public OIDCClientInformation RegisterClient(string RegistrationEndpoint, OIDCClientInformation clientMetadata, string TokenEndpointAuthMethod = "client_secret_basic")
{
// Make registration request
OIDCClientRegistrationRequest registrationRequest = new OIDCClientRegistrationRequest();
registrationRequest.ApplicationType = clientMetadata.ApplicationType;
registrationRequest.RedirectUris = clientMetadata.RedirectUris;
registrationRequest.ResponseTypes = clientMetadata.ResponseTypes;
registrationRequest.TokenEndpointAuthMethod = TokenEndpointAuthMethod;
// Check error and store client information from OP
WebRequest request = WebRequest.Create(RegistrationEndpoint);
Dictionary <string, object> returnedJson = PostUrlContent(request, registrationRequest, true);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCClientInformation clientInformation = new OIDCClientInformation();
clientInformation.deserializeFromDynamic(returnedJson);
return(clientInformation);
}
public void Should_Accept_Encrypted_UserInfo()
{
rpid = "rp-user_info-enc";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
clientMetadata.UserinfoEncryptedResponseAlg = "RSA1_5";
clientMetadata.UserinfoEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(null, encCert);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, null, myKeys);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Client_Be_Able_To_Register()
{
rpid = "rp-registration-dynamic";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
}
public void Should_Client_Only_Use_Https_Endpoints()
{
rpid = "rp-registration-uses_https_endpoints";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
response.JwksUri = clientMetadata.JwksUri.Replace("https", "http");
// then
response.Validate();
}
/// <summary>
/// Method that validates the IdToken with specific rules
/// </summary>
/// <param name="idToken"></param>
/// <param name="clientInformation"></param>
/// <param name="providerMetadata"></param>
/// <param name="nonce"></param>
public void ValidateIdToken(OIDCIdToken idToken, OIDCClientInformation clientInformation, string Issuer, string Nonce)
{
if (idToken.Iss.Trim('/') != Issuer.Trim('/'))
{
throw new OIDCException("Wrong issuer for the token.");
}
if (Issuer != "https://self-issued.me" && !idToken.Aud.Contains(clientInformation.ClientId))
{
throw new OIDCException("Intended audience of the token does not include client_id.");
}
if (idToken.Aud.Count > 1 && idToken.Azp == null)
{
throw new OIDCException("Multiple audience but no authorized party specified.");
}
if (idToken.Azp != null && idToken.Azp != clientInformation.ClientId)
{
throw new OIDCException("The authorized party does not match client_id.");
}
if (idToken.Exp < DateTime.UtcNow - new TimeSpan(0, 10, 0))
{
throw new OIDCException("The token is expired.");
}
if (idToken.Iat < DateTime.Now - new TimeSpan(24, 0, 0))
{
throw new OIDCException("The token has ben issued more than a day ago.");
}
if (Nonce != null && idToken.Nonce != Nonce)
{
throw new OIDCException("Wrong nonce value in token.");
}
}
/// <summary>
/// Method that performs a dynamic client registration with the OP server.
/// </summary>
/// <param name="RegistrationEndpoint">The URL of the OP describing the registration endpoint.</param>
/// <param name="clientMetadata">The OIDCClientInformation object describing the client information to
/// be submitted to the OP for registration.</param>
/// <param name="TokenEndpointAuthMethod">(optional) the endpoint authentication method used to
/// authenticate the client with the OP sever (if not specified using "client_secret_basic".</param>
/// <returns>An oject describing all client information as returned by the OP server after
/// registration.</returns>
/// <exception cref="OpenIDClient.OIDCException">Thrown when an error occurs while registering
/// the client with the OP.</exception>
public OIDCClientInformation RegisterClient(string RegistrationEndpoint, OIDCClientInformation clientMetadata, string TokenEndpointAuthMethod = "client_secret_basic")
{
// Make registration request
Dictionary <string, object> data = clientMetadata.SerializeToDictionary();
OIDCClientRegistrationRequest registrationRequest = new OIDCClientRegistrationRequest();
registrationRequest.DeserializeFromDictionary(data);
// Check error and store client information from OP
WebRequest request = WebRequest.Create(RegistrationEndpoint);
string returnedString = WebOperations.PostUrlContent(request, registrationRequest, true);
Dictionary <string, object> returnedJson = Deserializer.DeserializeFromJson <Dictionary <string, object> >(returnedString);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCClientInformation clientInformation = new OIDCClientInformation();
clientInformation.DeserializeFromDictionary(returnedJson);
return(clientInformation);
}
private OIDCClientSecretJWT AddClientAuthenticatedToRequest(ref WebRequest request, ref OIDCAuthenticatedMessage requestMessage, string grantType, OIDCClientInformation clientInformation, byte[] privateKey)
{
OIDCClientSecretJWT tokenData = null;
byte[] encKey = null;
switch (grantType)
{
case "client_secret_basic":
string basic = clientInformation.ClientId + ":" + clientInformation.ClientSecret;
basic = Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(basic));
request.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(basic)));
break;
case "client_secret_post":
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.ClientSecret = clientInformation.ClientSecret;
break;
case "client_secret_jwt":
encKey = Encoding.UTF8.GetBytes(clientInformation.ClientSecret);
break;
case "private_key_jwt":
encKey = privateKey;
break;
default: // case "none"
break;
}
// If client_secret_jwt or private_key_jwt pass a JWT bearer token with the
// specified key for encryption.
if (encKey != null)
{
tokenData = new OIDCClientSecretJWT();
tokenData.Iss = clientInformation.ClientId;
tokenData.Sub = clientInformation.ClientId;
tokenData.Aud = request.RequestUri.ToString();
if (tokenData.Aud.Contains("?"))
{
tokenData.Aud = tokenData.Aud.Substring(0, tokenData.Aud.IndexOf("?"));
}
tokenData.Jti = WebOperations.RandomString();
tokenData.Exp = DateTime.Now;
tokenData.Iat = DateTime.Now - new TimeSpan(0, 10, 0);
requestMessage.ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
requestMessage.ClientAssertion = JWT.Encode(tokenData, encKey, Jose.JwsAlgorithm.HS256);
}
return tokenData;
}
/// <summary>
/// Method that submits a tokn request to the OP.
/// </summary>
/// <param name="url">The URL to be used where to send the request</param>
/// <param name="tokenRequestMessage">The token request message</param>
/// <param name="clientInformation">The client information obtained from the OP</param>
/// <returns>Returns the token response obtained from the OP</returns>
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation, byte[] privateKey = null)
{
WebRequest request = WebRequest.Create(url);
OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
string grantType = clientInformation.TokenEndpointAuthMethod;
AddClientAuthenticatedToRequest(ref request, ref message, grantType, clientInformation, privateKey);
string returnedString = WebOperations.PostUrlContent(request, message);
Dictionary <string, object> returnedJson = Deserializer.DeserializeFromJson <Dictionary <string, object> >(returnedString);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
error.DeserializeFromDictionary(returnedJson);
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
tokenResponse.DeserializeFromDictionary(returnedJson);
return(tokenResponse);
}
private OIDCClientSecretJWT AddClientAuthenticatedToRequest(ref WebRequest request, ref OIDCAuthenticatedMessage requestMessage, string grantType, OIDCClientInformation clientInformation, byte[] privateKey)
{
OIDCClientSecretJWT tokenData = null;
byte[] encKey = null;
switch (grantType)
{
case "client_secret_basic":
string basic = clientInformation.ClientId + ":" + clientInformation.ClientSecret;
basic = Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(basic));
request.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(basic)));
break;
case "client_secret_post":
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.ClientSecret = clientInformation.ClientSecret;
break;
case "client_secret_jwt":
encKey = Encoding.UTF8.GetBytes(clientInformation.ClientSecret);
break;
case "private_key_jwt":
encKey = privateKey;
break;
default: // case "none"
break;
}
// If client_secret_jwt or private_key_jwt pass a JWT bearer token with the
// specified key for encryption.
if (encKey != null)
{
tokenData = new OIDCClientSecretJWT();
tokenData.Iss = clientInformation.ClientId;
tokenData.Sub = clientInformation.ClientId;
tokenData.Aud = request.RequestUri.ToString();
if (tokenData.Aud.Contains("?"))
{
tokenData.Aud = tokenData.Aud.Substring(0, tokenData.Aud.IndexOf("?"));
}
tokenData.Jti = WebOperations.RandomString();
tokenData.Exp = DateTime.Now;
tokenData.Iat = DateTime.Now - new TimeSpan(0, 10, 0);
requestMessage.ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
requestMessage.ClientAssertion = JWT.Encode(tokenData, encKey, Jose.JwsAlgorithm.HS256);
}
return(tokenData);
}
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation)
{
WebRequest request = WebRequest.Create(url);
OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
string grantType = clientInformation.TokenEndpointAuthMethod;
OIDCClientSecretJWT tokenData = AddClientAuthenticatedToRequest(ref request, ref message, grantType, clientInformation);
Dictionary <string, object> returnedJson = PostUrlContent(request, message);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
error.deserializeFromDynamic(returnedJson);
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
tokenResponse.deserializeFromDynamic(returnedJson);
return(tokenResponse);
}
public void Should_Keys_Be_Published_As_JWK()
{
rpid = "rp-registration-well_formed_jwk";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
}
public void Should_Registration_Request_Has_RedirectUris()
{
rpid = "rp-registration-redirect_uris";
// given
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCClientInformation response = rp.RegisterClient(registrationEndopoint, clientMetadata);
// then
response.Validate();
CollectionAssert.AreEquivalent(clientMetadata.RedirectUris, response.RedirectUris);
}
public void Should_Accept_Signed_UserInfo()
{
rpid = "rp-user_info-sign";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
clientMetadata.UserinfoSignedResponseAlg = "HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Address, MessageScope.Phone, MessageScope.Email };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage authResponse = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, null, true, clientInformation.ClientSecret, null);
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
private OIDCClientSecretJWT AddClientAuthenticatedToRequest(ref WebRequest request, ref OIDCAuthenticatedMessage requestMessage, string grantType, OIDCClientInformation clientInformation)
{
OIDCClientSecretJWT tokenData = null;
switch (grantType)
{
case "client_secret_basic":
string basic = clientInformation.ClientId + ":" + clientInformation.ClientSecret;
request.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(basic)));
break;
case "client_secret_post":
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.ClientSecret = clientInformation.ClientSecret;
break;
case "client_secret_jwt":
case "private_key_jwt":
// TODO understand how to sign JWT
tokenData = new OIDCClientSecretJWT();
tokenData.Iss = clientInformation.ClientId;
tokenData.Sub = clientInformation.ClientId;
tokenData.Aud = request.RequestUri.ToString();
if (tokenData.Aud.Contains("?"))
{
tokenData.Aud = tokenData.Aud.Substring(0, tokenData.Aud.IndexOf("?"));
}
tokenData.Jti = RandomString();
tokenData.Exp = DateTime.Now;
tokenData.Iat = DateTime.Now - new TimeSpan(0, 10, 0);
requestMessage.ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
requestMessage.ClientAssertion = JsonWebToken.Encode(tokenData, Encoding.UTF8.GetBytes(clientInformation.ClientSecret), JwtHashAlgorithm.HS256);
break;
default: // case "none"
break;
}
return(tokenData);
}
public void RegisterClient(ResponseType? RespType, bool JWKs = false, bool RequestUri = false, bool InitateLoginUri = false)
{
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
if (JWKs)
{
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
}
if (RequestUri)
{
clientMetadata.RequestUris = new List<string>() { myBaseUrl + "request.jwt" };
}
if (InitateLoginUri)
{
clientMetadata.InitiateLoginUri = myBaseUrl + "initiated_login";
}
if (ResponseType.IdToken == RespType)
{
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.IdToken };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "id_token_flow_callback" };
}
else if(ResponseType.Code == RespType)
{
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
}
else
{
clientMetadata.ResponseTypes = new List<ResponseType>() {
ResponseType.Code,
ResponseType.IdToken
};
clientMetadata.RedirectUris = new List<string>() {
myBaseUrl + "code_flow_callback",
myBaseUrl + "id_token_flow_callback"
};
}
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
}
/// <summary>
/// Method that validates the IdToken with specific rules
/// </summary>
/// <param name="idToken"></param>
/// <param name="clientInformation"></param>
/// <param name="providerMetadata"></param>
/// <param name="nonce"></param>
public void ValidateIdToken(OIDCIdToken idToken, OIDCClientInformation clientInformation, string Issuer, string Nonce)
{
if (idToken.Iss.Trim('/') != Issuer.Trim('/'))
{
throw new OIDCException("Wrong issuer for the token.");
}
if (Issuer != "https://self-issued.me" && !idToken.Aud.Contains(clientInformation.ClientId))
{
throw new OIDCException("Intended audience of the token does not include client_id.");
}
if (idToken.Aud.Count > 1 && idToken.Azp == null)
{
throw new OIDCException("Multiple audience but no authorized party specified.");
}
if (idToken.Azp != null && idToken.Azp != clientInformation.ClientId)
{
throw new OIDCException("The authorized party does not match client_id.");
}
if (idToken.Exp < DateTime.UtcNow - new TimeSpan(0, 10, 0))
{
throw new OIDCException("The token is expired.");
}
if (idToken.Iat < DateTime.Now - new TimeSpan(24, 0, 0))
{
throw new OIDCException("The token has ben issued more than a day ago.");
}
if (Nonce != null && idToken.Nonce != Nonce)
{
throw new OIDCException("Wrong nonce value in token.");
}
}
/// <summary>
/// Method that submits a tokn request to the OP.
/// </summary>
/// <param name="url">The URL to be used where to send the request</param>
/// <param name="tokenRequestMessage">The token request message</param>
/// <param name="clientInformation">The client information obtained from the OP</param>
/// <returns>Returns the token response obtained from the OP</returns>
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation, byte[] privateKey = null)
{
WebRequest request = WebRequest.Create(url);
OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
string grantType = clientInformation.TokenEndpointAuthMethod;
AddClientAuthenticatedToRequest(ref request, ref message, grantType, clientInformation, privateKey);
string returnedString = WebOperations.PostUrlContent(request, message);
Dictionary<string, object> returnedJson = Deserializer.DeserializeFromJson<Dictionary<string, object>>(returnedString);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
error.DeserializeFromDictionary(returnedJson);
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
tokenResponse.DeserializeFromDictionary(returnedJson);
return tokenResponse;
}
/// <summary>
/// Method that performs a dynamic client registration with the OP server.
/// </summary>
/// <param name="RegistrationEndpoint">The URL of the OP describing the registration endpoint.</param>
/// <param name="clientMetadata">The OIDCClientInformation object describing the client information to
/// be submitted to the OP for registration.</param>
/// <param name="TokenEndpointAuthMethod">(optional) the endpoint authentication method used to
/// authenticate the client with the OP sever (if not specified using "client_secret_basic".</param>
/// <returns>An oject describing all client information as returned by the OP server after
/// registration.</returns>
/// <exception cref="OpenIDClient.OIDCException">Thrown when an error occurs while registering
/// the client with the OP.</exception>
public OIDCClientInformation RegisterClient(string RegistrationEndpoint, OIDCClientInformation clientMetadata, string TokenEndpointAuthMethod = "client_secret_basic")
{
// Make registration request
Dictionary<string, object> data = clientMetadata.SerializeToDictionary();
OIDCClientRegistrationRequest registrationRequest = new OIDCClientRegistrationRequest();
registrationRequest.DeserializeFromDictionary(data);
// Check error and store client information from OP
WebRequest request = WebRequest.Create(RegistrationEndpoint);
string returnedString = WebOperations.PostUrlContent(request, registrationRequest, true);
Dictionary<string, object> returnedJson = Deserializer.DeserializeFromJson<Dictionary<string, object>>(returnedString);
if (returnedJson.Keys.Contains("error"))
{
OIDCResponseError error = new OIDCResponseError();
throw new OIDCException("Error while registering client: " + error.Error + "\n" + error.ErrorDescription);
}
OIDCClientInformation clientInformation = new OIDCClientInformation();
clientInformation.DeserializeFromDictionary(returnedJson);
return clientInformation;
}
public void Should_Request_And_Use_Unsigned_Id_Token()
{
rpid = "rp-id_token-sig_none";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.IdTokenSignedResponseAlg = "none";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken();
idToken.Validate();
}
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
rpid = "rp-id_token-sig+enc";
signalg = "RS256";
encalg = "RSA1_5:A128CBC-HS256";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
idToken.Validate();
}
