// A correctly signed token whose "exp" claim is already in the past must be rejected
// with SecurityTokenExpiredException. The expiry is set three minutes back so that it
// stays outside the clock skew allowed by the default parameters (the original comment
// notes a default clock skew of 2 minutes).
public void RejectExpiredToken()
{
    const string issuer = "example.okta.com";
    const string audience = "aud://default";

    // Test-only symmetric secret; the same key signs and then verifies the token.
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    // Expired three minutes ago, beyond the clock skew tolerance.
    var expiredAt = DateTime.UtcNow - TimeSpan.FromMinutes(3);
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: audience,
        expires: expiredAt,
        signingCredentials: signingCredentials);

    var handler = new JwtSecurityTokenHandler();
    string serializedToken = handler.WriteToken(token);

    var options = new OktaWebOptions { OktaDomain = issuer };
    var validationParameters = new DefaultTokenValidationParameters(options, issuer)
    {
        IssuerSigningKey = signingKey,
        ValidAudience = audience,
    };

    Action validate = () => handler.ValidateToken(serializedToken, validationParameters, out _);

    validate.Should().Throw<SecurityTokenExpiredException>();
}
// A token with the expected issuer, the expected audience, a future expiry and a valid
// HMAC signature must pass validation. The test succeeds when ValidateToken returns
// without throwing.
public void AllowGoodToken()
{
    const string issuer = "example.okta.com";
    const string audience = "aud://default";

    // Test-only symmetric secret; the same key signs and then verifies the token.
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    // Still valid for one more minute.
    var expiresAt = DateTime.UtcNow + TimeSpan.FromMinutes(1);
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: audience,
        expires: expiresAt,
        signingCredentials: signingCredentials);

    var handler = new JwtSecurityTokenHandler();
    string serializedToken = handler.WriteToken(token);

    var options = new OktaWebOptions { OktaDomain = issuer };
    var validationParameters = new DefaultTokenValidationParameters(options, issuer)
    {
        IssuerSigningKey = signingKey,
        ValidAudience = audience,
    };

    // No assertion needed: any validation failure surfaces as an exception.
    handler.ValidateToken(serializedToken, validationParameters, out _);
}
// A token that is serialized without any signature must be rejected with
// SecurityTokenInvalidSignatureException, even though its issuer, audience and expiry
// are all acceptable. An unsigned token carries no proof of who minted its claims.
public void RejectUnsignedToken()
{
    const string issuer = "example.okta.com";
    const string audience = "aud://default";

    // Deliberately no signingCredentials argument, so the handler writes an unsigned token.
    var expiresAt = DateTime.UtcNow + TimeSpan.FromMinutes(1);
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: audience,
        expires: expiresAt);

    var handler = new JwtSecurityTokenHandler();
    string serializedToken = handler.WriteToken(token);

    var options = new OktaWebOptions { OktaDomain = issuer };

    // No IssuerSigningKey is configured either; the validator must still refuse the token.
    var validationParameters = new DefaultTokenValidationParameters(options, issuer)
    {
        ValidAudience = audience,
    };

    Action validate = () => handler.ValidateToken(serializedToken, validationParameters, out _);

    validate.Should().Throw<SecurityTokenInvalidSignatureException>();
}
// The options validator must reject an OktaDomain value that looks mistyped, throwing an
// ArgumentException whose ParamName identifies OktaDomain. The malformed domain values
// are supplied by the test data for the oktaDomain parameter.
public void FailIfOktaDomainHasTypo(string oktaDomain)
{
    var options = new OktaWebOptions
    {
        OktaDomain = oktaDomain,
    };

    var validator = new OktaWebOptionsValidator<OktaWebOptions>();
    Action validate = () => validator.Validate(options);

    validate.Should()
        .Throw<ArgumentException>()
        .Where(ex => ex.ParamName == nameof(OktaWebOptions.OktaDomain));
}
// The options validator must reject an OktaDomain that does not start with https,
// throwing an ArgumentException whose ParamName identifies OktaDomain. A ClientId is
// supplied so that the domain check is the only thing that can fail. The non-https
// domain values are supplied by the test data for the oktaDomain parameter.
public void FailIfOktaDomainIsNotStartingWithHttps(string oktaDomain)
{
    var options = new OktaWebOptions
    {
        OktaDomain = oktaDomain,
        ClientId = "ClientId",
    };

    var validator = new OktaWebOptionsValidator<OktaWebOptions>();
    Action validate = () => validator.Validate(options);

    validate.Should()
        .Throw<ArgumentException>()
        .Where(ex => ex.ParamName == nameof(OktaWebOptions.OktaDomain));
}
// The options validator must reject a missing ClientId, throwing an ArgumentNullException
// whose ParamName identifies ClientId. ValidOktaDomain (declared elsewhere in this class)
// is used so that only the ClientId check can fail. The null/empty values are supplied by
// the test data for the clientId parameter.
public void FailWhenClientIdIsNullOrEmpty(string clientId)
{
    var options = new OktaWebOptions
    {
        OktaDomain = ValidOktaDomain,
        ClientId = clientId,
    };

    var validator = new OktaWebOptionsValidator<OktaWebOptions>();
    Action validate = () => validator.Validate(options);

    validate.Should()
        .Throw<ArgumentNullException>()
        .Where(ex => ex.ParamName == nameof(OktaWebOptions.ClientId));
}
// Input that is not a parseable JWT at all must be rejected with an ArgumentException
// before any claim is examined. The malformed inputs are supplied by the test data for
// the badToken parameter.
public void RejectBadToken(string badToken)
{
    const string issuer = "example.okta.com";

    var options = new OktaWebOptions
    {
        OktaDomain = issuer,
    };
    var validationParameters = new DefaultTokenValidationParameters(options, issuer);
    var handler = new JwtSecurityTokenHandler();

    Action validate = () => handler.ValidateToken(badToken, validationParameters, out _);

    validate.Should().Throw<ArgumentException>();
}
// An RSA-signed token with a valid signature but an "aud" claim that does not match the
// expected audience must be rejected by StrictTokenHandler with
// SecurityTokenInvalidAudienceException. A fresh 2048-bit RSA key is generated for this
// test and disposed at the end.
public void RejectWrongAudience()
{
    const string issuer = "example.okta.com";
    const string expectedAudience = "aud://default";
    const string clientId = "fakeClient";

    var claims = new[]
    {
        new Claim("cid", clientId),
    };

    using (var rsa = new RSACryptoServiceProvider(2048))
    {
        // Export includes the private parameters so the key can sign as well as verify.
        RSAParameters keyParameters = rsa.ExportParameters(true);
        var signingKey = new RsaSecurityKey(keyParameters);
        var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

        // The token is minted for a different audience than the validator expects.
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: "http://myapi",
            claims: claims,
            expires: DateTime.UtcNow + TimeSpan.FromMinutes(1),
            signingCredentials: signingCredentials);

        string serializedToken = new JwtSecurityTokenHandler().WriteToken(token);

        var options = new OktaWebOptions { OktaDomain = issuer };
        var validationParameters = new DefaultTokenValidationParameters(options, issuer)
        {
            IssuerSigningKey = signingKey,
            ValidAudience = expectedAudience,
        };

        var handler = new StrictTokenHandler();
        Action validate = () => handler.ValidateToken(serializedToken, validationParameters, out _);

        validate.Should().Throw<SecurityTokenInvalidAudienceException>();
    }
}
// Input that is not a parseable JWT at all must be rejected by StrictTokenHandler with an
// ArgumentException before any claim is examined. The malformed inputs are supplied by
// the test data for the badToken parameter.
public void RejectBadToken(string badToken)
{
    const string issuer = "example.okta.com";

    var options = new OktaWebOptions
    {
        ClientId = "fake",
        OktaDomain = issuer,
    };
    var validationParameters = new DefaultTokenValidationParameters(options, issuer);
    var handler = new StrictTokenHandler(options);

    Action validate = () => handler.ValidateToken(badToken, validationParameters, out _);

    validate.Should().Throw<ArgumentException>();
}
// An HMAC-signed token with a valid signature but an "aud" claim that does not match the
// expected audience must be rejected by StrictTokenHandler with
// SecurityTokenInvalidAudienceException. The token's "cid" claim matches the configured
// ClientId, so the audience check is the only thing that can fail.
public void RejectWrongAudience()
{
    const string issuer = "example.okta.com";
    const string expectedAudience = "aud://default";
    const string clientId = "fakeClient";

    var claims = new[]
    {
        new Claim("cid", clientId),
    };

    // Test-only symmetric secret; the same key signs and then verifies the token.
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("fakesigningsecret!"));
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);

    // The token is minted for a different audience than the validator expects.
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: "http://myapi",
        claims: claims,
        expires: DateTime.UtcNow + TimeSpan.FromMinutes(1),
        signingCredentials: signingCredentials);

    string serializedToken = new JwtSecurityTokenHandler().WriteToken(token);

    var options = new OktaWebOptions
    {
        ClientId = clientId,
        OktaDomain = issuer,
    };
    var validationParameters = new DefaultTokenValidationParameters(options, issuer)
    {
        IssuerSigningKey = signingKey,
        ValidAudience = expectedAudience,
    };

    var handler = new StrictTokenHandler(options);
    Action validate = () => handler.ValidateToken(serializedToken, validationParameters, out _);

    validate.Should().Throw<SecurityTokenInvalidAudienceException>();
}
// An RSA-signed token with the expected issuer, the expected audience and a future expiry
// must pass StrictTokenHandler validation. A fresh 2048-bit RSA key is generated for this
// test and disposed at the end. The test succeeds when ValidateToken returns without
// throwing.
public void AllowGoodToken()
{
    const string issuer = "example.okta.com";
    const string audience = "aud://default";

    using (var rsa = new RSACryptoServiceProvider(2048))
    {
        // Export includes the private parameters so the key can sign as well as verify.
        RSAParameters keyParameters = rsa.ExportParameters(true);
        var signingKey = new RsaSecurityKey(keyParameters);
        var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            expires: DateTime.UtcNow + TimeSpan.FromMinutes(1),
            signingCredentials: signingCredentials);

        string serializedToken = new JwtSecurityTokenHandler().WriteToken(token);

        var options = new OktaWebOptions { OktaDomain = issuer };
        var validationParameters = new DefaultTokenValidationParameters(options, issuer)
        {
            IssuerSigningKey = signingKey,
            ValidAudience = audience,
        };

        // No assertion needed: any validation failure surfaces as an exception.
        var handler = new StrictTokenHandler();
        handler.ValidateToken(serializedToken, validationParameters, out _);
    }
}