コード例 #1
        /// <summary>
        /// With <c>IssuedAt</c> left unset, the payload is expected to carry an
        /// <c>iat</c> claim within 10 seconds of the current UTC epoch time.
        /// </summary>
        public void ToJwtPayload_WhenIssuedAtNotSet_ExpectIssuedAtSetToNow()
        {
            var payloadJson = JObject.Parse(new SecurityTokenDescriptor().ToJwtPayload());

            long iat = payloadJson["iat"].Value<long>();

            // "Now" is sampled after the payload is built, so the tolerance absorbs
            // the time between generation and assertion.
            long now = EpochTime.GetIntDate(DateTime.UtcNow);
            iat.Should().BeCloseTo(now, 10);
        }
コード例 #2
        /// <summary>
        /// With <c>NotBefore</c> left unset, the payload is expected to carry an
        /// <c>nbf</c> claim within 10 seconds of the current UTC epoch time, so a
        /// token is usable immediately but not back-dated.
        /// </summary>
        public void ToJwtPayload_WhenNotBeforeNotSet_ExpectNotBeforeSetToNow()
        {
            var payloadJson = JObject.Parse(new SecurityTokenDescriptor().ToJwtPayload());

            long nbf = payloadJson["nbf"].Value<long>();

            // "Now" is sampled after the payload is built; the tolerance covers the gap.
            long now = EpochTime.GetIntDate(DateTime.UtcNow);
            nbf.Should().BeCloseTo(now, 10);
        }
コード例 #3
        /// <summary>
        /// The descriptor's <c>Audience</c> property is expected to be emitted
        /// unchanged as the <c>aud</c> claim.
        /// </summary>
        public void ToJwtPayload_WhenAudienceSet_ExpectAudienceClaim()
        {
            var tokenDescriptor = new SecurityTokenDescriptor { Audience = "you" };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Exact match: validators compare aud literally, so any rewrite would matter.
            string aud = payloadJson["aud"].Value<string>();
            aud.Should().Be(tokenDescriptor.Audience);
        }
コード例 #4
        /// <summary>
        /// With <c>Expires</c> left unset, the payload is expected to carry an
        /// <c>exp</c> claim roughly 60 minutes ahead of the current UTC epoch time
        /// (tolerance 10 seconds), i.e. tokens are never emitted without an expiry.
        /// </summary>
        public void ToJwtPayload_WhenExpiryNotSet_ExpectExpirySetToOneHour()
        {
            var payloadJson = JObject.Parse(new SecurityTokenDescriptor().ToJwtPayload());

            long exp = payloadJson["exp"].Value<long>();

            // Epoch seconds plus the one-hour default lifetime, truncated to whole seconds.
            long oneHourFromNow =
                (long)(EpochTime.GetIntDate(DateTime.UtcNow) + TimeSpan.FromMinutes(60).TotalSeconds);
            exp.Should().BeCloseTo(oneHourFromNow, 10);
        }
コード例 #5
        /// <summary>
        /// The descriptor's <c>Issuer</c> property is expected to be emitted
        /// unchanged as the <c>iss</c> claim.
        /// </summary>
        public void ToJwtPayload_WhenIssuerSet_ExpectIssuerClaim()
        {
            var tokenDescriptor = new SecurityTokenDescriptor { Issuer = "me" };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Exact match: validators compare iss literally.
            string iss = payloadJson["iss"].Value<string>();
            iss.Should().Be(tokenDescriptor.Issuer);
        }
コード例 #6
        /// <summary>
        /// An explicit <c>NotBefore</c> is expected to appear as the <c>nbf</c>
        /// claim, converted to epoch seconds, instead of the "now" default.
        /// </summary>
        public void ToJwtPayload_WhenNotBeforeSet_ExpectNotBeforeClaim()
        {
            DateTime validFrom = DateTime.UtcNow.AddMinutes(5);
            var tokenDescriptor = new SecurityTokenDescriptor { NotBefore = validFrom };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // No tolerance here: the claim must be exactly the requested instant.
            long nbf = payloadJson["nbf"].Value<long>();
            nbf.Should().Be(EpochTime.GetIntDate(validFrom));
        }
コード例 #7
        /// <summary>
        /// An explicit <c>Expires</c> is expected to appear as the <c>exp</c>
        /// claim, converted to epoch seconds, instead of the one-hour default.
        /// </summary>
        public void ToJwtPayload_WhenExpirySet_ExpectExpiryClaim()
        {
            DateTime validUntil = DateTime.UtcNow.AddMinutes(5);
            var tokenDescriptor = new SecurityTokenDescriptor { Expires = validUntil };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // No tolerance here: a lifetime longer than requested would be a defect.
            long exp = payloadJson["exp"].Value<long>();
            exp.Should().Be(EpochTime.GetIntDate(validUntil));
        }
コード例 #8
        /// <summary>
        /// An explicit <c>IssuedAt</c> is expected to appear as the <c>iat</c>
        /// claim, converted to epoch seconds, instead of the "now" default.
        /// </summary>
        public void ToJwtPayload_WhenIssuedAtSet_ExpectIssuedAtClaim()
        {
            DateTime issuedTime = DateTime.UtcNow.AddMinutes(5);
            var tokenDescriptor = new SecurityTokenDescriptor { IssuedAt = issuedTime };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            long iat = payloadJson["iat"].Value<long>();
            iat.Should().Be(EpochTime.GetIntDate(issuedTime));
        }
コード例 #9
        /// <summary>
        /// When <c>iat</c> is supplied both through the <c>Claims</c> dictionary and
        /// the <c>IssuedAt</c> property, the dictionary value is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenIssuedAtSetInClaims_ExpectClaimsIssuedAtClaim()
        {
            long iatFromClaims = EpochTime.GetIntDate(DateTime.UtcNow.AddMinutes(5));

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { ["iat"] = iatFromClaims },
                // Deliberately far from the dictionary value so the two cannot be confused.
                IssuedAt = DateTime.UtcNow.AddHours(42)
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Precedence pinned here means whatever populates Claims controls iat.
            long iat = payloadJson["iat"].Value<long>();
            iat.Should().Be(iatFromClaims);
        }
コード例 #10
        /// <summary>
        /// When <c>exp</c> is supplied both through the <c>Claims</c> dictionary and
        /// the <c>Expires</c> property, the dictionary value is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenExpirySetInClaims_ExpectClaimsExpiryClaim()
        {
            long expFromClaims = EpochTime.GetIntDate(DateTime.UtcNow.AddMinutes(5));

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { ["exp"] = expFromClaims },
                // Deliberately far from the dictionary value so the two cannot be confused.
                Expires = DateTime.UtcNow.AddHours(42)
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Security-relevant precedence: a Claims entry overrides Expires, so the
            // dictionary must not be filled from input that should not set token lifetime.
            long exp = payloadJson["exp"].Value<long>();
            exp.Should().Be(expFromClaims);
        }
コード例 #11
        /// <summary>
        /// When <c>aud</c> is supplied both through the <c>Claims</c> dictionary and
        /// the <c>Audience</c> property, the dictionary value is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenAudienceSetInClaims_ExpectClaimsAudienceClaim()
        {
            string audFromClaims = Guid.NewGuid().ToString();

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { ["aud"] = audFromClaims },
                // A different random value; it must not reach the payload.
                Audience = Guid.NewGuid().ToString()
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Precedence pinned here means whatever populates Claims decides the audience.
            string aud = payloadJson["aud"].Value<string>();
            aud.Should().Be(audFromClaims);
        }
コード例 #12
        /// <summary>
        /// When <c>aud</c> is present on the <c>Subject</c> identity and the
        /// <c>Audience</c> property is also set, the subject's claim is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenAudienceSetInSubject_ExpectSubjectAudienceClaim()
        {
            string audFromSubject = Guid.NewGuid().ToString();

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Subject = new ClaimsIdentity(new[] { new Claim("aud", audFromSubject) }),
                // A different random value; it must not reach the payload.
                Audience = Guid.NewGuid().ToString()
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // An identity carrying its own aud claim overrides the descriptor property.
            string aud = payloadJson["aud"].Value<string>();
            aud.Should().Be(audFromSubject);
        }
コード例 #13
        /// <summary>
        /// When <c>iss</c> is supplied both through the <c>Claims</c> dictionary and
        /// the <c>Issuer</c> property, the dictionary value is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenIssuerSetInClaims_ExpectClaimsIssuerClaim()
        {
            string issFromClaims = Guid.NewGuid().ToString();

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { ["iss"] = issFromClaims },
                // A different random value; it must not reach the payload.
                Issuer = Guid.NewGuid().ToString()
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Precedence pinned here means whatever populates Claims decides the issuer.
            string iss = payloadJson["iss"].Value<string>();
            iss.Should().Be(issFromClaims);
        }
コード例 #14
        /// <summary>
        /// When <c>iss</c> is present on the <c>Subject</c> identity and the
        /// <c>Issuer</c> property is also set, the subject's claim is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenIssuerSetInSubject_ExpectSubjectIssuerClaim()
        {
            string issFromSubject = Guid.NewGuid().ToString();

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Subject = new ClaimsIdentity(new[] { new Claim("iss", issFromSubject) }),
                // A different random value; it must not reach the payload.
                Issuer = Guid.NewGuid().ToString()
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // An identity carrying its own iss claim overrides the descriptor property.
            string iss = payloadJson["iss"].Value<string>();
            iss.Should().Be(issFromSubject);
        }
コード例 #15
        /// <summary>
        /// When <c>nbf</c> is supplied both through the <c>Claims</c> dictionary and
        /// the <c>NotBefore</c> property, the dictionary value is expected to win.
        /// </summary>
        public void ToJwtPayload_WhenNotBeforeSetInClaims_ExpectClaimsNotBeforeClaim()
        {
            long nbfFromClaims = EpochTime.GetIntDate(DateTime.UtcNow.AddMinutes(5));

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { ["nbf"] = nbfFromClaims },
                // Deliberately far from the dictionary value so the two cannot be confused.
                NotBefore = DateTime.UtcNow.AddHours(42)
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Precedence pinned here means whatever populates Claims controls nbf.
            long nbf = payloadJson["nbf"].Value<long>();
            nbf.Should().Be(nbfFromClaims);
        }
コード例 #16
        /// <summary>
        /// A <c>Claims</c> entry whose value is a string array is expected to be
        /// written so that every element can be read back under that claim type.
        /// </summary>
        public void ToJwtPayload_WhenMultipleClaimsOfSameType_ExpectJsonArray()
        {
            const string claimType = "email";
            string[] emails = { "bob@test", "alice@test" };

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Claims = new Dictionary<string, object> { [claimType] = emails }
            };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Contain checks that both values are present; it does not reject extras.
            var emittedValues = payloadJson[claimType].Values<string>();
            emittedValues.Should().Contain(emails);
        }
コード例 #17
        /// <summary>
        /// Two <c>Subject</c> claims sharing one type are expected to be written so
        /// that both values can be read back under that claim type.
        /// </summary>
        public void ToJwtPayload_WhenMultipleSubjectClaimsOfSameType_ExpectJsonArray()
        {
            const string claimType = "email";
            string[] emails = { "bob@test", "alice@test" };

            var identity = new ClaimsIdentity(
                new[]
                {
                    new Claim(claimType, emails[0]),
                    new Claim(claimType, emails[1])
                },
                "test");
            var tokenDescriptor = new SecurityTokenDescriptor { Subject = identity };

            var payloadJson = JObject.Parse(tokenDescriptor.ToJwtPayload());

            // Contain checks that neither value was dropped; it does not reject extras.
            var emittedValues = payloadJson[claimType].Values<string>();
            emittedValues.Should().Contain(emails);
        }
コード例 #18
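        /// <summary>
        /// When the same claim type appears on both the <c>Subject</c> identity and
        /// the <c>Claims</c> dictionary, the dictionary value is expected to replace
        /// the subject's value rather than be merged with it.
        /// </summary>
        /// <remarks>
        /// "Expec" in the method name is a typo for "Expect"; the name is kept as-is
        /// so the test's identity does not change.
        /// </remarks>
        public void ToJwtPayload_WhenSubjectAndClaimsContainDuplicateTypes_ExpecSubjectClaimsReplaced()
        {
            var claimType          = Guid.NewGuid().ToString();
            var expectedClaimValue = Guid.NewGuid().ToString();

            var descriptor = new SecurityTokenDescriptor
            {
                // The subject's value is a different random GUID and must not survive.
                Subject = new ClaimsIdentity(new List<Claim> {
                    new Claim(claimType, Guid.NewGuid().ToString())
                }),
                Claims = new Dictionary<string, object> {
                    { claimType, expectedClaimValue }
                }
            };

            var jwtPayload = descriptor.ToJwtPayload();

            var claim = JObject.Parse(jwtPayload)[claimType];

            // Exact equality instead of a substring match: Contain would also accept a
            // value that merely embeds the expected string, which is not "replaced".
            claim.Value<string>().Should().Be(expectedClaimValue);
        }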
コード例 #19
ファイル: HomeController.cs プロジェクト: brycx/IdentityModel
        /// <summary>
        /// Creates a sample JWT signed with EdDSA and renders it in the "Index" view
        /// together with a payload preview.
        /// </summary>
        /// <returns>The "Index" view bound to a <c>TokenModel</c> for the new token.</returns>
        public IActionResult EdDsaJwt()
        {
            var tokenHandler = new JsonWebTokenHandler();

            // NOTE(review): the signing key is the one named for PASETO v2 in options.
            // Presumably acceptable in a sample; confirm that keys are not shared
            // across token formats outside of demos.
            var signingCredentials = new SigningCredentials(options.PasetoV2PrivateKey, ExtendedSecurityAlgorithms.EdDsa);

            var tokenDescriptor = new SecurityTokenDescriptor
            {
                Issuer = "me",
                Audience = "you",
                SigningCredentials = signingCredentials
            };

            var signedToken = tokenHandler.CreateToken(tokenDescriptor);

            // The preview is rebuilt from the descriptor, not decoded from the signed
            // token, so it is a display aid rather than the token's verified contents.
            var payloadPreview = tokenDescriptor.ToJwtPayload(JwtDateTimeFormat.Iso);

            var model = new TokenModel
            {
                Type = "EdDSA JWT",
                Token = signedToken,
                Payload = payloadPreview
            };

            return View("Index", model);
        }
コード例 #20
        /// <summary>
        /// Builds a Branca token whose payload follows JWT claim conventions.
        /// </summary>
        /// <param name="tokenDescriptor">Descriptor supplying the claims and the encrypting credentials.</param>
        /// <returns>Base62 encoded Branca token.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="tokenDescriptor"/> is null.</exception>
        /// <exception cref="SecurityTokenEncryptionFailedException">
        /// The encrypting credentials are rejected by <c>IsValidKey</c>.
        /// </exception>
        public virtual string CreateToken(SecurityTokenDescriptor tokenDescriptor)
        {
            if (tokenDescriptor == null)
            {
                throw new ArgumentNullException(nameof(tokenDescriptor));
            }

            // Fail closed before any payload is built if the key material is unsuitable.
            var credentials = tokenDescriptor.EncryptingCredentials;
            if (!IsValidKey(credentials))
            {
                throw new SecurityTokenEncryptionFailedException(
                          "Invalid encrypting credentials. Branca tokens require a symmetric key using the XC20P algorithm and no key wrapping");
            }

            // iat is dropped from the JWT-style payload in favour of the Branca timestamp.
            var claims = JObject.Parse(tokenDescriptor.ToJwtPayload());
            claims.Remove(JwtRegisteredClaimNames.Iat);

            // IsValidKey is defined outside this view; this cast assumes it has already
            // established that the key is symmetric. TODO confirm.
            var encryptionKey = (SymmetricSecurityKey)credentials.Key;

            // Compact JSON plus the raw key bytes go to the payload/key overload.
            var compactPayload = claims.ToString(Formatting.None);
            return CreateToken(compactPayload, encryptionKey.Key);
        }
コード例 #21
        /// <summary>
        /// Calling <c>ToJwtPayload</c> on a null descriptor is expected to raise
        /// <see cref="ArgumentNullException"/>, i.e. an explicit argument check.
        /// </summary>
        public void ToJwtPayload_WhenTokenDescriptorIsNull_ExpectArgumentNullException()
        {
            // Typed null so the call binds to the SecurityTokenDescriptor overload.
            SecurityTokenDescriptor missingDescriptor = null;

            Assert.Throws<ArgumentNullException>(
                () => missingDescriptor.ToJwtPayload());
        }