public async Task IssueAndRefreshAccessTokenWithLongTerm()
{
string longTermExpiry = "XRefreshExpiry";
var jwtService = JwtServiceFactory.Create(
TimeSpan.FromSeconds(1),
TimeSpan.FromSeconds(2),
TimeSpan.FromSeconds(5),
longTermExpiry,
TimeSpan.FromSeconds(1));
var user = GetUser();
var access = jwtService
.IssueAccessToken(user.id, user.name, user.roles, true);
await Task.Delay(4000);
var refreshedAccess = jwtService
.RefreshAccessToken(
access.Tokens.AccessToken.Value,
access.Tokens.RefreshToken.Value);
Assert.True(refreshedAccess.Result == JwtTokenResult.TokenResult.Ok);
var refreshDetails = new JwtTokenDetails()
.Get(refreshedAccess.Tokens.RefreshToken.Value);
Assert.True(refreshDetails.Expiration > DateTime.UtcNow.AddSeconds(2) &&
refreshDetails.Expiration < DateTime.UtcNow.AddSeconds(5));
Assert.Contains(refreshDetails.Claims, x => x.Type.Equals(longTermExpiry) &&
x.Value.Equals(Boolean.TrueString));
}
public void IssueAccessTokenWithLongTermRefresh()
{
string longTermExpiry = "XRefreshExpiry";
var jwtService = JwtServiceFactory.Create(
TimeSpan.FromSeconds(10),
TimeSpan.FromMinutes(5),
TimeSpan.FromHours(1),
longTermExpiry,
TimeSpan.FromSeconds(10));
var user = GetUser();
var access = jwtService
.IssueAccessToken(user.id, user.name, user.roles, true);
Assert.True(access.Result == JwtTokenResult.TokenResult.Ok);
Assert.NotNull(access.Tokens);
Assert.NotNull(access.Tokens.AccessToken);
Assert.NotNull(access.Tokens.RefreshToken);
var refreshDetails = new JwtTokenDetails()
.Get(access.Tokens.RefreshToken.Value);
Assert.True(refreshDetails.Expiration > DateTime.UtcNow.AddMinutes(5) &&
refreshDetails.Expiration < DateTime.UtcNow.AddMinutes(60));
Assert.Contains(refreshDetails.Claims, x => x.Type.Equals(longTermExpiry) &&
x.Value.Equals(Boolean.TrueString));
}
/// <summary>
/// Validate current JWT server authorization token and renew if expired
/// </summary>
/// <param name="context">context</param>
/// <returns>true if authorization server's authorization token is valid, false if not</returns>
private async Task <bool> Validate(IWorkContext context, bool renewIfRequired = true)
{
Verify.IsNotNull(nameof(context), context);
if (_jwtTokenDetails != null && !_jwtTokenDetails.IsExpired)
{
return(true);
}
string requestToken = await _clientTokenManager.CreateRequestToken(context);
if (requestToken == null || !renewIfRequired)
{
return(false);
}
RestResponse <string> response = await _clientTokenManager.RequestServerAuthorizationToken(context, requestToken);
response.AssertSuccessStatusCode(context);
Verify.IsNotNull(nameof(response.Value), response.Value);
JwtTokenDetails jwtToken = await _clientTokenManager.ParseAuthorizationToken(context, response.Value);
_jwtTokenDetails = jwtToken;
return(true);
}
public void IssueTokenAndAssertDetails()
{
var jwtService = JwtServiceFactory.Create(
TimeSpan.FromSeconds(10),
TimeSpan.FromMinutes(5),
TimeSpan.FromSeconds(10));
var user = GetUserWithCustomClaime();
var tokenModel = jwtService
.IssueAccessToken(user.id, user.name, user.roles, user.claims);
var tokenDetails = new JwtTokenDetails()
.Get(tokenModel.Tokens.AccessToken.Value);
Assert.Equal(tokenModel.Tokens.AccessToken.Expiration.ToShortTimeString(), tokenDetails.Expiration.ToShortTimeString());
Assert.Equal(tokenModel.Tokens.AccessToken.Jti, tokenDetails.Jti);
Assert.Equal(user.id, tokenDetails.Subject);
Assert.All(tokenDetails.Roles, role => user.roles.Contains(role));
}
/// <summary>
/// Create JWT token for access to server
/// </summary>
/// <param name="context">context</param>
/// <param name="requestToken"></param>
/// <returns></returns>
public async Task <string> CreateAutorizationToken(IWorkContext context, string requestToken)
{
Verify.IsNotNull(nameof(context), context);
Verify.IsNotEmpty(nameof(requestToken), requestToken);
context = context.WithTag(_tag);
var certificateList = new List <X509Certificate2>();
foreach (var item in _configuration.TokenAuthorizationRequestCertificateKeys)
{
certificateList.Add(await _certificateRepository.GetCertificate(context, item, true));
}
JwtTokenParser requestTokenParser = new JwtTokenParserBuilder()
.AddCertificates(certificateList)
.AddValidIssuers(_configuration.ValidIssuers)
.Build();
JwtTokenDetails details = requestTokenParser.Parse(context, requestToken);
if (details == null || details.JwtSecurityToken.Payload.Sub.IsEmpty())
{
NetEventSource.Log.Verbose(context, "Payload.Sub is empty");
return(null);
}
IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(details.JwtSecurityToken.Payload.Sub));
// If JWT subject is a valid issuer, then this should be a service principal
if (_configuration.ValidIssuers.Any(x => x == details.JwtSecurityToken.Payload.Sub))
{
if (identity == null)
{
identity = new IdentityPrincipal(new PrincipalId(details.JwtSecurityToken.Payload.Sub), IdentityPrincipalType.Service);
}
else
{
if (identity.PrincipalType != IdentityPrincipalType.Service)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} is not a service principal");
return(null);
}
}
}
else
{
// Identity principal does not exist
if (identity == null)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} does not exist");
return(null);
}
}
DateTime expires = DateTime.UtcNow + _configuration.TokenAuthorization.GoodFor;
identity = identity.With(ApiKey.CreateApiKey(expires));
await _identityRepository.SetAsync(context, identity);
X509Certificate2 certificate = await _certificateRepository.GetCertificate(
context,
_configuration.TokenAuthorization.AuthorizationSigningCertificateKey,
throwOnNotFound : true);
string token = new JwtTokenBuilder()
.AddSubject(identity.PrincipalId)
.SetAudience(_configuration.TokenAuthorization.Audience)
.SetIssuer(_configuration.TokenAuthorization.Issuer)
.SetExpires(expires)
.SetIssuedAt(DateTime.Now)
.SetWebKey(identity.ApiKey.Value)
.SetCertificate(certificate)
.Build();
return(token);
}
