public async Task VerifyCorrectAuthorityUsedInTokenAcquisition_B2CAuthorityTestsAsync( string authorityInstance, bool withTfp = false) { _microsoftIdentityOptions = new MicrosoftIdentityOptions { SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow, Domain = TestConstants.B2CTenant, }; if (withTfp) { BuildTheRequiredServices(authorityInstance + "/tfp/"); } else { BuildTheRequiredServices(authorityInstance); } InitializeTokenAcquisitionObjects(); IConfidentialClientApplication app = await _tokenAcquisition.GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false); string expectedAuthority = string.Format( CultureInfo.InvariantCulture, "{0}/tfp/{1}/{2}/", authorityInstance, TestConstants.B2CTenant, TestConstants.B2CSignUpSignInUserFlow); Assert.Equal(expectedAuthority, app.Authority); }
public async void OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext() { var options = new MicrosoftIdentityOptions() { SignUpSignInPolicyId = DefaultUserFlow }; var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options); var httpContext = HttpContextUtilities.CreateHttpContext(); var authProperties = new AuthenticationProperties(); authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow); var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties) { ProtocolMessage = new OpenIdConnectMessage() { IssuerAddress = _defaultIssuer } }; await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false); Assert.Equal(OpenIdConnectScope.OpenIdProfile, context.ProtocolMessage.Scope); Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType); Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true); Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey)); }
public void ValidateRequiredMicrosoftIdentityOptions( string clientId, string instance, string tenantid, string signUpSignInPolicyId, string domain, string optionsName, MissingParam missingParam = MissingParam.None) { _microsoftIdentityOptions = new MicrosoftIdentityOptions { ClientId = clientId, Instance = instance, TenantId = tenantid, }; if (optionsName == AzureAdB2C) { _microsoftIdentityOptions.SignUpSignInPolicyId = signUpSignInPolicyId; _microsoftIdentityOptions.Domain = domain; } MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation(); ValidateOptionsResult result = microsoftIdentityOptionsValidation.Validate(optionsName, _microsoftIdentityOptions); CheckReturnValueAgainstExpectedMissingParam(missingParam, result); }
public void BothCredentialTypesDefined_Throw() { // Arrange CertificateDescription certificateDescription = CertificateDescription.FromBase64Encoded("encoded"); MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, ClientCertificates = new CertificateDescription[] { certificateDescription }, }; ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions { ClientSecret = "some secret", }; // Act Action credentialAction = () => MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates); // Assert var exception = Assert.Throws <MsalClientException>(credentialAction); Assert.Equal(IDWebErrorMessage.BothClientSecretAndCertificateProvided, exception.Message); Assert.Equal(ErrorCodes.DuplicateClientCredentials, exception.ErrorCode); }
public void TestAudience() { JwtBearerOptions options = new JwtBearerOptions(); MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions() { ClientId = Guid.NewGuid().ToString() }; // Act and Assert options.Audience = "https://localhost"; WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions); Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1); Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "https://localhost"); options.Audience = "api://1EE5A092-0DFD-42B6-88E5-C517C0141321"; WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions); Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 1); Assert.True(options.TokenValidationParameters.ValidAudiences.First() == "api://1EE5A092-0DFD-42B6-88E5-C517C0141321"); options.Audience = "1EE5A092-0DFD-42B6-88E5-C517C0141321"; WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions); Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 2); Assert.Contains("api://1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences); Assert.Contains("1EE5A092-0DFD-42B6-88E5-C517C0141321", options.TokenValidationParameters.ValidAudiences); options.Audience = null; WebApiServiceCollectionExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(options, microsoftIdentityOptions); Assert.True(options.TokenValidationParameters.ValidAudiences.Count() == 2); Assert.Contains($"api://{microsoftIdentityOptions.ClientId}", options.TokenValidationParameters.ValidAudiences); Assert.Contains($"{microsoftIdentityOptions.ClientId}", options.TokenValidationParameters.ValidAudiences); }
public void NoCredentialTypesDefined_Throw() { // Arrange MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, }; ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions { ClientSecret = string.Empty, }; // Act MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation(); Action credentialAction = () => microsoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates); // Assert var exception = Assert.Throws <MsalClientException>(credentialAction); Assert.Equal( string.Format(CultureInfo.InvariantCulture, "Both client secret & client certificate cannot be null or whitespace, " + "and ONE, must be included in the configuration of the web app when calling a web API. " + "For instance, in the appsettings.json file. "), exception.Message); Assert.Equal("missing_client_credentials", exception.ErrorCode); }
public void BothCredentialTypesDefined_Throw() { // Arrange CertificateDescription certificateDescription = CertificateDescription.FromBase64Encoded("encoded"); MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, ClientCertificates = new CertificateDescription[] { certificateDescription }, }; ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions { ClientSecret = "some secret", }; // Act MicrosoftIdentityOptionsValidation microsoftIdentityOptionsValidation = new MicrosoftIdentityOptionsValidation(); Action credentialAction = () => microsoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates); // Assert var exception = Assert.Throws <MsalClientException>(credentialAction); Assert.Equal( string.Format(CultureInfo.InvariantCulture, "Both Client secret & client certificate, " + "cannot be included in the configuration of the web app when calling a web API. "), exception.Message); Assert.Equal("duplicate_client_credentials", exception.ErrorCode); }
public async Task VerifyCorrectRedirectUriAsync( string redirectUri) { _microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, CallbackPath = string.Empty, }; BuildTheRequiredServices(); _applicationOptions.RedirectUri = redirectUri; InitializeTokenAcquisitionObjects(); IConfidentialClientApplication app = await _tokenAcquisition.GetOrBuildConfidentialClientApplicationAsync().ConfigureAwait(false); if (!string.IsNullOrEmpty(redirectUri)) { Assert.Equal(redirectUri, app.AppConfig.RedirectUri); } else { Assert.Equal("https://IdentityDotNetSDKAutomation/", app.AppConfig.RedirectUri); } }
public void VerifyCorrectAuthorityUsedInTokenAcquisitionTests(string tenant) { _microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, CallbackPath = string.Empty, }; BuildTheRequiredServices(); InitializeTokenAcquisitionObjects(); IConfidentialClientApplication app = ConfidentialClientApplicationBuilder .CreateWithApplicationOptions(_applicationOptions) .WithAuthority(TestConstants.AuthorityCommonTenant).Build(); if (!string.IsNullOrEmpty(tenant)) { Assert.Equal( string.Format( CultureInfo.InvariantCulture, "{0}/{1}/", TestConstants.AadInstance, tenant), _tokenAcquisition.CreateAuthorityBasedOnTenantIfProvided( app, tenant)); } else { Assert.Equal(app.Authority, _tokenAcquisition.CreateAuthorityBasedOnTenantIfProvided(app, tenant)); } }
public async Task OnRedirectToIdentityProvider_DefaultUserFlow_DoesntUpdateContext() { var errorAccessor = Substitute.For <ILoginErrorAccessor>(); var options = new MicrosoftIdentityOptions() { SignUpSignInPolicyId = DefaultUserFlow }; var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor); var httpContext = HttpContextUtilities.CreateHttpContext(); var authProperties = new AuthenticationProperties(); authProperties.Items.Add(OidcConstants.PolicyKey, DefaultUserFlow); var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties) { ProtocolMessage = new OpenIdConnectMessage() { IssuerAddress = _defaultIssuer } }; await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false); errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>()); Assert.Null(context.ProtocolMessage.Scope); Assert.Null(context.ProtocolMessage.ResponseType); Assert.Equal(_defaultIssuer, context.ProtocolMessage.IssuerAddress); Assert.True(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey)); }
public void IsB2C_NotNullOrEmptyUserFlow_ReturnsTrue() { var options = new MicrosoftIdentityOptions() { SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow }; Assert.True(options.IsB2C); }
public void IsB2C_NullOrEmptyUserFlow_ReturnsFalse() { var options = new MicrosoftIdentityOptions(); Assert.False(options.IsB2C); options.SignUpSignInPolicyId = ""; Assert.False(options.IsB2C); }
public void BuildAuthority_AadEmptyTenantId_ReturnsNull() { MicrosoftIdentityOptions options = new MicrosoftIdentityOptions { TenantId = string.Empty, Instance = TestConstants.AadInstance }; string result = AuthorityHelpers.BuildAuthority(options); Assert.Null(result); }
public void BuildAuthority_EmptyInstance_ReturnsNull() { MicrosoftIdentityOptions options = new MicrosoftIdentityOptions { Domain = TestConstants.Domain, Instance = string.Empty }; string result = AuthorityHelpers.BuildAuthority(options); Assert.Null(result); }
public void BuildAuthority_NullOptions_ReturnsNull() { //Arrange MicrosoftIdentityOptions options = null; string result = null; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.Null(result); }
public void BuildAuthority_B2CEmptyDomain_ReturnsNull() { MicrosoftIdentityOptions options = new MicrosoftIdentityOptions { Domain = string.Empty, Instance = TestConstants.B2CInstance, SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow }; string result = AuthorityHelpers.BuildAuthority(options); Assert.Null(result); }
public void BuildAuthority_AadInstanceWithTrailingSlash_ReturnsValidAadAuthority() { MicrosoftIdentityOptions options = new MicrosoftIdentityOptions { TenantId = TestConstants.TenantIdAsGuid, Instance = TestConstants.AadInstance + "/", }; string expectedResult = $"{TestConstants.AadInstance}/{options.TenantId}/v2.0"; string result = AuthorityHelpers.BuildAuthority(options); Assert.NotNull(result); Assert.Equal(expectedResult, result); }
public void RegisterAudienceValidation( TokenValidationParameters validationParameters, MicrosoftIdentityOptions microsoftIdentityOptions) { if (validationParameters == null) { throw new ArgumentNullException(nameof(validationParameters)); } ClientId = microsoftIdentityOptions.ClientId; IsB2C = microsoftIdentityOptions.IsB2C; validationParameters.AudienceValidator = ValidateAudience; }
public void BuildAuthority_AADEmptyTenantId_ReturnsNull() { //Arrange MicrosoftIdentityOptions options = new MicrosoftIdentityOptions(); options.TenantId = ""; options.Instance = "https://login.microsoftonline.com/"; string result = null; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.Null(result); }
public void BuildAuthority_EmptyInstance_ReturnsNull() { //Arrange MicrosoftIdentityOptions options = new MicrosoftIdentityOptions(); options.Domain = "contoso.onmicrosoft.com"; options.Instance = ""; string result = null; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.Null(result); }
public MicrosoftIdentityAuthenticationMessageHandlerTests() { _authenticationResult = GetAuthenticationResult(); _mockedMessageHandler = new MockHttpMessageHandler(); _handlerOptions = new MicrosoftIdentityAuthenticationMessageHandlerOptions { AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme, IsProofOfPossessionRequest = false, Scopes = TestConstants.Scopes, Tenant = TestConstants.TenantIdAsGuid, TokenAcquisitionOptions = new TokenAcquisitionOptions(), UserFlow = TestConstants.B2CSignUpSignInUserFlow, }; _identityOptions = new MicrosoftIdentityOptions(); }
public void BuildAuthority_B2CValidOptions_ReturnsValidB2CAuthority() { MicrosoftIdentityOptions options = new MicrosoftIdentityOptions { Domain = TestConstants.B2CTenant, Instance = TestConstants.B2CInstance, SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow, }; string expectedResult = $"{options.Instance}/{options.Domain}/{options.DefaultUserFlow}/v2.0"; string result = AuthorityHelpers.BuildAuthority(options); Assert.NotNull(result); Assert.Equal(expectedResult, result); }
public void BuildAuthority_B2CEmptyDomain_ReturnsNull() { //Arrange MicrosoftIdentityOptions options = new MicrosoftIdentityOptions(); options.Domain = ""; options.Instance = "https://login.microsoftonline.com/"; options.SignUpSignInPolicyId = "b2c_1_susi"; string result = null; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.Null(result); }
public void EnsureValidAudiencesContainsApiGuidIfGuidProvided(string initialAudience, string[] expectedAudiences) { JwtBearerOptions jwtOptions = new JwtBearerOptions() { Audience = initialAudience }; MicrosoftIdentityOptions msIdentityOptions = new MicrosoftIdentityOptions() { ClientId = TestConstants.ApiClientId }; WebApiAuthenticationBuilderExtensions.EnsureValidAudiencesContainsApiGuidIfGuidProvided(jwtOptions, msIdentityOptions); Assert.Equal(expectedAudiences.Length, jwtOptions.TokenValidationParameters.ValidAudiences.Count()); Assert.Equal(expectedAudiences.OrderBy(x => x), jwtOptions.TokenValidationParameters.ValidAudiences.OrderBy(x => x)); }
public void BuildAuthority_OptionsInstaceWithTrailing_BuildAadAuthorityWithoutExtraTrailing() { //Arrange MicrosoftIdentityOptions options = new MicrosoftIdentityOptions(); options.TenantId = "da41245a5-11b3-996c-00a8-4d99re19f292"; options.Instance = "https://login.microsoftonline.com/"; string result = null; string expectedResult = $"https://login.microsoftonline.com/{options.TenantId}/v2.0"; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.NotNull(result); Assert.Equal(result, expectedResult); }
public void ValidateCredentialType() { // Arrange MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, }; ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions { ClientSecret = "some secret", }; // Act & Assert // Should not throw MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates); }
public void BuildAuthority_B2CInstanceDomainAndPolicy_BuildB2CAuthority() { //Arrange MicrosoftIdentityOptions options = new MicrosoftIdentityOptions(); options.Domain = "fabrikamb2c.onmicrosoft.com"; options.Instance = "https://fabrikamb2c.b2clogin.com"; options.SignUpSignInPolicyId = "b2c_1_susi"; string result = null; string expectedResult = $"{options.Instance}/{options.Domain}/{options.DefaultUserFlow}/v2.0"; //Act result = AuthorityHelpers.BuildAuthority(options); //Assert Assert.NotNull(result); Assert.Equal(result, expectedResult); }
public async Task OnRedirectToIdentityProvider_CustomUserFlow_UpdatesContext(bool hasClientCredentials) { var errorAccessor = Substitute.For <ILoginErrorAccessor>(); var options = new MicrosoftIdentityOptions() { SignUpSignInPolicyId = DefaultUserFlow }; if (hasClientCredentials) { options.ClientSecret = TestConstants.ClientSecret; } var handler = new AzureADB2COpenIDConnectEventHandlers(OpenIdConnectDefaults.AuthenticationScheme, options, errorAccessor); var httpContext = HttpContextUtilities.CreateHttpContext(); var authProperties = new AuthenticationProperties(); authProperties.Items.Add(OidcConstants.PolicyKey, CustomUserFlow); var context = new RedirectContext(httpContext, _authScheme, new OpenIdConnectOptions(), authProperties) { ProtocolMessage = new OpenIdConnectMessage() { IssuerAddress = _defaultIssuer, Scope = TestConstants.Scopes, }, }; await handler.OnRedirectToIdentityProvider(context).ConfigureAwait(false); errorAccessor.DidNotReceive().SetMessage(httpContext, Arg.Any <string>()); Assert.Equal(TestConstants.Scopes, context.ProtocolMessage.Scope); Assert.Equal(_customIssuer, context.ProtocolMessage.IssuerAddress, true); Assert.False(context.Properties.Items.ContainsKey(OidcConstants.PolicyKey)); if (hasClientCredentials) { Assert.Equal(OpenIdConnectResponseType.CodeIdToken, context.ProtocolMessage.ResponseType); } else { Assert.Equal(OpenIdConnectResponseType.IdToken, context.ProtocolMessage.ResponseType); } }
public void ValidateCredentialType_Certificate(string base64Encoded) { // Arrange CertificateDescription certificateDescription = CertificateDescription.FromBase64Encoded(base64Encoded); MicrosoftIdentityOptions microsoftIdentityOptions = new MicrosoftIdentityOptions { Authority = TestConstants.AuthorityCommonTenant, ClientId = TestConstants.ConfidentialClientId, ClientCertificates = new CertificateDescription[] { certificateDescription }, }; ConfidentialClientApplicationOptions options = new ConfidentialClientApplicationOptions { ClientSecret = string.Empty, }; // Act & Assert // Should not throw MicrosoftIdentityOptionsValidation.ValidateEitherClientCertificateOrClientSecret(options.ClientSecret, microsoftIdentityOptions.ClientCertificates); }
private void InitializeTests( bool isB2C, string tokenVersion) { _options = new MicrosoftIdentityOptions { ClientId = TestConstants.ClientId, }; if (isB2C) { _options.SignUpSignInPolicyId = TestConstants.B2CSignUpSignInUserFlow; } if (tokenVersion == V2 || isB2C) { _expectedAudience = _options.ClientId; } else { _expectedAudience = $"api://{_options.ClientId}"; } IEnumerable <Claim> claims = new Claim[] { new Claim(Version, tokenVersion), new Claim(Audience, _expectedAudience), }; _token = new JwtSecurityToken(null, null, claims); _validationParams = new TokenValidationParameters(); _registerValidAudience = new RegisterValidAudience(); _registerValidAudience.RegisterAudienceValidation(_validationParams, _options); _validAudiences = new List <string> { _expectedAudience }; }