public async Task OnGeneratingClaims_AddsRedirectUriIfPresentOnTheRequest() { // Arrange var expectedRedirectUri = "http://wwww.example.com/callback"; var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage() { RedirectUri = expectedRedirectUri }, new RequestGrants()); var options = new IdentityServiceOptions() { Issuer = "http://www.example.com/Identity" }; var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options)); context.InitializeForToken(TokenTypes.AuthorizationCode); // Act await claimsProvider.OnGeneratingClaims(context); // Assert Assert.Single( context.CurrentClaims, c => c.Type.Equals(IdentityServiceClaimTypes.RedirectUri, StringComparison.Ordinal) && c.Value.Equals(expectedRedirectUri)); }
public async Task OnGeneratingClaims_AddsIssuerForAccessTokenAndIdToken(string tokenType) { // Arrange var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(), new RequestGrants()); var options = new IdentityServiceOptions() { Issuer = "http://www.example.com/Identity" }; var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options)); context.InitializeForToken(tokenType); // Act await claimsProvider.OnGeneratingClaims(context); // Assert Assert.Single( context.CurrentClaims, c => c.Type.Equals(IdentityServiceClaimTypes.Issuer, StringComparison.Ordinal)); }
public async Task OnGeneratingClaims_AddsCustomScopesFromRequest_ToAccessTokenOnTokenRequest() { // Arrange var applicationScopes = new List <ApplicationScope> { ApplicationScope.OpenId, new ApplicationScope("resourceId", "custom"), new ApplicationScope("resourceId", "custom2") }; var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId; var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage() { ClientId = "clientId" }, new RequestGrants() { Scopes = applicationScopes.ToList(), // This is just to prove that we always pick the values for the scope related claims // from the set of granted scopes (for access tokens). Claims = new List <Claim> { new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"), new Claim(IdentityServiceClaimTypes.Scope, "custom3") } }); var claimsProvider = new ScopesTokenClaimsProvider(); context.InitializeForToken(TokenTypes.AccessToken); // Act await claimsProvider.OnGeneratingClaims(context); var claims = context.CurrentClaims; // Assert Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("custom custom2")); Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Audience) && c.Value.Equals("resourceId")); Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.AuthorizedParty) && c.Value.Equals("clientId")); }
public async Task OnGeneratingClaims_AddsAllScopesFromGrantClaims_ToRefreshTokenOnTokenRequest() { // Arrange // This is just to prove that we always transfer the scope and resource claims from the grant // into the refresh token untouched. var applicationScopes = new List <ApplicationScope> { ApplicationScope.OpenId, new ApplicationScope("resourceId", "custom"), new ApplicationScope("resourceId", "custom2") }; var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId; var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage() { ClientId = "clientId" }, new RequestGrants() { Scopes = applicationScopes.ToList(), Claims = new List <Claim> { new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"), new Claim(IdentityServiceClaimTypes.Scope, "openid custom3") } }); var claimsProvider = new ScopesTokenClaimsProvider(); context.InitializeForToken(TokenTypes.RefreshToken); // Act await claimsProvider.OnGeneratingClaims(context); var claims = context.CurrentClaims; // Assert Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("openid custom3")); Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Resource) && c.Value.Equals("ridClaim")); }
public async Task OnGeneratingClaims_AddsGrantedTokensForRefreshToken() { // Arrange var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(), new RequestGrants() { Tokens = new List <string> { TokenTypes.AccessToken, TokenTypes.IdToken, TokenTypes.RefreshToken } }); var expectedTokens = new[] { TokenTypes.AccessToken, TokenTypes.IdToken, TokenTypes.RefreshToken }; var claimsProvider = new GrantedTokensTokenClaimsProvider(); context.InitializeForToken(TokenTypes.RefreshToken); // Act await claimsProvider.OnGeneratingClaims(context); var granted = context.CurrentClaims .Where(c => c.Type.Equals(IdentityServiceClaimTypes.GrantedToken)) .OrderBy(c => c.Value) .Select(c => c.Value) .ToArray(); // Assert Assert.Equal(expectedTokens, granted); }
public async Task OnGeneratingClaims_AddsIssuedAtNotBeforeAndExpires_ForAllTokenTypes( string tokenType, string issuedAt, string notBefore, string expires) { // Arrange var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage { }, new RequestGrants { }); // Reference time var reference = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.Zero); var timestampManager = new TestTimeStampManager(reference); var options = new IdentityServiceOptions(); SetTimeStampOptions(options.AuthorizationCodeOptions, 1); SetTimeStampOptions(options.AccessTokenOptions, 2); SetTimeStampOptions(options.IdTokenOptions, 3); SetTimeStampOptions(options.RefreshTokenOptions, 4); var claimsProvider = new TimestampsTokenClaimsProvider(timestampManager, Options.Create(options)); context.InitializeForToken(tokenType); // Act await claimsProvider.OnGeneratingClaims(context); var claims = context.CurrentClaims; // Assert Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.IssuedAt) && c.Value.Equals(issuedAt)); Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.NotBefore) && c.Value.Equals(notBefore)); Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Expires) && c.Value.Equals(expires)); }
public async Task OnGeneratingClaims_DoesNothing_IfChallengeNotPresent() { // Arrange var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(new Dictionary <string, string[]> { [ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" }, }), new RequestGrants()); context.InitializeForToken(TokenTypes.AuthorizationCode); var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider(); // Act await provider.OnGeneratingClaims(context); // Assert Assert.Empty(context.CurrentClaims); }
public async Task OnGeneratingClaims_AddsCodeChallengeAndChallengeMethod_ToTheAuthorizationCode() { // Arrange var context = new TokenGeneratingContext( new ClaimsPrincipal(), new ClaimsPrincipal(), new OpenIdConnectMessage(new Dictionary <string, string[]> { [ProofOfKeyForCodeExchangeParameterNames.CodeChallenge] = new[] { "challenge" }, [ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" }, }), new RequestGrants()); context.InitializeForToken(TokenTypes.AuthorizationCode); var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider(); // Act await provider.OnGeneratingClaims(context); // Assert Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallenge && c.Value == "challenge"); Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallengeMethod && c.Value == "S256"); }
public async Task OnGeneratingClaims_MapsClaimsFromUsersApplicationsAndAmbient(string tokenType) { // Arrange var expectedClaims = new List <Claim> { new Claim("user-single", "us"), new Claim("user-single-claim", "usa"), new Claim("user-multiple", "um1"), new Claim("user-multiple", "um2"), new Claim("user-multiple-claim", "uma1"), new Claim("user-multiple-claim", "uma2"), new Claim("application-single", "as"), new Claim("application-single-claim", "asa"), new Claim("application-multiple", "am1"), new Claim("application-multiple", "am2"), new Claim("application-multiple-claim", "ama1"), new Claim("application-multiple-claim", "ama2"), new Claim("context-single", "cs"), new Claim("context-single-claim", "csa"), new Claim("context-multiple", "cm1"), new Claim("context-multiple", "cm2"), new Claim("context-multiple-claim", "cma1"), new Claim("context-multiple-claim", "cma2"), }; var user = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> { new Claim("user-single", "us"), new Claim("user-single-aliased", "usa"), new Claim("user-multiple", "um1"), new Claim("user-multiple", "um2"), new Claim("user-multiple-aliased", "uma1"), new Claim("user-multiple-aliased", "uma2"), })); var application = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> { new Claim("application-single", "as"), new Claim("application-single-aliased", "asa"), new Claim("application-multiple", "am1"), new Claim("application-multiple", "am2"), new Claim("application-multiple-aliased", "ama1"), new Claim("application-multiple-aliased", "ama2"), })); var context = new TokenGeneratingContext( user, application, new OpenIdConnectMessage(), new RequestGrants()); context.AmbientClaims.Add(new Claim("context-single", "cs")); context.AmbientClaims.Add(new Claim("context-single-aliased", "csa")); context.AmbientClaims.Add(new Claim("context-multiple", "cm1")); context.AmbientClaims.Add(new Claim("context-multiple", "cm2")); context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma1")); context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma2")); var options = new IdentityServiceOptions() { Issuer = "http://www.example.com/Identity" }; CreateTestMapping(options.AuthorizationCodeOptions); CreateTestMapping(options.AccessTokenOptions); CreateTestMapping(options.IdTokenOptions); CreateTestMapping(options.RefreshTokenOptions); var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options)); context.InitializeForToken(tokenType); // Act await claimsProvider.OnGeneratingClaims(context); var claims = context.CurrentClaims.Where(c => c.Type != IdentityServiceClaimTypes.Issuer && c.Type != IdentityServiceClaimTypes.TokenUniqueId).ToList(); // Assert Assert.Equal(expectedClaims.Count, claims.Count); foreach (var claim in expectedClaims) { Assert.Contains(claims, c => c.Type.Equals(claim.Type) && c.Value.Equals(claim.Value)); } }