public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
{
rpid = "rp-id_token-bad_es256_sig";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Token, ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[1];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
// Manipulate keys to make them invalid
List <OIDCKey> manipulatedKeys = new List <OIDCKey>();
foreach (OIDCKey curKey in providerMetadata.Keys)
{
OIDCKey newKey = curKey.Clone() as OIDCKey;
if (curKey.N != null)
{
StringBuilder strBuilder = new StringBuilder(newKey.N);
strBuilder[17] = (char)(newKey.N[17] + 1);
newKey.N = strBuilder.ToString();
}
manipulatedKeys.Add(newKey);
}
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
// when
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(manipulatedKeys);
idToken.Validate();
}
public void Should_Reject_Id_Token_With_Invalid_Signature_RS256()
{
rpid = "rp-id_token-bad_asym_sig_rs256";
signalg = "RS256";
// givens
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// Manipulate keys to make them invalid
List <OIDCKey> manipulatedKeys = new List <OIDCKey>();
foreach (OIDCKey curKey in providerMetadata.Keys)
{
OIDCKey newKey = curKey.Clone() as OIDCKey;
if (curKey.N != null)
{
StringBuilder strBuilder = new StringBuilder(newKey.N);
strBuilder[17] = (char)(newKey.N[17] + 1);
newKey.N = strBuilder.ToString();
}
manipulatedKeys.Add(newKey);
}
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
tokenResponse.GetIdToken(manipulatedKeys);
}
