/// <summary> /// Signs JWT token using the private key and returns the serialized assertion. /// </summary> /// <param name="payload">the JWT payload to sign.</param> private string CreateAssertionFromPayload(JsonWebSignature.Payload payload) { string serializedHeader = CreateSerializedHeader(); string serializedPayload = NewtonsoftJsonSerializer.Instance.Serialize(payload); var assertion = new StringBuilder(); assertion.Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedHeader)) .Append('.') .Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedPayload)); var signature = CreateSignature(Encoding.ASCII.GetBytes(assertion.ToString())); assertion.Append('.').Append(TokenEncodingHelpers.UrlSafeEncode(signature)); return(assertion.ToString()); }
public async Task JwtScopes_UseAud(bool useJwtAccessWithScopes) { var clock = new MockClock(new DateTime(2016, 1, 1, 0, 0, 0, DateTimeKind.Utc)); var initializer = new ServiceAccountCredential.Initializer("some-id") { UseJwtAccessWithScopes = useJwtAccessWithScopes, Clock = clock }.FromPrivateKey(PrivateKey); var cred = new ServiceAccountCredential(initializer); Assert.False(cred.HasExplicitScopes); // Must be false for the remainder of this test to be valid. var jwt0 = await cred.GetAccessTokenForRequestAsync("uri0"); byte[] decoded = TokenEncodingHelpers.Base64UrlDecode(jwt0.Split(new char[] { '.' })[1]); string payload = System.Text.Encoding.UTF8.GetString(decoded); Assert.Contains("\"aud\":\"uri0\"", payload); Assert.DoesNotContain("scope", payload); }
public async Task FetchesOidcToken_CorrectPayloadSent() { // A little bit after the tokens returned from OidcTokenFakes were issued. var clock = new MockClock(new DateTime(2020, 5, 13, 15, 0, 0, 0, DateTimeKind.Utc)); var messageHandler = new OidcTokenResponseSuccessMessageHandler(); var initializer = new ServiceAccountCredential.Initializer("MyId", "http://will.be.ignored") { Clock = clock, ProjectId = "a_project_id", HttpClientFactory = new MockHttpClientFactory(messageHandler) }; var credential = new ServiceAccountCredential(initializer.FromPrivateKey(PrivateKey)); var expectedPayload = new JsonWebSignature.Payload { Issuer = "MyId", Subject = "MyId", Audience = GoogleAuthConsts.OidcTokenUrl, IssuedAtTimeSeconds = (long)(clock.UtcNow - UnixEpoch).TotalSeconds, ExpirationTimeSeconds = (long)(clock.UtcNow.Add(JwtLifetime) - UnixEpoch).TotalSeconds, TargetAudience = "any_audience" }; var serializedExpectedPayload = NewtonsoftJsonSerializer.Instance.Serialize(expectedPayload); var urlSafeEncodedExpectedPayload = TokenEncodingHelpers.UrlSafeBase64Encode(serializedExpectedPayload); var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience")); await oidcToken.GetAccessTokenAsync(); var requestFormDict = messageHandler.LatestRequestContent.Split('&') .ToDictionary(entry => entry.Split('=')[0], entry => entry.Split('=')[1]); var assertion = requestFormDict["assertion"]; // Assertion format shoould be headers.payload.signature var encodedPayload = assertion.Split('.')[1]; Assert.Contains(urlSafeEncodedExpectedPayload, encodedPayload); }
public async Task FromStream_ServiceAccountCredential_GetJwtAccessToken() { var stream = new MemoryStream(Encoding.UTF8.GetBytes(DummyServiceAccountCredentialFileContents)); var credential = GoogleCredential.FromStream(stream); // Without adding scopes, the credential should be generating JWT scopes. string accessToken = await(credential as ITokenAccess).GetAccessTokenForRequestAsync(DummyAuthUri); var parts = accessToken.Split(new[] { '.' }); Assert.Equal(3, parts.Length); var header = NewtonsoftJsonSerializer.Instance.Deserialize <JsonWebSignature.Header>(TokenEncodingHelpers.Base64UrlToString(parts[0])); Assert.Equal("JWT", header.Type); Assert.Equal("RS256", header.Algorithm); var payload = NewtonsoftJsonSerializer.Instance.Deserialize <JsonWebSignature.Payload>(TokenEncodingHelpers.Base64UrlToString(parts[1])); Assert.Equal("CLIENT_EMAIL", payload.Issuer); Assert.Equal("CLIENT_EMAIL", payload.Subject); Assert.Equal(DummyAuthUri, payload.Audience); Assert.Equal(3600, payload.ExpirationTimeSeconds - payload.IssuedAtTimeSeconds); }