public void Should_Accept_Encrypted_UserInfo()
        {
            rpid = "rp-user_info-enc";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.ResponseTypes   = new List <ResponseType>()
            {
                ResponseType.IdToken
            };
            clientMetadata.RedirectUris = new List <string>()
            {
                myBaseUrl + "id_token_flow_callback"
            };
            clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
            clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDClaims requestClaims = new OIDClaims();

            requestClaims.IdToken = new Dictionary <string, OIDClaimData>();
            requestClaims.IdToken.Add("name", new OIDClaimData());

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken, ResponseType.Token
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = requestClaims;
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List <OIDCKey>   myKeys  = KeyManager.GetKeysJwkList(null, encCert);

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }
Exemple #2
0
        public void Should_Authenticate_With_IdToken_Response_Type()
        {
            rpid = "rp-response_type-id_token";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[1];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            response.Validate();
        }
        public void Should_Accept_Signed_UserInfo()
        {
            rpid = "rp-user_info-sign";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.ResponseTypes   = new List <ResponseType>()
            {
                ResponseType.IdToken
            };
            clientMetadata.RedirectUris = new List <string>()
            {
                myBaseUrl + "id_token_flow_callback"
            };
            clientMetadata.UserinfoSignedResponseAlg = "HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDClaims requestClaims = new OIDClaims();

            requestClaims.IdToken = new Dictionary <string, OIDClaimData>();
            requestClaims.IdToken.Add("name", new OIDClaimData());

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken, ResponseType.Token
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = requestClaims;
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, clientInformation.ClientSecret, null);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }
Exemple #4
0
        public void Should_Authenticate_With_Claims_In_Scope_Basic()
        {
            rpid = "rp-scope-userinfo_claims";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;

            OIDClaims requestClaims = new OIDClaims();

            requestClaims.Userinfo = new Dictionary <string, OIDClaimData>();
            requestClaims.Userinfo.Add("name", new OIDClaimData());

            requestMessage.Scope = new List <MessageScope>()
            {
                MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken, ResponseType.Token
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = requestClaims;
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();

            userInfoRequestMessage.Scope = authResponse.Scope;
            userInfoRequestMessage.State = authResponse.State;

            // when
            OIDCUserInfoResponseMessage response = rp.GetUserInfo(GetBaseUrl("/userinfo"), userInfoRequestMessage, authResponse.AccessToken);

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
            Assert.IsNotNullOrEmpty(response.GivenName);
            Assert.IsNotNullOrEmpty(response.FamilyName);
            Assert.IsNotNullOrEmpty(response.Email);
            Assert.IsNotNull(response.Address);
            Assert.IsNotNullOrEmpty(response.Address.StreetAddress);
            Assert.IsNotNullOrEmpty(response.Address.PostalCode);
            Assert.IsNotNullOrEmpty(response.Address.Locality);
            Assert.IsNotNullOrEmpty(response.Address.Country);
            Assert.IsNotNullOrEmpty(response.PhoneNumber);
        }
        public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
        {
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = (Nonce == null) ? WebOperations.RandomString() : Nonce;
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = Claims;

            if (Profile)
            {
                requestMessage.Scope.Add(MessageScope.Profile);
                requestMessage.Scope.Add(MessageScope.Address);
                requestMessage.Scope.Add(MessageScope.Phone);
                requestMessage.Scope.Add(MessageScope.Email);
            }

            if (ResponseType.Code == RespType)
            {
                requestMessage.ResponseType = new List <ResponseType>()
                {
                    ResponseType.Code
                };
            }
            else if (ResponseType.IdToken == RespType)
            {
                requestMessage.ResponseType = new List <ResponseType>()
                {
                    ResponseType.IdToken, ResponseType.Token
                };
            }

            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            if (ResponseType.Code == RespType)
            {
                return(rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State));
            }
            else if (ResponseType.IdToken == RespType)
            {
                return(rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State));
            }

            throw new Exception("Error in parameter passed");
        }
Exemple #6
0
        public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
        {
            rpid = "rp-id_token-bad_es256_sig";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Token, ResponseType.IdToken
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[1];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            // Manipulate keys to make them invalid
            List <OIDCKey> manipulatedKeys = new List <OIDCKey>();

            foreach (OIDCKey curKey in providerMetadata.Keys)
            {
                OIDCKey newKey = curKey.Clone() as OIDCKey;
                if (curKey.N != null)
                {
                    StringBuilder strBuilder = new StringBuilder(newKey.N);
                    strBuilder[17] = (char)(newKey.N[17] + 1);
                    newKey.N       = strBuilder.ToString();
                }
                manipulatedKeys.Add(newKey);
            }

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();

            // when
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(manipulatedKeys);

            idToken.Validate();
        }
Exemple #7
0
        public void Should_Nonce_Be_Present_In_Implicit()
        {
            rpid = "rp-nonce-unless_code_flow";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;

            OIDClaims requestClaims = new OIDClaims();

            requestClaims.Userinfo = new Dictionary <string, OIDClaimData>();
            requestClaims.Userinfo.Add("name", new OIDClaimData());

            requestMessage.Scope = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken, ResponseType.Token
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = requestClaims;
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

            // then
            idToken.Validate();
        }