public void JwtPalyoad_Claims() { List<string> errors = new List<string>(); var jwtPayload = new JwtPayload(); // multiple audiences foreach (string aud in IdentityUtilities.DefaultAudiences) { jwtPayload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, aud)); } string encodedPayload = jwtPayload.Base64UrlEncode(); var deserializedPayload = JwtPayload.Base64UrlDeserialize(encodedPayload); if (!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)) { errors.Add("!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)"); } if (!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)) { errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)"); } TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors); }
public async Task <string> BuildSerializedIdTokenAsync(string issuer, string audience, int duration, string userEmail) { // Parameters that are transmited in the ID Token assertion are communicated as claims var claims = new List <System.Security.Claims.Claim> { new System.Security.Claims.Claim("email", userEmail, System.Security.Claims.ClaimValueTypes.String, issuer) }; var header = new JwtHeader(_vaultCryptoValues.Value.SigningCredentials); var payload = new JwtPayload( issuer, audience, claims, DateTime.Now, DateTime.Now.AddMinutes(duration)); // Use the intended JWT Token's Header and Payload value as the data for the token's Signature var unsignedTokenText = $"{header.Base64UrlEncode()}.{payload.Base64UrlEncode()}"; var byteData = Encoding.UTF8.GetBytes(unsignedTokenText); // Use KV Cryptography Client to compute the signature var cryptographyClient = _vaultCryptoValues.Value.CryptographyClient; // SignData will create the digest and encode it (whereas Sign requires that the digest is computed here and to be sent in.) var signatureResult = await cryptographyClient .SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData) .ConfigureAwait(false); var encodedSignature = Base64UrlEncoder.Encode(signatureResult.Signature); // Assemble the header, payload, and encoded signatures var result = $"{unsignedTokenText}.{encodedSignature}"; return(result); }
public PrivateApiResponse <T> SendRequestWithIdentityHeaderConvertJwt <T>(object content, Dictionary <string, object> headerValue, HttpMethod httpMethod, string contentType = "application/json") { string contentString = ConvertToJsonString(content); using (LogHelper.LoggerForCurrentTest.EnterReproStep($"Send request that contains Jwt X-IDENTITY header with {InternalTestEndpoint}")) { var HrbcAuth = InternalConnection.GetCookieValue("HRBCAUTH"); var tokenHeader = HrbcAuth.Split('.')[0]; var tokenSecret = HrbcAuth.Split('.')[2]; var tokenhandler = new JwtSecurityTokenHandler(); var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth); var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value); var curPayLoad = new Dictionary <string, object>(); foreach (var item in headerValue) { curPayLoad[item.Key.ToString()] = item.Value; } newPayLoad["payload"] = curPayLoad; JwtPayload jwtPayload = new JwtPayload(); foreach (var item in newPayLoad) { jwtPayload.Add(item.Key, item.Value); } InternalConnection.DeleteAllCookies(); InternalConnection.Headers.Clear(); InternalConnection.Headers.Add("X-IDENTITY", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}"); return(ProcessResponseWithContent <T>(InternalConnection.SendAsync(InternalTestEndpoint, contentString, httpMethod, contentType).Result)); } }
public static JwtSecurityToken CreateJwtSecurityToken(string issuer, string audience, IEnumerable <Claim> claims, DateTime?nbf, DateTime?exp, DateTime?iat, SigningCredentials signingCredentials) { JwtPayload payload = new JwtPayload(issuer, audience, claims, nbf, exp, iat); JwtHeader header = (signingCredentials != null) ? new JwtHeader(signingCredentials) : new JwtHeader(); return(new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), "")); }
public void JwtPayload_Claims() { List <string> errors = new List <string>(); var jwtPayload = new JwtPayload(); // multiple audiences foreach (string aud in IdentityUtilities.DefaultAudiences) { jwtPayload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, aud)); } string encodedPayload = jwtPayload.Base64UrlEncode(); var deserializedPayload = JwtPayload.Base64UrlDeserialize(encodedPayload); if (!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)) { errors.Add("!IdentityComparer.AreEqual(jwtPayload, deserializedPayload)"); } if (!IdentityComparer.AreEqual <IEnumerable <string> >(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)) { errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(jwtPayload.Aud, IdentityUtilities.DefaultAudiences)"); } TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors); }
public PrivateApiResponse<T> ForcePasswordChangeDiffHeaderWithContent<T>(IEnumerable<KeyValuePair<string, object>> parameters, object content, HttpMethod httpMethod, string contentType = "application/json") { string contentString = ConvertToJsonString(content); var HrbcAuth = Connection.GetCookieValue("HRBCAUTH"); var tokenHeader = HrbcAuth.Split('.')[0]; var tokenSecret = HrbcAuth.Split('.')[2]; var tokenhandler = new JwtSecurityTokenHandler(); var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth); var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value); var curPayLoad = JsonConvert.DeserializeObject<Dictionary<string, object>>(newPayLoad["payload"].ToString()); foreach (var item in parameters) { curPayLoad[item.Key] = item.Value; } newPayLoad["payload"] = curPayLoad; JwtPayload jwtPayload = new JwtPayload(); foreach (var item in newPayLoad) { jwtPayload.Add(item.Key, item.Value); } Connection.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}"); using (LogHelper.LoggerForCurrentTest.EnterReproStep($"Force password change with {ForceEndpoint}")) { return ProcessResponseWithContent<T>(Connection.SendAsync(ForceEndpoint, contentString, httpMethod, contentType).Result); } }
public static JwtSecurityToken GenerateToken(string username) { var header = new JwtHeader { ["alg"] = "HS256" }; var payload = new JwtPayload(new[] { new Claim("username", username) }); var hmac = new HMACSHA256(Secret); var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(string.Join(".", header.Base64UrlEncode(), payload.Base64UrlEncode()))); return(new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), System.IdentityModel.Tokens.Base64UrlEncoder.Encode(hash))); }
private void RunEncodingVariation(List <Claim> claims, Dictionary <string, object> values, CompareContext context) { var jwtPayload1 = new JwtPayload(claims); var jwtPayload2 = new JwtPayload(); foreach (var kv in values) { jwtPayload2[kv.Key] = kv.Value; } IdentityComparer.AreEqual(jwtPayload1, jwtPayload2, context); jwtPayload1 = JwtPayload.Base64UrlDeserialize(jwtPayload1.Base64UrlEncode()); jwtPayload2 = JwtPayload.Base64UrlDeserialize(jwtPayload2.Base64UrlEncode()); IdentityComparer.AreEqual(jwtPayload1, jwtPayload2, context); }
public async Task <string> BuildSerializedIdTokenAsync(string issuer, string audience, int duration, string userEmail) { // Parameters that are transmited in the ID Token assertion are communicated as claims var claims = new List <System.Security.Claims.Claim> { new System.Security.Claims.Claim("email", userEmail, System.Security.Claims.ClaimValueTypes.String, issuer) }; var header = new JwtHeader(_vaultCryptoValues.Value.SigningCredentials); var payload = new JwtPayload( issuer, audience, claims, DateTime.Now, DateTime.Now.AddMinutes(duration)); // Use the intended JWT Token's Header and Payload value as the data for the token's Signature var unsignedTokenText = $"{header.Base64UrlEncode()}.{payload.Base64UrlEncode()}"; var byteData = Encoding.UTF8.GetBytes(unsignedTokenText); // Use KV Cryptography Client to compute the signature var cryptographyClient = _vaultCryptoValues.Value.CryptographyClient; // SignData will create the digest and encode it (whereas Sign requires that the digest is computed here and to be sent in.) var signatureResult = await cryptographyClient .SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData) .ConfigureAwait(false); var encodedSignature = Base64UrlEncoder.Encode(signatureResult.Signature); // Alternatively, download the certificate and sign it locally to minimize the request count to the KeyVault instance // TODO - Download once - replace ReadCertificate with DownloadCertificate and (CAREFULLY) hold on to the downloaded Private Key ////var downloadCertificateResult = _certificateClient.DownloadCertificate(certificateName); // Use download instead of "Get" to retrieve the full certificate with Private Key. ////var downloadedCert = downloadCertificateResult.Value; // TODO - Create a local crypto client instance using the RSA Private Key and use it to sign the data ////var localCryptographyClient = new Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient(new Azure.Security.KeyVault.Keys.JsonWebKey(downloadedCert.GetRSAPrivateKey())); ////var signatureResult = await localCryptographyClient //// .SignDataAsync(_vaultCryptoValues.Value.SigningCredentials.Algorithm, byteData) //// .ConfigureAwait(false); // Assemble the header, payload, and encoded signatures var result = $"{unsignedTokenText}.{encodedSignature}"; return(result); }
public JwtSecurityToken GenerateToken(List <Claim> parametrs) { if (parametrs == null) { throw new Exception("Token payload can not be null"); } var header = new JwtHeader(); var payload = new JwtPayload("CHNU", string.Empty, parametrs, DateTime.Now, DateTime.Now.AddDays(7)); header["alg"] = ALGORITHM; var encHeader = header.Base64UrlEncode(); var encPayload = payload.Base64UrlEncode(); var token = new JwtSecurityToken(header, payload, encHeader, encPayload, CryptoProvider.GenerateSHMACHash($"{encHeader}.{encPayload}")); return(token); }
public void JwtPayloadUnicodeMapping() { string issuer = "a\\b"; List <Claim> claims = new List <Claim>(); JwtPayload unicodePayload = new JwtPayload("a\u005Cb", "", claims, null, null); string json = unicodePayload.SerializeToJson(); JwtPayload payload = new JwtPayload(issuer, "", claims, null, null); string json2 = payload.SerializeToJson(); Assert.Equal(json, json2); JwtPayload retrievePayload = JwtPayload.Deserialize(json); Assert.Equal(retrievePayload.Iss, issuer); json = unicodePayload.Base64UrlEncode(); json2 = payload.Base64UrlEncode(); Assert.Equal(json, json2); retrievePayload = JwtPayload.Base64UrlDeserialize(json); Assert.Equal(retrievePayload.Iss, issuer); }
public static void InsertParamToHeader(IEnumerable <KeyValuePair <string, object> > parameters, ref AuthApiConnection connectionAuthApi) { var HrbcAuth = connectionAuthApi.GetCookieValue("HRBCAUTH"); var tokenHeader = HrbcAuth.Split('.')[0]; var tokenSecret = HrbcAuth.Split('.')[2]; var tokenhandler = new JwtSecurityTokenHandler(); var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth); var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value); var curPayLoad = JsonConvert.DeserializeObject <Dictionary <string, object> >(newPayLoad["payload"].ToString()); foreach (var item in parameters) { curPayLoad[item.Key] = item.Value; } newPayLoad["payload"] = curPayLoad; JwtPayload jwtPayload = new JwtPayload(); foreach (var item in newPayLoad) { jwtPayload.Add(item.Key, item.Value); } connectionAuthApi.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}"); }
private void GetJWT(Dictionary <string, string> request) { var connection = AuthApiConnection.GetConnectionForCurrentTest(); var HrbcAuth = connection.GetCookieValue("HRBCAUTH"); var tokenHeader = HrbcAuth.Split('.')[0]; var tokenSecret = HrbcAuth.Split('.')[2]; var tokenhandler = new JwtSecurityTokenHandler(); var tokenObj = tokenhandler.ReadJwtToken(HrbcAuth); var newPayLoad = tokenObj.Payload.ToDictionary(p => p.Key, p => p.Value); var curPayLoad = JsonConvert.DeserializeObject <Dictionary <string, object> >(newPayLoad["payload"].ToString()); foreach (var item in request) { curPayLoad[item.Key] = item.Value; } newPayLoad["payload"] = curPayLoad; JwtPayload jwtPayload = new JwtPayload(); foreach (var item in newPayLoad) { jwtPayload.Add(item.Key, item.Value); } connection.AddCookie("HRBCAUTH", $"{tokenHeader}.{jwtPayload.Base64UrlEncode()}.{tokenSecret}"); }
public void EmptyToken() { var handler = new JwtSecurityTokenHandler(); var payload = new JwtPayload(); var header = new JwtHeader(); var jwtToken = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), ""); var jwt = handler.WriteToken(jwtToken); var context = new CompareContext(); IdentityComparer.AreJwtSecurityTokensEqual(jwtToken, new JwtSecurityToken(handler.WriteToken(jwtToken)), context); TestUtilities.AssertFailIfErrors(context.Diffs); }
public void JwtHeader_SigningKeyIdentifier() { var cert = KeyingMaterial.DefaultAsymmetricCert_2048; var header = new JwtHeader(new X509SigningCredentials(cert)); var payload = new JwtPayload(new Claim[] { new Claim("iss", "issuer") }); var jwt = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), ""); var handler = new JwtSecurityTokenHandler(); var signedJwt = handler.WriteToken(jwt); SecurityToken token = null; var validationParameters = new TokenValidationParameters { IssuerSigningToken = new X509SecurityToken(cert), ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; handler.ValidateToken(signedJwt, validationParameters, out token); validationParameters = new TokenValidationParameters { IssuerSigningKey = new X509SecurityKey(cert), ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; handler.ValidateToken(signedJwt, validationParameters, out token); }
public void EmptyToken() { var handler = new JwtSecurityTokenHandler(); var payload = new JwtPayload(); var header = new JwtHeader(); var jwtToken = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), ""); var jwt = handler.WriteToken(jwtToken); var context = new CompareContext(); context.PropertiesToIgnoreWhenComparing = new Dictionary <Type, List <string> > { { typeof(JwtHeader), new List <string> { "Item" } }, { typeof(JwtPayload), new List <string> { "Item" } } }; IdentityComparer.AreJwtSecurityTokensEqual(jwtToken, new JwtSecurityToken(handler.WriteToken(jwtToken)), context); TestUtilities.AssertFailIfErrors(context.Diffs); }
/// <summary> /// Uses the <see cref="JwtSecurityToken(JwtHeader, JwtPayload, string, string, string)"/> constructor, first creating the <see cref="JwtHeader"/> and <see cref="JwtPayload"/>. /// <para>If <see cref="SigningCredentials"/> is not null, <see cref="JwtSecurityToken.RawData"/> will be signed.</para> /// </summary> /// <param name="issuer">the issuer of the token.</param> /// <param name="audience">the audience for this token.</param> /// <param name="subject">the source of the <see cref="Claim"/>(s) for this token.</param> /// <param name="notBefore">the notbefore time for this token.</param> /// <param name="expires">the expiration time for this token.</param> /// <param name="signingCredentials">contains cryptographic material for generating a signature.</param> /// <param name="signatureProvider">optional <see cref="SignatureProvider"/>.</param> /// <remarks>If <see cref="ClaimsIdentity.Actor"/> is not null, then a claim { actort, 'value' } will be added to the payload. <see cref="CreateActorValue"/> for details on how the value is created. /// <para>See <seealso cref="JwtHeader"/> for details on how the HeaderParameters are added to the header.</para> /// <para>See <seealso cref="JwtPayload"/> for details on how the values are added to the payload.</para></remarks> /// <para>If signautureProvider is not null, then it will be used to create the signature and <see cref="System.IdentityModel.Tokens.SignatureProviderFactory.CreateForSigning( SecurityKey, string )"/> will not be called.</para> /// <returns>A <see cref="JwtSecurityToken"/>.</returns> /// <exception cref="ArgumentException">if 'expires' <= 'notBefore'.</exception> public virtual JwtSecurityToken CreateToken(string issuer = null, string audience = null, ClaimsIdentity subject = null, DateTime? notBefore = null, DateTime? expires = null, SigningCredentials signingCredentials = null, SignatureProvider signatureProvider = null) { if (expires.HasValue && notBefore.HasValue) { if (notBefore >= expires) { throw new ArgumentException(string.Format(CultureInfo.InvariantCulture, ErrorMessages.IDX10401, expires.Value, notBefore.Value)); } } // if not set, use defaults if (!expires.HasValue && !notBefore.HasValue) { DateTime now = DateTime.UtcNow; expires = now + TimeSpan.FromMinutes(TokenLifetimeInMinutes); notBefore = now; } JwtPayload payload = new JwtPayload(issuer, audience, subject == null ? null : subject.Claims, notBefore, expires); JwtHeader header = new JwtHeader(signingCredentials); if (subject != null && subject.Actor != null) { payload.AddClaim(new Claim(JwtRegisteredClaimNames.Actort, this.CreateActorValue(subject.Actor))); } string rawHeader = header.Base64UrlEncode(); string rawPayload = payload.Base64UrlEncode(); string rawSignature = string.Empty; string signingInput = string.Concat(rawHeader, ".", rawPayload); if (signatureProvider != null) { rawSignature = Base64UrlEncoder.Encode(this.CreateSignature(signingInput, null, null, signatureProvider)); } else if (signingCredentials != null) { rawSignature = Base64UrlEncoder.Encode(this.CreateSignature(signingInput, signingCredentials.SigningKey, signingCredentials.SignatureAlgorithm, signatureProvider)); } return new JwtSecurityToken(header, payload, rawHeader, rawPayload, rawSignature); }
public string GetSignedAndEncodedToken(LoggedInApplication loggedInApp) { // Get application var consumerApplication = _applications.FirstOrDefault(i => i.ID == loggedInApp.ID); // Get applciation token var applicationToken = _applicationTokens.FirstOrDefault(i => i.Token == loggedInApp.TokenUsedToAuthorize); // Get schemas from approved var providerLicenseIds = _consumerRegistrationRequests.Where(i => i.ConsumerApplicationID == consumerApplication.ID) .Where(i => i.Status == (int)ConsumerProviderRegistrationStatus.Approved) .Select(i => i.OrganizationLicenseID); var schemasFromProviderLicenses = new List <int>(); foreach (var providerLicenseId in providerLicenseIds) { var providerLicense = _organisationLicenses.GetById(providerLicenseId); schemasFromProviderLicenses.Add(providerLicense.DataSchemaID); } // Get schemas for each agreements var schemasFromAgreements = schemasFromProviderLicenses.Distinct().ToList(); // Filter schemas var schemaIds = schemasFromAgreements.Distinct(); // Setup software statement schemas var schemas = new List <SoftwareStatementSchema>(); foreach (var schemaId in schemaIds) { var schema = _dataSchemas.FirstOrDefault(i => i.ID == schemaId); var schemaDetails = schema.ToStmtSchema(); schemas.Add(schemaDetails); } // Software statement will expire in 5 years for now. var time = GetDate.AddYears(5) - new DateTime(1970, 1, 1); var expireEpoch = (int)time.TotalSeconds; var signingCredentials = new SigningCredentials(GetSigningKey(), SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest); // Create Software Statement. var header = new JwtHeader(signingCredentials); var payload = new JwtPayload(); payload.AddClaim(new Claim("software_id", consumerApplication.PublicID.ToString())); payload.AddClaim(new Claim("client_name", consumerApplication.Name)); payload.AddClaim(new Claim("client_uri", applicationToken.OriginHost)); payload.AddClaim(new Claim("iss", "42e01f09-0dea-42b2-b5e1-0f1e87547329")); payload.AddClaim(new Claim("sub", "10e5766e-aff1-4b2e-b926-1a1b4ccf566c")); payload.AddClaim(new Claim("aud", "urn:oauth:scim:reg:generic")); payload.AddClaim(new Claim("exp", expireEpoch.ToString())); payload.AddClaim(new Claim("schemas", JsonConvert.SerializeObject(schemas))); payload.Base64UrlEncode(); var jwt = new JwtSecurityToken(header, payload); // Sign Software Statement. var tokenHandler = new JwtSecurityTokenHandler(); var signedAndEncodedToken = tokenHandler.WriteToken(jwt); return(signedAndEncodedToken); }
public void JwtHeader_SigningKeyIdentifier() { var cert = KeyingMaterial.DefaultAsymmetricCert_2048; var header = new JwtHeader(new X509SigningCredentials(cert)); var payload = new JwtPayload( new Claim[]{new Claim("iss", "issuer")}); var jwt = new JwtSecurityToken(header, payload, header.Base64UrlEncode(), payload.Base64UrlEncode(), ""); var handler = new JwtSecurityTokenHandler(); var signedJwt = handler.WriteToken(jwt); SecurityToken token = null; var validationParameters = new TokenValidationParameters { IssuerSigningToken = new X509SecurityToken(cert), ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; handler.ValidateToken(signedJwt, validationParameters, out token); validationParameters = new TokenValidationParameters { IssuerSigningKey = new X509SecurityKey(cert), ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; handler.ValidateToken(signedJwt, validationParameters, out token); }