// A token whose "exp" lies outside the clock-skew tolerance must be rejected;
// the handler is expected to surface this as SecurityTokenExpiredException.
public void RejectExpiredToken()
        {
            const string issuer   = "example.okta.com";
            const string audience = "aud://default";

            // The same symmetric key signs the token and is handed to the validator.
            var key         = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
            var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            // Expire the token three minutes ago so it falls outside the
            // default clock skew of 2 minutes the validation parameters allow.
            var expiry = DateTime.UtcNow.Subtract(TimeSpan.FromMinutes(3));
            var token  = new JwtSecurityToken(
                issuer: issuer,
                audience: audience,
                expires: expiry,
                signingCredentials: credentials);

            var handler    = new JwtSecurityTokenHandler();
            var serialized = handler.WriteToken(token);

            var options = new OktaWebOptions { OktaDomain = issuer };

            // DefaultTokenValidationParameters is a project type; only the key and
            // the audience are overridden here, everything else comes from it.
            var parameters = new DefaultTokenValidationParameters(options, issuer)
            {
                IssuerSigningKey = key,
                ValidAudience    = audience,
            };

            Action validate = () => handler.ValidateToken(serialized, parameters, out _);

            validate.Should().Throw<SecurityTokenExpiredException>();
        }
        // A correctly signed, unexpired token for the expected issuer and audience
        // must validate. ValidateToken throws on failure, so reaching the end of
        // the method is the pass condition.
        public void AllowGoodToken()
        {
            const string issuer   = "example.okta.com";
            const string audience = "aud://default";

            // Shared symmetric key: used to sign here and registered as the issuer key below.
            var key         = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
            var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            // Token stays valid for one more minute.
            var token = new JwtSecurityToken(
                issuer: issuer,
                audience: audience,
                expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(1)),
                signingCredentials: credentials);

            var handler    = new JwtSecurityTokenHandler();
            var serialized = handler.WriteToken(token);

            var options = new OktaWebOptions { OktaDomain = issuer };

            // DefaultTokenValidationParameters is a project type; the key and audience are set explicitly.
            var parameters = new DefaultTokenValidationParameters(options, issuer)
            {
                IssuerSigningKey = key,
                ValidAudience    = audience,
            };

            handler.ValidateToken(serialized, parameters, out _);
        }
        // A token written without signing credentials carries no signature and
        // must be rejected with SecurityTokenInvalidSignatureException, never
        // accepted because "there is nothing to check".
        public void RejectUnsignedToken()
        {
            const string issuer   = "example.okta.com";
            const string audience = "aud://default";

            // Deliberately no signingCredentials argument.
            var token = new JwtSecurityToken(
                issuer: issuer,
                audience: audience,
                expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(1)));

            var handler    = new JwtSecurityTokenHandler();
            var serialized = handler.WriteToken(token);

            var options = new OktaWebOptions { OktaDomain = issuer };

            // No IssuerSigningKey is configured either; DefaultTokenValidationParameters
            // is a project type and supplies the remaining settings.
            var parameters = new DefaultTokenValidationParameters(options, issuer)
            {
                ValidAudience = audience,
            };

            Action validate = () => handler.ValidateToken(serialized, parameters, out _);

            validate.Should().Throw<SecurityTokenInvalidSignatureException>();
        }
        // Parametrised: each oktaDomain value comes from the test's data attribute
        // (not shown on this page). The validator must reject the malformed domain
        // with an ArgumentException naming the OktaDomain property.
        public void FailIfOktaDomainHasTypo(string oktaDomain)
        {
            var options = new OktaWebOptions { OktaDomain = oktaDomain };

            var validator = new OktaWebOptionsValidator<OktaWebOptions>();

            Action validate = () => validator.Validate(options);

            validate.Should()
                .Throw<ArgumentException>()
                .Where(e => e.ParamName == nameof(OktaWebOptions.OktaDomain));
        }
        // Parametrised: oktaDomain values come from the test's data attribute (not
        // shown on this page). A ClientId is supplied so that the only invalid
        // field is the domain, and the failure must point at OktaDomain.
        public void FailIfOktaDomainIsNotStartingWithHttps(string oktaDomain)
        {
            var options = new OktaWebOptions
            {
                OktaDomain = oktaDomain,
                ClientId   = "ClientId",
            };

            var validator = new OktaWebOptionsValidator<OktaWebOptions>();

            Action validate = () => validator.Validate(options);

            validate.Should()
                .Throw<ArgumentException>()
                .Where(e => e.ParamName == nameof(OktaWebOptions.OktaDomain));
        }
        // Parametrised: clientId values come from the test's data attribute (not shown
        // on this page). With a valid domain (ValidOktaDomain is declared elsewhere in
        // the class), a missing ClientId must raise ArgumentNullException for ClientId.
        public void FailWhenClientIdIsNullOrEmpty(string clientId)
        {
            var options = new OktaWebOptions
            {
                OktaDomain = ValidOktaDomain,
                ClientId   = clientId,
            };

            var validator = new OktaWebOptionsValidator<OktaWebOptions>();

            Action validate = () => validator.Validate(options);

            validate.Should()
                .Throw<ArgumentNullException>()
                .Where(e => e.ParamName == nameof(OktaWebOptions.ClientId));
        }
        // Parametrised: badToken values come from the test's data attribute (not shown
        // on this page). Input that is not a well-formed JWT must be rejected with an
        // ArgumentException before any claim is trusted.
        public void RejectBadToken(string badToken)
        {
            const string issuer = "example.okta.com";

            var options = new OktaWebOptions { OktaDomain = "example.okta.com" };

            // DefaultTokenValidationParameters is a project type; nothing is overridden here.
            var parameters = new DefaultTokenValidationParameters(options, issuer);
            var handler    = new JwtSecurityTokenHandler();

            Action validate = () => handler.ValidateToken(badToken, parameters, out _);

            validate.Should().Throw<ArgumentException>();
        }
        // An RSA-signed token whose "aud" does not match ValidAudience must be
        // rejected by StrictTokenHandler with SecurityTokenInvalidAudienceException,
        // even though the signature itself is valid.
        public void RejectWrongAudience()
        {
            const string issuer         = "example.okta.com";
            const string audience       = "aud://default";
            const string clientId       = "fakeClient";
            const string wrongAudience  = "http://myapi";

            var claims = new[] { new Claim("cid", clientId) };

            using (var rsa = new RSACryptoServiceProvider(2048))
            {
                // Private parameters are exported because the same key signs the token.
                var rsaKeyInfo     = rsa.ExportParameters(true);
                var rsaSecurityKey = new RsaSecurityKey(rsaKeyInfo);
                var credentials    = new SigningCredentials(rsaSecurityKey, SecurityAlgorithms.RsaSha256);

                // Token is minted for a different audience than the validator expects.
                var token = new JwtSecurityToken(
                    issuer: issuer,
                    audience: wrongAudience,
                    claims: claims,
                    expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(1)),
                    signingCredentials: credentials);
                var serialized = new JwtSecurityTokenHandler().WriteToken(token);

                var options = new OktaWebOptions { OktaDomain = issuer };

                // StrictTokenHandler and DefaultTokenValidationParameters are project types.
                var handler    = new StrictTokenHandler();
                var parameters = new DefaultTokenValidationParameters(options, issuer)
                {
                    IssuerSigningKey = rsaSecurityKey,
                    ValidAudience    = audience,
                };

                Action validate = () => handler.ValidateToken(serialized, parameters, out _);

                validate.Should().Throw<SecurityTokenInvalidAudienceException>();
            }
        }
        // Parametrised: badToken values come from the test's data attribute (not shown
        // on this page). StrictTokenHandler must reject input that is not a well-formed
        // JWT with an ArgumentException.
        public void RejectBadToken(string badToken)
        {
            const string issuer = "example.okta.com";

            var options = new OktaWebOptions
            {
                ClientId   = "fake",
                OktaDomain = "example.okta.com",
            };

            // StrictTokenHandler and DefaultTokenValidationParameters are project types.
            var handler    = new StrictTokenHandler(options);
            var parameters = new DefaultTokenValidationParameters(options, issuer);

            Action validate = () => handler.ValidateToken(badToken, parameters, out _);

            validate.Should().Throw<ArgumentException>();
        }
        // An HMAC-signed token with a matching "cid" claim but the wrong "aud" must be
        // rejected by StrictTokenHandler with SecurityTokenInvalidAudienceException;
        // a valid signature alone is not enough.
        public void RejectWrongAudience()
        {
            const string issuer        = "example.okta.com";
            const string audience      = "aud://default";
            const string clientId      = "fakeClient";
            const string wrongAudience = "http://myapi";

            var claims = new[] { new Claim("cid", clientId) };

            // Same symmetric key signs the token and is registered with the validator.
            var key         = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
            var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

            // Token is minted for a different audience than the validator expects.
            var token = new JwtSecurityToken(
                issuer: issuer,
                audience: wrongAudience,
                claims: claims,
                expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(1)),
                signingCredentials: credentials);
            var serialized = new JwtSecurityTokenHandler().WriteToken(token);

            var options = new OktaWebOptions
            {
                ClientId   = clientId,
                OktaDomain = issuer,
            };

            // StrictTokenHandler and DefaultTokenValidationParameters are project types.
            var handler    = new StrictTokenHandler(options);
            var parameters = new DefaultTokenValidationParameters(options, issuer)
            {
                IssuerSigningKey = key,
                ValidAudience    = audience,
            };

            Action validate = () => handler.ValidateToken(serialized, parameters, out _);

            validate.Should().Throw<SecurityTokenInvalidAudienceException>();
        }
        // An RSA-signed, unexpired token for the expected issuer and audience must be
        // accepted by StrictTokenHandler. ValidateToken throws on failure, so reaching
        // the end of the method is the pass condition.
        public void AllowGoodToken()
        {
            const string issuer   = "example.okta.com";
            const string audience = "aud://default";

            using (var rsa = new RSACryptoServiceProvider(2048))
            {
                // Private parameters are exported because the same key signs the token.
                var rsaKeyInfo     = rsa.ExportParameters(true);
                var rsaSecurityKey = new RsaSecurityKey(rsaKeyInfo);
                var credentials    = new SigningCredentials(rsaSecurityKey, SecurityAlgorithms.RsaSha256);

                // Token stays valid for one more minute.
                var token = new JwtSecurityToken(
                    issuer: issuer,
                    audience: audience,
                    expires: DateTime.UtcNow.Add(TimeSpan.FromMinutes(1)),
                    signingCredentials: credentials);

                var serialized = new JwtSecurityTokenHandler().WriteToken(token);

                var options = new OktaWebOptions { OktaDomain = issuer };

                // StrictTokenHandler and DefaultTokenValidationParameters are project types.
                var handler    = new StrictTokenHandler();
                var parameters = new DefaultTokenValidationParameters(options, issuer)
                {
                    IssuerSigningKey = rsaSecurityKey,
                    ValidAudience    = audience,
                };

                handler.ValidateToken(serialized, parameters, out _);
            }
        }