public void CreateKeyAcceptsAKeySize()
{
var keySize = 1024;
var key = JwkNetExtensions.CreateKey(keySize);
Assert.That(key.KeySize, Is.EqualTo(keySize));
}
public async static Task <LoginResult> RefreshTokenAsync(OidcSettings settings, string refreshToken)
{
var config = await LoadOpenIdConnectConfigurationAsync(settings);
var tokenClient = new TokenClient(
config.TokenEndpoint,
settings.ClientId,
settings.ClientSecret);
var provider = JwkNetExtensions.CreateProvider();
var jwk = provider.ToJsonWebKey();
var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync(
refreshToken : refreshToken,
algorithm : jwk.Alg,
key : jwk.ToJwkString());
if (tokenResponse.IsError)
{
return(new LoginResult {
ErrorMessage = tokenResponse.Error
});
}
else
{
return(new LoginResult
{
Success = true,
AccessToken = tokenResponse.AccessToken,
RefreshToken = tokenResponse.RefreshToken,
IdentityToken = tokenResponse.IdentityToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
});
}
}
public void CanSpecifyAlgorithm()
{
var alg = "RS512";
var key = JwkNetExtensions.CreateKey();
var jwt = key.ToJsonWebKey(alg);
Assert.That(jwt.Alg, Is.EqualTo(alg));
}
public void CanSpecifyKeyId()
{
var keyId = "myKeyId";
var key = JwkNetExtensions.CreateKey();
var jwt = key.ToJsonWebKey(kid: keyId);
Assert.That(jwt.Kid, Is.EqualTo(keyId));
}
public void CanConvertKeyToJwkWithPublicParametersAndDefaultValues()
{
var key = JwkNetExtensions.CreateKey();
var jwt = key.ToJsonWebKey();
Assert.That(jwt.HasPrivateKey, Is.False);
Assert.That(jwt.Kid.Length, Is.EqualTo(32));
var e = Base64Url.Decode(jwt.E);
Assert.That(e.Length, Is.EqualTo(3)); // Always 65537, which needs 3 bytes (2^16 + 1)
Assert.That(e[0], Is.EqualTo(1)); // 1 x 2^0 = 1
Assert.That(e[1], Is.EqualTo(0)); // 0 x 2^8 = 0
Assert.That(e[2], Is.EqualTo(1)); // 1 x 2^16 = 65536
var n = Base64Url.Decode(jwt.N);
Assert.That(n.Length, Is.EqualTo(key.KeySize / 8)); // KeySize is in bits, so / 8 for bytes
Assert.That(jwt.Kty, Is.EqualTo("RSA"));
Assert.That(jwt.Alg, Is.EqualTo("RS256"));
}
private async void refresh_Click(object sender, RoutedEventArgs e)
{
if (_config == null)
{
await LoadOpenIdConnectConfigurationAsync();
}
var tokenClient = new TokenClient(
_config.TokenEndpoint,
_settings.ClientId,
_settings.ClientSecret);
_provider = JwkNetExtensions.CreateProvider();
var jwk = _provider.ToJsonWebKey();
var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync(
refreshToken : _result?.RefreshToken,
algorithm : jwk.Alg,
key : jwk.ToJwkString());
if (tokenResponse.IsError)
{
_result = new LoginResult {
ErrorMessage = tokenResponse.Error
};
}
else
{
_result = new LoginResult
{
Success = true,
AccessToken = tokenResponse.AccessToken,
RefreshToken = tokenResponse.RefreshToken,
IdentityToken = tokenResponse.IdentityToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
};
}
ShowTokenResult();
}
public void CreateKeyDefaultsTo2048Bits()
{
var key = JwkNetExtensions.CreateKey();
Assert.That(key.KeySize, Is.EqualTo(2048));
}
private async static Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response, OidcSettings settings, OpenIdConnectConfiguration config, string expectedNonce, string verifier)
{
var tokenClaims = ValidateIdentityToken(response.IdentityToken, settings, config);
if (tokenClaims == null)
{
return(new LoginResult {
ErrorMessage = "Invalid identity token."
});
}
var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);
if (nonce == null || !string.Equals(nonce.Value, expectedNonce, StringComparison.Ordinal))
{
return(new LoginResult {
ErrorMessage = "Inalid nonce."
});
}
var codeHash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);
if (codeHash == null || ValidateCodeHash(codeHash.Value, response.Code) == false)
{
return(new LoginResult {
ErrorMessage = "Invalid code."
});
}
var provider = JwkNetExtensions.CreateProvider();
var jwk = provider.ToJsonWebKey();
var tokenClient = new TokenClient(
config.TokenEndpoint,
settings.ClientId,
settings.ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
code : response.Code,
redirectUri : settings.RedirectUri,
codeVerifier : settings.UsePkce?verifier : null,
algorithm : jwk.Alg,
key : jwk.ToJwkString());
if (tokenResponse.IsError)
{
return(new LoginResult {
ErrorMessage = tokenResponse.Error
});
}
var profileClaims = new List <Claim>();
if (settings.LoadUserProfile)
{
var userInfoClient = new UserInfoClient(
new Uri(config.UserInfoEndpoint),
tokenResponse.AccessToken);
var userInfoResponse = await userInfoClient.GetAsync();
profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();
}
var principal = CreatePrincipal(tokenClaims, profileClaims, settings);
return(new LoginResult
{
Success = true,
User = principal,
IdentityToken = response.IdentityToken,
AccessToken = tokenResponse.AccessToken,
RefreshToken = tokenResponse.RefreshToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
});
}
private async Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response)
{
// id_token validieren
var tokenClaims = ValidateIdentityToken(response.IdentityToken);
if (tokenClaims == null)
{
return(new LoginResult {
ErrorMessage = "Invalid identity token."
});
}
// nonce validieren
var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce);
if (nonce == null || !string.Equals(nonce.Value, _nonce, StringComparison.Ordinal))
{
return(new LoginResult {
ErrorMessage = "Inalid nonce."
});
}
// c_hash validieren
var c_hash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash);
if (c_hash == null || ValidateCodeHash(c_hash.Value, response.Code) == false)
{
return(new LoginResult {
ErrorMessage = "Invalid code."
});
}
_provider = JwkNetExtensions.CreateProvider();
var jwk = _provider.ToJsonWebKey();
// code eintauschen gegen tokens
var tokenClient = new TokenClient(
_config.TokenEndpoint,
_settings.ClientId,
_settings.ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync(
code : response.Code,
redirectUri : _settings.RedirectUri,
codeVerifier : _verifier,
algorithm : jwk.Alg,
key : jwk.ToJwkString());
if (tokenResponse.IsError)
{
return(new LoginResult {
ErrorMessage = tokenResponse.Error
});
}
// optional userinfo aufrufen
var profileClaims = new List <Claim>();
if (_settings.LoadUserProfile)
{
var userInfoClient = new UserInfoClient(
new Uri(_config.UserInfoEndpoint),
tokenResponse.AccessToken);
var userInfoResponse = await userInfoClient.GetAsync();
profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList();
}
var principal = CreatePrincipal(tokenClaims, profileClaims);
return(new LoginResult
{
Success = true,
User = principal,
IdentityToken = response.IdentityToken,
AccessToken = tokenResponse.AccessToken,
RefreshToken = tokenResponse.RefreshToken,
AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn)
});
}
