/// <summary>
/// Certification test "rp-response_type-id_token+token": runs the implicit flow with a
/// claims request for "name" in the ID token and checks that the returned token carries
/// it and validates against the nonce that was sent.
/// </summary>
public void Should_Request_And_Use_Claims_Id_Token()
{
    rpid = "rp-response_type-id_token+token";
    signalg = "RS256";
    GetProviderMetadata();

    // given: a fresh nonce and a claims request asking for "name" in the ID token
    string nonce = WebOperations.RandomString();
    OIDClaims requestClaims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };

    // when: implicit flow (id_token token) with the profile scopes enabled
    OIDCAuthImplicitResponseMessage response =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, nonce, true, requestClaims);

    // then: an access token is present and the ID token validates for our client,
    // the provider's issuer and the nonce we generated above
    response.Validate();
    Assert.NotNull(response.AccessToken);
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
    rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, nonce);
    Assert.IsNotNullOrEmpty(idToken.Name);
}
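/// <summary>
/// Certification test "rp-user_info-enc": registers a client that asks for an encrypted
/// (RSA1_5 / A128CBC-HS256) UserInfo response and decrypts it with the private key
/// loaded from server.pfx.
/// </summary>
public void Should_Accept_Encrypted_UserInfo()
{
    rpid = "rp-user_info-enc";

    // given: a dynamically registered client advertising its UserInfo encryption algorithms
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation clientMetadata = new OIDCClientInformation();
    clientMetadata.ApplicationType = "web";
    clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
    clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
    clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
    clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
    clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
    // Named registeredClient so it no longer shadows the fixture-level clientInformation field.
    OIDCClientInformation registeredClient = rp.RegisterClient(registrationEndpoint, clientMetadata);

    OIDClaims requestClaims = new OIDClaims();
    requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
    requestClaims.IdToken.Add("name", new OIDClaimData());

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = registeredClient.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
    requestMessage.RedirectUri = registeredClient.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Claims = requestClaims;
    requestMessage.Validate();

    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // presumably released by the redirect handler once `result` holds the callback payload - confirm against the fixture
    semaphore.WaitOne();
    OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

    // The certificate loads a private key and is disposable; the original never released it.
    // Keep it alive until the UserInfo response has been decrypted and checked.
    // (Requires a runtime where X509Certificate2 implements IDisposable - .NET 4.6+/Core;
    // on older frameworks call encCert.Reset() in a finally block instead.)
    using (X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable))
    {
        List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(null, encCert);

        // when: the 7-argument GetUserInfo helper (not in this listing) is handed our decryption keys
        OIDCUserInfoResponseMessage response =
            GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);

        // then
        response.Validate();
        Assert.IsNotNullOrEmpty(response.Name);
    }
}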
/// <summary>
/// Certification test "rp-user_info-sign": registers a client that asks for an
/// HS256-signed UserInfo response and hands the client secret to the UserInfo helper.
/// </summary>
public void Should_Accept_Signed_UserInfo()
{
    rpid = "rp-user_info-sign";

    // given: a dynamically registered client advertising userinfo_signed_response_alg = HS256
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation clientMetadata = new OIDCClientInformation
    {
        ApplicationType = "web",
        ResponseTypes = new List<ResponseType>() { ResponseType.IdToken },
        RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" },
        UserinfoSignedResponseAlg = "HS256",
        JwksUri = myBaseUrl + "my_public_keys.jwks",
    };
    // Local registration result; kept separate from the fixture-level clientInformation field.
    OIDCClientInformation registeredClient = rp.RegisterClient(registrationEndpoint, clientMetadata);

    OIDClaims requestClaims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
    {
        ClientId = registeredClient.ClientId,
        Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email },
        ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token },
        RedirectUri = registeredClient.RedirectUris[0],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString(),
        Claims = requestClaims,
    };
    requestMessage.Validate();

    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // presumably released by the redirect handler once `result` holds the callback payload - confirm against the fixture
    semaphore.WaitOne();
    OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

    // when: the 7-argument GetUserInfo helper (not in this listing) gets the client secret
    // in the slot where the encrypted-UserInfo test passes null
    OIDCUserInfoResponseMessage response =
        GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, registeredClient.ClientSecret, null);

    // then
    response.Validate();
    Assert.IsNotNullOrEmpty(response.Name);
}
/// <summary>
/// Certification test "rp-scope-userinfo_claims": requests the profile, email, address and
/// phone scopes in the implicit flow and checks that UserInfo returns the matching claims.
/// </summary>
public void Should_Authenticate_With_Claims_In_Scope_Basic()
{
    rpid = "rp-scope-userinfo_claims";

    // given: a claims request for "name" in UserInfo plus all the standard claim scopes
    OIDClaims requestClaims = new OIDClaims
    {
        Userinfo = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage
    {
        ClientId = clientInformation.ClientId,
        Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone },
        ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token },
        RedirectUri = clientInformation.RedirectUris[0],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString(),
        Claims = requestClaims,
    };
    requestMessage.Validate();

    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // presumably released by the redirect handler once `result` holds the callback payload - confirm against the fixture
    semaphore.WaitOne();
    OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

    OIDCUserInfoRequestMessage userInfoRequest = new OIDCUserInfoRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
    };

    // when: UserInfo is fetched directly through the relying party with the access token
    OIDCUserInfoResponseMessage response = rp.GetUserInfo(GetBaseUrl("/userinfo"), userInfoRequest, authResponse.AccessToken);

    // then: every scope we asked for produced its claims
    response.Validate();
    Assert.IsNotNullOrEmpty(response.Name);
    Assert.IsNotNullOrEmpty(response.GivenName);
    Assert.IsNotNullOrEmpty(response.FamilyName);
    Assert.IsNotNullOrEmpty(response.Email);
    Assert.IsNotNull(response.Address);
    Assert.IsNotNullOrEmpty(response.Address.StreetAddress);
    Assert.IsNotNullOrEmpty(response.Address.PostalCode);
    Assert.IsNotNullOrEmpty(response.Address.Locality);
    Assert.IsNotNullOrEmpty(response.Address.Country);
    Assert.IsNotNullOrEmpty(response.PhoneNumber);
}
/// <summary>
/// Certification test "rp-user_info-not_query": obtains an access token through the implicit
/// flow and fetches UserInfo via the 3-argument GetUserInfo helper. How that helper transmits
/// the token (header vs. query string) is not visible in this listing - confirm it never uses
/// the query string, which is what this test is named for.
/// </summary>
public void Should_Not_Send_AccessToken()
{
    rpid = "rp-user_info-not_query";

    // given: an implicit-flow response with the profile scopes and a "name" claim request
    OIDClaims requestClaims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };
    OIDCAuthImplicitResponseMessage authResponse =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);

    // when
    OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken);

    // then
    response.Validate();
    Assert.IsNotNullOrEmpty(response.Name);
}
/// <summary>
/// Certification test "rp-claims_request-userinfo_claims": sends a claims request for "name"
/// and checks that the UserInfo response contains it.
/// </summary>
public void Should_Request_And_Use_Claims_Userinfo()
{
    rpid = "rp-claims_request-userinfo_claims";
    GetProviderMetadata();

    // given: the "name" claim is requested under the id_token member of the claims parameter
    // NOTE(review): the assertion below reads UserInfo, not the ID token - confirm the placement is intended.
    OIDClaims requestClaims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };
    OIDCAuthImplicitResponseMessage authResponse =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);

    // when
    OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken);

    // then
    response.Validate();
    Assert.IsNotNullOrEmpty(response.Name);
}
/// <summary>
/// Certification test "rp-user_info-bad_sub_claim": fetches UserInfo while passing the ID
/// token's sub with a suffix appended as the fourth argument of the GetUserInfo helper
/// (that helper is not in this listing).
/// </summary>
public void Should_Reject_Userinfo_With_Invalid_Sub()
{
    rpid = "rp-user_info-bad_sub_claim";

    // given: an implicit-flow response and its validated ID token
    OIDClaims requestClaims = new OIDClaims
    {
        IdToken = new Dictionary<string, OIDClaimData> { { "name", new OIDClaimData() } }
    };
    OIDCAuthImplicitResponseMessage authResponse =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();

    // when: the subject handed to the helper deliberately differs from the ID token's sub
    string mismatchedSubject = idToken.Sub + "Wrong";
    OIDCUserInfoResponseMessage response =
        GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, mismatchedSubject);

    // then
    // NOTE(review): these assertions expect a successful response although the test is named
    // "reject"; presumably the mismatch is meant to make the helper throw and an
    // expected-exception attribute sits above this method, outside this listing - confirm.
    response.Validate();
    Assert.IsNotNullOrEmpty(response.Name);
}
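/// <summary>
/// Certification test "rp-nonce-unless_code_flow": the implicit flow must send a nonce and
/// the returned ID token must validate against that same nonce.
/// </summary>
public void Should_Nonce_Be_Present_In_Implicit()
{
    rpid = "rp-nonce-unless_code_flow";

    // given: an implicit-flow request (openid scope only) carrying a fresh nonce
    OIDClaims requestClaims = new OIDClaims();
    requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
    requestClaims.Userinfo.Add("name", new OIDClaimData());
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Claims = requestClaims;
    requestMessage.Validate();

    // when
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // presumably released by the redirect handler once `result` holds the callback payload - confirm against the fixture
    semaphore.WaitOne();
    OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
    OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

    // then: the token is well-formed AND bound to the nonce we sent. The original only called
    // idToken.Validate(), which takes no nonce, so a token echoing a different (or no) nonce
    // would have passed this nonce-specific test. ValidateIdToken with the request nonce is the
    // same check Should_Request_And_Use_Claims_Id_Token performs.
    idToken.Validate();
    rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, requestMessage.Nonce);
}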
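/// <summary>
/// Fetches the UserInfo response from the provider selected in the session, requesting a
/// fixed set of claims alongside the scope/state echoed from the authorization response.
/// </summary>
/// <param name="authResponse">Code-flow authorization response; its Scope and State are copied into the UserInfo request.</param>
/// <param name="options">Application options holding the configured OpenID providers, keyed by name.</param>
/// <param name="session">Current session; the "op" entry names the provider to use.</param>
/// <param name="accessToken">Access token presented to the provider's UserInfo endpoint.</param>
/// <returns>The parsed UserInfo response.</returns>
/// <exception cref="InvalidOperationException">The session has no "op" entry or it is not a non-empty string.</exception>
private OIDCUserInfoResponseMessage GetUserInfo(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string accessToken)
{
    // The original used `session["op"] as string` straight as a lookup key, so a missing or
    // non-string entry surfaced as an opaque null-key failure; fail with a clear message instead.
    string providerName = session["op"] as string;
    if (string.IsNullOrEmpty(providerName))
    {
        throw new InvalidOperationException("Session has no OpenID provider (\"op\") selected.");
    }
    OpenIDProviderData providerData = options.OpenIDProviders[providerName];

    OpenIdRelyingParty rp = new OpenIdRelyingParty();

    // Claims requested from the provider.
    // NOTE(review): they are placed under the id_token member although this is a UserInfo
    // request - confirm that is what the provider expects.
    OIDClaims requestClaims = new OIDClaims();
    requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
    requestClaims.IdToken.Add("name", new OIDClaimData());
    requestClaims.IdToken.Add("family_name", new OIDClaimData());
    requestClaims.IdToken.Add("given_name", new OIDClaimData());
    requestClaims.IdToken.Add("email", new OIDClaimData());
    requestClaims.IdToken.Add("gender", new OIDClaimData());

    OIDCUserInfoRequestMessage userInfoRequestMessage = new OIDCUserInfoRequestMessage();
    userInfoRequestMessage.Scope = authResponse.Scope;
    userInfoRequestMessage.State = authResponse.State;
    userInfoRequestMessage.Claims = requestClaims;

    // ProviderMatadata is the (misspelled) property name on the project type; keep as is.
    string userInfoUrl = providerData.ProviderMatadata.UserinfoEndpoint;
    return rp.GetUserInfo(userInfoUrl, userInfoRequestMessage, accessToken);
}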
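/// <summary>
/// Builds an authorization request for the fixture's registered client, drives it through the
/// relying party, waits for the redirect callback and parses the response.
/// </summary>
/// <param name="RespType">Flow to run: <c>ResponseType.Code</c> (code flow) or
/// <c>ResponseType.IdToken</c> (implicit flow, requesting id_token + token). Anything else is rejected.</param>
/// <param name="Nonce">Nonce to send; a random one is generated when null.</param>
/// <param name="Profile">When true, adds the profile, address, phone and email scopes to openid.</param>
/// <param name="Claims">Optional claims request to attach to the authorization request.</param>
/// <returns>The parsed code-flow or implicit-flow response message.</returns>
/// <exception cref="Exception">Thrown when <paramref name="RespType"/> is neither Code nor IdToken.</exception>
public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
{
    // Reject unsupported response types before building the request and blocking on the
    // callback: the original only threw after rp.Authenticate and semaphore.WaitOne, i.e. after
    // a round trip with a request whose ResponseType had never been set.
    bool isCodeFlow = ResponseType.Code == RespType;
    bool isImplicitFlow = ResponseType.IdToken == RespType;
    if (!isCodeFlow && !isImplicitFlow)
    {
        throw new Exception("Error in parameter passed");
    }

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Nonce = Nonce ?? WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Claims = Claims;
    if (Profile)
    {
        requestMessage.Scope.Add(MessageScope.Profile);
        requestMessage.Scope.Add(MessageScope.Address);
        requestMessage.Scope.Add(MessageScope.Phone);
        requestMessage.Scope.Add(MessageScope.Email);
    }
    requestMessage.ResponseType = isCodeFlow
        ? new List<ResponseType>() { ResponseType.Code }
        : new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
    requestMessage.Validate();

    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // presumably released by the redirect handler once `result` holds the callback payload - confirm against the fixture
    semaphore.WaitOne();

    if (isCodeFlow)
    {
        return rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
    }
    return rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
}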