コード例 #1
0
        public void Should_Support_Provider_Crypt_Key_Rotation()
        {
            rpid = "rp-key_rotation-op_enc_key";

            // given
            OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject1  = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
            RSACryptoServiceProvider        encKey1         = getEncKey();

            OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject2  = generateRequestMessage(false, requestMessage2.State, requestMessage2.Nonce);
            RSACryptoServiceProvider        encKey2         = getEncKey();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            request = JWT.Encode(requestObject1.SerializeToJsonString(), encKey1, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope);

            request = JWT.Encode(requestObject2.SerializeToJsonString(), encKey2, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope);

            // then
            response1.Validate();
            response2.Validate();
        }
コード例 #2
0
        public void Should_Support_Signing_Key_Rotation()
        {
            rpid = "rp-key_rotation-rp_sign_key";

            // given
            RSACryptoServiceProvider        signKey1        = getSignKey("server.pfx");
            OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject1  = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);

            RSACryptoServiceProvider        signKey2        = getSignKey("server2.pfx");
            OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
            OIDCAuthorizationRequestMessage requestObject2  = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            request = JWT.Encode(requestObject1.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope, requestMessage1.State);

            request = JWT.Encode(requestObject2.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope, requestMessage2.State);

            // then
            response1.Validate();
            response2.Validate();
        }
コード例 #3
0
        public void Should_Use_Request_Uri_Parameter_Signed_And_Encrypted()
        {
            rpid = "rp-request_uri-sig+enc";

            // given
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OIDCAuthorizationRequestMessage requestObject  = generateRequestObject(requestMessage.State, requestMessage.Nonce);

            X509Certificate2         certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            RSACryptoServiceProvider signKey     = getSignKey();
            RSACryptoServiceProvider encKey      = getEncKey();

            request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256);
            request = JWT.Encode(request, encKey, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
コード例 #4
0
        public void Should_Authenticate_With_Code_Response_Type()
        {
            rpid = "rp-response_type-code";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
コード例 #5
0
        private OIDCAuthCodeResponseMessage GetAuthResponse(HttpRequestData request, HttpSessionState session)
        {
            var scope = new List <MessageScope>()
            {
                MessageScope.Openid, MessageScope.Profile
            };
            var state = session["state"];

            return(rp.ParseAuthCodeResponse(request.Url.Query, scope));
        }
コード例 #6
0
        public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
        {
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = (Nonce == null) ? WebOperations.RandomString() : Nonce;
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = Claims;

            if (Profile)
            {
                requestMessage.Scope.Add(MessageScope.Profile);
                requestMessage.Scope.Add(MessageScope.Address);
                requestMessage.Scope.Add(MessageScope.Phone);
                requestMessage.Scope.Add(MessageScope.Email);
            }

            if (ResponseType.Code == RespType)
            {
                requestMessage.ResponseType = new List <ResponseType>()
                {
                    ResponseType.Code
                };
            }
            else if (ResponseType.IdToken == RespType)
            {
                requestMessage.ResponseType = new List <ResponseType>()
                {
                    ResponseType.IdToken, ResponseType.Token
                };
            }

            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            if (ResponseType.Code == RespType)
            {
                return(rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State));
            }
            else if (ResponseType.IdToken == RespType)
            {
                return(rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State));
            }

            throw new Exception("Error in parameter passed");
        }
コード例 #7
0
        public void Should_Use_Request_Uri_Parameter_Unsigned()
        {
            rpid = "rp-request_uri-unsigned";

            // given
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OIDCAuthorizationRequestMessage requestObject  = generateRequestObject(requestMessage.State, requestMessage.Nonce);

            request = JWT.Encode(requestObject.SerializeToJsonString(), null, JwsAlgorithm.none);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
コード例 #8
0
        private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
        {
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            return(rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation));
        }
コード例 #9
0
        public void Should_Use_Request_Uri_Parameter_Encrypted()
        {
            rpid = "rp-request_uri-enc";

            // given
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OIDCAuthorizationRequestMessage requestObject  = generateRequestObject(requestMessage.State, requestMessage.Nonce);
            RSACryptoServiceProvider        encKey         = getEncKey();

            request = JWT.Encode(requestObject.SerializeToJsonString(), encKey, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);

            // then
            response.Validate();
        }
        public void Should_Spport_Third_Party_Initiated_Login()
        {
            rpid = "rp-support_3rd_party_init_login";

            // given
            OIDCThirdPartyLoginRequest thirdPartyRequest = new OIDCThirdPartyLoginRequest();

            thirdPartyRequest.Iss = GetBaseUrl("/");
            WebRequest webRequest = WebRequest.Create(clientInformation.InitiateLoginUri + "?" + thirdPartyRequest.SerializeToQueryString());

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope> {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Validate();
            request = requestMessage.SerializeToQueryString();

            param = providerMetadata.AuthorizationEndpoint;

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            WebOperations.GetUrlContent(webRequest);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result);

            // then
            response.Validate();
        }
コード例 #11
0
        public void Should_Reject_Id_Token_With_Incorrect_C_Hash()
        {
            rpid = "rp-id_token-bad_c_hash";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code, ResponseType.IdToken
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();

            // when
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken       = response.GetIdToken(providerMetadata.Keys);
            string      ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys);

            idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null);
        }
コード例 #12
0
        public void Should_Request_And_Use_Unsigned_Id_Token()
        {
            rpid = "rp-id_token-sig_none";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenSignedResponseAlg = "none";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken();

            idToken.Validate();
        }
コード例 #13
0
        public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
        {
            rpid    = "rp-id_token-sig+enc";
            signalg = "RS256";
            encalg  = "RSA1_5:A128CBC-HS256";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
            clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            X509Certificate2 encCert  = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List <OIDCKey>   myKeys   = KeyManager.GetKeysJwkList(signCert, encCert);

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);

            idToken.Validate();
        }