public async Task Algorithms_supported_should_match_signing_key()
{
var key = CryptoHelper.CreateECDsaSecurityKey(JsonWebKeyECTypes.P256);
var expectedAlgorithm = SecurityAlgorithms.EcdsaSha256;
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.OnPostConfigureServices += services =>
{
// add key to standard RSA key
services.AddIdentityServerBuilder()
.AddSigningCredential(key, expectedAlgorithm);
};
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration");
var json = await result.Content.ReadAsStringAsync();
var data = JObject.Parse(json);
var algorithmsSupported = data["id_token_signing_alg_values_supported"];
algorithmsSupported.Count().Should().Be(2);
algorithmsSupported.Values().Should().Contain(SecurityAlgorithms.RsaSha256);
algorithmsSupported.Values().Should().Contain(SecurityAlgorithms.EcdsaSha256);
}
public async Task Jwks_entries_should_contain_alg()
{
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks");
var json = await result.Content.ReadAsStringAsync();
var data = JObject.Parse(json);
var keys = data["keys"];
keys.Should().NotBeNull();
var key = keys[0];
key.Should().NotBeNull();
var alg = key["alg"];
alg.Should().NotBeNull();
alg.Value <string>().Should().Be(Constants.SigningAlgorithms.RSA_SHA_256);
}
public async Task Jwks_with_ecdsa_should_have_parsable_key(string crv, string alg)
{
var key = CryptoHelper.CreateECDsaSecurityKey(crv);
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.OnPostConfigureServices += services =>
{
services.AddIdentityServerBuilder()
.AddSigningCredential(key, alg);
};
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks");
var json = await result.Content.ReadAsStringAsync();
var jwks = new JsonWebKeySet(json);
var parsedKeys = jwks.GetSigningKeys();
var matchingKey = parsedKeys.FirstOrDefault(x => x.KeyId == key.KeyId);
matchingKey.Should().NotBeNull();
matchingKey.Should().BeOfType <ECDsaSecurityKey>();
}
public async Task Jwks_with_two_key_using_different_algs_expect_different_alg_values()
{
var ecdsaKey = CryptoHelper.CreateECDsaSecurityKey();
var rsaKey = CryptoHelper.CreateRsaSecurityKey();
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.OnPostConfigureServices += services =>
{
services.AddIdentityServerBuilder()
.AddSigningCredential(ecdsaKey, "ES256")
.AddValidationKey(new SecurityKeyInfo {
Key = rsaKey, SigningAlgorithm = "RS256"
});
};
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks");
var json = await result.Content.ReadAsStringAsync();
var jwks = new JsonWebKeySet(json);
jwks.Keys.Should().Contain(x => x.KeyId == ecdsaKey.KeyId && x.Alg == "ES256");
jwks.Keys.Should().Contain(x => x.KeyId == rsaKey.KeyId && x.Alg == "RS256");
}
public async Task Issuer_uri_should_be_lowercase()
{
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("HTTPS://SERVER/ROOT/.WELL-KNOWN/OPENID-CONFIGURATION");
var json = await result.Content.ReadAsStringAsync();
var data = JsonSerializer.Deserialize <Dictionary <string, JsonElement> >(json);
data["issuer"].GetString().Should().Be("https://server/root");
}
public async Task Jwks_entries_should_countain_crv()
{
var ecdsaKey = CryptoHelper.CreateECDsaSecurityKey(JsonWebKeyECTypes.P256);
var parameters = ecdsaKey.ECDsa.ExportParameters(true);
IdentityServerPipeline pipeline = new IdentityServerPipeline();
var jsonWebKeyFromECDsa = new JsonWebKey()
{
Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve,
Use = "sig",
Kid = ecdsaKey.KeyId,
KeyId = ecdsaKey.KeyId,
X = Base64UrlEncoder.Encode(parameters.Q.X),
Y = Base64UrlEncoder.Encode(parameters.Q.Y),
D = Base64UrlEncoder.Encode(parameters.D),
Crv = JsonWebKeyECTypes.P256,
Alg = SecurityAlgorithms.EcdsaSha256
};
pipeline.OnPostConfigureServices += services =>
{
// add ECDsa as JsonWebKey
services.AddIdentityServerBuilder()
.AddSigningCredential(jsonWebKeyFromECDsa, SecurityAlgorithms.EcdsaSha256);
};
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks");
var json = await result.Content.ReadAsStringAsync();
var data = JObject.Parse(json);
var keys = data["keys"];
keys.Should().NotBeNull();
var key = keys[1];
key.Should().NotBeNull();
var crv = key["crv"];
crv.Should().NotBeNull();
crv.Value <string>().Should().Be(JsonWebKeyECTypes.P256);
}
public async Task Issuer_uri_should_be_lowercase()
{
IdentityServerPipeline pipeline = new IdentityServerPipeline();
pipeline.Initialize("/ROOT");
var result = await pipeline.BackChannelClient.GetAsync("HTTPS://SERVER/ROOT/.WELL-KNOWN/OPENID-CONFIGURATION");
var json = await result.Content.ReadAsStringAsync();
var data = JObject.Parse(json);
var issuer = data["issuer"].ToString();
issuer.Should().Be("https://server/root");
}
public async Task unicode_values_in_url_should_be_processed_correctly()
{
var pipeline = new IdentityServerPipeline();
pipeline.Initialize();
var discoClient = new DiscoveryClient("https://грант.рф", pipeline.Handler);
discoClient.Policy.ValidateIssuerName = false;
discoClient.Policy.ValidateEndpoints = false;
discoClient.Policy.RequireHttps = false;
discoClient.Policy.RequireKeySet = false;
var result = await discoClient.GetAsync();
result.Issuer.Should().Be("https://грант.рф");
}
public FederatedSignoutTests()
{
_user = new IdentityServerUser("bob")
{
AdditionalClaims = { new Claim(JwtClaimTypes.SessionId, "123") }
}.CreatePrincipal();
_pipeline = new IdentityServerPipeline();
_pipeline.IdentityScopes.AddRange(new IdentityResource[] {
new IdentityResources.OpenId()
});
_pipeline.Clients.Add(new Client
{
ClientId = "client1",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = false,
AllowedScopes = new List <string> {
"openid"
},
RedirectUris = new List <string> {
"https://client1/callback"
},
FrontChannelLogoutUri = "https://client1/signout",
PostLogoutRedirectUris = new List <string> {
"https://client1/signout-callback"
},
AllowAccessTokensViaBrowser = true
});
_pipeline.Users.Add(new TestUser
{
SubjectId = "bob",
Username = "******",
Claims = new Claim[]
{
new Claim("name", "Bob Loblaw"),
new Claim("email", "*****@*****.**"),
new Claim("role", "Attorney")
}
});
_pipeline.Initialize();
}
public async Task Unicode_values_in_url_should_be_processed_correctly()
{
var pipeline = new IdentityServerPipeline();
pipeline.Initialize();
var result = await pipeline.BackChannelClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
{
Address = "https://грант.рф",
Policy =
{
ValidateIssuerName = false,
ValidateEndpoints = false,
RequireHttps = false,
RequireKeySet = false
}
});
result.Issuer.Should().Be("https://грант.рф");
}
public void Init()
{
_mockPipeline = new IdentityServerPipeline();
_mockPipeline.Clients.AddRange(new Client[] {
new Client
{
ClientId = "client1",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = false,
AllowedScopes = new List <string> {
"openid", "profile", "aid"
},
RedirectUris = new List <string> {
"https://client1/callback"
},
AllowAccessTokensViaBrowser = true,
AccessTokenLifetime = 3600,
IdentityTokenLifetime = 500
},
new Client
{
ClientId = "client2",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = true,
AllowedScopes = new List <string> {
"openid", "profile", "api1", "api2", "aid", "aid_idResource"
},
RedirectUris = new List <string> {
"https://client2/callback"
},
AllowAccessTokensViaBrowser = true,
AlwaysIncludeUserClaimsInIdToken = true
}
});
_mockPipeline.Users.Add(new TestUser
{
SubjectId = "bob",
Username = "******",
Claims = new Claim[]
{
new Claim("name", "Bob Loblaw"),
new Claim("email", "*****@*****.**"),
new Claim("role", "Attorney")
}
});
_mockPipeline.IdentityScopes.AddRange(new IdentityResource[] {
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email(),
new IdentityResource("aid_idResource", new [] { "aid" })
});
_mockPipeline.ApiScopes.AddRange(new ApiResource[] {
new ApiResource
{
Name = "api",
Scopes =
{
new Scope
{
Name = "api1"
},
new Scope
{
Name = "api2"
},
new Scope
{
Name = "aid",
UserClaims = new List <string>()
{
"aid"
}
}
}
}
});
_mockPipeline.Initialize();
}
public void Init()
{
_mockPipeline = new IdentityServerPipeline();
_mockPipeline.Initialize();
}
public void Init()
{
_mockPipeline = new IdentityServerPipeline();
_mockPipeline.Clients.AddRange(new Client[] {
_client1 = new Client
{
ClientId = "client1",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = false,
AllowedScopes = new List <string> {
"openid", "profile"
},
RedirectUris = new List <string> {
"https://client1/callback"
},
AllowAccessTokensViaBrowser = true,
AccessTokenLifetime = 3600
},
new Client
{
ClientId = "client2",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = true,
AllowedScopes = new List <string> {
"openid", "profile", "api1", "api2"
},
RedirectUris = new List <string> {
"https://client2/callback"
},
AllowAccessTokensViaBrowser = true
},
new Client
{
ClientId = "client3",
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = false,
AllowedScopes = new List <string> {
"openid", "profile", "api1", "api2"
},
RedirectUris = new List <string> {
"https://client3/callback"
},
AllowAccessTokensViaBrowser = true,
EnableLocalLogin = false,
IdentityProviderRestrictions = new List <string> {
"google"
}
},
new Client
{
ClientId = "client4",
AllowedGrantTypes = GrantTypes.Code,
RequireClientSecret = false,
RequireConsent = false,
AllowedScopes = new List <string> {
"openid", "profile", "api1", "api2"
},
RedirectUris = new List <string> {
"https://client4/callback"
},
AccessTokenLifetime = 3600
},
new Client
{
ClientId = client_id,
ClientSecrets = new List <Secret> {
new Secret(client_secret.Sha256())
},
AllowedGrantTypes = { GrantType.ClientCredentials, GrantType.ResourceOwnerPassword },
AllowedScopes = new List <string> {
"api3"
},
AccessTokenLifetime = 3600
}
});
_mockPipeline.Users.Add(new TestUser
{
SubjectId = "bob",
Username = "******",
Password = "******",
Claims = new Claim[]
{
new Claim("name", "Bob Loblaw"),
new Claim("email", "*****@*****.**"),
new Claim("role", "Attorney")
}
});
_mockPipeline.IdentityScopes.AddRange(new IdentityResource[] {
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email()
});
_mockPipeline.ApiScopes.AddRange(new ApiResource[] {
new ApiResource
{
Name = "api",
Scopes =
{
new Scope
{
Name = "api1"
},
new Scope
{
Name = "api2"
}
}
},
new ApiResource
{
Name = "api1",
ApiSecrets = new List <Secret> {
new Secret(scope_secret.Sha256())
},
Scopes =
{
new Scope
{
Name = scope_name
}
}
}
});
_mockPipeline.Initialize();
}
