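/// <summary>
/// Conformance case "rp-id_token-bad_at_hash": the provider returns an ID Token whose
/// at_hash claim does not match the access token it issued, and the RP must refuse it.
/// </summary>
/// <remarks>
/// The body only calls <c>Validate</c>; rejection is expected to surface as an exception
/// thrown from that call, so the expected-exception attribute (or an <c>Assert.Throws</c>
/// wrapper) that turns the throw into pass/fail must sit on this test. Without it a
/// <c>Validate</c> that silently accepts the bad at_hash would make this test pass.
/// NOTE(review): no such attribute is visible in this excerpt — confirm it is present.
/// </remarks>
public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
{
    rpid = "rp-id_token-bad_at_hash";

    // when: run the implicit flow against the provider and take the raw response
    OIDCAuthImplicitResponseMessage response =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    Assert.NotNull(response.IdToken);

    // Parsing with the provider's published keys presumably verifies the signature as
    // well, so the claim checks below run against an authentically signed token.
    OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

    // The expected at_hash is derived from the access token actually received; the
    // provider's (deliberately wrong) at_hash claim must not equal it.
    // NOTE(review): at_hash is only meaningful when an access token accompanies the
    // ID Token — confirm ResponseType.IdToken yields one here, otherwise AccessToken is
    // null and the comparison degenerates.
    string expectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

    // Third argument is presumably the expected nonce; passing null skips that check.
    // Nonce is mandatory in the implicit flow, so production callers must pass the nonce
    // they sent in the request — it is omitted here only because this case targets at_hash.
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
}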
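/// <summary>
/// Conformance case "rp-id_token-mismatching_issuer": an ID Token whose iss claim does not
/// match the issuer the RP expects must be refused.
/// </summary>
/// <remarks>
/// Rejection is expected to surface as an exception thrown from <c>Validate</c>, so the
/// expected-exception attribute (or an <c>Assert.Throws</c> wrapper) must sit on this
/// test; without it a <c>Validate</c> that ignores iss would let the test pass.
/// NOTE(review): no such attribute is visible in this excerpt — confirm it is present.
/// </remarks>
public void Should_Reject_Id_Token_With_Wrong_Iss()
{
    rpid = "rp-id_token-mismatching_issuer";

    // when: run the implicit flow against the provider and take the raw response
    OIDCAuthImplicitResponseMessage response =
        (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    Assert.NotNull(response.IdToken);

    // Parsing with the provider's published keys presumably verifies the signature as
    // well; the iss check below is a claim check on the parsed token.
    OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

    // Force a mismatch locally so the expected issuer passed to Validate can never match.
    // NOTE(review): this overrides whatever iss the provider actually sent, so the test
    // proves that Validate rejects a wrong iss but not that the parsed token preserved the
    // provider's mismatching value — a parser that normalised iss would go unnoticed.
    idToken.Iss = "ManipulatedIssuer";

    string expectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

    // Third argument is presumably the expected nonce; passing null skips that check.
    // Nonce is mandatory in the implicit flow, so production callers must pass the nonce
    // they sent in the request — it is omitted here only because this case targets iss.
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
}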