        public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
        {
            // Conformance case identifier; presumably picked up by GetAuthResponse — verify in the base class.
            rpid = "rp-id_token-bad_at_hash";

            // given
            // Constructed but not referenced later in this method (kept as in the original test).
            var relyingParty = new OpenIdRelyingParty();

            // when
            var response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            Assert.NotNull(response.IdToken);
            var token = response.GetIdToken(providerMetadata.Keys);
            var expectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

            // NOTE(review): the body contains no explicit assertion that the token is rejected; rejection is
            // presumably signalled by Validate throwing on the at_hash mismatch — confirm against the method's
            // test attribute, which is outside this listing.
            token.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
        }
        public void Should_Reject_Id_Token_With_Wrong_Iss()
        {
            // Conformance case identifier; presumably picked up by GetAuthResponse — verify in the base class.
            rpid = "rp-id_token-mismatching_issuer";

            // given

            // when
            var response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            // Constructed but not referenced later in this method (kept as in the original test).
            var relyingParty = new OpenIdRelyingParty();

            Assert.NotNull(response.IdToken);
            var token = response.GetIdToken(providerMetadata.Keys);
            var expectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

            // Tamper with the issuer claim after the token has been parsed so that only the iss check differs
            // from the happy path.
            token.Iss = "ManipulatedIssuer";

            // NOTE(review): the body contains no explicit assertion that the token is rejected; rejection is
            // presumably signalled by Validate throwing on the issuer mismatch — confirm against the method's
            // test attribute, which is outside this listing.
            token.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
        }