Exemple #1
0
        private async Task <Tokens> GetTokensAsync()
        {
            await _mockPipeline.LoginAsync("bob");

            var authorizationResponse = await _mockPipeline.RequestAuthorizationEndpointAsync(
                client_id,
                "code",
                "api offline_access",
                "https://client/callback");

            authorizationResponse.IsError.Should().BeFalse();
            authorizationResponse.Code.Should().NotBeNull();

            var tokenResponse = await _mockPipeline.BackChannelClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
            {
                Address      = IdentityServerPipeline.TokenEndpoint,
                ClientId     = client_id,
                ClientSecret = client_secret,

                Code        = authorizationResponse.Code,
                RedirectUri = redirect_uri
            });

            tokenResponse.IsError.Should().BeFalse();
            tokenResponse.AccessToken.Should().NotBeNull();
            tokenResponse.RefreshToken.Should().NotBeNull();

            return(new Tokens(tokenResponse));
        }
Exemple #2
0
        public async Task Authenticated_user_with_valid_anonymous_request_should_receive_authorization_response_with_valid_access_token_expires_in()
        {
            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client4",
                responseType: "code",
                scope: "openid",
                redirectUri: "https://client4/callback",
                state: "123_state",
                nonce: "123_nonce",
                acrValues: "0",
                responseMode: "json");
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            var result = JObject.Parse(await response.Content.ReadAsStringAsync());

            var tokenResponse = await _mockPipeline.BrowserClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest()
            {
                Code        = (string)result["code"],
                RedirectUri = "https://client4/callback",
                Address     = IdentityServerPipeline.TokenEndpoint,
                ClientId    = "client4",
            });

            tokenResponse.ExpiresIn.Should().Be(3600);
        }
Exemple #3
0
        public async Task Request_with_response_type_code_supported()
        {
            await _mockPipeline.LoginAsync("bob");

            var metadata = await _mockPipeline.BackChannelClient.GetAsync(IdentityServerPipeline.DiscoveryEndpoint);

            metadata.StatusCode.Should().Be(HttpStatusCode.OK);

            var state = Guid.NewGuid().ToString();
            var nonce = Guid.NewGuid().ToString();

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "code_client",
                responseType: "code",
                scope: "openid",
                redirectUri: "https://code_client/callback",
                state: state,
                nonce: nonce);
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            response.StatusCode.Should().Be(HttpStatusCode.Found);

            var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());

            authorization.IsError.Should().BeFalse();
            authorization.Code.Should().NotBeNull();
            authorization.State.Should().Be(state);
        }
Exemple #4
0
        public async Task No_state_should_not_result_in_shash()
        {
            await _pipeline.LoginAsync("bob");

            var nonce = Guid.NewGuid().ToString();

            _pipeline.BrowserClient.AllowAutoRedirect = false;
            var url = _pipeline.CreateAuthorizeUrl(
                clientId: "code_pipeline.Client",
                responseType: "code",
                scope: "openid",
                redirectUri: "https://code_pipeline.Client/callback?foo=bar&baz=quux",
                nonce: nonce);
            var response = await _pipeline.BrowserClient.GetAsync(url);

            var authorization = _pipeline.ParseAuthorizationResponseUrl(response.Headers.Location.ToString());

            authorization.Code.Should().NotBeNull();

            var code = authorization.Code;

            // backchannel client
            var wrapper     = new MessageHandlerWrapper(_pipeline.Handler);
            var tokenClient = new HttpClient(wrapper);
            var tokenResult = await tokenClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
            {
                Address      = IdentityServerPipeline.TokenEndpoint,
                ClientId     = "code_pipeline.Client",
                ClientSecret = "secret",

                Code        = code,
                RedirectUri = "https://code_pipeline.Client/callback?foo=bar&baz=quux"
            });

            tokenResult.IsError.Should().BeFalse();
            tokenResult.HttpErrorReason.Should().Be("OK");
            tokenResult.TokenType.Should().Be("Bearer");
            tokenResult.AccessToken.Should().NotBeNull();
            tokenResult.ExpiresIn.Should().BeGreaterThan(0);
            tokenResult.IdentityToken.Should().NotBeNull();

            var token = new JwtSecurityToken(tokenResult.IdentityToken);

            token.Claims.Count().Should().Be(12);
            var s_hash = token.Claims.FirstOrDefault(c => c.Type == "s_hash");

            s_hash.Should().BeNull();
        }
Exemple #5
0
        public async Task custom_profile_should_return_claims_for_implicit_client()
        {
            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "implicit",
                responseType: "id_token",
                scope: "openid custom_identity",
                redirectUri: "https://client/callback",
                state: "state",
                nonce: "nonce");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            response.StatusCode.Should().Be(HttpStatusCode.Redirect);
            response.Headers.Location.ToString().Should().StartWith("https://client/callback");

            var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());

            authorization.IsError.Should().BeFalse();
            authorization.IdentityToken.Should().NotBeNull();

            var payload = authorization.IdentityToken.Split('.')[1];
            var json    = Encoding.UTF8.GetString(Base64Url.Decode(payload));
            var obj     = JObject.Parse(json);

            obj.GetValue("foo").Should().NotBeNull();
            obj["foo"].ToString().Should().Be("bar");
        }
Exemple #6
0
        public async Task client_requires_consent_should_show_consent_page()
        {
            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client2",
                responseType: "id_token",
                scope: "openid",
                redirectUri: "https://client2/callback",
                state: "123_state",
                nonce: "123_nonce"
                );
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            _mockPipeline.ConsentWasCalled.Should().BeTrue();
        }
Exemple #7
0
    public async Task Token_endpoint_supports_client_authentication_with_basic_authentication_with_POST()
    {
        await _pipeline.LoginAsync("bob");

        var nonce = Guid.NewGuid().ToString();

        _pipeline.BrowserClient.AllowAutoRedirect = false;
        var url = _pipeline.CreateAuthorizeUrl(
            clientId: "code_pipeline.Client",
            responseType: "code",
            scope: "openid",
            redirectUri: "https://code_pipeline.Client/callback?foo=bar&baz=quux",
            nonce: nonce);
        var response = await _pipeline.BrowserClient.GetAsync(url);

        var authorization = _pipeline.ParseAuthorizationResponseUrl(response.Headers.Location.ToString());

        authorization.Code.Should().NotBeNull();

        var code = authorization.Code;

        // backchannel client
        var wrapper     = new MessageHandlerWrapper(_pipeline.Handler);
        var tokenClient = new HttpClient(wrapper);
        var tokenResult = await tokenClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
        {
            Address      = IdentityServerPipeline.TokenEndpoint,
            ClientId     = "code_pipeline.Client",
            ClientSecret = "secret",

            Code        = code,
            RedirectUri = "https://code_pipeline.Client/callback?foo=bar&baz=quux"
        });

        tokenResult.IsError.Should().BeFalse();
        tokenResult.HttpErrorReason.Should().Be("OK");
        tokenResult.TokenType.Should().Be("Bearer");
        tokenResult.AccessToken.Should().NotBeNull();
        tokenResult.ExpiresIn.Should().BeGreaterThan(0);
        tokenResult.IdentityToken.Should().NotBeNull();

        wrapper.Response.Headers.CacheControl.NoCache.Should().BeTrue();
        wrapper.Response.Headers.CacheControl.NoStore.Should().BeTrue();
    }
Exemple #8
0
        public async Task Reject_redirect_uri_not_matching_registered_redirect_uri()
        {
            await _mockPipeline.LoginAsync("bob");

            var nonce = Guid.NewGuid().ToString();
            var state = Guid.NewGuid().ToString();

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "code_client",
                responseType: "code",
                scope: "openid",
                redirectUri: "https://bad",
                state: state,
                nonce: nonce);
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            _mockPipeline.ErrorWasCalled.Should().BeTrue();
            _mockPipeline.ErrorMessage.Error.Should().Be("invalid_request");
        }
Exemple #9
0
        public async Task malformed_clientId_should_be_handled_correctly()
        {
            await _mockPipeline.LoginAsync("bob");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client1}",
                responseType: "id_token",
                responseMode: "form_post",
                scope: "openid",
                redirectUri: "https://client1/callback",
                state: "123_state",
                nonce: "123_nonce");
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            response.StatusCode.Should().Be(HttpStatusCode.Redirect);
            response.Headers.Location.ToString().Should().StartWith("https://server/home/error");
        }
Exemple #10
0
        public async Task valid_request_to_federated_signout_endpoint_should_render_page_with_iframe()
        {
            await _pipeline.LoginAsync(_user);

            await _pipeline.RequestAuthorizationEndpointAsync(
                clientId : "client1",
                responseType : "id_token",
                scope : "openid",
                redirectUri : "https://client1/callback",
                state : "123_state",
                nonce : "123_nonce");

            var response = await _pipeline.BrowserClient.GetAsync(IdentityServerPipeline.FederatedSignOutUrl + "?sid=123");

            response.StatusCode.Should().Be(HttpStatusCode.OK);
            response.Content.Headers.ContentType.MediaType.Should().Be("text/html");
            var html = await response.Content.ReadAsStringAsync();

            html.Should().Contain("https://server/connect/endsession/callback?endSessionId=");
        }
Exemple #11
0
        public async Task no_resource_indicator_on_code_exchange_should_succeed()
        {
            await _mockPipeline.LoginAsync("bob");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client1",
                responseType: "code",
                scope: "openid profile scope1 scope2 scope3 scope4 offline_access",
                redirectUri: "https://client1/callback");

            url += "&resource=urn:resource1";
            url += "&resource=urn:resource3";

            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            var code = GetCode(response);

            var tokenResponse = await _mockPipeline.BackChannelClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
            {
                Address      = IdentityServerPipeline.TokenEndpoint,
                ClientId     = "client1",
                ClientSecret = "secret",
                Code         = code,
                RedirectUri  = "https://client1/callback"
            });

            {
                var claims = ParseAccessTokenClaims(tokenResponse);
                claims.Where(x => x.Type == "aud").Select(x => x.Value).Should().BeEquivalentTo(new[] { "urn:resource1", "urn:resource2" });
                claims.Where(x => x.Type == "scope").Select(x => x.Value).Should().BeEquivalentTo(new[] { "openid", "profile", "scope1", "scope2", "scope3", "scope4", "offline_access" });
            }
        }
Exemple #12
0
        private async Task <Tokens> GetTokensAsync()
        {
            await _mockPipeline.LoginAsync("bob");

            var authorizationResponse = await _mockPipeline.RequestAuthorizationEndpointAsync(
                client_id,
                "code",
                "api offline_access",
                "https://client/callback");

            authorizationResponse.IsError.Should().BeFalse();
            authorizationResponse.Code.Should().NotBeNull();

            var tokenClient   = new TokenClient(IdentityServerPipeline.TokenEndpoint, client_id, client_secret, _mockPipeline.Handler);
            var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(authorizationResponse.Code, redirect_uri);

            tokenResponse.IsError.Should().BeFalse();
            tokenResponse.AccessToken.Should().NotBeNull();
            tokenResponse.RefreshToken.Should().NotBeNull();

            return(new Tokens(tokenResponse));
        }
Exemple #13
0
        public async Task Unrestricted_implicit_client_can_request_IdToken()
        {
            await _mockPipeline.LoginAsync(_user);

            var url = _mockPipeline.CreateAuthorizeUrl("client1",
                                                       "id_token", "openid", "https://client1/callback", "state", "nonce");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            response.StatusCode.Should().Be(HttpStatusCode.Found);
            response.Headers.Location.AbsoluteUri.Should().StartWith("https://client1/callback");
            var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());

            authorization.IdentityToken.Should().NotBeNull();
            authorization.AccessToken.Should().BeNull();
        }
Exemple #14
0
        public async Task session_id_should_be_reissued_if_session_cookie_absent()
        {
            await _mockPipeline.LoginAsync("bob");

            var sid1 = _mockPipeline.GetSessionCookie().Value;

            sid1.Should().NotBeNull();

            _mockPipeline.RemoveSessionCookie();

            await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.DiscoveryEndpoint);

            var sid2 = _mockPipeline.GetSessionCookie().Value;

            sid2.Should().Be(sid1);
        }
Exemple #15
0
    public async Task login_should_create_server_side_session()
    {
        (await _sessionStore.GetSessionsAsync(new SessionFilter {
            SubjectId = "bob"
        })).Should().BeEmpty();
        await _pipeline.LoginAsync("bob");

        (await _sessionStore.GetSessionsAsync(new SessionFilter {
            SubjectId = "bob"
        })).Should().NotBeEmpty();
        (await IsLoggedIn()).Should().BeTrue();
    }
Exemple #16
0
        public async Task get_request_should_redirect_to_configured_logout_path()
        {
            _mockPipeline.Options.UserInteraction.LogoutUrl         = "/logout";
            _mockPipeline.Options.UserInteraction.LogoutIdParameter = "id";

            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client1",
                responseType: "id_token",
                scope: "openid",
                redirectUri: "https://client1/callback",
                state: "123_state",
                nonce: "123_nonce");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
            var id_token      = authorization.IdentityToken;

            response = await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.EndSessionEndpoint +
                                                                  "?id_token_hint=" + id_token +
                                                                  "&post_logout_redirect_uri=https://client1/signout-callback");

            response.StatusCode.Should().Be(HttpStatusCode.Redirect);
            response.Headers.Location.ToString().Should().StartWith("https://server/logout?id=");
        }
Exemple #17
0
        public async Task Client_cannot_use_plain_code_challenge_method(string clientId)
        {
            await _pipeline.LoginAsync("bob");

            var nonce             = Guid.NewGuid().ToString();
            var code_challenge    = code_verifier;
            var authorizeResponse = await _pipeline.RequestAuthorizationEndpointAsync(clientId,
                                                                                      response_type,
                                                                                      IdentityServerConstants.StandardScopes.OpenId,
                                                                                      redirect_uri,
                                                                                      nonce : nonce,
                                                                                      codeChallenge : code_challenge,
                                                                                      codeChallengeMethod : OidcConstants.CodeChallengeMethods.Plain);

            _pipeline.ErrorWasCalled.Should().BeTrue();
            _pipeline.ErrorMessage.Error.Should().Be(OidcConstants.AuthorizeErrors.InvalidRequest);
        }
Exemple #18
0
        public async Task Shared_session_id_should_be_included_in_authenticated_access_token()
        {
            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client4",
                responseType: "code",
                scope: "openid",
                redirectUri: "https://client4/callback",
                state: "123_state",
                nonce: "123_nonce",
                acrValues: "0",
                responseMode: "json");
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            var result        = JObject.Parse(await response.Content.ReadAsStringAsync());
            var tokenResponse = await _mockPipeline.BrowserClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest()
            {
                Code        = (string)result["code"],
                RedirectUri = "https://client4/callback",
                Address     = IdentityServerPipeline.TokenEndpoint,
                ClientId    = "client4",
            });

            var token = _mockPipeline.ReadJwtToken(tokenResponse.AccessToken);

            token.Claims.Should().Contain(c => c.Type == JwtClaimTypes.SharedSessionId);
        }
Exemple #19
0
        public async Task Shared_session_id_should_be_included_in_authenticated_access_token()
        {
            await _mockPipeline.LoginAsync("bob");

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client2",
                responseType: "id_token token",
                scope: "openid api2",
                redirectUri: "https://client2/callback",
                state: "123_state",
                nonce: "123_nonce",
                acrValues: "0",
                responseMode: "json");
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            var result = JObject.Parse(await response.Content.ReadAsStringAsync());
            var token  = _mockPipeline.ReadJwtToken(((string)result["access_token"]));

            token.Claims.Should().Contain(c => c.Type == JwtClaimTypes.SharedSessionId);
        }
Exemple #20
0
        public async Task authenticated_user_with_valid_request_should_receive_authorization_response()
        {
            await _mockPipeline.LoginAsync("bob");

            _mockPipeline.BrowserClient.AllowAutoRedirect = false;

            var url = _mockPipeline.CreateAuthorizeUrl(
                clientId: "client1",
                responseType: "id_token",
                scope: "openid",
                redirectUri: "https://client1/callback",
                state: "123_state",
                nonce: "123_nonce");
            var response = await _mockPipeline.BrowserClient.GetAsync(url);

            response.StatusCode.Should().Be(HttpStatusCode.Redirect);
            response.Headers.Location.ToString().Should().StartWith("https://client1/callback");

            var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());

            authorization.IsError.Should().BeFalse();
            authorization.IdentityToken.Should().NotBeNull();
            authorization.State.Should().Be("123_state");
        }