public async Task When_Requesting_IdentityToken_JwsPayload_And_NumberOfAudiencesIsMoreThanOne_Then_Azp_Should_Be_Returned() { // ARRANGE InitializeMockObjects(); const string issuerName = "IssuerName"; var clientId = FakeOpenIdAssets.GetClients().First().ClientId; const string subject = "*****@*****.**"; var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var authorizationParameter = new AuthorizationParameter { ClientId = clientId }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, issuerName); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.Audiences.Count() > 1); Assert.True(result.Azp == clientId); }
public void When_JwsAlg_Is_RS512_And_AuthorizationCode_And_AccessToken_Are_Not_Empty_Then_OtherClaims_Are_FilledIn() { // ARRANGE InitializeMockObjects(); var client = FakeOpenIdAssets.GetClients().First(); client.IdTokenSignedResponseAlg = Constants.JwsAlgNames.RS512; var jwsPayload = new JwsPayload(); var authorizationParameter = new AuthorizationParameter { ClientId = client.ClientId }; // ACT & ASSERT _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, "authorization_code", "access_token", authorizationParameter, client); Assert.True(jwsPayload.ContainsKey(StandardClaimNames.AtHash)); Assert.True(jwsPayload.ContainsKey(StandardClaimNames.CHash)); }
public void When_JwsAlg_Is_None_And_Trying_To_FillIn_Other_Claims_Then_The_Properties_Are_Not_Filled_In() { // ARRANGE InitializeMockObjects(); var client = FakeOpenIdAssets.GetClients().First(); client.IdTokenSignedResponseAlg = "none"; var jwsPayload = new JwsPayload(); var authorizationParameter = new AuthorizationParameter { ClientId = client.ClientId }; // ACT & ASSERT _jwtGenerator.FillInOtherClaimsIdentityTokenPayload(jwsPayload, null, null, authorizationParameter, new Client()); Assert.False(jwsPayload.ContainsKey(StandardClaimNames.AtHash)); Assert.False(jwsPayload.ContainsKey(StandardClaimNames.CHash)); }
public async Task When_Encrypt_Jws_Then_Jwe_Is_Returned() { // ARRANGE InitializeMockObjects(); var client = FakeOpenIdAssets.GetClients().First(); client.IdTokenEncryptedResponseAlg = Constants.JweAlgNames.RSA1_5; var serializedRsa = string.Empty; using (var provider = new RSACryptoServiceProvider()) { serializedRsa = provider.ToXmlString(true); }; var jsonWebKey = new JsonWebKey { Alg = AllAlg.RSA1_5, KeyOps = new[] { KeyOperations.Encrypt, KeyOperations.Decrypt }, Kid = "3", Kty = KeyType.RSA, Use = Use.Enc, SerializedKey = serializedRsa, }; var jws = "jws"; ICollection <JsonWebKey> jwks = new List <JsonWebKey> { jsonWebKey }; _jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>())) .Returns(Task.FromResult(jwks)); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client)); // ACT var jwe = await _jwtGenerator.EncryptAsync(jws, JweAlg.RSA1_5, JweEnc.A128CBC_HS256); // ASSERT Assert.NotEmpty(jwe); }
public async Task When_Sign_Payload_Then_Jws_Is_Returned() { // ARRANGE InitializeMockObjects(); var client = FakeOpenIdAssets.GetClients().First(); client.IdTokenEncryptedResponseAlg = Constants.JwsAlgNames.RS256; var serializedRsa = string.Empty; using (var provider = new RSACryptoServiceProvider()) { serializedRsa = provider.ToXmlString(true); }; var jsonWebKey = new JsonWebKey { Alg = AllAlg.RS256, KeyOps = new[] { KeyOperations.Sign, KeyOperations.Verify }, Kid = "a3rMUgMFv9tPclLa6yF3zAkfquE", Kty = KeyType.RSA, Use = Use.Sig, SerializedKey = serializedRsa }; ICollection <JsonWebKey> jwks = new List <JsonWebKey> { jsonWebKey }; _jsonWebKeyRepositoryStub.Setup(j => j.GetByAlgorithmAsync(It.IsAny <Use>(), It.IsAny <AllAlg>(), It.IsAny <KeyOperations[]>())) .Returns(Task.FromResult(jwks)); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())).Returns(Task.FromResult(client)); var jwsPayload = new JwsPayload(); // ACT var jws = await _jwtGenerator.SignAsync(jwsPayload, JwsAlg.RS256); // ASSERT Assert.NotEmpty(jws); }
public void When_Requesting_UserInformation_For_Some_Valid_Claims_Then_The_JwsPayload_Is_Correct() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string name = "Habart Thierry"; var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Name, name), new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Name, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true } } }, new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Subject, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true }, { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, subject } } } }; var authorizationParameter = new AuthorizationParameter { Scope = "profile" }; ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList(); _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >())) .Returns(Task.FromResult(scopes)); // ACT var result = _jwtGenerator.GenerateFilteredUserInfoPayload( claimsParameter, authorizationParameter, claims); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name)); }
public void When_Requesting_UserInformation_But_The_Name_Claim_Value_Is_Not_Correct_Then_Exception_Is_Thrown() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string state = "state"; var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject), new Claim(Constants.StandardResourceOwnerClaimNames.Name, "invalid_name") }; var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Subject, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, subject } } }, new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Name, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, "name" } } } }; var authorizationParameter = new AuthorizationParameter { Scope = "profile", State = state }; ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList(); _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >())) .Returns(Task.FromResult(scopes)); // ACT & ASSERT var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload( claimsParameter, authorizationParameter, claims)); Assert.NotNull(exception); Assert.True(exception.Code == ErrorCodes.InvalidGrant); Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Name)); Assert.True(exception.State == state); }
public async Task When_Requesting_UserInformation_JwsPayload_For_Scopes_Then_The_JwsPayload_Is_Correct() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string name = "Habart Thierry"; var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Name, name), new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var authorizationParameter = new AuthorizationParameter { Scope = "profile" }; ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList(); _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >())) .Returns(Task.FromResult(scopes)); // ACT var result = await _jwtGenerator.GenerateUserInfoPayloadForScopeAsync(authorizationParameter, claims); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Name)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Name].ToString().Equals(name)); }
public async Task When_Requesting_IdentityToken_JwsPayload_And_Pass_AuthTime_As_ClaimEssential_Then_TheJwsPayload_Contains_AuthenticationTime() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string nonce = "nonce"; var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp(); var claims = new List <Claim> { new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()), new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject), new Claim(Constants.StandardResourceOwnerClaimNames.Role, "['role1', 'role2']") }; var authorizationParameter = new AuthorizationParameter { Nonce = nonce }; var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = StandardClaimNames.AuthenticationTime, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true } } }, new ClaimParameter { Name = StandardClaimNames.Audiences, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValuesName, new [] { FakeOpenIdAssets.GetClients().First().ClientId } } } }, new ClaimParameter { Name = StandardClaimNames.Nonce, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, nonce } } }, new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Role, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true } } } }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT var result = await _jwtGenerator.GenerateFilteredIdTokenPayloadAsync( claims, authorizationParameter, claimsParameter, null, currentDateTimeOffset); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Role)); Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime)); Assert.True(result.ContainsKey(StandardClaimNames.Nonce)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject)); Assert.True(long.Parse(result[StandardClaimNames.AuthenticationTime].ToString()).Equals(currentDateTimeOffset)); }
public async Task When_Requesting_IdentityToken_JwsPayload_And_PassingANotValidClaimValue_Then_An_Exception_Is_Thrown() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string notValidSubject = "*****@*****.**"; var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var authorizationParameter = new AuthorizationParameter(); var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = Constants.StandardResourceOwnerClaimNames.Subject, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true }, { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, notValidSubject } } } }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT & ASSERTS var result = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync( claims, authorizationParameter, claimsParameter, null)); Assert.True(result.Code.Equals(ErrorCodes.InvalidGrant)); Assert.True(result.Message.Equals(string.Format(ErrorDescriptions.TheClaimIsNotValid, Constants.StandardResourceOwnerClaimNames.Subject))); }
public async Task When_Requesting_Identity_Token_And_ExpirationTime_Is_Not_Correct_Then_Exception_Is_Thrown() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; const string state = "state"; var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp(); var claims = new List <Claim> { new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()), new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var authorizationParameter = new AuthorizationParameter { State = state }; var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = StandardClaimNames.ExpirationTime, Parameters = new Dictionary <string, object> { { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.EssentialName, true }, { SimpleIdServer.Core.Constants.StandardClaimParameterValueNames.ValueName, 12 } } } }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT & ASSERT var exception = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredIdTokenPayloadAsync( claims, authorizationParameter, claimsParameter, null)); Assert.NotNull(exception); Assert.True(exception.Code == ErrorCodes.InvalidGrant); Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, StandardClaimNames.ExpirationTime)); Assert.True(exception.State == state); }
public async Task When_Requesting_IdentityToken_JwsPayload_With_No_Authorization_Request_Then_MandatoriesClaims_Are_Returned() { // ARRANGE InitializeMockObjects(); const string issuerName = "IssuerName"; const string subject = "*****@*****.**"; var authorizationParameter = new AuthorizationParameter(); var claims = new List <Claim> { new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.ContainsKey(StandardClaimNames.Audiences)); Assert.True(result.ContainsKey(StandardClaimNames.ExpirationTime)); Assert.True(result.ContainsKey(StandardClaimNames.Iat)); Assert.True(result.GetClaimValue(Constants.StandardResourceOwnerClaimNames.Subject) == subject); }
public async Task When_Requesting_IdentityToken_JwsPayload_And_IndicateTheMaxAge_Then_TheJwsPayload_Contains_AuthenticationTime() { // ARRANGE InitializeMockObjects(); const string subject = "*****@*****.**"; var currentDateTimeOffset = DateTimeOffset.UtcNow.ConvertToUnixTimestamp(); var claims = new List <Claim> { new Claim(ClaimTypes.AuthenticationInstant, currentDateTimeOffset.ToString()), new Claim(Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var authorizationParameter = new AuthorizationParameter { MaxAge = 2 }; _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); // ACT var result = await _jwtGenerator.GenerateIdTokenPayloadForScopesAsync(claims, authorizationParameter, null, currentDateTimeOffset); // ASSERT Assert.NotNull(result); Assert.True(result.ContainsKey(Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(result.ContainsKey(StandardClaimNames.AuthenticationTime)); Assert.True(result[Constants.StandardResourceOwnerClaimNames.Subject].ToString().Equals(subject)); Assert.NotEmpty(result[StandardClaimNames.AuthenticationTime].ToString()); }
public void When_Requesting_UserInformation_But_The_Essential_Claim_Subject_Is_Empty_Then_Exception_Is_Thrown() { // ARRANGE InitializeMockObjects(); const string subject = ""; const string state = "state"; var claims = new List <Claim> { new Claim(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject) }; var claimIdentity = new ClaimsIdentity(claims, "fake"); var claimsPrincipal = new ClaimsPrincipal(claimIdentity); var claimsParameter = new List <ClaimParameter> { new ClaimParameter { Name = Jwt.Constants.StandardResourceOwnerClaimNames.Subject, Parameters = new Dictionary <string, object> { { Constants.StandardClaimParameterValueNames.EssentialName, true } } } }; var authorizationParameter = new AuthorizationParameter { Scope = "profile", State = state }; ICollection <Scope> scopes = FakeOpenIdAssets.GetScopes().Where(s => s.Name == "profile").ToList(); _clientRepositoryStub.Setup(c => c.GetAllAsync()).Returns(Task.FromResult(FakeOpenIdAssets.GetClients())); _scopeRepositoryStub.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >())) .Returns(Task.FromResult(scopes)); // ACT & ASSERT var exception = Assert.Throws <IdentityServerExceptionWithState>(() => _jwtGenerator.GenerateFilteredUserInfoPayload( claimsParameter, claimsPrincipal, authorizationParameter)); Assert.NotNull(exception); Assert.True(exception.Code == ErrorCodes.InvalidGrant); Assert.True(exception.Message == string.Format(ErrorDescriptions.TheClaimIsNotValid, Jwt.Constants.StandardResourceOwnerClaimNames.Subject)); Assert.True(exception.State == state); }