public async Task OidcTokenProvider_ComputeCredential() { // This test only executes on GCE so we are certain to have a ComputeCredential. GoogleCredential credential = GoogleCredential.FromComputeCredential(); OidcToken token = await credential.GetOidcTokenAsync( OidcTokenOptions.FromTargetAudience("https://this.is.a.test")); // Check an access token (really id_token) is available. Assert.NotNull(await token.GetAccessTokenAsync()); // If IdToken is set and AccessToken is not, AccessToken is set to // IdToken, so we can always check here that AccessToken is not null. Assert.NotNull(token.TokenResponse.AccessToken); // The enpoint does not send an expiry, bu we set it to the id_token // expiry. Assert.NotNull(token.TokenResponse.ExpiresInSeconds); var verificationOptions = new SignedTokenVerificationOptions(); verificationOptions.TrustedAudiences.Add("https://this.is.a.test"); var payload = await JsonWebSignature.VerifySignedTokenAsync(await token.GetAccessTokenAsync(), verificationOptions); Assert.NotNull(payload); Assert.Contains("https://this.is.a.test", payload.AudienceAsList); }
private SignedTokenVerificationOptions BuildOptions( IClock clock = null, string[] trustedIssuers = null, string[] trustedAudiences = null, TimeSpan?clockTolerance = null) { var options = new SignedTokenVerificationOptions { CertificateCache = new FakeCertificateCache(), Clock = clock ?? new MockClock(FakeCertificateCache.ValidJwtGoogleSigned) }; foreach (var issuer in trustedIssuers ?? Enumerable.Empty <string>()) { options.TrustedIssuers.Add(issuer); } foreach (var audience in trustedAudiences ?? Enumerable.Empty <string>()) { options.TrustedAudiences.Add(audience); } if (clockTolerance.HasValue) { options.IssuedAtClockTolerance = clockTolerance.Value; options.ExpiryClockTolerance = clockTolerance.Value; } return(options); }
public void FromAnother_DifferentValueAfterModification() { var options1 = new SignedTokenVerificationOptions { CertificatesUrl = "http://dummy.url", ForceCertificateRefresh = true, IssuedAtClockTolerance = TimeSpan.FromSeconds(5), ExpiryClockTolerance = TimeSpan.FromSeconds(10), CertificateCache = new FakeCertificateCache(), Clock = new MockClock(DateTime.UtcNow), TrustedAudiences = { "audience" }, TrustedIssuers = { "issuers" } }; var options2 = new SignedTokenVerificationOptions(options1); options1.CertificatesUrl = ""; options1.ForceCertificateRefresh = false; options1.IssuedAtClockTolerance = TimeSpan.Zero; options1.ExpiryClockTolerance = TimeSpan.Zero; options1.CertificateCache = new FakeCertificateCache(); options1.Clock = new MockClock(DateTime.UtcNow); options1.TrustedAudiences.Add("another"); options1.TrustedIssuers.Add("another"); Assert.Equal("http://dummy.url", options2.CertificatesUrl); Assert.Single(options2.TrustedAudiences, "audience"); Assert.Single(options2.TrustedIssuers, "issuers"); Assert.True(options2.ForceCertificateRefresh); Assert.Equal(TimeSpan.FromSeconds(5), options2.IssuedAtClockTolerance); Assert.Equal(TimeSpan.FromSeconds(10), options2.ExpiryClockTolerance); Assert.NotSame(options1.CertificateCache, options2.CertificateCache); Assert.NotSame(options1.Clock, options2.Clock); }
public void FromAnother_EqualValuesAfterCreation() { var options1 = new SignedTokenVerificationOptions { CertificatesUrl = "http://dummy.url", ForceCertificateRefresh = true, IssuedAtClockTolerance = TimeSpan.FromSeconds(5), ExpiryClockTolerance = TimeSpan.FromSeconds(10), CertificateCache = new FakeCertificateCache(), Clock = new MockClock(DateTime.UtcNow), TrustedAudiences = { "audience" }, TrustedIssuers = { "issuers" } }; var options2 = new SignedTokenVerificationOptions(options1); Assert.Equal("http://dummy.url", options2.CertificatesUrl); Assert.Single(options2.TrustedAudiences, "audience"); Assert.Single(options2.TrustedIssuers, "issuers"); Assert.True(options2.ForceCertificateRefresh); Assert.Equal(TimeSpan.FromSeconds(5), options2.IssuedAtClockTolerance); Assert.Equal(TimeSpan.FromSeconds(10), options2.ExpiryClockTolerance); Assert.IsType <FakeCertificateCache>(options2.CertificateCache); Assert.IsType <MockClock>(options2.Clock); }
public void Default() { var options = new SignedTokenVerificationOptions(); Assert.Null(options.CertificatesUrl); Assert.Null(options.CertificateCache); Assert.Empty(options.TrustedAudiences); Assert.Empty(options.TrustedIssuers); Assert.False(options.ForceCertificateRefresh); Assert.Equal(TimeSpan.Zero, options.IssuedAtClockTolerance); Assert.Equal(TimeSpan.Zero, options.ExpiryClockTolerance); Assert.Same(SystemClock.Default, options.Clock); }
/// <summary> /// Verifies a signed jwt token and returns its payload. /// </summary> /// <param name="signedJwt">The token to verify.</param> /// <param name="expectedAudience">The audience that the token should be meant for. /// Validation will fail if that's not the case.</param> /// <param name="cancellationToken">The cancellation token to propagate cancellation requests.</param> /// <returns>A task that when completed will have as its result the payload of the verified token.</returns> /// <exception cref="InvalidJwtException">If verification failed. The message of the exception will contain /// information as to why the token failed.</exception> public async Task <JsonWebSignature.Payload> VerifyTokenAsync( string signedJwt, string expectedAudience, CancellationToken cancellationToken = default) { SignedTokenVerificationOptions options = new SignedTokenVerificationOptions { // Use clock tolerance to account for possible clock differences // between the issuer and the verifier. IssuedAtClockTolerance = TimeSpan.FromMinutes(1), ExpiryClockTolerance = TimeSpan.FromMinutes(1), TrustedAudiences = { expectedAudience } }; return(await JsonWebSignature.VerifySignedTokenAsync(signedJwt, options, cancellationToken : cancellationToken)); }
public async Task <string> Run(string targetAudience, string credentialsFilePath, string uri) { ServiceAccountCredential saCredential; using (var fs = new FileStream(credentialsFilePath, FileMode.Open, FileAccess.Read)) { saCredential = ServiceAccountCredential.FromServiceAccountData(fs); } OidcToken oidcToken = await saCredential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience(targetAudience).WithTokenFormat(OidcTokenFormat.Standard)).ConfigureAwait(false); string token = await oidcToken.GetAccessTokenAsync().ConfigureAwait(false); // the following snippet verifies an id token. // this step is done on the receiving end of the oidc endpoint // adding this step in here as just as a demo on how to do this //var options = SignedTokenVerificationOptions.Default; SignedTokenVerificationOptions options = new SignedTokenVerificationOptions { IssuedAtClockTolerance = TimeSpan.FromMinutes(1), ExpiryClockTolerance = TimeSpan.FromMinutes(1), TrustedAudiences = { targetAudience }, CertificatesUrl = "https://www.googleapis.com/oauth2/v3/certs" // default value }; var payload = await JsonWebSignature.VerifySignedTokenAsync(token, options); Console.WriteLine("Verified with audience " + payload.Audience); // end verification // use the token using (var httpClient = new HttpClient()) { httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token); string response = await httpClient.GetStringAsync(uri).ConfigureAwait(false); Console.WriteLine(response); return(response); } }