OIDCIdToken.Validate C# (CSharp) 코드 예제들

예제 #1

0

파일 보기

파일: ClientAuthenticationTests.cs 프로젝트: RetiSpA/OpenIDConnect-Csharp-Client

        public void Should_Authenticate_Client_With_Client_Secret_Jwt()
        {
            rpid = "rp-token_endpoint-client_secret_jwt";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);

            idToken.Validate();
        }

예제 #2

0

파일 보기

파일: OpenIdRelyingParty.cs 프로젝트: RetiSpA/OpenIDConnect-Csharp-Client

        private Dictionary <string, object> PerformSelfIssuedAuthentication(OIDCAuthorizationRequestMessage requestMessage, X509Certificate2 certificate)
        {
            OIDCIdToken idToken = new OIDCIdToken();

            idToken.Iss = "https://self-issued.me";
            idToken.Sub = Convert.ToBase64String(Encoding.UTF8.GetBytes(certificate.Thumbprint));
            idToken.Aud = new List <string>()
            {
                requestMessage.RedirectUri
            };
            idToken.Nonce  = requestMessage.Nonce;
            idToken.Exp    = DateTime.MaxValue;
            idToken.Iat    = DateTime.MaxValue;
            idToken.SubJkw = KeyManager.GetOIDCKey(certificate, "RSA", "AQAB", "sig");

            if (requestMessage.Scope.Contains(MessageScope.Profile))
            {
                idToken.GivenName  = "Myself";
                idToken.FamilyName = "User";
                idToken.Name       = idToken.GivenName + " " + idToken.FamilyName;
            }

            if (requestMessage.Scope.Contains(MessageScope.Email))
            {
                idToken.Email = "*****@*****.**";
            }

            if (requestMessage.Scope.Contains(MessageScope.Address))
            {
                idToken.Address               = new OIDCAddress();
                idToken.Address.Country       = "Italy";
                idToken.Address.PostalCode    = "20100";
                idToken.Address.StreetAddress = "Via Test, 1";
                idToken.Address.Locality      = "Milano";
            }

            if (requestMessage.Scope.Contains(MessageScope.Phone))
            {
                idToken.PhoneNumber = "0";
            }

            idToken.Validate();

            Dictionary <string, object> responseMessage = new Dictionary <string, object>();

            responseMessage["id_token"] = JWT.Encode(idToken.SerializeToJsonString(), null, JwsAlgorithm.none);
            responseMessage["state"]    = requestMessage.State;

            return(responseMessage);
        }

예제 #3

0

파일 보기

        public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
        {
            rpid = "rp-id_token-bad_es256_sig";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Token, ResponseType.IdToken
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[1];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            // Manipulate keys to make them invalid
            List <OIDCKey> manipulatedKeys = new List <OIDCKey>();

            foreach (OIDCKey curKey in providerMetadata.Keys)
            {
                OIDCKey newKey = curKey.Clone() as OIDCKey;
                if (curKey.N != null)
                {
                    StringBuilder strBuilder = new StringBuilder(newKey.N);
                    strBuilder[17] = (char)(newKey.N[17] + 1);
                    newKey.N       = strBuilder.ToString();
                }
                manipulatedKeys.Add(newKey);
            }

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();

            // when
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(manipulatedKeys);

            idToken.Validate();
        }

예제 #4

0

파일 보기

        public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
        {
            rpid = "rp-id_token-bad_at_hash";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken        = response.GetIdToken(providerMetadata.Keys);
            string      ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

            idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
        }

예제 #5

0

파일 보기

        public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK()
        {
            rpid = "rp-id_token-kid_absent_multiple_jwks";

            // given

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

            idToken.Validate();
        }

예제 #6

0

파일 보기

        public void Should_Reject_Id_Token_With_Wrong_Iat()
        {
            rpid = "rp-id_token-iat";

            // given

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

            idToken.Iat = DateTime.MinValue;
            idToken.Validate();
        }

예제 #7

0

파일 보기

        public void Should_Reject_Id_Token_With_Wrong_Iss()
        {
            rpid = "rp-id_token-mismatching_issuer";

            // given

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

            idToken.Iss = "ManipulatedIssuer";
            string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);

            idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
        }

예제 #8

0

파일 보기

        public void Should_Reject_Id_Token_With_Wrong_Aud()
        {
            rpid = "rp-id_token-aud";

            // given

            // when
            OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

            // then
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);

            idToken.Aud = new List <string> {
                "ManipulatedAud"
            };
            idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId);
        }

예제 #9

0

파일 보기

파일: UserInfoEndpointTests.cs 프로젝트: RetiSpA/OpenIDConnect-Csharp-Client

        public void Should_Reject_Userinfo_With_Invalid_Sub()
        {
            rpid = "rp-user_info-bad_sub_claim";

            // given
            OIDClaims requestClaims = new OIDClaims();

            requestClaims.IdToken = new Dictionary <string, OIDClaimData>();
            requestClaims.IdToken.Add("name", new OIDClaimData());

            OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
            OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);

            idToken.Validate();

            // when
            OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, idToken.Sub + "Wrong");

            // then
            response.Validate();
            Assert.IsNotNullOrEmpty(response.Name);
        }

예제 #10

0

파일 보기

        public void Should_Nonce_Be_Present_In_Implicit()
        {
            rpid = "rp-nonce-unless_code_flow";

            // given
            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;

            OIDClaims requestClaims = new OIDClaims();

            requestClaims.Userinfo = new Dictionary <string, OIDClaimData>();
            requestClaims.Userinfo.Add("name", new OIDClaimData());

            requestMessage.Scope = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.IdToken, ResponseType.Token
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Claims      = requestClaims;
            requestMessage.Validate();

            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

            // then
            idToken.Validate();
        }

예제 #11

0

파일 보기

        public void Should_Reject_Id_Token_With_Incorrect_C_Hash()
        {
            rpid = "rp-id_token-bad_c_hash";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code, ResponseType.IdToken
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();

            // when
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            // then
            Assert.NotNull(response.IdToken);
            OIDCIdToken idToken       = response.GetIdToken(providerMetadata.Keys);
            string      ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys);

            idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null);
        }

예제 #12

0

파일 보기

파일: ClientAuthenticationTests.cs 프로젝트: RetiSpA/OpenIDConnect-Csharp-Client

        public void Should_Authenticate_Client_With_Private_Key_Jwt()
        {
            rpid = "rp-token_endpoint-client_secret_jwt";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
                delegate(OIDCKey k)
            {
                return(k.Use == "enc" && k.Kty == "RSA");
            }
                ).GetRSA();

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);

            idToken.Validate();
        }

예제 #13

0

파일 보기

        public void Should_Request_And_Use_Unsigned_Id_Token()
        {
            rpid = "rp-id_token-sig_none";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenSignedResponseAlg = "none";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken();

            idToken.Validate();
        }

예제 #14

0

파일 보기

        public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
        {
            rpid    = "rp-id_token-sig+enc";
            signalg = "RS256";
            encalg  = "RSA1_5:A128CBC-HS256";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
            clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            X509Certificate2 encCert  = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List <OIDCKey>   myKeys   = KeyManager.GetKeysJwkList(signCert, encCert);

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);

            idToken.Validate();
        }

C# (CSharp) OIDCIdToken.Validate 예제들