public void JwtSecurityFailureTest()
{
var issuer = new Uri("http://localhost/Issuer");
string token = new JwtTokenBuilder()
.SetIssuer(issuer.ToString())
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.SetClaim(new Claim("Email", "*****@*****.**"))
.SetCertificate(_jwtVaultTest.GetCertificate(_workContext))
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.AddCertificate(_vaultData.GetCertificate(_workContext))
.AddValidIssuer(issuer.ToString())
.Build()
.Parse(_workContext, token);
// Failure
tokenDetails.Should().BeNull();
tokenDetails = new JwtTokenParserBuilder()
.AddCertificate(_jwtVaultTest.GetCertificate(_workContext))
.AddCertificate(_vaultData.GetCertificate(_workContext))
.AddValidIssuer(issuer.ToString())
.Build()
.Parse(_workContext, token);
tokenDetails.Should().NotBeNull();
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(_jwtVaultTest.LocalCertificateKey.Thumbprint);
}
public void GivenIdentity_WhenSigned_ShouldValidate()
{
var documentId = new DocumentId("test/unit-tests-identity/identity1");
string kid = Guid.NewGuid().ToString();
string subject = "*****@*****.**";
string digest = Guid.NewGuid().ToString();
RSAParameters rsaParameter = Create(documentId);
IPrincipalSignature principle = new PrincipalSignature(kid, "test.com", "spin.com", subject, rsaParameter);
string token = new JwtTokenBuilder()
.SetDigest(digest)
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.SetPrincipleSignature(principle)
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(principle)
.Build()
.Parse(token);
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(kid);
tokenDetails.JwtSecurityToken.Subject.Should().Be(subject);
}
public void JwtSecurityTokenBuilderTest()
{
const string userId = "*****@*****.**";
const string emailText = "Email";
const string emailId = "*****@*****.**";
string token = new JwtTokenBuilder()
.SetAudience(new Uri("http://localhost/audience").ToString())
.SetIssuer(new Uri("http://localhost/Issuer").ToString())
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.SetClaim(new Claim(emailText, emailId))
.AddSubject(userId)
.SetCertificate(_jwtVaultTest.GetCertificate(_workContext))
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.AddCertificate(_jwtVaultTest.GetCertificate(_workContext))
.Build()
.Parse(_workContext, token);
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(_jwtVaultTest.LocalCertificateKey.Thumbprint);
tokenDetails.JwtSecurityToken.Subject.Should().Be(userId);
tokenDetails.JwtSecurityToken.Claims.Any(x => x.Type == emailText && x.Value == emailId).Should().BeTrue();
}
public async Task <bool> Validate(ValidateRequest validateRequest, CancellationToken token)
{
_logger.LogTrace($"Validate for id={validateRequest.Id}");
foreach (var request in validateRequest.PrincipleDigests)
{
IdentityEntry?identityEntry = await GetIdentity(request.PrincipleId, token);
if (identityEntry == null || request.JwtSignature.IsEmpty())
{
_logger.LogError($"Cannot find signing data for PrincipleId={request.PrincipleId}");
return(false);
}
IPrincipalSignature principleSignature = new PrincipalSignature(request.PrincipleId, _issuer, _audience, identityEntry.Subject, identityEntry.GetRsaParameters());
try
{
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(principleSignature)
.Build()
.Parse(request.JwtSignature);
_logger.LogTrace($"JWT validated for PrincipleId={request.PrincipleId}");
}
catch (Exception ex)
{
_logger.LogError(ex, $"Failed validation for PrincipleId={request.PrincipleId}");
return(false);
}
}
return(true);
}
public void GivenJwtSigned_ShouldValidate()
{
string kid = Guid.NewGuid().ToString();
string subject = "*****@*****.**";
string digest = Guid.NewGuid().ToString();
IPrincipalSignature principle = new PrincipalSignature(kid, "test.com", "spin.com", subject);
string token = new JwtTokenBuilder()
.SetDigest(digest)
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.SetPrincipleSignature(principle)
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(principle)
.Build()
.Parse(token);
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(kid);
tokenDetails.JwtSecurityToken.Subject.Should().Be(subject);
}
public void JwtSecurityTokenBuilderTest()
{
const string userId = "*****@*****.**";
const string emailText = "Email";
const string emailId = "*****@*****.**";
IPrincipalSignature principle = _jwtPrincipleSignature.WithSubject(userId);
string token = new JwtTokenBuilder()
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.AddClaim(new Claim(emailText, emailId))
.SetPrincipleSignature(principle)
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(_jwtPrincipleSignature)
.Build()
.Parse(token);
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(jwtKeyId);
tokenDetails.JwtSecurityToken.Subject.Should().Be(userId);
tokenDetails.JwtSecurityToken.Claims.Any(x => x.Type == emailText && x.Value == emailId).Should().BeTrue();
}
public void JwtSecurityFailureTest()
{
string token = new JwtTokenBuilder()
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.AddClaim(new Claim("Email", "*****@*****.**"))
.SetPrincipleSignature(_jwtPrincipleSignature)
.Build();
token.Should().NotBeNullOrEmpty();
IPrincipalSignature principle = _vaultPrincipleSignature.WithIssuer("bad issuer");
Action act = () => new JwtTokenParserBuilder()
.SetPrincipleSignature(principle)
.Build()
.Parse(token);
// Failure
act.Should().Throw <SecurityTokenUnableToValidateException>();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(_jwtPrincipleSignature)
.Build()
.Parse(token);
tokenDetails.Should().NotBeNull();
tokenDetails.JwtSecurityToken.Header.Kid.Should().Be(_jwtVaultTest.LocalCertificateKey.Thumbprint);
}
/// <summary>
/// Parse authorization token received from the server and return details.
/// </summary>
/// <param name="context">context</param>
/// <param name="authorizationToken">authorization token to parse</param>
/// <param name="issuer">validate against issuer</param>
/// <returns>JWT details and client identity (client identity can be null if not found in repository)</returns>
public async Task <JwtTokenDetails> ParseAuthorizationToken(IWorkContext context, string authorizationToken)
{
Verify.IsNotNull(nameof(context), context);
Verify.IsNotEmpty(nameof(authorizationToken), authorizationToken);
context = context.WithTag(_tag);
List <X509Certificate2> certificates = new List <X509Certificate2>();
foreach (var item in _clientTokenManagerConfiguration.ServerSigningCertificateKeys)
{
certificates.Add(await _certificateRepository.GetCertificate(context, item, throwOnNotFound: true));
}
try
{
JwtTokenDetails details = new JwtTokenParserBuilder()
.AddCertificates(certificates)
.AddValidIssuer(_clientTokenManagerConfiguration.TokenKey.AuthorizationIssuer)
.Build()
.Parse(context, authorizationToken);
return(details);
}
catch (Exception ex)
{
NetEventSource.Log.Warning(context, "Exception processing JWT token", ex);
throw;
}
}
public void JwtSecurityTokenIssuerTest()
{
string issuer = "http://localhost/Issuer";
IPrincipalSignature principle = _jwtPrincipleSignature.WithIssuer(issuer);
string token = new JwtTokenBuilder()
.SetExpires(DateTime.Now.AddDays(10))
.SetIssuedAt(DateTime.Now)
.AddClaim(new Claim("Email", "*****@*****.**"))
.SetPrincipleSignature(_jwtPrincipleSignature)
.Build();
token.Should().NotBeNullOrEmpty();
JwtTokenDetails tokenDetails = new JwtTokenParserBuilder()
.SetPrincipleSignature(_jwtPrincipleSignature)
.Build()
.Parse(token);
}
/// <summary>
/// Create JWT token for access to server
/// </summary>
/// <param name="context">context</param>
/// <param name="requestToken"></param>
/// <returns></returns>
public async Task <string> CreateAutorizationToken(IWorkContext context, string requestToken)
{
Verify.IsNotNull(nameof(context), context);
Verify.IsNotEmpty(nameof(requestToken), requestToken);
context = context.WithTag(_tag);
var certificateList = new List <X509Certificate2>();
foreach (var item in _configuration.TokenAuthorizationRequestCertificateKeys)
{
certificateList.Add(await _certificateRepository.GetCertificate(context, item, true));
}
JwtTokenParser requestTokenParser = new JwtTokenParserBuilder()
.AddCertificates(certificateList)
.AddValidIssuers(_configuration.ValidIssuers)
.Build();
JwtTokenDetails details = requestTokenParser.Parse(context, requestToken);
if (details == null || details.JwtSecurityToken.Payload.Sub.IsEmpty())
{
NetEventSource.Log.Verbose(context, "Payload.Sub is empty");
return(null);
}
IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(details.JwtSecurityToken.Payload.Sub));
// If JWT subject is a valid issuer, then this should be a service principal
if (_configuration.ValidIssuers.Any(x => x == details.JwtSecurityToken.Payload.Sub))
{
if (identity == null)
{
identity = new IdentityPrincipal(new PrincipalId(details.JwtSecurityToken.Payload.Sub), IdentityPrincipalType.Service);
}
else
{
if (identity.PrincipalType != IdentityPrincipalType.Service)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} is not a service principal");
return(null);
}
}
}
else
{
// Identity principal does not exist
if (identity == null)
{
NetEventSource.Log.Verbose(context, $"Identity {details.JwtSecurityToken.Payload.Sub} does not exist");
return(null);
}
}
DateTime expires = DateTime.UtcNow + _configuration.TokenAuthorization.GoodFor;
identity = identity.With(ApiKey.CreateApiKey(expires));
await _identityRepository.SetAsync(context, identity);
X509Certificate2 certificate = await _certificateRepository.GetCertificate(
context,
_configuration.TokenAuthorization.AuthorizationSigningCertificateKey,
throwOnNotFound : true);
string token = new JwtTokenBuilder()
.AddSubject(identity.PrincipalId)
.SetAudience(_configuration.TokenAuthorization.Audience)
.SetIssuer(_configuration.TokenAuthorization.Issuer)
.SetExpires(expires)
.SetIssuedAt(DateTime.Now)
.SetWebKey(identity.ApiKey.Value)
.SetCertificate(certificate)
.Build();
return(token);
}
