public async Task when_setting_disabled_logout_should_not_revoke_refreshtoken()
{
BffHost.BffOptions.RevokeRefreshTokenOnLogout = false;
await BffHost.InitializeAsync();
await BffHost.BffLoginAsync("alice", "sid");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
await BffHost.BffLogoutAsync("sid");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
}
static IdentityServerHostTests()
{
var apiResources = new[]
{
new ApiResource("identityserverhost")
{
Scopes = new List <Scope> {
new Scope("identityserverhost")
},
ApiSecrets = new List <Secret> {
new Secret("testsecret".Sha256())
}
}
};
var clients = new[]
{
new Client
{
ClientId = "testclient",
ClientSecrets = new[] { new Secret("clientsecret".Sha256()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new[] { "identityserverhost" }
}
};
var configuration = new IdentityServerHostConfiguration().AddApiResources(apiResources).AddClients(clients);
identityServerHost = new IdentityServerHost(configuration);
identityServerHost.Start();
}
public static TokenClient GetTokenClient(this IdentityServerHost identityServerHost)
{
var discoveryClient = identityServerHost.GetDiscoveryClient();
var doc = discoveryClient.GetAsync().Result;
return(new TokenClient(doc.TokenEndpoint, "testclient", "clientsecret"));
}
public async Task when_BackchannelLogoutAllUserSessions_is_true_backchannel_logout_should_logout_all_sessions()
{
BffHost.BffOptions.BackchannelLogoutAllUserSessions = true;
await BffHost.BffLoginAsync("alice", "sid1");
BffHost.BrowserClient.RemoveCookie("bff");
await BffHost.BffLoginAsync("alice", "sid2");
{
var store = BffHost.Resolve <IUserSessionStore>();
var sessions = await store.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Count().Should().Be(2);
}
await IdentityServerHost.RevokeSessionCookieAsync();
{
var store = BffHost.Resolve <IUserSessionStore>();
var sessions = await store.GetUserSessionsAsync(new UserSessionsFilter { SubjectId = "alice" });
sessions.Should().BeEmpty();
}
}
public static IntrospectionClient GetIntroClient(this IdentityServerHost identityServerHost)
{
var discoveryClient = identityServerHost.GetDiscoveryClient();
var doc = discoveryClient.GetAsync().Result;
return(new IntrospectionClient(doc.IntrospectionEndpoint, "identityserverhost", "testsecret"));
}
public async Task backchannel_logout_endpoint_should_revoke_refreshtoken()
{
await BffHost.BffLoginAsync("alice", "sid123");
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Single(x => x.Type == "refresh_token");
rt.Should().NotBeNull();
}
await IdentityServerHost.RevokeSessionCookieAsync();
{
var store = IdentityServerHost.Resolve <IPersistedGrantStore>();
var grants = await store.GetAllAsync(new PersistedGrantFilter
{
SubjectId = "alice"
});
var rt = grants.Should().BeEmpty();
}
}
public async Task backchannel_logout_endpoint_should_signout()
{
await BffHost.BffLoginAsync("alice", "sid123");
await IdentityServerHost.RevokeSessionCookieAsync();
(await BffHost.GetIsUserLoggedInAsync()).Should().BeFalse();
}
public async Task login_endpoint_with_existing_session_should_challenge()
{
await BffHost.BffLoginAsync("alice");
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/login"));
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(IdentityServerHost.Url("/connect/authorize"));
}
public async Task backchannel_logout_endpoint_for_incorrect_sid_should_not_logout_user()
{
await BffHost.BffLoginAsync("alice", "sid123");
await IdentityServerHost.CreateIdentityServerSessionCookieAsync("alice", "sid999");
await IdentityServerHost.RevokeSessionCookieAsync();
(await BffHost.GetIsUserLoggedInAsync()).Should().BeTrue();
}
public async Task login_endpoint_should_challenge_and_redirect_to_root()
{
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/login"));
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(IdentityServerHost.Url("/connect/authorize"));
await IdentityServerHost.IssueSessionCookieAsync("alice");
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(BffHost.Url("/signin-oidc"));
response = await BffHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().Be("/");
}
public async Task login_endpoint_should_challenge_and_redirect_to_root_with_custom_prefix_trailing_slash()
{
BffHost.BffOptions.ManagementBasePath = "/custom/bff/";
await BffHost.InitializeAsync();
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/custom/bff/login"));
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(IdentityServerHost.Url("/connect/authorize"));
await IdentityServerHost.IssueSessionCookieAsync("alice");
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith(BffHost.Url("/signin-oidc"));
response = await BffHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().Be("/");
}
public static DiscoveryClient GetDiscoveryClient(this IdentityServerHost identityServerHost) => new DiscoveryClient(identityServerHost.BaseAddress.ToString());
public async Task unauthenticated_non_bff_endpoint_should_return_302_for_login()
{
var req = new HttpRequestMessage(HttpMethod.Get, BffHost.Url("/always_fail_authz_non_bff_endpoint"));
req.Headers.Add("x-csrf", "1");
var response = await BffHost.BrowserClient.SendAsync(req);
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/authorize"));
}
public async Task logout_endpoint_for_authenticated_user_without_sid_should_succeed()
{
// workaround for RevokeUserRefreshTokenAsync throwing when no RT in session
BffHost.BffOptions.RevokeRefreshTokenOnLogout = false;
await BffHost.InitializeAsync();
await BffHost.IssueSessionCookieAsync("alice");
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout"));
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
}
public async Task logout_endpoint_should_accept_returnUrl()
{
await BffHost.BffLoginAsync("alice", "sid123");
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout") + "?sid=sid123&returnUrl=/foo");
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // logout
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/account/logout"));
response = await IdentityServerHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // post logout redirect uri
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(BffHost.Url("/signout-callback-oidc"));
response = await BffHost.BrowserClient.GetAsync(response.Headers.Location.ToString());
response.StatusCode.Should().Be(302); // root
response.Headers.Location.ToString().ToLowerInvariant().Should().Be("/foo");
}
public async Task logout_endpoint_for_anonymous_user_without_sid_should_succeed()
{
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout"));
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
}
public async Task logout_endpoint_for_authenticated_when_require_otpion_is_false_should_not_require_sid()
{
await BffHost.BffLoginAsync("alice", "sid123");
BffHost.BffOptions.RequireLogoutSessionId = false;
var response = await BffHost.BrowserClient.GetAsync(BffHost.Url("/bff/logout"));
response.StatusCode.Should().Be(302); // endsession
response.Headers.Location.ToString().ToLowerInvariant().Should().StartWith(IdentityServerHost.Url("/connect/endsession"));
}
