public void OnJwksRefreshed()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var key384 = SymmetricJwk.GenerateKey(384);
var key512 = SymmetricJwk.GenerateKey(512);
var oldJwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
var newJwks = new Jwks()
{
key128,
key256,
key384,
key512
};
Jwks.OnJwksRefreshed += Jwks_OnJwksRefreshed;
try
{
Jwks.PublishJwksRefreshed(oldJwks, newJwks);
}
finally
{
Jwks.OnJwksRefreshed -= Jwks_OnJwksRefreshed;
}
}
public static JObject Validate(string token, Jwks jwks, string issuer, string audience)
{
var cryptoServiceProvider = new RSACryptoServiceProvider();
cryptoServiceProvider.ImportParameters(new RSAParameters()
{
Modulus = FromBase64Url(jwks.Keys[0].Modulus),
Exponent = FromBase64Url(jwks.Keys[0].Exponent)
});
var validationParameters = new TokenValidationParameters
{
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateAudience = true,
ValidateIssuer = true,
ValidateLifetime = true,
ValidIssuer = issuer,
ValidAudience = audience,
IssuerSigningKey = new RsaSecurityKey(cryptoServiceProvider)
};
SecurityToken validatedSecurityToken;
var handler = new JwtSecurityTokenHandler();
handler.ValidateToken(token, validationParameters, out validatedSecurityToken);
var validatedJwt = validatedSecurityToken as JwtSecurityToken;
var claims = new JObject();
validatedJwt?.Claims.ToList().ForEach(c => claims.Add(c.Type, c.Value));
return(claims);
}
public void GetKeyFromKid()
{
var key128 = SymmetricJwk.GenerateKey(128);
key128.Kid = JsonEncodedText.Encode("key128");
var key192 = SymmetricJwk.GenerateKey(192);
key192.Kid = JsonEncodedText.Encode("key192");
var key256 = SymmetricJwk.GenerateKey(256);
key256.Kid = JsonEncodedText.Encode("key256");
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
Assert.Null(jwks["XXX"]);
Assert.Null(jwks[JsonEncodedText.Encode("XXX")]);
Assert.Equal(key128, jwks["key128"]);
Assert.Equal(key128, jwks[key128.Kid]);
Assert.Equal(key192, jwks["key192"]);
Assert.Equal(key192, jwks[key192.Kid]);
Assert.Equal(key256, jwks["key256"]);
Assert.Equal(key256, jwks[key256.Kid]);
}
public Metadata(OidcSettings settings)
{
Issuer = settings.Issuer;
MetadataEndpoint = settings.MetadataEndpoint;
Endpoints = settings.Endpoints ?? new OpenidEndpoints();
Jwks = settings.Jwks;
}
private static void OnKeysRefreshed(Jwks added, Jwks removed)
{
Console.WriteLine("This key has been refreshed.");
Console.WriteLine("Removed:");
Console.WriteLine(removed);
Console.WriteLine("Added:");
Console.WriteLine(added);
}
/// <summary>Initializes a new instance of <see cref="StaticKeyProvider"/>.</summary>
public StaticKeyProvider(Jwks jwks)
{
if (jwks is null)
{
ThrowHelper.ThrowArgumentNullException(ExceptionArgument.jwks);
}
_jwks = jwks;
}
private void Jwks_OnJwksRefreshed(Jwks added, Jwks removed)
{
Assert.Equal(2, added.Count);
Assert.Contains(added, k => k.KeySizeInBits == 384);
Assert.Contains(added, k => k.KeySizeInBits == 512);
Assert.Equal(1, removed.Count);
Assert.Contains(removed, k => k.KeySizeInBits == 192);
}
public void Add()
{
var jwks = new Jwks("issuer1");
Assert.Equal(0, jwks.Count);
jwks.Add(SymmetricJwk.GenerateKey(128));
Assert.Equal(1, jwks.Count);
Assert.Throws <ArgumentNullException>(() => jwks.Add(null));
}
public void SuccessfulResourceOwnerAuthentication()
{
TokenClient client = null !;
GrantedTokenResponse result = null !;
"and a properly configured token client".x(
() => client = new TokenClient(
TokenCredentials.FromBasicAuthentication("client", "client"),
Fixture.Client,
new Uri(WellKnownOpenidConfiguration)));
"when requesting token".x(
async() =>
{
var response = await client
.GetToken(TokenRequest.FromPassword("user", "password", new[] { "openid", "offline" }))
.ConfigureAwait(false) as Option <GrantedTokenResponse> .Result;
result = response.Item;
Assert.NotNull(result);
});
"then has valid access token".x(
() =>
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
IssuerSigningKeys = Jwks.GetSigningKeys(),
ValidAudience = "client",
ValidIssuer = "https://localhost"
};
tokenHandler.ValidateToken(result.AccessToken, validationParameters, out var token);
Assert.NotEmpty(((JwtSecurityToken)token).Claims);
});
"and has valid id token".x(
() =>
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
IssuerSigningKey = TestKeys.SecretKey.CreateJwk(
JsonWebKeyUseNames.Sig,
KeyOperations.Sign,
KeyOperations.Verify),
ValidAudience = "client",
ValidIssuer = "https://localhost"
};
tokenHandler.ValidateToken(result.IdToken, validationParameters, out _);
});
}
public void ReadJwks_Invalid(string json)
{
try
{
Jwks.FromJson(json);
Assert.False(true, "Expected to throw an exception.");
}
catch (Exception e)
{
Assert.IsAssignableFrom <Exception>(e);
}
}
private static void InterceptKeyRefreshedEvent()
{
Jwks.OnJwksRefreshed += OnKeysRefreshed;
var jwks = new Jwks
{
SymmetricJwk.GenerateKey(128),
SymmetricJwk.GenerateKey(128),
SymmetricJwk.GenerateKey(128),
SymmetricJwk.GenerateKey(128)
};
Jwks.PublishJwksRefreshed(new Jwks(), jwks);
}
public void Vakidate()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
jwks.Validate();
}
public void Ctor()
{
Assert.Throws <ArgumentNullException>(() => new Jwks((Jwk)null));
Assert.Throws <ArgumentNullException>(() => new Jwks((IList <Jwk>)null));
Assert.Throws <ArgumentNullException>(() => new Jwks((string)null));
Assert.Throws <ArgumentNullException>(() => new Jwks((string)null, Jwk.None));
Assert.Throws <ArgumentNullException>(() => new Jwks("issuer", (Jwk)null));
Assert.Throws <ArgumentNullException>(() => new Jwks((string)null, new List <Jwk> {
Jwk.None
}));
Assert.Throws <ArgumentNullException>(() => new Jwks("issuer", (IList <Jwk>)null));
var jwks = new Jwks("issuer1");
Assert.Equal("issuer1", jwks.Issuer);
}
public void Contains()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var key512 = SymmetricJwk.GenerateKey(512);
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
Assert.Contains(key128, jwks);
Assert.Contains(key192, jwks);
Assert.Contains(key256, jwks);
Assert.DoesNotContain(key512, jwks);
Assert.DoesNotContain(null, jwks);
}
public KeyFixture()
{
Jwks = new Jwks();
SigningKey = CreateSigningKey();
Jwks.Add(SigningKey);
EncryptionKey = CreateEncryptionKey();
Jwks.Add(EncryptionKey);
Jwks.Add(PrivateRsa2048Key);
#if !NET461
Jwks.Add(PrivateEcc256Key);
Jwks.Add(PrivateEcc384Key);
Jwks.Add(PrivateEcc512Key);
#endif
Jwks.Add(Symmetric128Key);
Jwks.Add(Symmetric192Key);
Jwks.Add(Symmetric256Key);
Jwks.Add(Symmetric384Key);
Jwks.Add(Symmetric512Key);
}
public void Remove()
{
var key128 = SymmetricJwk.GenerateKey(128);
var key192 = SymmetricJwk.GenerateKey(192);
var key256 = SymmetricJwk.GenerateKey(256);
var key512 = SymmetricJwk.GenerateKey(512);
var jwks = new Jwks("issuer1")
{
key128,
key192,
key256
};
Assert.Equal(3, jwks.Count);
jwks.Remove(key192);
Assert.Equal(2, jwks.Count);
jwks.Remove(key512);
Assert.Equal(2, jwks.Count);
Assert.Throws <ArgumentNullException>(() => jwks.Remove(null));
}
public static JObject Validate(string token, Jwks jwks, string issuer, string audience)
{
RSACryptoServiceProvider cryptoServiceProvider = new RSACryptoServiceProvider();
cryptoServiceProvider.ImportParameters(new RSAParameters()
{
Modulus = FromBase64Url(jwks.Keys[0].Modulus),
Exponent = FromBase64Url(jwks.Keys[0].Exponent)
});
string json;
try
{
json = JWT.Decode(token, (object)cryptoServiceProvider);
}
catch (Exception ex)
{
throw new TokenValidationException("Invalid signature.", ex);
}
var claims = JObject.Parse(json);
//Ignore other validations in case of refresh token
if (claims["token_type"].ToString().Equals("refresh_token", StringComparison.OrdinalIgnoreCase))
{
return(claims);
}
if (claims["token_type"].ToString().Equals("logout_token", StringComparison.OrdinalIgnoreCase))
{
ValidateLogoutToken(claims, issuer, audience);
}
else //if token type is access_token or id_token
{
ValidateAccessToken(claims, issuer, audience);
}
return(claims);
}
public void SuccessfulClientCredentialsAuthentication()
{
TokenClient client = null !;
GrantedTokenResponse result = null !;
"and a properly configured token client".x(
() => client = new TokenClient(
TokenCredentials.FromClientCredentials("clientCredentials", "clientCredentials"),
Fixture.Client,
new Uri(WellKnownOpenidConfiguration)));
"when requesting token".x(
async() =>
{
var response =
await client.GetToken(TokenRequest.FromScopes("api1")).ConfigureAwait(false) as
Option <GrantedTokenResponse> .Result;
Assert.NotNull(response);
result = response.Item;
});
"then has valid access token".x(
() =>
{
var tokenHandler = new JwtSecurityTokenHandler();
var validationParameters = new TokenValidationParameters
{
IssuerSigningKeys = Jwks.GetSigningKeys(),
ValidAudience = "clientCredentials",
ValidIssuer = "https://localhost"
};
tokenHandler.ValidateToken(result.AccessToken, validationParameters, out _);
});
}
public void ReadJwks_Kid(string issuer, string json)
{
var jwks = Jwks.FromJson(issuer, json);
var unidentifiedKeys = jwks.Where(k => k.Kid.EncodedUtf8Bytes.IsEmpty);
var identifiedKeys = jwks
.GroupBy(k => k.Kid)
.Where(k => !k.Key.EncodedUtf8Bytes.IsEmpty)
.ToDictionary(k => k.Key, k => k.Concat(unidentifiedKeys).ToArray()).ToArray();
Assert.Equal(identifiedKeys.Length, jwks.GetIdentifiedKeys().Length);
foreach (var item in identifiedKeys)
{
Assert.Contains(jwks.GetIdentifiedKeys(), k => k.Key.Equals(item.Key));
var item1 = jwks.GetIdentifiedKeys().First(k => k.Key.Equals(item.Key)).Value;
var item2 = item.Value;
Assert.Equal(item1.Length, item2.Length);
for (int i = 0; i < item1.Length; i++)
{
Assert.Equal(item1[i], item2[i]);
}
}
}
public void ReadJwks_InvalidParameters()
{
Assert.Throws <ArgumentNullException>(() => Jwks.FromJson(null, "{}"));
Assert.Throws <ArgumentNullException>(() => Jwks.FromJson("issuer1", (string)null));
}
public void Dispose()
{
Jwks.Dispose();
}
public void Tostring(Jwks jwks, string json)
{
Assert.Equal(json, jwks.ToString());
}
public void ReadJwks_Invalid(string issuer, string json)
{
Assert.ThrowsAny <Exception>(() => Jwks.FromJson(issuer, json));
}
public static bool IsEmpty(this Jwks keys) => keys?.Keys == null || keys.Keys.Length == 0;
public void ReadJwks_Valid(string json, int count)
{
var jwks = Jwks.FromJson(json);
Assert.Equal(count, jwks.Count);
}
public static bool IsNotEmpty(this Jwks keys) => keys?.Keys != null && keys.Keys.Length > 0;
private static void OnKeysRefreshed(Jwks keys)
{
Console.WriteLine("This key has been refreshed:");
Console.WriteLine(keys);
}
