/// <summary>
/// Integration test: obtains an HS256-signed ID token through the resource-owner flow and
/// verifies it with <see cref="IdTokenValidator"/>, using the client secret as the HMAC key.
/// </summary>
public async Task Passes_Token_Validation_HS256()
{
    var authUrl = GetVariable("AUTH0_AUTHENTICATION_API_URL");
    var clientId = GetVariable("AUTH0_HS256_CLIENT_ID");
    var clientSecret = GetVariable("AUTH0_HS256_CLIENT_SECRET");

    // Arrange
    using (var client = new AuthenticationApiClient(authUrl))
    {
        // Act
        var tokenRequest = new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Realm = _connection.Name,
            SigningAlgorithm = JwtSignatureAlgorithm.HS256,
            Scope = "openid",
            Username = _user.Email,
            Password = Password
        };
        var response = await client.GetTokenAsync(tokenRequest);

        // The issuer requirement is built in the "https://<domain>/" form the tests expect
        // the token's iss claim to carry; the audience is the client id.
        var issuer = $"https://{authUrl}/";
        var requirements = new IdTokenRequirements(
            JwtSignatureAlgorithm.HS256,
            issuer,
            clientId,
            TimeSpan.FromMinutes(1));

        // For HS256 the validator needs the shared secret to check the signature.
        await new IdTokenValidator().Assert(requirements, response.IdToken, clientSecret);
    }
}
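/// <summary>
/// A token that carries a nonce claim must still validate when the requirements do not
/// specify one: the nonce is ignored rather than treated as a mismatch.
/// </summary>
/// <remarks>
/// Returns <see cref="Task"/> instead of <c>async void</c> so the test runner observes the
/// awaited result; with <c>async void</c> a failed assertion would be raised on the thread
/// pool and the test could report success or crash the host instead of failing.
/// </remarks>
public async Task SucceedsWhenNonceShouldBeIgnored()
{
    // Fixed RS256 test vector whose payload includes a nonce claim.
    var token = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Rva2Vucy10ZXN0LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHwxMjM0NTY3ODkiLCJhdWQiOlsidG9rZW5zLXRlc3QtMTIzIiwiZXh0ZXJuYWwtdGVzdC05OTkiXSwiZXhwIjoxNTY4MTgwODk0LjIyNCwiaWF0IjoxNTY4MDA4MDk0LjIyNCwibm9uY2UiOiJhMWIyYzNkNGU1IiwiYXpwIjoidG9rZW5zLXRlc3QtMTIzIiwiYXV0aF90aW1lIjoxNTY4MDk0NDk0LjIyNH0.IfreWGZM2PVjgYG1E0WLIJ0f9-omYlq6v3FSn3ruu3a9gpTzhN-VB4ZKJRYmqkNLz_0F1mMFJgfpcCZ-ra5KW0aviiIAZHadYPoYLHsQsIVdOQmxkpwzaIoOwtgwvvg8QCKa3DTTPERRriUTYBfSgc5_4qg4bTxulZ7R3whygRMhVBI1uzjTHWMGXeu2PMezo1NtlFTVc3859UpDhGOUAYwBP3oC5JD1B2K15B9qpCtMq8AaAX1bieM8kX4Jez8r_ZwS1NTPMsCWOa2tpGFGhgu7ic9dlQpDjmxQdG8zXTgGJfejzSi0oHHAEtHxD-znTsyRVqu5psq_LEKBnWi6HA";

    // No nonce is set on the requirements, only issuer, audience, leeway and max age.
    var reqs = new IdTokenRequirements("https://tokens-test.auth0.com/", "tokens-test-123", TimeSpan.FromMinutes(5))
    {
        MaxAge = TimeSpan.FromSeconds(100)
    };

    await ValidateToken(token, reqs);
}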
/// <summary>
/// Verifies the signature of <paramref name="idToken"/> as dictated by
/// <paramref name="requirements"/>, then checks the token's claims against them.
/// </summary>
/// <param name="requirements">Signature algorithm, issuer, audience and leeway the token must satisfy.</param>
/// <param name="idToken">Compact-serialized ID token.</param>
/// <param name="clientSecret">Shared secret used as the HMAC key when the requirements select HS256.</param>
/// <param name="pointInTime">Instant at which time-based claims are evaluated; <see cref="DateTime.Now"/> when omitted.</param>
/// <exception cref="IdTokenValidationException">Thrown when <paramref name="idToken"/> is null or whitespace.</exception>
public async Task Assert(IdTokenRequirements requirements, string idToken, string clientSecret, DateTime? pointInTime = null)
{
    if (string.IsNullOrWhiteSpace(idToken))
    {
        throw new IdTokenValidationException("ID token is required but missing.");
    }

    // Signature first: claims are only inspected on a token whose signature has been verified.
    var verifiedToken = await DecodeSignedToken(requirements, idToken, clientSecret).ConfigureAwait(false);

    // NOTE(review): DateTime.Now is local time while JWT exp/iat are UTC epoch seconds; whether
    // AssertClaimsMeetRequirements normalises the kind is not visible here — confirm, or prefer UtcNow.
    var evaluationTime = pointInTime ?? DateTime.Now;
    IdTokenClaimValidator.AssertClaimsMeetRequirements(requirements, verifiedToken, evaluationTime);
}
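/// <summary>
/// Integration test: obtains an ID token through the resource-owner flow against the default
/// tenant and checks it against issuer/audience requirements derived from the same settings.
/// </summary>
public async Task Passes_Token_Validation()
{
    var authUrl = GetVariable("AUTH0_AUTHENTICATION_API_URL");
    var clientId = GetVariable("AUTH0_CLIENT_ID");

    // Arrange — the client is disposable (the sibling tests wrap it in `using`); dispose it
    // here as well so its resources are released when the test ends.
    using (var authenticationApiClient = new AuthenticationApiClient(authUrl))
    {
        // Act
        var authenticationResponse = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = GetVariable("AUTH0_CLIENT_SECRET"),
            Realm = _connection.Name,
            Scope = "openid",
            Username = _user.Email,
            Password = Password
        });

        // Assert — issuer is the tenant URL with scheme and trailing slash; audience is the client id.
        var idTokenValidation = new IdTokenRequirements($"https://{authUrl}/", clientId, TimeSpan.FromMinutes(1));
        await idTokenValidation.AssertTokenMeetsRequirements(authenticationResponse.IdToken);
    }
}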
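/// <summary>
/// Integration test: same flow as <c>Passes_Token_Validation</c> but against a tenant reached
/// through a custom domain (CNAME), so the issuer requirement must use that domain.
/// </summary>
public async Task Passes_Token_Validation_With_CNAME()
{
    var authUrl = GetVariable("BRUCKE_AUTHENTICATION_API_URL");
    var clientId = GetVariable("BRUCKE_CLIENT_ID");

    // Arrange — the client is disposable (the sibling tests wrap it in `using`); dispose it
    // here as well so its resources are released when the test ends.
    using (var authenticationApiClient = new AuthenticationApiClient(authUrl))
    {
        // Act
        var authenticationResponse = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = GetVariable("BRUCKE_CLIENT_SECRET"),
            Realm = GetVariable("BRUCKE_CONNECTION_NAME"),
            Scope = "openid",
            Username = GetVariable("BRUCKE_USERNAME"),
            Password = GetVariable("BRUCKE_PASSWORD")
        });

        // Assert — the expected issuer is the custom domain, not the canonical tenant domain.
        var idTokenValidation = new IdTokenRequirements($"https://{authUrl}/", clientId, TimeSpan.FromMinutes(1));
        await idTokenValidation.AssertTokenMeetsRequirements(authenticationResponse.IdToken);
    }
}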
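/// <summary>
/// Verifies the signature of <paramref name="idToken"/> with the algorithm named in
/// <paramref name="requirements"/> and returns the parsed token.
/// </summary>
/// <param name="requirements">Supplies <c>SignatureAlgorithm</c> and, for RS256, the <c>Issuer</c> whose key set signs the token.</param>
/// <param name="idToken">Compact-serialized JWT.</param>
/// <param name="clientSecret">Shared secret used as the HMAC key for HS256; not used for RS256.</param>
/// <returns>The decoded token after its signature has been verified.</returns>
/// <exception cref="ArgumentOutOfRangeException">Thrown for a <c>SignatureAlgorithm</c> this validator does not support.</exception>
private async Task<JwtSecurityToken> DecodeSignedToken(IdTokenRequirements requirements, string idToken, string clientSecret)
{
    switch (requirements.SignatureAlgorithm)
    {
        case JwtSignatureAlgorithm.HS256:
            return new SymmetricSignedDecoder(clientSecret).DecodeSignedToken(idToken);

        case JwtSignatureAlgorithm.RS256:
            try
            {
                // First attempt with the longer key-set lifetime. Awaiting inside the try is what
                // makes the fallback below work: the original returned the Task unawaited, so a
                // key-missing failure surfacing asynchronously would bypass the catch entirely.
                return await AssertRS256IdTokenValid(idToken, requirements.Issuer, maxJwksKeySetValidFor).ConfigureAwait(false);
            }
            catch (IdTokenValidationKeyMissingException)
            {
                // Unknown key id, typically a key rotation: retry with the shorter interval so the
                // key set can be refreshed. minJwksRefreshInterval presumably bounds how often that
                // refresh may happen, so unrecognised key ids cannot force a fetch on every call.
                return await AssertRS256IdTokenValid(idToken, requirements.Issuer, minJwksRefreshInterval).ConfigureAwait(false);
            }

        default:
            // ArgumentOutOfRangeException(paramName, message) — the original passed these two
            // arguments in the opposite order, producing a message of "requirements".
            throw new ArgumentOutOfRangeException(
                nameof(requirements),
                $"SignatureAlgorithm '{requirements.SignatureAlgorithm}' not supported.");
    }
}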
/// <summary>
/// Integration test: obtains an RS256-signed ID token from a tenant reached through a custom
/// domain (CNAME) and verifies it with <see cref="IdTokenValidator"/> using that domain as issuer.
/// </summary>
public async Task Passes_Token_Validation_With_CNAME()
{
    // Arrange
    var authUrl = GetVariable("BRUCKE_AUTHENTICATION_API_URL");
    var clientId = GetVariable("BRUCKE_CLIENT_ID");
    var clientSecret = GetVariable("BRUCKE_CLIENT_SECRET");

    using (var client = new AuthenticationApiClient(authUrl))
    {
        // Act
        var tokenRequest = new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Realm = GetVariable("BRUCKE_CONNECTION_NAME"),
            Scope = "openid",
            Username = GetVariable("BRUCKE_USERNAME"),
            Password = GetVariable("BRUCKE_PASSWORD")
        };
        var response = await client.GetTokenAsync(tokenRequest);

        // The expected issuer is the custom domain, not the canonical tenant domain.
        var requirements = new IdTokenRequirements(
            JwtSignatureAlgorithm.RS256,
            $"https://{authUrl}/",
            clientId,
            TimeSpan.FromMinutes(1));

        // RS256 verification uses the issuer's published keys; the secret is passed for API symmetry.
        await new IdTokenValidator().Assert(requirements, response.IdToken, clientSecret);
    }
}
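/// <summary>
/// Integration test: a genuine ID token must be rejected when the expected audience does not
/// match the client id it was issued for.
/// </summary>
public async Task Fails_Token_Validation_With_Incorrect_Audience()
{
    var authUrl = GetVariable("AUTH0_AUTHENTICATION_API_URL");

    // Arrange — the client is disposable (the sibling tests wrap it in `using`); dispose it
    // here as well so its resources are released when the test ends.
    using (var authenticationApiClient = new AuthenticationApiClient(authUrl))
    {
        // Act
        var authenticationResponse = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest
        {
            ClientId = GetVariable("AUTH0_CLIENT_ID"),
            ClientSecret = GetVariable("AUTH0_CLIENT_SECRET"),
            Realm = _connection.Name,
            Scope = "openid",
            Username = _user.Email,
            Password = Password
        });

        // Deliberately wrong audience; issuer and leeway are otherwise correct.
        var idTokenValidation = new IdTokenRequirements($"https://{authUrl}/", "invalid_audience", TimeSpan.FromMinutes(1));

        // Assert — guard that a token was actually issued so the failure below is the audience check.
        authenticationResponse.IdToken.Should().NotBeNull();
        await Assert.ThrowsAsync<IdTokenValidationException>(() => idTokenValidation.AssertTokenMeetsRequirements(authenticationResponse.IdToken));
    }
}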
/// <summary>
/// Integration test: a genuine RS256 ID token must be rejected when the issuer requirement
/// names a different tenant, because that issuer's key set does not contain the signing key.
/// </summary>
public async Task Fails_Token_Validation_With_Incorrect_Domain()
{
    // Arrange
    var clientId = GetVariable("AUTH0_CLIENT_ID");
    var clientSecret = GetVariable("AUTH0_CLIENT_SECRET");

    using (var client = new AuthenticationApiClient(GetVariable("AUTH0_AUTHENTICATION_API_URL")))
    {
        // Act
        var tokenRequest = new ResourceOwnerTokenRequest
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Realm = _connection.Name,
            Scope = "openid",
            Username = _user.Email,
            Password = Password
        };
        var response = await client.GetTokenAsync(tokenRequest);

        // Issuer deliberately points at a tenant other than the one that issued the token.
        var requirements = new IdTokenRequirements(
            JwtSignatureAlgorithm.RS256,
            "https://auth0.auth0.com/",
            clientId,
            TimeSpan.FromMinutes(1));

        // Assert — confirm a token was issued, then expect the key lookup for the wrong issuer to fail.
        response.IdToken.Should().NotBeNull();
        var validator = new IdTokenValidator();
        await Assert.ThrowsAsync<IdTokenValidationKeyMissingException>(
            () => validator.Assert(requirements, response.IdToken, clientSecret));
    }
}
/// <summary>
/// Builds the <see cref="IdTokenRequirements"/> for this client — issuer taken from
/// <c>BaseUri</c>, leeway from <c>idTokenValidationLeeway</c> — and runs the validator.
/// </summary>
/// <param name="idToken">Compact-serialized ID token to verify.</param>
/// <param name="audience">Expected audience (client id).</param>
/// <param name="algorithm">Signature algorithm the token must use.</param>
/// <param name="clientSecret">HMAC key for HS256; passed through to the validator.</param>
/// <param name="organization">Optional organization the token must belong to; null means unconstrained.</param>
/// <returns>The validator's task; it faults if the token does not meet the requirements.</returns>
private Task AssertIdTokenValid(string idToken, string audience, JwtSignatureAlgorithm algorithm, string clientSecret, string organization = null) =>
    idTokenValidator.Assert(
        // The null argument is the optional value this call site does not constrain —
        // presumably the max-age; confirm against the IdTokenRequirements constructor.
        new IdTokenRequirements(algorithm, BaseUri.AbsoluteUri, audience, idTokenValidationLeeway, null, organization),
        idToken,
        clientSecret);
/// <summary>
/// Test helper: validates <paramref name="token"/> with the shared validator, substituting the
/// fixture defaults for any argument left null.
/// </summary>
/// <param name="token">Compact-serialized token under test.</param>
/// <param name="reqs">Requirements to apply; <c>defaultReqs</c> when null.</param>
/// <param name="when">Instant used for time-based claims; <c>tokensWereValid</c> when null.</param>
/// <param name="signatureVerifier">Signature verifier to use; <c>rs256NoSignature</c> when null.</param>
/// <returns>The validator's task.</returns>
private Task ValidateToken(string token, IdTokenRequirements reqs = null, DateTime? when = null, ISignatureVerifier signatureVerifier = null) =>
    IdTokenValidator.AssertTokenMeetsRequirements(
        reqs ?? defaultReqs,
        token,
        when ?? tokensWereValid,
        // The fixture default skips signature checking by name, so tests using it exercise claim logic only.
        signatureVerifier ?? rs256NoSignature);
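/// <summary>
/// Create a new instance of <see cref="Auth0ClientBase"/>.
/// </summary>
/// <param name="options"><see cref="Auth0ClientOptions"/> specifying the configuration options for this client.</param>
/// <param name="platformName">Platform name that forms part of the user-agent when communicating with Auth0 servers.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="options"/> is null.</exception>
protected Auth0ClientBase(Auth0ClientOptions options, string platformName)
{
    // Fail at the boundary with a clear message rather than a NullReferenceException below.
    if (options is null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    _options = options;

    // ID tokens are accepted only if issued by this tenant ("https://<domain>/") for this
    // client id, within the configured clock leeway and max age.
    _idTokenRequirements = new IdTokenRequirements(
        $"https://{options.Domain}/",
        options.ClientId,
        options.Leeway,
        options.MaxAge);

    _userAgent = CreateAgentString(platformName);
}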
/// <summary>
/// Test helper: parses <paramref name="token"/> and checks its claims against
/// <paramref name="reqs"/> (or the fixture defaults) at the fixed instant <c>tokensWereValid</c>.
/// </summary>
/// <param name="token">Compact-serialized token under test.</param>
/// <param name="reqs">Requirements to apply; <c>defaultReqs</c> when null.</param>
private void ValidateToken(string token, IdTokenRequirements reqs = null)
{
    var effectiveReqs = reqs ?? defaultReqs;

    // ReadJwtToken parses the token without verifying its signature (presumably a
    // JwtSecurityTokenHandler), so this helper exercises claim validation only.
    var parsedToken = securityTokenHandler.ReadJwtToken(token);

    IdTokenClaimValidator.AssertClaimsMeetRequirements(effectiveReqs, parsedToken, tokensWereValid);
}
/// <summary>
/// Validates <paramref name="idToken"/> against requirements whose issuer is this client's
/// <c>_baseUri</c>, with a one-minute leeway.
/// </summary>
/// <param name="idToken">Compact-serialized ID token to verify.</param>
/// <param name="issuer">
/// NOTE(review): this value lands in the constructor position the other
/// <see cref="IdTokenRequirements"/> call sites use for the audience/client id, while
/// <c>_baseUri</c> fills the issuer slot — the parameter name looks misleading; confirm
/// against callers before renaming.
/// </param>
private async Task AssertIdTokenValid(string idToken, string issuer)
{
    const int leewayMinutes = 1;
    await new IdTokenRequirements(_baseUri.AbsoluteUri, issuer, TimeSpan.FromMinutes(leewayMinutes))
        .AssertTokenMeetsRequirements(idToken);
}