public void JwtPalyoad_Claims()
{
List<string> errors = new List<string>();
var jwtPayload = new JwtPayload();
// multiple audiences
foreach (string aud in IdentityUtilities.DefaultAudiences)
{
jwtPayload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, aud));
}
string encodedPayload = jwtPayload.Base64UrlEncode();
var deserializedPayload = JwtPayload.Base64UrlDeserialize(encodedPayload);
if (!IdentityComparer.AreEqual(jwtPayload, deserializedPayload))
{
errors.Add("!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)");
}
if (!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences))
{
errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)");
}
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors);
}
public async Task <string> BuildSerializedIdTokenAsync(string issuer, string audience, int duration, string userEmail)
{
// Parameters that are transmited in the ID Token assertion are communicated as claims
var claims = new List <System.Security.Claims.Claim>
{
new System.Security.Claims.Claim("email", userEmail, System.Security.Claims.ClaimValueTypes.String, issuer)
};
var header = new JwtHeader(_vaultCryptoValues.Value.SigningCredentials);
var payload = new JwtPayload(
issuer,
audience,
claims,
DateTime.Now,
DateTime.Now.AddMinutes(duration));
// Use the intended JWT Token's Header and Payload value as the data for the token's Signature
var unsignedTokenText = $"{header.Base64UrlEncode()}.{payload.Base64UrlEncode()}";
var byteData = Encoding.UTF8.GetBytes(unsignedTokenText);
// Use KV Cryptography Client to compute the signature
var cryptographyClient = _vaultCryptoValues.Value.CryptographyClient;
// SignData will create the digest and encode it (whereas Sign requires that the digest is computed here and to be sent in.)
var signatureResult = await cryptographyClient
.SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData)
.ConfigureAwait(false);
var encodedSignature = Base64UrlEncoder.Encode(signatureResult.Signature);
// Assemble the header, payload, and encoded signatures
var result = $"{unsignedTokenText}.{encodedSignature}";
return(result);
}
public PrivateApiResponse <T> SendRequestWithIdentityHeaderConvertJwt <T>(object content, Dictionary <string, object> headerValue, HttpMethod httpMethod, string contentType = "application/json")
{
string contentString = ConvertToJsonString(content);
using (LogHelper.LoggerForCurrentTest.EnterReproStep($"Send request that contains Jwt X-IDENTITY header with {InternalTestEndpoint}"))
{
var HrbcAuth = InternalConnection.GetCookieValue("HRBCAUTH");
var tokenHeader = HrbcAuth.Split('.')[0];
var tokenSecret = HrbcAuth.Split('.')[2];
var tokenhandler = new JwtSecurityTokenHandler();
var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth);
var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value);
var curPayLoad = new Dictionary <string, object>();
foreach (var item in headerValue)
{
curPayLoad[item.Key.ToString()] = item.Value;
}
newPayLoad["payload"] = curPayLoad;
JwtPayload jwtPayload = new JwtPayload();
foreach (var item in newPayLoad)
{
jwtPayload.Add(item.Key, item.Value);
}
InternalConnection.DeleteAllCookies();
InternalConnection.Headers.Clear();
InternalConnection.Headers.Add("X-IDENTITY", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}");
return(ProcessResponseWithContent <T>(InternalConnection.SendAsync(InternalTestEndpoint, contentString, httpMethod, contentType).Result));
}
}
public static JwtSecurityToken CreateJwtSecurityToken(string issuer, string audience, IEnumerable <Claim> claims, DateTime?nbf, DateTime?exp, DateTime?iat, SigningCredentials signingCredentials)
{
JwtPayload payload = new JwtPayload(issuer, audience, claims, nbf, exp, iat);
JwtHeader header = (signingCredentials != null) ? new JwtHeader(signingCredentials) : new JwtHeader();
return(new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), ""));
}
public void JwtPayload_Claims()
{
List <string> errors = new List <string>();
var jwtPayload = new JwtPayload();
// multiple audiences
foreach (string aud in IdentityUtilities.DefaultAudiences)
{
jwtPayload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, aud));
}
string encodedPayload = jwtPayload.Base64UrlEncode();
var deserializedPayload = JwtPayload.Base64UrlDeserialize(encodedPayload);
if (!IdentityComparer.AreEqual(jwtPayload, deserializedPayload))
{
errors.Add("!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)");
}
if (!IdentityComparer.AreEqual <IEnumerable <string> >(jwtPayload.Aud, IdentityUtilities.DefaultAudiences))
{
errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)");
}
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors);
}
public PrivateApiResponse<T> ForcePasswordChangeDiffHeaderWithContent<T>(IEnumerable<KeyValuePair<string, object>> parameters, object content, HttpMethod httpMethod, string contentType = "application/json")
{
string contentString = ConvertToJsonString(content);
var HrbcAuth = Connection.GetCookieValue("HRBCAUTH");
var tokenHeader = HrbcAuth.Split('.')[0];
var tokenSecret = HrbcAuth.Split('.')[2];
var tokenhandler = new JwtSecurityTokenHandler();
var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth);
var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value);
var curPayLoad = JsonConvert.DeserializeObject<Dictionary<string, object>>(newPayLoad["payload"].ToString());
foreach (var item in parameters)
{
curPayLoad[item.Key] = item.Value;
}
newPayLoad["payload"] = curPayLoad;
JwtPayload jwtPayload = new JwtPayload();
foreach (var item in newPayLoad)
{
jwtPayload.Add(item.Key, item.Value);
}
Connection.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}");
using (LogHelper.LoggerForCurrentTest.EnterReproStep($"Force password change with {ForceEndpoint}"))
{
return ProcessResponseWithContent<T>(Connection.SendAsync(ForceEndpoint, contentString, httpMethod, contentType).Result);
}
}
public static JwtSecurityToken GenerateToken(string username)
{
var header = new JwtHeader {
["alg"] = "HS256"
};
var payload = new JwtPayload(new[] { new Claim("username", username) });
var hmac = new HMACSHA256(Secret);
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(string.Join(".", header.Base64UrlEncode(), payload.Base64UrlEncode())));
return(new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), System.IdentityModel.Tokens.Base64UrlEncoder.Encode(hash)));
}
private void RunEncodingVariation(List <Claim> claims, Dictionary <string, object> values, CompareContext context)
{
var jwtPayload1 = new JwtPayload(claims);
var jwtPayload2 = new JwtPayload();
foreach (var kv in values)
{
jwtPayload2[kv.Key] = kv.Value;
}
IdentityComparer.AreEqual(jwtPayload1, jwtPayload2, context);
jwtPayload1 = JwtPayload.Base64UrlDeserialize(jwtPayload1.Base64UrlEncode());
jwtPayload2 = JwtPayload.Base64UrlDeserialize(jwtPayload2.Base64UrlEncode());
IdentityComparer.AreEqual(jwtPayload1, jwtPayload2, context);
}
public async Task <string> BuildSerializedIdTokenAsync(string issuer, string audience, int duration, string userEmail)
{
// Parameters that are transmited in the ID Token assertion are communicated as claims
var claims = new List <System.Security.Claims.Claim>
{
new System.Security.Claims.Claim("email", userEmail, System.Security.Claims.ClaimValueTypes.String, issuer)
};
var header = new JwtHeader(_vaultCryptoValues.Value.SigningCredentials);
var payload = new JwtPayload(
issuer,
audience,
claims,
DateTime.Now,
DateTime.Now.AddMinutes(duration));
// Use the intended JWT Token's Header and Payload value as the data for the token's Signature
var unsignedTokenText = $"{header.Base64UrlEncode()}.{payload.Base64UrlEncode()}";
var byteData = Encoding.UTF8.GetBytes(unsignedTokenText);
// Use KV Cryptography Client to compute the signature
var cryptographyClient = _vaultCryptoValues.Value.CryptographyClient;
// SignData will create the digest and encode it (whereas Sign requires that the digest is computed here and to be sent in.)
var signatureResult = await cryptographyClient
.SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData)
.ConfigureAwait(false);
var encodedSignature = Base64UrlEncoder.Encode(signatureResult.Signature);
// Alternatively, download the certificate and sign it locally to minimize the request count to the KeyVault instance
// TODO - Download once - replace ReadCertificate with DownloadCertificate and (CAREFULLY) hold on to the downloaded Private Key
////var downloadCertificateResult = _certificateClient.DownloadCertificate(certificateName); // Use download instead of "Get" to retrieve the full certificate with Private Key.
////var downloadedCert = downloadCertificateResult.Value;
// TODO - Create a local crypto client instance using the RSA Private Key and use it to sign the data
////var localCryptographyClient = new Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient(new Azure.Security.KeyVault.Keys.JsonWebKey(downloadedCert.GetRSAPrivateKey()));
////var signatureResult = await localCryptographyClient
//// .SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData)
//// .ConfigureAwait(false);
// Assemble the header, payload, and encoded signatures
var result = $"{unsignedTokenText}.{encodedSignature}";
return(result);
}
public JwtSecurityToken GenerateToken(List <Claim> parametrs)
{
if (parametrs == null)
{
throw new Exception("Token payload can not be null");
}
var header = new JwtHeader();
var payload = new JwtPayload("CHNU", string.Empty, parametrs, DateTime.Now, DateTime.Now.AddDays(7));
header["alg"] = ALGORITHM;
var encHeader = header.Base64UrlEncode();
var encPayload = payload.Base64UrlEncode();
var token = new JwtSecurityToken(header, payload, encHeader, encPayload,
CryptoProvider.GenerateSHMACHash($"{encHeader}.{encPayload}"));
return(token);
}
public void JwtPayloadUnicodeMapping()
{
string issuer = "a\\b";
List <Claim> claims = new List <Claim>();
JwtPayload unicodePayload = new JwtPayload("a\u005Cb", "", claims, null, null);
string json = unicodePayload.SerializeToJson();
JwtPayload payload = new JwtPayload(issuer, "", claims, null, null);
string json2 = payload.SerializeToJson();
Assert.Equal(json, json2);
JwtPayload retrievePayload = JwtPayload.Deserialize(json);
Assert.Equal(retrievePayload.Iss, issuer);
json = unicodePayload.Base64UrlEncode();
json2 = payload.Base64UrlEncode();
Assert.Equal(json, json2);
retrievePayload = JwtPayload.Base64UrlDeserialize(json);
Assert.Equal(retrievePayload.Iss, issuer);
}
public static void InsertParamToHeader(IEnumerable <KeyValuePair <string, object> > parameters, ref AuthApiConnection connectionAuthApi)
{
var HrbcAuth = connectionAuthApi.GetCookieValue("HRBCAUTH");
var tokenHeader = HrbcAuth.Split('.')[0];
var tokenSecret = HrbcAuth.Split('.')[2];
var tokenhandler = new JwtSecurityTokenHandler();
var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth);
var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value);
var curPayLoad = JsonConvert.DeserializeObject <Dictionary <string, object> >(newPayLoad["payload"].ToString());
foreach (var item in parameters)
{
curPayLoad[item.Key] = item.Value;
}
newPayLoad["payload"] = curPayLoad;
JwtPayload jwtPayload = new JwtPayload();
foreach (var item in newPayLoad)
{
jwtPayload.Add(item.Key, item.Value);
}
connectionAuthApi.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}");
}
private void GetJWT(Dictionary <string, string> request)
{
var connection = AuthApiConnection.GetConnectionForCurrentTest();
var HrbcAuth = connection.GetCookieValue("HRBCAUTH");
var tokenHeader = HrbcAuth.Split('.')[0];
var tokenSecret = HrbcAuth.Split('.')[2];
var tokenhandler = new JwtSecurityTokenHandler();
var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth);
var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value);
var curPayLoad = JsonConvert.DeserializeObject <Dictionary <string, object> >(newPayLoad["payload"].ToString());
foreach (var item in request)
{
curPayLoad[item.Key] = item.Value;
}
newPayLoad["payload"] = curPayLoad;
JwtPayload jwtPayload = new JwtPayload();
foreach (var item in newPayLoad)
{
jwtPayload.Add(item.Key, item.Value);
}
connection.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}");
}
public void EmptyToken()
{
var handler = new JwtSecurityTokenHandler();
var payload = new JwtPayload();
var header = new JwtHeader();
var jwtToken = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), "");
var jwt = handler.WriteToken(jwtToken);
var context = new CompareContext();
IdentityComparer.AreJwtSecurityTokensEqual(jwtToken, new JwtSecurityToken(handler.WriteToken(jwtToken)), context);
TestUtilities.AssertFailIfErrors(context.Diffs);
}
public void JwtHeader_SigningKeyIdentifier()
{
var cert = KeyingMaterial.DefaultAsymmetricCert_2048;
var header = new JwtHeader(new X509SigningCredentials(cert));
var payload = new JwtPayload(new Claim[] { new Claim("iss", "issuer") });
var jwt = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), "");
var handler = new JwtSecurityTokenHandler();
var signedJwt = handler.WriteToken(jwt);
SecurityToken token = null;
var validationParameters =
new TokenValidationParameters
{
IssuerSigningToken = new X509SecurityToken(cert),
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
handler.ValidateToken(signedJwt, validationParameters, out token);
validationParameters =
new TokenValidationParameters
{
IssuerSigningKey = new X509SecurityKey(cert),
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
handler.ValidateToken(signedJwt, validationParameters, out token);
}
public void EmptyToken()
{
var handler = new JwtSecurityTokenHandler();
var payload = new JwtPayload();
var header = new JwtHeader();
var jwtToken = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), "");
var jwt = handler.WriteToken(jwtToken);
var context = new CompareContext();
context.PropertiesToIgnoreWhenComparing = new Dictionary <Type, List <string> >
{
{ typeof(JwtHeader), new List <string> {
"Item"
} },
{ typeof(JwtPayload), new List <string> {
"Item"
} }
};
IdentityComparer.AreJwtSecurityTokensEqual(jwtToken, new JwtSecurityToken(handler.WriteToken(jwtToken)), context);
TestUtilities.AssertFailIfErrors(context.Diffs);
}
/// <summary>
/// Uses the <see cref="JwtSecurityToken(JwtHeader, JwtPayload, string, string, string)"/> constructor, first creating the <see cref="JwtHeader"/> and <see cref="JwtPayload"/>.
/// <para>If <see cref="SigningCredentials"/> is not null, <see cref="JwtSecurityToken.RawData"/> will be signed.</para>
/// </summary>
/// <param name="issuer">the issuer of the token.</param>
/// <param name="audience">the audience for this token.</param>
/// <param name="subject">the source of the <see cref="Claim"/>(s) for this token.</param>
/// <param name="notBefore">the notbefore time for this token.</param>
/// <param name="expires">the expiration time for this token.</param>
/// <param name="signingCredentials">contains cryptographic material for generating a signature.</param>
/// <param name="signatureProvider">optional <see cref="SignatureProvider"/>.</param>
/// <remarks>If <see cref="ClaimsIdentity.Actor"/> is not null, then a claim { actort, 'value' } will be added to the payload. <see cref="CreateActorValue"/> for details on how the value is created.
/// <para>See <seealso cref="JwtHeader"/> for details on how the HeaderParameters are added to the header.</para>
/// <para>See <seealso cref="JwtPayload"/> for details on how the values are added to the payload.</para></remarks>
/// <para>If signautureProvider is not null, then it will be used to create the signature and <see cref="System.IdentityModel.Tokens.SignatureProviderFactory.CreateForSigning( SecurityKey, string )"/> will not be called.</para>
/// <returns>A <see cref="JwtSecurityToken"/>.</returns>
/// <exception cref="ArgumentException">if 'expires' <= 'notBefore'.</exception>
public virtual JwtSecurityToken CreateToken(string issuer = null, string audience = null, ClaimsIdentity subject = null, DateTime? notBefore = null, DateTime? expires = null, SigningCredentials signingCredentials = null, SignatureProvider signatureProvider = null)
{
if (expires.HasValue && notBefore.HasValue)
{
if (notBefore >= expires)
{
throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10401, expires.Value, notBefore.Value));
}
}
// if not set, use defaults
if (!expires.HasValue && !notBefore.HasValue)
{
DateTime now = DateTime.UtcNow;
expires = now + TimeSpan.FromMinutes(TokenLifetimeInMinutes);
notBefore = now;
}
JwtPayload payload = new JwtPayload(issuer, audience, subject == null ? null : subject.Claims, notBefore, expires);
JwtHeader header = new JwtHeader(signingCredentials);
if (subject != null && subject.Actor != null)
{
payload.AddClaim(new Claim(JwtRegisteredClaimNames.Actort, this.CreateActorValue(subject.Actor)));
}
string rawHeader = header.Base64UrlEncode();
string rawPayload = payload.Base64UrlEncode();
string rawSignature = string.Empty;
string signingInput = string.Concat(rawHeader, ".", rawPayload);
if (signatureProvider != null)
{
rawSignature = Base64UrlEncoder.Encode(this.CreateSignature(signingInput, null, null, signatureProvider));
}
else if (signingCredentials != null)
{
rawSignature = Base64UrlEncoder.Encode(this.CreateSignature(signingInput, signingCredentials.SigningKey, signingCredentials.SignatureAlgorithm, signatureProvider));
}
return new JwtSecurityToken(header, payload, rawHeader, rawPayload, rawSignature);
}
public string GetSignedAndEncodedToken(LoggedInApplication loggedInApp)
{
// Get application
var consumerApplication = _applications.FirstOrDefault(i => i.ID == loggedInApp.ID);
// Get applciation token
var applicationToken = _applicationTokens.FirstOrDefault(i => i.Token == loggedInApp.TokenUsedToAuthorize);
// Get schemas from approved
var providerLicenseIds = _consumerRegistrationRequests.Where(i => i.ConsumerApplicationID == consumerApplication.ID)
.Where(i => i.Status == (int)ConsumerProviderRegistrationStatus.Approved)
.Select(i => i.OrganizationLicenseID);
var schemasFromProviderLicenses = new List <int>();
foreach (var providerLicenseId in providerLicenseIds)
{
var providerLicense = _organisationLicenses.GetById(providerLicenseId);
schemasFromProviderLicenses.Add(providerLicense.DataSchemaID);
}
// Get schemas for each agreements
var schemasFromAgreements = schemasFromProviderLicenses.Distinct().ToList();
// Filter schemas
var schemaIds = schemasFromAgreements.Distinct();
// Setup software statement schemas
var schemas = new List <SoftwareStatementSchema>();
foreach (var schemaId in schemaIds)
{
var schema = _dataSchemas.FirstOrDefault(i => i.ID == schemaId);
var schemaDetails = schema.ToStmtSchema();
schemas.Add(schemaDetails);
}
// Software statement will expire in 5 years for now.
var time = GetDate.AddYears(5) - new DateTime(1970, 1, 1);
var expireEpoch = (int)time.TotalSeconds;
var signingCredentials = new SigningCredentials(GetSigningKey(),
SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
// Create Software Statement.
var header = new JwtHeader(signingCredentials);
var payload = new JwtPayload();
payload.AddClaim(new Claim("software_id", consumerApplication.PublicID.ToString()));
payload.AddClaim(new Claim("client_name", consumerApplication.Name));
payload.AddClaim(new Claim("client_uri", applicationToken.OriginHost));
payload.AddClaim(new Claim("iss", "42e01f09-0dea-42b2-b5e1-0f1e87547329"));
payload.AddClaim(new Claim("sub", "10e5766e-aff1-4b2e-b926-1a1b4ccf566c"));
payload.AddClaim(new Claim("aud", "urn:oauth:scim:reg:generic"));
payload.AddClaim(new Claim("exp", expireEpoch.ToString()));
payload.AddClaim(new Claim("schemas", JsonConvert.SerializeObject(schemas)));
payload.Base64UrlEncode();
var jwt = new JwtSecurityToken(header, payload);
// Sign Software Statement.
var tokenHandler = new JwtSecurityTokenHandler();
var signedAndEncodedToken = tokenHandler.WriteToken(jwt);
return(signedAndEncodedToken);
}
public void JwtHeader_SigningKeyIdentifier()
{
var cert = KeyingMaterial.DefaultAsymmetricCert_2048;
var header = new JwtHeader(new X509SigningCredentials(cert));
var payload = new JwtPayload( new Claim[]{new Claim("iss", "issuer")});
var jwt = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), "");
var handler = new JwtSecurityTokenHandler();
var signedJwt = handler.WriteToken(jwt);
SecurityToken token = null;
var validationParameters =
new TokenValidationParameters
{
IssuerSigningToken = new X509SecurityToken(cert),
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
handler.ValidateToken(signedJwt, validationParameters, out token);
validationParameters =
new TokenValidationParameters
{
IssuerSigningKey = new X509SecurityKey(cert),
ValidateAudience = false,
ValidateIssuer = false,
ValidateLifetime = false,
};
handler.ValidateToken(signedJwt, validationParameters, out token);
}
