public async Task IsValidToken_WithTokenValidationParameters_NullClaims_ValidToken()
{
// Arrange
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
IdentityModelEventSource.ShowPII = true;
int daysValid = 7;
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = issuer,
ValidAudience = authority,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(privateKey))
};
string token = CreateJwt(issuer, authority, privateKey, daysValid);
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(tokenValidationParameters);
bool isTokenValid = await jwtTokenReader.IsValidTokenAsync(token);
// Assert
Assert.True(isTokenValid);
}
public void Constructor_ValidateClaimCheck_Not_In_Jwt_Claims()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string oid = Util.GetRandomString(10);
string aad = Util.GetRandomString(10);
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
int daysValid = 7;
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, authority },
{ "oid", oid },
{ "uud", Guid.NewGuid().ToString() },
{ "aad", aad }
};
string token = CreateJwt(issuer, authority, privateKey, daysValid, claimCheck);
JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
JwtSecurityToken securityToken = handler.ReadJwtToken(token);
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(claimCheck);
bool isValid = jwtTokenReader.ValidateClaimCheck(securityToken);
// Assert
Assert.False(isValid);
}
public async Task IsValidToken_WithTokenValidationParametersAndClaimCheck_InvalidToken_WithException()
{
// Arrange
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
string issuer = Util.GetRandomString(10);
string authority = Util.GetRandomString(10);
int daysValid = 7;
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, authority }
};
string token = CreateJwt(issuer, authority, privateKey, daysValid, claimCheck);
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(tokenValidationParameters, claimCheck);
bool isTokenValid = await jwtTokenReader.IsValidTokenAsync(token);
// Assert
Assert.False(isTokenValid);
}
public async Task GetHealthWithIncorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
string issuer = GenerateRandomUri();
string authority = GenerateRandomUri();
string privateKey = GenerateRandomPrivateKey();
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
_testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
var accessToken = $"Bearer {_bogusGenerator.Random.AlphaNumeric(10)}.{_bogusGenerator.Random.AlphaNumeric(50)}.{_bogusGenerator.Random.AlphaNumeric(40)}";
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithoutBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
_testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithLazyAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
string issuer = GenerateRandomUri();
string authority = GenerateRandomUri();
string privateKey = GenerateRandomPrivateKey();
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
_testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.AddJwtTokenReader(serviceProvider => reader)));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, daysValid: 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = await testOpenIdServer.GenerateTokenValidationParametersAsync();
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = await testOpenIdServer.RequestAccessTokenAsync();
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorizationAndCustomClaims_ReturnsOk()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
Dictionary <string, string> claimCheck = new Dictionary <string, string> {
{ JwtClaimTypes.Audience, Guid.NewGuid().ToString() }
};
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader, claimCheck));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7, claimCheck);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
string issuer = _bogusGenerator.Internet.Url();
string authority = _bogusGenerator.Internet.Url();
string privateKey = GenerateRandomPrivateKey();
await using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_logger))
{
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
services.AddMvc(opt => opt.Filters.AddJwtTokenAuthorization(jwt => jwt.JwtTokenReader = reader));
});
await using (var testApiServer = await TestApiServer.StartNewAsync(options, _logger))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, daysValid: 7);
var request = HttpRequestBuilder
.Get(HealthController.GetRoute)
.WithHeader(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await testApiServer.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public void Constructor_WithTokenValidationParametersAndDiscoveryEndpoint_Succeeds()
{
// Arrange
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
// Act
var jwtTokenReader = new JwtTokenReader(tokenValidationParameters, MicrosoftDiscoveryEndpoint);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithTokenValidationParameters_Succeeds()
{
// Arrange
var tokenValidationParameters = new TokenValidationParameters();
// Act
var jwtTokenReader = new JwtTokenReader(tokenValidationParameters);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithTokenValidationParametersButWithoutClaimCheck_Succeeds()
{
// Arrange
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(tokenValidationParameters);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithApplicationId_Succeeds()
{
// Arrange
string applicationId = Guid.NewGuid().ToString();
// Act
var jwtTokenReader = new JwtTokenReader(applicationId);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithTokenValidationParametersAndDiscoveryEndpoint_Succeeds()
{
// Arrange
var tokenValidationParameters = new TokenValidationParameters();
string openIdConnectDiscoveryUri = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
// Act
var jwtTokenReader = new JwtTokenReader(tokenValidationParameters, openIdConnectDiscoveryUri);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithApplicationIdInClaimCheck_Succeeds()
{
// Arrange
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, Guid.NewGuid().ToString() }
};
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(claimCheck);
// Assert
Assert.NotNull(jwtTokenReader);
}
public void Constructor_WithTokenValidationParametersAndClaimCheck_Succeeds()
{
// Arrange
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, Guid.NewGuid().ToString() }
};
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(tokenValidationParameters, claimCheck);
// Assert
Assert.NotNull(jwtTokenReader);
}
public async Task IsValidToken_WithTokenValidationParametersAndClaimCheck_InvalidClaims()
{
// Arrange
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string oid = Util.GetRandomString(10);
IdentityModelEventSource.ShowPII = true;
int daysValid = 7;
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, authority },
{ "oid", oid },
{ "uud", Guid.NewGuid().ToString() }
};
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = issuer,
ValidAudience = authority,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(privateKey))
};
string token = CreateJwt(issuer, authority, privateKey, daysValid, claimCheck);
// Act
JwtTokenReader jwtTokenReader = new JwtTokenReader(tokenValidationParameters, claimCheck);
bool isTokenValid = await jwtTokenReader.IsValidTokenAsync(token);
// Assert
Assert.False(isTokenValid);
}
public void Constructor_WithClaimCheck_Succeeds()
{
// Arrange
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
string oid = Util.GetRandomString(10);
string aad = Util.GetRandomString(10);
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
Dictionary <string, string> claimCheck = new Dictionary <string, string>
{
{ JwtClaimTypes.Audience, authority },
{ "oid", oid },
{ "aad", aad }
};
// Act
var jwtTokenReader = new JwtTokenReader(tokenValidationParameters, MicrosoftDiscoveryEndpoint, claimCheck);
// Assert
Assert.NotNull(jwtTokenReader);
}
public async Task GetHealthWithCorrectBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithoutBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
await using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_logger))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
services.AddMvc(opt =>
{
opt.Filters.AddJwtTokenAuthorization(jwt => jwt.JwtTokenReader = reader);
});
});
await using (var testApiServer = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(HealthController.GetRoute);
// Act
using (HttpResponseMessage response = await testApiServer.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}