public void CreateAndValidateTokens_RoundTripTokens() { JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); CreateAndValidateParams createAndValidateParams; string issuer = "issuer"; string originalIssuer = "originalIssuer"; createAndValidateParams = new CreateAndValidateParams { Case = "ClaimSets.DuplicateTypes", Claims = ClaimSets.DuplicateTypes(issuer, originalIssuer), CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.DuplicateTypes(issuer, originalIssuer), null), ExceptionType = null, TokenValidationParameters = new TokenValidationParameters { RequireSignedTokens = false, ValidateAudience = false, ValidateLifetime = false, ValidateIssuer = false, } }; RunRoundTrip(createAndValidateParams, handler); createAndValidateParams = new CreateAndValidateParams { Case = "ClaimSets.Simple_simpleSigned_Asymmetric", Claims = ClaimSets.Simple(issuer, originalIssuer), CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2), ExceptionType = null, SigningCredentials = KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2, SigningToken = KeyingMaterial.DefaultX509Token_2048, TokenValidationParameters = new TokenValidationParameters { ValidateAudience = false, IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048), ValidIssuer = issuer, } }; RunRoundTrip(createAndValidateParams, handler); createAndValidateParams = new CreateAndValidateParams { Case = "ClaimSets.Simple_simpleSigned_Symmetric", Claims = ClaimSets.Simple(issuer, originalIssuer), CompareTo = IdentityUtilities.CreateJwtSecurityToken(issuer, originalIssuer, ClaimSets.Simple(issuer, originalIssuer), KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2), ExceptionType = null, SigningCredentials = KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, SigningToken = KeyingMaterial.DefaultSymmetricSecurityToken_256, TokenValidationParameters = new TokenValidationParameters { ValidateAudience = false, IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256, ValidIssuer = issuer, } }; RunRoundTrip(createAndValidateParams, handler); }
public void CreateAndValidateTokens_DuplicateClaims() { SecurityToken validatedToken; string encodedJwt = IdentityUtilities.CreateJwtToken( new SecurityTokenDescriptor { AppliesToAddress = IdentityUtilities.DefaultAudience, SigningCredentials = IdentityUtilities.DefaultSymmetricSigningCredentials, Subject = new ClaimsIdentity(ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)), TokenIssuerName = IdentityUtilities.DefaultIssuer, }); JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler(); JwtSecurityTokenHandler.InboundClaimFilter.Add("aud"); JwtSecurityTokenHandler.InboundClaimFilter.Add("exp"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iat"); JwtSecurityTokenHandler.InboundClaimFilter.Add("iss"); JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf"); ClaimsPrincipal claimsPrincipal = tokenHandler.ValidateToken(encodedJwt, IdentityUtilities.DefaultSymmetricTokenValidationParameters, out validatedToken); Assert.IsTrue(IdentityComparer.AreEqual <IEnumerable <Claim> >(claimsPrincipal.Claims, ClaimSets.DuplicateTypes(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), new CompareContext { IgnoreProperties = true, IgnoreSubject = true })); JwtSecurityTokenHandler.InboundClaimFilter.Clear(); }
public void JwtSecurityTokenHandler_Extensibility() { DerivedJwtSecurityTokenHandler handler = new DerivedJwtSecurityTokenHandler() { DerivedTokenType = typeof(DerivedJwtSecurityToken) }; JwtSecurityToken jwt = new JwtSecurityToken ( issuer: Issuers.GotJwt, audience: Audiences.AuthFactors, claims: ClaimSets.Simple(Issuers.GotJwt, Issuers.GotJwt), signingCredentials: KeyingMaterial.DefaultSymmetricSigningCreds_256_Sha2, expires: DateTime.UtcNow + TimeSpan.FromHours(10), notBefore: DateTime.UtcNow ); string encodedJwt = handler.WriteToken(jwt); TokenValidationParameters tvp = new TokenValidationParameters() { IssuerSigningKey = KeyingMaterial.DefaultSymmetricSecurityKey_256, ValidateAudience = false, ValidIssuer = Issuers.GotJwt, }; ValidateDerived(encodedJwt, handler, tvp, ExpectedException.NoExceptionExpected); }
public static JwtSecurityToken Create(string issuer, string originalIssuer, SigningCredentials signingCredentials) { JwtPayload payload = new JwtPayload(issuer, "urn:uri", ClaimSets.Simple(issuer, originalIssuer), new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10))); JwtHeader header = new JwtHeader(signingCredentials); return(new JwtSecurityToken(header, payload, header.Encode() + "." + payload.Encode() + ".")); }
public void JwtSecurityTokenHandler_Extensibility() { DerivedJwtSecurityTokenHandler handler = new DerivedJwtSecurityTokenHandler() { DerivedTokenType = typeof(DerivedJwtSecurityToken) }; JwtSecurityToken jwt = new JwtSecurityToken ( issuer: Issuers.GotJwt, audience: Audiences.AuthFactors, claims: ClaimSets.Simple(Issuers.GotJwt, Issuers.GotJwt), signingCredentials: KeyingMaterial.SymmetricSigningCreds_256_Sha2, lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10)) ); string encodedJwt = handler.WriteToken(jwt); JwtSecurityToken jwtReadAsDerived = handler.ReadToken(DerivedJwtSecurityToken.Prefix + encodedJwt) as JwtSecurityToken; DerivedJwtSecurityToken jwtDerivedNotValidated = jwtReadAsDerived as DerivedJwtSecurityToken; TokenValidationParameters tvp = new TokenValidationParameters() { SigningToken = KeyingMaterial.BinarySecretToken_256, AudienceUriMode = Selectors.AudienceUriMode.Never, ValidIssuer = Issuers.GotJwt, }; ValidateDerived(jwtReadAsDerived, null, handler, tvp, ExpectedException.Null); ValidateDerived(null, DerivedJwtSecurityToken.Prefix + encodedJwt, handler, tvp, ExpectedException.Null); handler.Configuration = new SecurityTokenHandlerConfiguration() { IssuerTokenResolver = new SetReturnSecurityTokenResolver(KeyingMaterial.BinarySecretToken_256, KeyingMaterial.SymmetricSecurityKey_256), SaveBootstrapContext = true, CertificateValidator = AlwaysSucceedCertificateValidator.New, IssuerNameRegistry = new SetNameIssuerNameRegistry(Audiences.AuthFactors), AudienceRestriction = new AudienceRestriction(AudienceUriMode.Always), }; handler.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Audiences.AuthFactors)); ValidateDerived(null, DerivedJwtSecurityToken.Prefix + encodedJwt, handler, null, ExpectedException.Null); ValidateDerived(handler.ReadToken(DerivedJwtSecurityToken.Prefix + encodedJwt) as JwtSecurityToken, null, handler, null, ExpectedException.Null); handler.DerivedTokenType = typeof(JwtSecurityToken); JwtSecurityToken jwtRead = handler.ReadToken(encodedJwt) as JwtSecurityToken; ValidateDerived(jwtRead, null, handler, tvp, ExpectedException.Null); ValidateDerived(null, encodedJwt, handler, tvp, ExpectedException.Null); ValidateDerived(null, encodedJwt, handler, null, ExpectedException.Null); ValidateDerived(jwtRead as JwtSecurityToken, null, handler, null, ExpectedException.Null); }
public void DuplicateClaims() { Console.WriteLine("Entering: " + MethodBase.GetCurrentMethod()); string issuer = "http://www.dupsRus.com"; string audience = "http://www.contoso.com"; JwtSecurityToken jwt = new JwtSecurityToken(issuer: issuer, audience: audience, claims: ClaimSets.DuplicateTypes(issuer, issuer), signingCredentials: KeyingMaterial.SymmetricSigningCreds_256_Sha2, lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(10))); JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler(); string encodedJwt = jwtHandler.WriteToken(jwt); JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken; TokenValidationParameters validationParameters = new TokenValidationParameters() { SigningToken = KeyingMaterial.BinarySecretToken_256, AudienceUriMode = Selectors.AudienceUriMode.Never, ValidIssuer = issuer, }; Console.WriteLine("Comparing jwt.Claims"); IEnumerable <Claim> claims = ClaimSets.ClaimsPlus(claims: ClaimSets.DuplicateTypes(issuer, issuer), lifetime: new Lifetime(jwt.ValidFrom, jwt.ValidTo), issuer: issuer, audience: audience); // ClaimTypes would have been translated outbound, when the jwt was created. // Comparision should take that into account. List <Claim> translatedClaims = new List <Claim>(); foreach (Claim c in claims) { translatedClaims.Add(ClaimSets.OutboundClaim(c)); } if (!IdentityComparer.AreEqual(jwt.Claims, translatedClaims)) { Assert.Fail("Claims are different"); } // ClaimTypes would have been translated inbound, when the identity was created. // Comparision should take that into account. Console.WriteLine("Comparing Claimsprincipal Claims"); var cp = jwtHandler.ValidateToken(jwtRead, validationParameters); translatedClaims.Clear(); foreach (Claim c in claims) { translatedClaims.Add(ClaimSets.InboundClaim(c)); } Assert.IsTrue(IdentityComparer.AreEqual(translatedClaims, cp.Claims), "Claims are different"); }
public void CreateAndValidateTokens_MultipleAudiences() { List <string> errors = new List <string>(); var handler = new JwtSecurityTokenHandler(); var payload = new JwtPayload(); var header = new JwtHeader(); payload.AddClaims(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)); var jwtToken = new JwtSecurityToken(header, payload); var jwt = handler.WriteToken(jwtToken); var validationParameters = new TokenValidationParameters { RequireExpirationTime = false, RequireSignedTokens = false, ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; SecurityToken validatedJwt = null; var cp = handler.ValidateToken(jwt, validationParameters, out validatedJwt); var ci = new ClaimsIdentity(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer), AuthenticationTypes.Federation); var cpExpected = new ClaimsPrincipal(ci); var compareContext = new CompareContext(); if (!IdentityComparer.AreEqual <ClaimsPrincipal>(cp, cpExpected, compareContext)) { errors.Add("IdentityComparer.AreEqual<ClaimsPrincipal>(cp, cpExpected, compareContext)"); } var audiences = (validatedJwt as JwtSecurityToken).Audiences; var jwtAudiences = jwtToken.Audiences; if (!IdentityComparer.AreEqual <IEnumerable <string> >(audiences, jwtAudiences)) { errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(audiences, jwtAudiences)"); } if (!IdentityComparer.AreEqual <IEnumerable <string> >(audiences, IdentityUtilities.DefaultAudiences)) { errors.Add("!IdentityComparer.AreEqual<IEnumerable<string>>(audiences, IdentityUtilities.DefaultAudiences)"); } TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors); }
private List <JwtSecurityTokenTestVariation> GetJWTTypedConstructorsCases() { string issuer = "GetJWTTypedConstructorsCases"; List <JwtSecurityTokenTestVariation> constructionParams = new List <JwtSecurityTokenTestVariation>() { // ensure format is not format is not checked new JwtSecurityTokenTestVariation { Name = "SimpleJwt", Claims = ClaimSets.Simple(issuer, issuer), ExpectedJwtSecurityToken = JwtTestTokens.Simple(issuer, issuer), }, }; return(constructionParams); }
public void CreateAndValidateTokens_RoleClaims() { JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); TokenValidationParameters validationParameters = new TokenValidationParameters { IssuerSigningToken = KeyingMaterial.DefaultX509Token_2048, ValidateAudience = false, ValidateIssuer = false, }; string issuer = "https://gotjwt.com"; DateTime utcNow = DateTime.UtcNow; DateTime expire = utcNow + TimeSpan.FromHours(1); ClaimsIdentity subject = new ClaimsIdentity(claims: ClaimSets.RoleClaimsShortType(issuer, issuer)); JwtSecurityToken jwtToken = handler.CreateToken(issuer: issuer, signingCredentials: KeyingMaterial.DefaultX509SigningCreds_2048_RsaSha2_Sha2, subject: subject) as JwtSecurityToken; SecurityToken securityToken; ClaimsPrincipal principal = handler.ValidateToken(jwtToken.RawData, validationParameters, out securityToken); CheckForRoles(new string[] { "role1", "roles1" }, new string[] { "notrole1", "notrole2" }, principal); ClaimsIdentity expectedIdentity = new ClaimsIdentity( authenticationType: "Federation", claims: ClaimSets.RoleClaimsLongType(issuer, issuer) ); Claim claim = new Claim(type: JwtRegisteredClaimNames.Iss, value: issuer, valueType: ClaimValueTypes.String, issuer: issuer); expectedIdentity.AddClaim(claim); claim = new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(expire).ToString(), valueType: "JSON", issuer: issuer); claim.Properties.Add(JwtSecurityTokenHandler.JsonClaimTypeProperty, "System.Int32"); expectedIdentity.AddClaim(claim); claim = new Claim(JwtRegisteredClaimNames.Nbf, EpochTime.GetIntDate(utcNow).ToString(), valueType: "JSON", issuer: issuer); claim.Properties.Add(JwtSecurityTokenHandler.JsonClaimTypeProperty, "System.Int32"); expectedIdentity.AddClaim(claim); CompareContext context = new CompareContext(); IdentityComparer.AreEqual <IEnumerable <Claim> >(principal.Claims, expectedIdentity.Claims, context); Assert.IsTrue(context.Errors.Count == 0); }
public void CreateAndValidateTokens_MultipleX5C() { List <string> errors = new List <string>(); var handler = new JwtSecurityTokenHandler(); var payload = new JwtPayload(); var header = new JwtHeader(); payload.AddClaims(ClaimSets.MultipleAudiences(IdentityUtilities.DefaultIssuer, IdentityUtilities.DefaultIssuer)); List <string> x5cs = new List <string> { "x5c1", "x5c2" }; header.Add(JwtHeaderParameterNames.X5c, x5cs); var jwtToken = new JwtSecurityToken(header, payload); var jwt = handler.WriteToken(jwtToken); var validationParameters = new TokenValidationParameters { RequireExpirationTime = false, RequireSignedTokens = false, ValidateAudience = false, ValidateIssuer = false, ValidateLifetime = false, }; SecurityToken validatedSecurityToken = null; var cp = handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken); JwtSecurityToken validatedJwt = validatedSecurityToken as JwtSecurityToken; object x5csInHeader = validatedJwt.Header[JwtHeaderParameterNames.X5c]; if (x5csInHeader == null) { errors.Add("1: validatedJwt.Header[JwtHeaderParameterNames.X5c]"); } else { var list = x5csInHeader as IEnumerable <object>; if (list == null) { errors.Add("2: var list = x5csInHeader as IEnumerable<object>; is NULL."); } int num = 0; foreach (var str in list) { num++; if (!(str is string)) { errors.Add("3: str is not string, is:" + str.ToString()); } } if (num != x5cs.Count) { errors.Add("4: num != x5cs.Count. num: " + num.ToString() + "x5cs.Count: " + x5cs.Count.ToString()); } } // make sure we can still validate with existing logic. header = new JwtHeader(KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2); header.Add(JwtHeaderParameterNames.X5c, x5cs); jwtToken = new JwtSecurityToken(header, payload); jwt = handler.WriteToken(jwtToken); validationParameters.IssuerSigningToken = KeyingMaterial.DefaultAsymmetricX509Token_2048; validationParameters.RequireSignedTokens = true; validatedSecurityToken = null; cp = handler.ValidateToken(jwt, validationParameters, out validatedSecurityToken); TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors); }
public void CreateAndValidateTokens_JsonClaims() { List <string> errors = new List <string>(); string issuer = "http://www.GotJWT.com"; string claimSources = "_claim_sources"; string claimNames = "_claim_names"; JwtPayload jwtPayloadClaimSources = new JwtPayload(); jwtPayloadClaimSources.Add(claimSources, JsonClaims.ClaimSources); jwtPayloadClaimSources.Add(claimNames, JsonClaims.ClaimNames); JwtSecurityToken jwtClaimSources = new JwtSecurityToken( new JwtHeader(), jwtPayloadClaimSources); JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler(); string encodedJwt = jwtHandler.WriteToken(jwtClaimSources); var validationParameters = new TokenValidationParameters { IssuerValidator = (s, st, tvp) => { return(issuer); }, RequireSignedTokens = false, ValidateAudience = false, ValidateLifetime = false, }; SecurityToken validatedJwt = null; var claimsPrincipal = jwtHandler.ValidateToken(encodedJwt, validationParameters, out validatedJwt); if (!IdentityComparer.AreEqual (claimsPrincipal.Identity as ClaimsIdentity, JsonClaims.ClaimsIdentityDistributedClaims(issuer, TokenValidationParameters.DefaultAuthenticationType, JsonClaims.ClaimSources, JsonClaims.ClaimNames))) { errors.Add("JsonClaims.ClaimSources, JsonClaims.ClaimNames: test failed"); } ; Claim c = claimsPrincipal.FindFirst(claimSources); if (!c.Properties.ContainsKey(JwtSecurityTokenHandler.JsonClaimTypeProperty)) { errors.Add(claimSources + " claim, did not have json property: " + JwtSecurityTokenHandler.JsonClaimTypeProperty); } else { if (!string.Equals(c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty], typeof(IDictionary <string, object>).ToString(), StringComparison.Ordinal)) { errors.Add("!string.Equals(c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty], typeof(IDictionary<string, object>).ToString(), StringComparison.Ordinal)" + "value is: " + c.Properties[JwtSecurityTokenHandler.JsonClaimTypeProperty]); } } JwtSecurityToken jwtWithEntity = new JwtSecurityToken( new JwtHeader(), new JwtPayload(claims: ClaimSets.EntityAsJsonClaim(issuer, issuer))); encodedJwt = jwtHandler.WriteToken(jwtWithEntity); JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken; SecurityToken validatedToken; var cp = jwtHandler.ValidateToken(jwtRead.RawData, validationParameters, out validatedToken); Claim jsonClaim = cp.FindFirst(typeof(Entity).ToString()); if (jsonClaim == null) { errors.Add("Did not find Jsonclaims. Looking for claim of type: '" + typeof(Entity).ToString() + "'"); } ; string jsString = JsonExtensions.SerializeToJson(Entity.Default); if (!string.Equals(jsString, jsonClaim.Value, StringComparison.Ordinal)) { errors.Add(string.Format(CultureInfo.InvariantCulture, "Find Jsonclaims of type: '{0}', but they weren't equal.\nExpecting:\n'{1}'.\nReceived:\n'{2}'", typeof(Entity).ToString(), jsString, jsonClaim.Value)); } TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, errors); }
public static ClaimsIdentity Simple(string issuer, string originalIssuer) { return(new ClaimsIdentity(ClaimSets.Simple(issuer, originalIssuer))); }
public static JwtSecurityToken Simple(string issuer, string originalIssuer) { return(new JwtSecurityToken(issuer, "http://www.contoso.com", ClaimSets.Simple(issuer, originalIssuer))); }
public void SubClaim() { string issuer = "http://www.GotJWT.com"; string audience = "http://www.contoso.com"; JwtSecurityToken jwt = new JwtSecurityToken(issuer: issuer, audience: audience, claims: ClaimSets.JsonClaims(issuer, issuer), lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1))); JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler(); jwtHandler.RequireSignedTokens = false; string encodedJwt = jwtHandler.WriteToken(jwt); JwtSecurityToken jwtRead = jwtHandler.ReadToken(encodedJwt) as JwtSecurityToken; TokenValidationParameters validationParameters = new TokenValidationParameters() { AudienceUriMode = Selectors.AudienceUriMode.Never, ValidIssuer = issuer, }; var cp = jwtHandler.ValidateToken(jwtRead, validationParameters); Claim jsonClaim = cp.FindFirst(typeof(Entity).ToString()); Assert.IsFalse(jsonClaim == null, string.Format(CultureInfo.InvariantCulture, "Did not find Jsonclaims. Looking for claim of type: '{0}'", typeof(Entity).ToString())); JavaScriptSerializer js = new JavaScriptSerializer(); string jsString = js.Serialize(Entity.Default); Assert.IsFalse(jsString != jsonClaim.Value, string.Format(CultureInfo.InvariantCulture, "Find Jsonclaims of type: '{0}', but they weren't equal.\nExpecting '{1}'.\nReceived '{2}'", typeof(Entity).ToString(), jsString, jsonClaim.Value)); }