internal static void SwitchUserTest(Sts sts)
{
Log.Comment("Acquire token for user1 interactively");
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token via cookie for user1 without user");
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 via force prompt and user");
AuthenticationContextProxy.SetCredentials(sts.ValidUserName2, sts.ValidPassword2);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 via force prompt");
AuthenticationContextProxy.SetCredentials(sts.ValidUserName2, sts.ValidPassword2);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Fail to acquire token without user while tokens for two users in the cache");
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifyErrorResult(result2, "multiple_matching_tokens_detected", null);
}
public static async Task MultiResourceRefreshTokenTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource2);
if (sts.Type == StsType.AAD)
{
VerifySuccessResult(sts, result2, true, false);
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
Verify.IsTrue(result2.IsMultipleResourceRefreshToken);
}
result2 = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
if (sts.Type == StsType.ADFS)
{
Verify.IsFalse(result.IsMultipleResourceRefreshToken);
}
else
{
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
}
if (sts.Type == StsType.AAD)
{
result2 = context.AcquireToken(sts.ValidResource3, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
}
}
internal static void CacheExpirationMarginTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationContextProxy.SetCredentials(null, null);
var userId = (result.UserInfo != null) ? new UserIdentifier(result.UserInfo.DisplayableId, UserIdentifierType.OptionalDisplayableId) : UserIdentifier.AnyUser;
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId, SecondCallExtraQueryParameter);
VerifySuccessResult(sts, result2);
VerifyExpiresOnAreEqual(result, result2);
var dummyContext = new AuthenticationContext("https://dummy/dummy", false);
AdalFriend.UpdateTokenExpiryOnTokenCache(dummyContext.TokenCache, DateTime.UtcNow + TimeSpan.FromSeconds(4 * 60 + 50));
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId);
VerifySuccessResult(sts, result2);
Verify.AreNotEqual(result.AccessToken, result2.AccessToken);
}
public static List <AuthenticationResultProxy> AcquireTokenPositiveWithCache(Sts sts, AuthenticationContextProxy context)
{
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy result2;
if (result.UserInfo != null)
{
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, new UserIdentifier(result.UserInfo.DisplayableId, UserIdentifierType.OptionalDisplayableId), SecondCallExtraQueryParameter);
}
else
{
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
}
VerifySuccessResult(sts, result2);
return(new List <AuthenticationResultProxy> {
result, result2
});
}
internal static void AcquireTokenWithPromptBehaviorNeverTest(Sts sts)
{
// Should not be able to get a token silently on first try.
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifyErrorResult(result, Sts.UserInteractionRequired, null);
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
// Obtain a token interactively.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetCredentials(null, null);
// Now there should be a token available in the cache so token should be available silently.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifySuccessResult(sts, result);
// Clear the cache and silent auth should work via session cookies.
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifySuccessResult(sts, result);
// Clear the cache and cookies and silent auth should fail.
AuthenticationContextProxy.ClearDefaultCache();
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifyErrorResult(result, Sts.UserInteractionRequired, null);
}
public static void AcquireTokenPositiveWithFederatedTenantTest(Sts sts)
{
var userId = sts.ValidUserId;
AuthenticationContextProxy.SetCredentials(userId.Id, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, false, TokenCacheType.Null);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public static void UserInfoTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationResultProxy result2;
if (sts.Type == StsType.AAD)
{
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Verify.IsNotNullOrEmptyString(result.UserInfo.UniqueId);
Verify.IsNotNullOrEmptyString(result.UserInfo.GivenName);
Verify.IsNotNullOrEmptyString(result.UserInfo.FamilyName);
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
new UserIdentifier(result.UserInfo.DisplayableId, UserIdentifierType.OptionalDisplayableId),
SecondCallExtraQueryParameter);
ValidateAuthenticationResultsAreEqual(result, result2);
}
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
Verify.AreEqual(result.AccessToken, result2.AccessToken);
SetCredential(sts);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, ThirdCallExtraQueryParameter);
VerifySuccessResult(sts, result2);
if (result.UserInfo != null)
{
ValidateAuthenticationResultsAreEqual(result, result2);
}
else
{
VerifyExpiresOnAreNotEqual(result, result2);
}
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.InvalidRequiredUserId, SecondCallExtraQueryParameter);
VerifyErrorResult(result2, "user_mismatch", null);
}
public static void ExtraQueryParametersTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority, TokenCacheType.Null);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, null);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "redirect_uri=123");
VerifyErrorResult(result, "duplicate_query_parameter", "redirect_uri");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "resource=123&dummy=dummy_value#$%^@%^^%");
VerifyErrorResult(result, "duplicate_query_parameter", "resource");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "client_id=123");
VerifyErrorResult(result, "duplicate_query_parameter", "client_id");
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "login_hint=123");
VerifyErrorResult(result, "duplicate_query_parameter", "login_hint");
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "login_hintx=123");
VerifySuccessResult(sts, result);
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, "login_hint=" + sts.ValidUserName);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, string.Empty);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenAndRefreshSessionTest(Sts sts)
{
var userId = sts.ValidUserId;
AuthenticationContextProxy.SetCredentials(userId.Id, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, false, TokenCacheType.InMemory);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.Delay(2000);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.RefreshSession, userId);
VerifySuccessResult(sts, result2);
Verify.AreNotEqual(result.AccessToken, result2.AccessToken);
}
public static void AcquireTokenPositiveWithoutRedirectUriOrUserIdTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, null);
VerifyErrorResult(result, Sts.InvalidArgumentError, "userId");
VerifyErrorResult(result, Sts.InvalidArgumentError, "UserIdentifier.AnyUser");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public static async Task AcquireTokenFromCacheTestAsync(Sts sts)
{
AuthenticationContext context = new AuthenticationContext(sts.Authority, sts.ValidateAuthority);
try
{
await context.AcquireTokenSilentAsync(sts.ValidResource, sts.ValidClientId, sts.ValidUserId);
Verify.Fail("AdalSilentTokenAcquisitionException was expected");
}
catch (AdalSilentTokenAcquisitionException ex)
{
Verify.AreEqual(AdalError.FailedToAcquireTokenSilently, ex.ErrorCode);
}
catch
{
Verify.Fail("AdalSilentTokenAcquisitionException was expected");
}
AuthenticationContextProxy.SetCredentials(sts.Type == StsType.ADFS ? sts.ValidUserName : null, sts.ValidPassword);
var contextProxy = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy resultProxy = contextProxy.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, resultProxy);
AuthenticationResult result = await context.AcquireTokenSilentAsync(sts.ValidResource, sts.ValidClientId, (sts.Type == StsType.ADFS)?UserIdentifier.AnyUser : sts.ValidUserId);
VerifySuccessResult(result);
result = await context.AcquireTokenSilentAsync(sts.ValidResource, sts.ValidClientId);
VerifySuccessResult(result);
}
public static async Task CorrelationIdTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
Guid correlationId = Guid.NewGuid();
AuthenticationResultProxy result = null;
MemoryStream stream = new MemoryStream();
using (var listener = new TextWriterTraceListener(stream))
{
Trace.Listeners.Add(listener);
context.SetCorrelationId(correlationId);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
listener.Flush();
string trace = Encoding.UTF8.GetString(stream.ToArray(), 0, (int)stream.Position);
Verify.IsTrue(trace.Contains(correlationId.ToString()));
Trace.Listeners.Remove(listener);
}
stream = new MemoryStream();
using (var listener = new TextWriterTraceListener(stream))
{
Trace.Listeners.Add(listener);
context.SetCorrelationId(Guid.Empty);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId);
Verify.IsNotNull(result2.AccessToken);
listener.Flush();
string trace = Encoding.UTF8.GetString(stream.ToArray(), 0, (int)stream.Position);
Verify.IsFalse(trace.Contains(correlationId.ToString()));
Verify.IsTrue(trace.Contains("Correlation ID"));
Trace.Listeners.Remove(listener);
}
}
public static void AcquireTokenPositiveTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenPositiveWithoutRedirectUriOrUserIdTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, null);
VerifyErrorResult(result, Sts.InvalidArgumentError, "userId");
VerifyErrorResult(result, Sts.InvalidArgumentError, "UserIdentifier.AnyUser");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public static async Task AcquireTokenPositiveByRefreshTokenTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, (string)null);
VerifySuccessResult(sts, result, true, false);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken + "x", sts.ValidClientId, (string)null);
VerifyErrorResult(result2, "invalid_grant", "Refresh Token", 400);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource);
if (sts.Type == StsType.ADFS)
{
VerifyErrorResult(result, Sts.InvalidArgumentError, "multiple resource");
}
else
{
VerifySuccessResult(sts, result, true, false);
}
}
public static async Task InstanceDiscoveryTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetEnvironmentVariable("ExtraQueryParameter", string.Empty);
// PROD discovery endpoint knows about PPE as well, so this passes discovery and fails later as refresh token is invalid for PPE.
context = new AuthenticationContextProxy(sts.Authority.Replace("windows.net", "windows-ppe.net"), sts.ValidateAuthority);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource);
VerifyErrorResult(result, "invalid_grant", "Refresh Token");
try
{
context = new AuthenticationContextProxy(sts.Authority.Replace("windows.net", "windows.unknown"), sts.ValidateAuthority);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, "authority_not_in_valid_list", "authority");
}
#if TEST_ADAL_WINPHONE_UNIT
catch (AdalServiceException ex)
{
Verify.AreNotEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ErrorCode, Sts.AuthorityNotInValidList);
Verify.IsTrue(ex.Message.Contains("authority"));
}
#endif
finally
{
}
}
public static void AcquireTokenPositiveTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenWithInvalidClientIdTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.InvalidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
public static void AcquireTokenWithIncorrectUserCredentialTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(sts.InvalidUserName, "invalid_password");
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, "incorrect_user");
VerifyErrorResult(result, Sts.AuthenticationCanceledError, "canceled");
}
public static void AcquireTokenWithAuthenticationCanceledTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(null, null);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, new UserIdentifier("*****@*****.**", UserIdentifierType.OptionalDisplayableId));
VerifyErrorResult(result, Sts.AuthenticationCanceledError, "canceled");
}
public static void AcquireTokenWithInvalidResourceTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.InvalidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.InvalidResourceError, "resource");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource.ToUpper(), sts.ValidClientId.ToUpper(), sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(sts.Type == StsType.AAD) ? new UserIdentifier(sts.ValidUserName, UserIdentifierType.RequiredDisplayableId) : UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource.ToUpper(), sts.ValidClientId.ToUpper(), sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(result.UserInfo != null) ? new UserIdentifier(result.UserInfo.UniqueId, UserIdentifierType.UniqueId) : UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public static void NonHttpsURLNegativeTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
// Obtain a token interactively.
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorDescriptionContains(result.ErrorDescription, "Non-HTTPS url redirect is not supported in webview");
}
public static void ForcePromptTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetCredentials(null, null);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(sts.Type == StsType.ADFS) ? null : sts.ValidUserId);
VerifySuccessResult(sts, result2);
Verify.AreEqual(result2.AccessToken, result.AccessToken);
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always);
VerifySuccessResult(sts, result);
Verify.AreNotEqual(result2.AccessToken, result.AccessToken);
}
internal static async Task AcquireTokenOnBehalfAndClientAssertionTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidConfidentialClientId, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
RecorderJwtId.JwtIdIndex = 13;
ClientAssertion clientAssertion = CreateClientAssertion(sts.Authority, sts.ValidConfidentialClientId, sts.ConfidentialClientCertificateName, sts.ConfidentialClientCertificatePassword);
AuthenticationResultProxy result2 = await context.AcquireTokenAsync(null, clientAssertion, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "resource");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, null);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "userAssertion");
result2 = await context.AcquireTokenAsync(sts.ValidResource, (ClientAssertion)null, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "clientAssertion");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Testing cache
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy result3 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result3, true, false);
VerifyExpiresOnAreEqual(result2, result3);
// Using MRRT in cached token to acquire token for a different resource
AuthenticationResultProxy result4 = await context.AcquireTokenAsync(sts.ValidResource2, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result4, true, false);
AuthenticationContextProxy.ClearDefaultCache();
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Using MRRT in cached token to acquire token for a different resource
result3 = await context.AcquireTokenSilentAsync(sts.ValidResource2, clientAssertion, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result3, true, false);
}
public static void TenantlessTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.TenantlessAuthority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
Verify.IsNotNullOrEmptyString(result.TenantId);
AuthenticationContextProxy.SetCredentials(null, null);
AuthenticationResultProxy result2 = context.AcquireToken(
sts.ValidResource,
sts.ValidClientId,
sts.ValidDefaultRedirectUri,
PromptBehaviorProxy.Auto,
sts.ValidUserId);
ValidateAuthenticationResultsAreEqual(result, result2);
SetCredential(sts);
context = new AuthenticationContextProxy(sts.TenantlessAuthority.Replace("Common", result.TenantId), sts.ValidateAuthority, TokenCacheType.Null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
}
internal static void MultiUserCacheTest(Sts sts)
{
Log.Comment("Acquire token for user1 interactively");
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Clear cookie and acquire token for user2 interactively");
EndBrowserDialogSession();
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword2);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 and resource2 using cached multi resource refresh token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 and resource2 using cached multi resource refresh token");
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
}
public static async Task WebExceptionAccessTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.InvalidClientId);
VerifyErrorResult(result, "unauthorized_client", "AADSTS70001");
Verify.IsNotNull(result.Exception);
Verify.IsNotNull(result.Exception.InnerException);
Verify.IsTrue(result.Exception.InnerException is WebException);
using (StreamReader sr = new StreamReader(((WebException)(result.Exception.InnerException)).Response.GetResponseStream()))
{
string streamBody = sr.ReadToEnd();
Verify.IsTrue(streamBody.Contains("AADSTS70001"));
}
}
public static void AcquireTokenPositiveWithDefaultCacheTest(Sts sts)
{
AuthenticationContextProxy.ClearDefaultCache();
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
List <AuthenticationResultProxy> results = AcquireTokenPositiveWithCache(sts, context);
VerifyExpiresOnAreEqual(results[0], results[1]);
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy resultWithoutUser = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, SecondCallExtraQueryParameter);
VerifyExpiresOnAreEqual(results[0], resultWithoutUser);
context.VerifySingleItemInCache(results[0], sts.Type);
}
public static void AcquireTokenWithInvalidAuthorityTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy("https://www.live.com/login", false);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
context = new AuthenticationContextProxy(sts.InvalidAuthority, false);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationUiFailedError, null);
if (sts.Type != StsType.ADFS)
{
Uri uri = new Uri(sts.Authority);
context = new AuthenticationContextProxy(string.Format("{0}://{1}/non_existing_tenant", uri.Scheme, uri.Authority));
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
}
public static void AcquireTokenWithCallbackTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority)
{
AuthenticationContextDelegate = AuthenticationContextPositiveDelegate
};
positiveCalled = false;
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
Verify.IsTrue(positiveCalled);
VerifySuccessResult(sts, result);
context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority)
{
AuthenticationContextDelegate = AuthenticationContextNegativeDelegate
};
negativeCalled = false;
result = context.AcquireToken(sts.ValidResource, sts.InvalidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
Verify.IsTrue(negativeCalled);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
public static async Task CorrelationIdTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
Guid correlationId = Guid.NewGuid();
AuthenticationResultProxy result = null;
MemoryStream stream = new MemoryStream();
using (var listener = new TextWriterTraceListener(stream))
{
Trace.Listeners.Add(listener);
context.SetCorrelationId(correlationId);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
listener.Flush();
string trace = Encoding.UTF8.GetString(stream.ToArray(), 0, (int)stream.Position);
Verify.IsTrue(trace.Contains(correlationId.ToString()));
Trace.Listeners.Remove(listener);
}
stream = new MemoryStream();
using (var listener = new TextWriterTraceListener(stream))
{
Trace.Listeners.Add(listener);
context.SetCorrelationId(Guid.Empty);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId);
Verify.IsNotNullOrEmptyString(result2.AccessToken);
listener.Flush();
string trace = Encoding.UTF8.GetString(stream.ToArray(), 0, (int)stream.Position);
Verify.IsFalse(trace.Contains(correlationId.ToString()));
Verify.IsTrue(trace.Contains("Correlation ID"));
Trace.Listeners.Remove(listener);
}
}
public static void AcquireTokenWithCallbackTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority)
{
AuthenticationContextDelegate = AuthenticationContextPositiveDelegate
};
positiveCalled = false;
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
Verify.IsTrue(positiveCalled);
VerifySuccessResult(sts, result);
context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority)
{
AuthenticationContextDelegate = AuthenticationContextNegativeDelegate
};
negativeCalled = false;
result = context.AcquireToken(sts.ValidResource, sts.InvalidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
Verify.IsTrue(negativeCalled);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
public static async Task AcquireTokenPositiveByRefreshTokenTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, (string)null);
VerifySuccessResult(sts, result, true, false);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken + "x", sts.ValidClientId, (string)null);
VerifyErrorResult(result2, "invalid_grant", "Refresh Token", 400);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource);
if (sts.Type == StsType.ADFS)
{
VerifyErrorResult(result, Sts.InvalidArgumentError, "multiple resource");
}
else
{
VerifySuccessResult(sts, result, true, false);
}
}
public static void AcquireTokenWithRedirectUriTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.InvalidExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.InvalidNonExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, new Uri(sts.ValidNonExistingRedirectUri.AbsoluteUri + "#fragment"), PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.InvalidArgumentError, "redirectUri");
VerifyErrorResult(result, Sts.InvalidArgumentError, "fragment");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Auto, sts.ValidUserId);
if (TestType != TestType.WinRT)
{
VerifyErrorResult(result, Sts.InvalidArgumentError, "redirectUri");
}
else
{
// Winrt can send null redirecturi
VerifySuccessResult(sts, result);
}
AuthenticationContextProxy.ClearDefaultCache();
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientIdWithExistingRedirectUri, sts.ValidExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidNonExistentRedirectUriClientId, sts.ValidNonExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
public static void ForcePromptTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetCredentials(null, null);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(sts.Type == StsType.ADFS) ? null : sts.ValidUserId);
VerifySuccessResult(sts, result2);
Verify.AreEqual(result2.AccessToken, result.AccessToken);
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always);
VerifySuccessResult(sts, result);
Verify.AreNotEqual(result2.AccessToken, result.AccessToken);
}
public static async Task InstanceDiscoveryTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetEnvironmentVariable("ExtraQueryParameter", string.Empty);
// PROD discovery endpoint knows about PPE as well, so this passes discovery and fails later as refresh token is invalid for PPE.
context = new AuthenticationContextProxy(sts.Authority.Replace("windows.net", "windows-ppe.net"), sts.ValidateAuthority);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource);
VerifyErrorResult(result, "invalid_grant", "Refresh Token");
try
{
context = new AuthenticationContextProxy(sts.Authority.Replace("windows.net", "windows.unknown"), sts.ValidateAuthority);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, "authority_not_in_valid_list", "authority");
}
#if TEST_ADAL_WINPHONE_UNIT
catch (AdalServiceException ex)
{
Verify.AreNotEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ErrorCode, Sts.AuthorityNotInValidList);
Verify.IsTrue(ex.Message.Contains("authority"));
}
#endif
finally
{
}
}
internal static async Task AcquireTokenOnBehalfAndClientCertificateTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidConfidentialClientId, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
var clientCertificate = new ClientAssertionCertificate(sts.ValidConfidentialClientId, new X509Certificate2(sts.ConfidentialClientCertificateName, sts.ConfidentialClientCertificatePassword));
RecorderJwtId.JwtIdIndex = 5;
AuthenticationResultProxy result2 = await context.AcquireTokenAsync(null, clientCertificate, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "resource");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientCertificate, null);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "userAssertion");
result2 = await context.AcquireTokenAsync(sts.ValidResource, (ClientAssertionCertificate)null, result.AccessToken);
RecorderJwtId.JwtIdIndex = 6;
VerifyErrorResult(result2, Sts.InvalidArgumentError, "clientCertificate");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientCertificate, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Testing cache
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy result3 = await context.AcquireTokenAsync(sts.ValidResource, clientCertificate, result.AccessToken);
VerifySuccessResult(sts, result3, true, false);
VerifyExpiresOnAreEqual(result2, result3);
// Using MRRT in cached token to acquire token for a different resource
AuthenticationResultProxy result4 = await context.AcquireTokenAsync(sts.ValidResource2, clientCertificate, result.AccessToken + "x");
VerifySuccessResult(sts, result4, true, false);
AuthenticationContextProxy.ClearDefaultCache();
result2 = await context.AcquireTokenAsync(sts.ValidResource + "x", clientCertificate, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidResourceError, null);
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientCertificate, result.AccessToken + "x");
VerifyErrorResult(result2, "invalid_grant", "invalid signature");
var invalidClientCredential = new ClientAssertionCertificate(sts.ValidConfidentialClientId.Replace('1', '2'), new X509Certificate2(sts.ConfidentialClientCertificateName, sts.ConfidentialClientCertificatePassword));
RecorderJwtId.JwtIdIndex = 7;
result2 = await context.AcquireTokenAsync(sts.ValidResource, invalidClientCredential, result.AccessToken);
VerifyErrorResult(result2, Sts.UnauthorizedClient, "not found");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientCertificate, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Using MRRT in cached token to acquire token for a different resource
result3 = await context.AcquireTokenSilentAsync(sts.ValidResource2, sts.ValidConfidentialClientId);
VerifyErrorResult(result3, AdalError.FailedToAcquireTokenSilently, null);
// Using MRRT in cached token to acquire token for a different resource
result3 = await context.AcquireTokenSilentAsync(sts.ValidResource2, clientCertificate, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result3, true, false);
}
public static List<AuthenticationResultProxy> AcquireTokenPositiveWithCache(Sts sts, AuthenticationContextProxy context)
{
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy result2;
if (result.UserInfo != null)
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, new UserIdentifier(result.UserInfo.DisplayableId, UserIdentifierType.OptionalDisplayableId), SecondCallExtraQueryParameter);
else
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifySuccessResult(sts, result2);
return new List<AuthenticationResultProxy> { result, result2 };
}
internal static void MultiUserCacheTest(Sts sts)
{
Log.Comment("Acquire token for user1 interactively");
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Clear cookie and acquire token for user2 interactively");
EndBrowserDialogSession();
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword2);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 returning cached token");
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user1 and resource2 using cached multi resource refresh token");
AuthenticationContextProxy.SetCredentials(null, null);
result = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 and resource2 using cached multi resource refresh token");
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
}
internal static void AcquireTokenWithPromptBehaviorNeverTest(Sts sts)
{
// Should not be able to get a token silently on first try.
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifyErrorResult(result, Sts.UserInteractionRequired, null);
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
// Obtain a token interactively.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetCredentials(null, null);
// Now there should be a token available in the cache so token should be available silently.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifySuccessResult(sts, result);
// Clear the cache and silent auth should work via session cookies.
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifySuccessResult(sts, result);
// Clear the cache and cookies and silent auth should fail.
AuthenticationContextProxy.ClearDefaultCache();
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
VerifyErrorResult(result, Sts.UserInteractionRequired, null);
}
public static async Task WebExceptionAccessTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.InvalidClientId);
VerifyErrorResult(result, "unauthorized_client", "AADSTS70001");
Verify.IsNotNull(result.Exception);
Verify.IsNotNull(result.Exception.InnerException);
Verify.IsTrue(result.Exception.InnerException is WebException);
using (StreamReader sr = new StreamReader(((WebException)(result.Exception.InnerException)).Response.GetResponseStream()))
{
string streamBody = sr.ReadToEnd();
Verify.IsTrue(streamBody.Contains("AADSTS70001"));
}
}
public static void AcquireTokenAndRefreshSessionTest(Sts sts)
{
var userId = sts.ValidUserId;
AuthenticationContextProxy.SetCredentials(userId.Id, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, false, TokenCacheType.InMemory);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.Delay(2000);
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.RefreshSession, userId);
VerifySuccessResult(sts, result2);
Verify.AreNotEqual(result.AccessToken, result2.AccessToken);
}
public static void AcquireTokenWithInvalidClientIdTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.InvalidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
public static void AcquireTokenWithInvalidResourceTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.InvalidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.InvalidResourceError, "resource");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource.ToUpper(), sts.ValidClientId.ToUpper(), sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(sts.Type == StsType.AAD) ? new UserIdentifier(sts.ValidUserName, UserIdentifierType.RequiredDisplayableId) : UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource.ToUpper(), sts.ValidClientId.ToUpper(), sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
(result.UserInfo != null) ? new UserIdentifier(result.UserInfo.UniqueId, UserIdentifierType.UniqueId) : UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenWithInvalidAuthorityTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy("https://www.live.com/login", false);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
context = new AuthenticationContextProxy(sts.InvalidAuthority, false);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationUiFailedError, null);
if (sts.Type != StsType.ADFS)
{
Uri uri = new Uri(sts.Authority);
context = new AuthenticationContextProxy(string.Format("{0}://{1}/non_existing_tenant", uri.Scheme, uri.Authority));
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
}
}
public static void AcquireTokenWithRedirectUriTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.InvalidExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.InvalidNonExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationCanceledError, null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, new Uri(sts.ValidNonExistingRedirectUri.AbsoluteUri + "#fragment"), PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.InvalidArgumentError, "redirectUri");
VerifyErrorResult(result, Sts.InvalidArgumentError, "fragment");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Auto, sts.ValidUserId);
if (TestType != TestType.WinRT)
{
VerifyErrorResult(result, Sts.InvalidArgumentError, "redirectUri");
}
else
{
// Winrt can send null redirecturi
VerifySuccessResult(sts, result);
}
AuthenticationContextProxy.ClearDefaultCache();
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientIdWithExistingRedirectUri, sts.ValidExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidNonExistentRedirectUriClientId, sts.ValidNonExistingRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
public void AcquireTokenWithPromptBehaviorNeverTestAsync()
{
// TODO: Not fully working at this point due to session cookies being deleted between WAB calls.
Sts sts = Sts;
// Should not be able to get a token silently passing redirectUri.
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Never);
AdalTests.VerifyErrorResult(result, Sts.InvalidArgumentError, "SSO");
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
AdalTests.VerifySuccessResult(sts, result);
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
AdalTests.VerifySuccessResult(sts, result);
// Should not be able to get a token silently on first try.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Never);
AdalTests.VerifyErrorResult(result, Sts.UserInteractionRequired, null);
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
// Obtain a token interactively.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null);
AdalTests.VerifySuccessResult(sts, result);
// Obtain a token interactively.
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null);
AdalTests.VerifySuccessResult(sts, result);
AuthenticationContextProxy.SetCredentials(null, null);
// Now there should be a token available in the cache so token should be available silently.
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Never);
AdalTests.VerifySuccessResult(sts, result);
// Clear the cache and silent auth should work via session cookies.
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Never);
AdalTests.VerifySuccessResult(sts, result);
// Clear the cache and cookies and silent auth should fail.
AuthenticationContextProxy.ClearDefaultCache();
AdalTests.EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, null, PromptBehaviorProxy.Never);
AdalTests.VerifyErrorResult(result, Sts.UserInteractionRequired, null);
}
public static void AcquireTokenPositiveWithFederatedTenantTest(Sts sts)
{
var userId = sts.ValidUserId;
AuthenticationContextProxy.SetCredentials(userId.Id, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, false, TokenCacheType.Null);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, userId);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result);
}
public void SSOModeTest()
{
AuthenticationContextProxy.SetCredentials(null, Sts.ValidPassword);
var context = new AuthenticationContextProxy(Sts.Authority, Sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(Sts.ValidResource, Sts.ValidClientId, Sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, Sts.ValidUserId);
AdalTests.VerifySuccessResult(Sts, result);
AuthenticationContextProxy.ClearDefaultCache();
AuthenticationContextProxy.SetCredentials(Sts.ValidUserName, Sts.ValidPassword);
result = context.AcquireToken(Sts.ValidResource, Sts.ValidClientId, null);
AdalTests.VerifySuccessResult(Sts, result);
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(Sts.ValidResource, Sts.ValidClientId, null);
AdalTests.VerifySuccessResult(Sts, result);
AuthenticationContextProxy.ClearDefaultCache();
result = context.AcquireToken(Sts.ValidResource, Sts.ValidClientId,
new Uri("ms-app://s-1-15-2-2097830667-3131301884-2920402518-3338703368-1480782779-4157212157-3811015497/"));
AdalTests.VerifyErrorResult(result, Sts.InvalidArgumentError, "return URI");
}
internal static async Task AcquireTokenOnBehalfAndClientAssertionTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidConfidentialClientId, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
RecorderJwtId.JwtIdIndex = 13;
ClientAssertion clientAssertion = CreateClientAssertion(sts.Authority, sts.ValidConfidentialClientId, sts.ConfidentialClientCertificateName, sts.ConfidentialClientCertificatePassword);
AuthenticationResultProxy result2 = await context.AcquireTokenAsync(null, clientAssertion, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "resource");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, null);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "userAssertion");
result2 = await context.AcquireTokenAsync(sts.ValidResource, (ClientAssertion)null, result.AccessToken);
VerifyErrorResult(result2, Sts.InvalidArgumentError, "clientAssertion");
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Testing cache
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy result3 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result3, true, false);
VerifyExpiresOnAreEqual(result2, result3);
// Using MRRT in cached token to acquire token for a different resource
AuthenticationResultProxy result4 = await context.AcquireTokenAsync(sts.ValidResource2, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result4, true, false);
AuthenticationContextProxy.ClearDefaultCache();
result2 = await context.AcquireTokenAsync(sts.ValidResource, clientAssertion, result.AccessToken);
VerifySuccessResult(sts, result2, true, false);
// Using MRRT in cached token to acquire token for a different resource
result3 = await context.AcquireTokenSilentAsync(sts.ValidResource2, clientAssertion, UserIdentifier.AnyUser);
VerifySuccessResult(sts, result3, true, false);
}
public static void ExtraQueryParametersTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority, TokenCacheType.Null);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, null);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "redirect_uri=123");
VerifyErrorResult(result, "duplicate_query_parameter", "redirect_uri");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "resource=123&dummy=dummy_value#$%^@%^^%");
VerifyErrorResult(result, "duplicate_query_parameter", "resource");
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "client_id=123");
VerifyErrorResult(result, "duplicate_query_parameter", "client_id");
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "login_hint=123");
VerifyErrorResult(result, "duplicate_query_parameter", "login_hint");
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, "login_hintx=123");
VerifySuccessResult(sts, result);
EndBrowserDialogSession();
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, "login_hint=" + sts.ValidUserName);
VerifySuccessResult(sts, result);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, string.Empty);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenPositiveWithDefaultCacheTest(Sts sts)
{
AuthenticationContextProxy.ClearDefaultCache();
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
List<AuthenticationResultProxy> results = AcquireTokenPositiveWithCache(sts, context);
VerifyExpiresOnAreEqual(results[0], results[1]);
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationResultProxy resultWithoutUser = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, SecondCallExtraQueryParameter);
VerifyExpiresOnAreEqual(results[0], resultWithoutUser);
context.VerifySingleItemInCache(results[0], sts.Type);
}
public static void UserInfoTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationResultProxy result2;
if (sts.Type == StsType.AAD)
{
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Verify.IsNotNullOrEmptyString(result.UserInfo.UniqueId);
Verify.IsNotNullOrEmptyString(result.UserInfo.GivenName);
Verify.IsNotNullOrEmptyString(result.UserInfo.FamilyName);
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto,
new UserIdentifier(result.UserInfo.DisplayableId, UserIdentifierType.OptionalDisplayableId),
SecondCallExtraQueryParameter);
ValidateAuthenticationResultsAreEqual(result, result2);
}
AuthenticationContextProxy.SetCredentials(null, null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
Verify.AreEqual(result.AccessToken, result2.AccessToken);
SetCredential(sts);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId, ThirdCallExtraQueryParameter);
VerifySuccessResult(sts, result2);
if (result.UserInfo != null)
{
ValidateAuthenticationResultsAreEqual(result, result2);
}
else
{
VerifyExpiresOnAreNotEqual(result, result2);
}
EndBrowserDialogSession();
Log.Comment("Waiting 2 seconds before next token request...");
AuthenticationContextProxy.Delay(2000); // 2 seconds delay
AuthenticationContextProxy.SetCredentials(sts.ValidUserName, sts.ValidPassword);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.InvalidRequiredUserId, SecondCallExtraQueryParameter);
VerifyErrorResult(result2, "user_mismatch", null);
}
public static async Task MultiResourceRefreshTokenTestAsync(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
AuthenticationResultProxy result2 = await context.AcquireTokenByRefreshTokenAsync(result.RefreshToken, sts.ValidClientId, sts.ValidResource2);
if (sts.Type == StsType.AAD)
{
VerifySuccessResult(sts, result2, true, false);
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
Verify.IsTrue(result2.IsMultipleResourceRefreshToken);
}
result2 = context.AcquireToken(sts.ValidResource2, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
if (sts.Type == StsType.ADFS)
{
Verify.IsFalse(result.IsMultipleResourceRefreshToken);
}
else
{
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
}
if (sts.Type == StsType.AAD)
{
result2 = context.AcquireToken(sts.ValidResource3, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
Verify.IsTrue(result.IsMultipleResourceRefreshToken);
}
}
internal static void SwitchUserTest(Sts sts)
{
Log.Comment("Acquire token for user1 interactively");
AuthenticationContextProxy.SetCredentials(null, sts.ValidPassword);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token via cookie for user1 without user");
AuthenticationResultProxy result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifySuccessResultAndTokenContent(sts, result);
Verify.AreEqual(sts.ValidUserName, result.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 via force prompt and user");
AuthenticationContextProxy.SetCredentials(sts.ValidUserName2, sts.ValidPassword2);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always, sts.ValidRequiredUserId2);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Acquire token for user2 via force prompt");
AuthenticationContextProxy.SetCredentials(sts.ValidUserName2, sts.ValidPassword2);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Always);
VerifySuccessResultAndTokenContent(sts, result2);
Verify.AreEqual(sts.ValidUserName2, result2.UserInfo.DisplayableId);
Log.Comment("Fail to acquire token without user while tokens for two users in the cache");
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri);
VerifyErrorResult(result2, "multiple_matching_tokens_detected", null);
}
public static void TenantlessTest(Sts sts)
{
SetCredential(sts);
var context = new AuthenticationContextProxy(sts.TenantlessAuthority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
Verify.IsNotNullOrEmptyString(result.TenantId);
AuthenticationContextProxy.SetCredentials(null, null);
AuthenticationResultProxy result2 = context.AcquireToken(
sts.ValidResource,
sts.ValidClientId,
sts.ValidDefaultRedirectUri,
PromptBehaviorProxy.Auto,
sts.ValidUserId);
ValidateAuthenticationResultsAreEqual(result, result2);
SetCredential(sts);
context = new AuthenticationContextProxy(sts.TenantlessAuthority.Replace("Common", result.TenantId), sts.ValidateAuthority, TokenCacheType.Null);
result2 = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result2);
}
public static void AcquireTokenWithIncorrectUserCredentialTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(sts.InvalidUserName, "invalid_password");
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, UserIdentifier.AnyUser, "incorrect_user");
VerifyErrorResult(result, Sts.AuthenticationCanceledError, "canceled");
}
public static async Task AuthenticationParametersDiscoveryTestAsync(Sts sts)
{
const string RelyingPartyWithDiscoveryUrl = "http://localhost:8080";
using (Microsoft.Owin.Hosting.WebApp.Start<RelyingParty>(RelyingPartyWithDiscoveryUrl))
{
Log.Comment("Relying Party Started");
HttpWebResponse response = null;
AuthenticationParametersProxy authParams = null;
try
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(RelyingPartyWithDiscoveryUrl);
request.ContentType = "application/x-www-form-urlencoded";
response = (HttpWebResponse)request.GetResponse();
}
catch (WebException ex)
{
response = (HttpWebResponse)ex.Response;
if (response.StatusCode == HttpStatusCode.Unauthorized)
{
authParams = AuthenticationParametersProxy.CreateFromResponseAuthenticateHeader(response.Headers["WWW-authenticate"]);
}
}
finally
{
response.Close();
}
SetCredential(sts);
var context = new AuthenticationContextProxy(authParams.Authority, sts.ValidateAuthority, TokenCacheType.Null);
var result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
AdalTests.VerifySuccessResult(sts, result);
// ADAL WinRT does not support AuthenticationParameters.CreateFromUnauthorizedResponse API
if (TestType != Common.TestType.WinRT)
{
try
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(RelyingPartyWithDiscoveryUrl);
request.ContentType = "application/x-www-form-urlencoded";
response = (HttpWebResponse)request.GetResponse();
}
catch (WebException ex)
{
response = (HttpWebResponse)ex.Response;
authParams = AuthenticationParametersProxy.CreateFromUnauthorizedResponse(response);
}
finally
{
response.Close();
}
context = new AuthenticationContextProxy(authParams.Authority, sts.ValidateAuthority, TokenCacheType.Null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
AdalTests.VerifySuccessResult(sts, result);
}
authParams = await AuthenticationParametersProxy.CreateFromResourceUrlAsync(new Uri(RelyingPartyWithDiscoveryUrl));
context = new AuthenticationContextProxy(authParams.Authority, sts.ValidateAuthority, TokenCacheType.Null);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
AdalTests.VerifySuccessResult(sts, result);
Log.Comment("Relying Party Terminating...");
}
}
public static void AuthenticationContextAuthorityValidationTest(Sts sts)
{
SetCredential(sts);
AuthenticationContextProxy context = null;
AuthenticationResultProxy result = null;
try
{
context = new AuthenticationContextProxy(sts.InvalidAuthority, true);
Verify.AreNotEqual(sts.Type, StsType.ADFS);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthorityNotInValidList, "authority");
}
catch (ArgumentException ex)
{
Verify.AreEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ParamName, "validateAuthority");
}
#if TEST_ADAL_WINPHONE_UNIT
catch (AdalServiceException ex)
{
Verify.AreNotEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ErrorCode, Sts.AuthorityNotInValidList);
Verify.IsTrue(ex.Message.Contains("authority"));
}
#endif
context = new AuthenticationContextProxy(sts.InvalidAuthority, false);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthenticationUiFailedError, "authentication dialog");
context = new AuthenticationContextProxy(sts.Authority, false);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
if (sts.Type != StsType.ADFS)
{
context = new AuthenticationContextProxy(sts.Authority, true);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
try
{
context = new AuthenticationContextProxy(sts.InvalidAuthority);
Verify.AreNotEqual(sts.Type, StsType.ADFS);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifyErrorResult(result, Sts.AuthorityNotInValidList, "authority");
}
catch (ArgumentException ex)
{
Verify.AreEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ParamName, "validateAuthority");
}
#if TEST_ADAL_WINPHONE_UNIT
catch (AdalServiceException ex)
{
Verify.AreNotEqual(sts.Type, StsType.ADFS);
Verify.AreEqual(ex.ErrorCode, Sts.AuthorityNotInValidList);
Verify.IsTrue(ex.Message.Contains("authority"));
}
#endif
context = new AuthenticationContextProxy(sts.Authority + "/extraPath1/extraPath2", sts.ValidateAuthority);
result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, sts.ValidUserId);
VerifySuccessResult(sts, result);
}
public static void AcquireTokenWithAuthenticationCanceledTest(Sts sts)
{
AuthenticationContextProxy.SetCredentials(null, null);
var context = new AuthenticationContextProxy(sts.Authority, sts.ValidateAuthority);
AuthenticationResultProxy result = context.AcquireToken(sts.ValidResource, sts.ValidClientId, sts.ValidDefaultRedirectUri, PromptBehaviorProxy.Auto, new UserIdentifier("*****@*****.**", UserIdentifierType.OptionalDisplayableId));
VerifyErrorResult(result, Sts.AuthenticationCanceledError, "canceled");
}