public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
{
rpid = "rp-id_token-bad_at_hash";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
}
public void Should_Reject_Id_Token_With_Wrong_Iss()
{
rpid = "rp-id_token-mismatching_issuer";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Iss = "ManipulatedIssuer";
string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
}