,
IRedirectUriValidator uriValidator = null,
IResourceValidator resourceValidator = null,
JwtRequestValidator jwtRequestValidator = null,
IJwtRequestUriHttpClient jwtRequestUriHttpClient = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (issuerNameService == null)
{
issuerNameService = new TestIssuerNameService(options.IssuerUri);
}
if (resourceStore == null)
{
resourceStore = new InMemoryResourcesStore(TestScopes.GetIdentity(), TestScopes.GetApis(), TestScopes.GetScopes());
}
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (customValidator == null)
{
customValidator = new DefaultCustomAuthorizeRequestValidator();
}
if (uriValidator == null)
{
uriValidator = new StrictRedirectUriValidator();
}
if (resourceValidator == null)
{
resourceValidator = CreateResourceValidator(resourceStore);
}
if (jwtRequestValidator == null)
{
jwtRequestValidator = new JwtRequestValidator("https://identityserver", new LoggerFactory().CreateLogger <JwtRequestValidator>());
}
if (jwtRequestUriHttpClient == null)
{
jwtRequestUriHttpClient = new DefaultJwtRequestUriHttpClient(new HttpClient(new NetworkHandler(new Exception("no jwt request uri response configured"))), options, new LoggerFactory());
}
var userSession = new MockUserSession();
return(new AuthorizeRequestValidator(
options,
issuerNameService,
clients,
customValidator,
uriValidator,
resourceValidator,
userSession,
jwtRequestValidator,
jwtRequestUriHttpClient,
TestLogger.Create <AuthorizeRequestValidator>()));
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IResourceStore resourceStore = null,
IAuthorizationCodeStore authorizationCodeStore = null,
IRefreshTokenStore refreshTokenStore = null,
IResourceOwnerPasswordValidator resourceOwnerValidator = null,
IProfileService profile = null,
IEnumerable <IExtensionGrantValidator> extensionGrantValidators = null,
ICustomTokenRequestValidator customRequestValidator = null,
ScopeValidator scopeValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (resourceStore == null)
{
resourceStore = new InMemoryResourcesStore(TestScopes.GetIdentity(), TestScopes.GetApis());
}
if (resourceOwnerValidator == null)
{
resourceOwnerValidator = new TestResourceOwnerPasswordValidator();
}
if (profile == null)
{
profile = new TestProfileService();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomTokenRequestValidator();
}
ExtensionGrantValidator aggregateExtensionGrantValidator;
if (extensionGrantValidators == null)
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(new[] { new TestGrantValidator() }, TestLogger.Create <ExtensionGrantValidator>());
}
else
{
aggregateExtensionGrantValidator = new ExtensionGrantValidator(extensionGrantValidators, TestLogger.Create <ExtensionGrantValidator>());
}
if (authorizationCodeStore == null)
{
authorizationCodeStore = CreateAuthorizationCodeStore();
}
if (refreshTokenStore == null)
{
refreshTokenStore = CreateRefreshTokenStore();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(resourceStore, new LoggerFactory().CreateLogger <ScopeValidator>());
}
return(new TokenRequestValidator(
options,
authorizationCodeStore,
refreshTokenStore,
resourceOwnerValidator,
profile,
aggregateExtensionGrantValidator,
customRequestValidator,
scopeValidator,
new TestEventService(),
TestLogger.Create <TokenRequestValidator>()));
}
