public void Should_Authenticate_Client_With_Client_Secret_Jwt() { rpid = "rp-token_endpoint-client_secret_jwt"; // given OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; // when OpenIdRelyingParty rp = new OpenIdRelyingParty(); clientInformation.TokenEndpointAuthMethod = "client_secret_jwt"; OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys); idToken.Validate(); }
private Dictionary <string, object> PerformSelfIssuedAuthentication(OIDCAuthorizationRequestMessage requestMessage, X509Certificate2 certificate) { OIDCIdToken idToken = new OIDCIdToken(); idToken.Iss = "https://self-issued.me"; idToken.Sub = Convert.ToBase64String(Encoding.UTF8.GetBytes(certificate.Thumbprint)); idToken.Aud = new List <string>() { requestMessage.RedirectUri }; idToken.Nonce = requestMessage.Nonce; idToken.Exp = DateTime.MaxValue; idToken.Iat = DateTime.MaxValue; idToken.SubJkw = KeyManager.GetOIDCKey(certificate, "RSA", "AQAB", "sig"); if (requestMessage.Scope.Contains(MessageScope.Profile)) { idToken.GivenName = "Myself"; idToken.FamilyName = "User"; idToken.Name = idToken.GivenName + " " + idToken.FamilyName; } if (requestMessage.Scope.Contains(MessageScope.Email)) { idToken.Email = "*****@*****.**"; } if (requestMessage.Scope.Contains(MessageScope.Address)) { idToken.Address = new OIDCAddress(); idToken.Address.Country = "Italy"; idToken.Address.PostalCode = "20100"; idToken.Address.StreetAddress = "Via Test, 1"; idToken.Address.Locality = "Milano"; } if (requestMessage.Scope.Contains(MessageScope.Phone)) { idToken.PhoneNumber = "0"; } idToken.Validate(); Dictionary <string, object> responseMessage = new Dictionary <string, object>(); responseMessage["id_token"] = JWT.Encode(idToken.SerializeToJsonString(), null, JwsAlgorithm.none); responseMessage["state"] = requestMessage.State; return(responseMessage); }
public void Should_Reject_Id_Token_With_Invalid_ES256_Signature() { rpid = "rp-id_token-bad_es256_sig"; // givens OpenIdRelyingParty rp = new OpenIdRelyingParty(); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List <MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List <ResponseType>() { ResponseType.Token, ResponseType.IdToken }; requestMessage.RedirectUri = clientInformation.RedirectUris[1]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); // Manipulate keys to make them invalid List <OIDCKey> manipulatedKeys = new List <OIDCKey>(); foreach (OIDCKey curKey in providerMetadata.Keys) { OIDCKey newKey = curKey.Clone() as OIDCKey; if (curKey.N != null) { StringBuilder strBuilder = new StringBuilder(newKey.N); strBuilder[17] = (char)(newKey.N[17] + 1); newKey.N = strBuilder.ToString(); } manipulatedKeys.Add(newKey); } rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); // when OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(manipulatedKeys); idToken.Validate(); }
public void Should_Reject_Id_Token_With_Incorrect_At_Hash() { rpid = "rp-id_token-bad_at_hash"; // given OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys); idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash); }
public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK() { rpid = "rp-id_token-kid_absent_multiple_jwks"; // given // when OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken); // then OpenIdRelyingParty rp = new OpenIdRelyingParty(); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); idToken.Validate(); }
public void Should_Reject_Id_Token_With_Wrong_Iat() { rpid = "rp-id_token-iat"; // given // when OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken); // then OpenIdRelyingParty rp = new OpenIdRelyingParty(); Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); idToken.Iat = DateTime.MinValue; idToken.Validate(); }
public void Should_Reject_Id_Token_With_Wrong_Iss() { rpid = "rp-id_token-mismatching_issuer"; // given // when OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken); // then OpenIdRelyingParty rp = new OpenIdRelyingParty(); Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); idToken.Iss = "ManipulatedIssuer"; string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys); idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash); }
public void Should_Reject_Id_Token_With_Wrong_Aud() { rpid = "rp-id_token-aud"; // given // when OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken); // then OpenIdRelyingParty rp = new OpenIdRelyingParty(); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); idToken.Aud = new List <string> { "ManipulatedAud" }; idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId); }
public void Should_Reject_Userinfo_With_Invalid_Sub() { rpid = "rp-user_info-bad_sub_claim"; // given OIDClaims requestClaims = new OIDClaims(); requestClaims.IdToken = new Dictionary <string, OIDClaimData>(); requestClaims.IdToken.Add("name", new OIDClaimData()); OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims); OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys); idToken.Validate(); // when OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, idToken.Sub + "Wrong"); // then response.Validate(); Assert.IsNotNullOrEmpty(response.Name); }
public void Should_Nonce_Be_Present_In_Implicit() { rpid = "rp-nonce-unless_code_flow"; // given OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; OIDClaims requestClaims = new OIDClaims(); requestClaims.Userinfo = new Dictionary <string, OIDClaimData>(); requestClaims.Userinfo.Add("name", new OIDClaimData()); requestMessage.Scope = new List <MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List <ResponseType>() { ResponseType.IdToken, ResponseType.Token }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Claims = requestClaims; requestMessage.Validate(); OpenIdRelyingParty rp = new OpenIdRelyingParty(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret); // then idToken.Validate(); }
public void Should_Reject_Id_Token_With_Incorrect_C_Hash() { rpid = "rp-id_token-bad_c_hash"; // givens OpenIdRelyingParty rp = new OpenIdRelyingParty(); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List <MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List <ResponseType>() { ResponseType.Code, ResponseType.IdToken }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); // when OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); string ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys); idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null); }
public void Should_Authenticate_Client_With_Private_Key_Jwt() { rpid = "rp-token_endpoint-client_secret_jwt"; // given OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find( delegate(OIDCKey k) { return(k.Use == "enc" && k.Kty == "RSA"); } ).GetRSA(); // when OpenIdRelyingParty rp = new OpenIdRelyingParty(); clientInformation.TokenEndpointAuthMethod = "private_key_jwt"; OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false)); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys); idToken.Validate(); }
public void Should_Request_And_Use_Unsigned_Id_Token() { rpid = "rp-id_token-sig_none"; // givens OpenIdRelyingParty rp = new OpenIdRelyingParty(); string registrationEndopoint = GetBaseUrl("/registration"); OIDCClientInformation clientMetadata = new OIDCClientInformation(); clientMetadata.ApplicationType = "web"; clientMetadata.RedirectUris = new List <string>() { myBaseUrl + "code_flow_callback" }; clientMetadata.ResponseTypes = new List <ResponseType>() { ResponseType.Code }; clientMetadata.IdTokenSignedResponseAlg = "none"; OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List <MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List <ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; // when OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(); idToken.Validate(); }
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token() { rpid = "rp-id_token-sig+enc"; signalg = "RS256"; encalg = "RSA1_5:A128CBC-HS256"; // given OpenIdRelyingParty rp = new OpenIdRelyingParty(); string registrationEndopoint = GetBaseUrl("/registration"); OIDCClientInformation clientMetadata = new OIDCClientInformation(); clientMetadata.ApplicationType = "web"; clientMetadata.RedirectUris = new List <string>() { myBaseUrl + "code_flow_callback" }; clientMetadata.ResponseTypes = new List <ResponseType>() { ResponseType.Code }; clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5"; clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256"; clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks"; OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List <MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List <ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable); X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable); List <OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert); // when OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys); idToken.Validate(); }