public void Should_Authenticate_Client_With_Client_Secret_Jwt()
{
rpid = "rp-token_endpoint-client_secret_jwt";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
private OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string redirectUri)
{
OpenIDProviderData providerData = options.OpenIDProviders[session["op"] as string];
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = providerData.ClientInformation.ClientId;
tokenRequestMessage.ClientSecret = providerData.ClientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = redirectUri;
tokenRequestMessage.GrantType = "authorization_code";
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerData.ProviderMatadata.TokenEndpoint, tokenRequestMessage, providerData.ClientInformation);
OIDCIdToken idToken = response.GetIdToken(providerData.ProviderMatadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, providerData.ClientInformation, providerData.ProviderMatadata.Issuer, null);
return response;
}
public void Should_Authenticate_Client_With_Private_Key_Jwt()
{
rpid = "rp-token_endpoint-client_secret_jwt";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
delegate(OIDCKey k)
{
return k.Use == "enc" && k.Kty == "RSA";
}
).GetRSA();
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
tokenRequestMessage.GrantType = "authorization_code";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
return response;
}
private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
{
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
return rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
}
/// <summary>
/// Method that submits a tokn request to the OP.
/// </summary>
/// <param name="url">The URL to be used where to send the request</param>
/// <param name="tokenRequestMessage">The token request message</param>
/// <param name="clientInformation">The client information obtained from the OP</param>
/// <returns>Returns the token response obtained from the OP</returns>
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation, byte[] privateKey = null)
{
WebRequest request = WebRequest.Create(url);
OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
string grantType = clientInformation.TokenEndpointAuthMethod;
AddClientAuthenticatedToRequest(ref request, ref message, grantType, clientInformation, privateKey);
string returnedString = WebOperations.PostUrlContent(request, message);
Dictionary<string, object> returnedJson = Deserializer.DeserializeFromJson<Dictionary<string, object>>(returnedString);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
error.DeserializeFromDictionary(returnedJson);
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
tokenResponse.DeserializeFromDictionary(returnedJson);
return tokenResponse;
}
public void Should_Request_And_Use_Unsigned_Id_Token()
{
rpid = "rp-id_token-sig_none";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.IdTokenSignedResponseAlg = "none";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken();
idToken.Validate();
}
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
rpid = "rp-id_token-sig+enc";
signalg = "RS256";
encalg = "RSA1_5:A128CBC-HS256";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
idToken.Validate();
}
public void Should_Reject_Id_Token_With_Invalid_Signature_RS256()
{
rpid = "rp-id_token-bad_asym_sig_rs256";
signalg = "RS256";
// givens
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// Manipulate keys to make them invalid
List<OIDCKey> manipulatedKeys = new List<OIDCKey>();
foreach (OIDCKey curKey in providerMetadata.Keys)
{
OIDCKey newKey = curKey.Clone() as OIDCKey;
if (curKey.N != null)
{
StringBuilder strBuilder = new StringBuilder(newKey.N);
strBuilder[17] = (char)(newKey.N[17] + 1);
newKey.N = strBuilder.ToString();
}
manipulatedKeys.Add(newKey);
}
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
tokenResponse.GetIdToken(manipulatedKeys);
}
public void Should_Reject_Id_Token_With_Invalid_Signature_HS256()
{
rpid = "rp-id_token-bad_asym_sig_hs256";
signalg = "HS256";
// givens
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// Manipulate keys to make them invalid
StringBuilder strBuilder = new StringBuilder(clientInformation.ClientSecret);
strBuilder[17] = (char)(clientInformation.ClientSecret[17] + 1);
string manipulatedClientSecret = strBuilder.ToString();
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
tokenResponse.GetIdToken(null, manipulatedClientSecret);
}
