public async Task OnGeneratingClaims_AddsRedirectUriIfPresentOnTheRequest()
{
// Arrange
var expectedRedirectUri = "http://wwww.example.com/callback";
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage()
{
RedirectUri = expectedRedirectUri
},
new RequestGrants());
var options = new IdentityServiceOptions()
{
Issuer = "http://www.example.com/Identity"
};
var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));
context.InitializeForToken(TokenTypes.AuthorizationCode);
// Act
await claimsProvider.OnGeneratingClaims(context);
// Assert
Assert.Single(
context.CurrentClaims,
c => c.Type.Equals(IdentityServiceClaimTypes.RedirectUri, StringComparison.Ordinal) &&
c.Value.Equals(expectedRedirectUri));
}
public async Task OnGeneratingClaims_AddsIssuerForAccessTokenAndIdToken(string tokenType)
{
// Arrange
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(),
new RequestGrants());
var options = new IdentityServiceOptions()
{
Issuer = "http://www.example.com/Identity"
};
var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));
context.InitializeForToken(tokenType);
// Act
await claimsProvider.OnGeneratingClaims(context);
// Assert
Assert.Single(
context.CurrentClaims,
c => c.Type.Equals(IdentityServiceClaimTypes.Issuer, StringComparison.Ordinal));
}
public async Task OnGeneratingClaims_AddsCustomScopesFromRequest_ToAccessTokenOnTokenRequest()
{
// Arrange
var applicationScopes = new List <ApplicationScope> {
ApplicationScope.OpenId,
new ApplicationScope("resourceId", "custom"),
new ApplicationScope("resourceId", "custom2")
};
var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId;
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage()
{
ClientId = "clientId"
},
new RequestGrants()
{
Scopes = applicationScopes.ToList(),
// This is just to prove that we always pick the values for the scope related claims
// from the set of granted scopes (for access tokens).
Claims = new List <Claim>
{
new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"),
new Claim(IdentityServiceClaimTypes.Scope, "custom3")
}
});
var claimsProvider = new ScopesTokenClaimsProvider();
context.InitializeForToken(TokenTypes.AccessToken);
// Act
await claimsProvider.OnGeneratingClaims(context);
var claims = context.CurrentClaims;
// Assert
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("custom custom2"));
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Audience) && c.Value.Equals("resourceId"));
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.AuthorizedParty) && c.Value.Equals("clientId"));
}
public async Task OnGeneratingClaims_AddsAllScopesFromGrantClaims_ToRefreshTokenOnTokenRequest()
{
// Arrange
// This is just to prove that we always transfer the scope and resource claims from the grant
// into the refresh token untouched.
var applicationScopes = new List <ApplicationScope>
{
ApplicationScope.OpenId,
new ApplicationScope("resourceId", "custom"),
new ApplicationScope("resourceId", "custom2")
};
var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId;
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage()
{
ClientId = "clientId"
},
new RequestGrants()
{
Scopes = applicationScopes.ToList(),
Claims = new List <Claim>
{
new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"),
new Claim(IdentityServiceClaimTypes.Scope, "openid custom3")
}
});
var claimsProvider = new ScopesTokenClaimsProvider();
context.InitializeForToken(TokenTypes.RefreshToken);
// Act
await claimsProvider.OnGeneratingClaims(context);
var claims = context.CurrentClaims;
// Assert
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("openid custom3"));
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Resource) && c.Value.Equals("ridClaim"));
}
public async Task OnGeneratingClaims_AddsGrantedTokensForRefreshToken()
{
// Arrange
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(),
new RequestGrants()
{
Tokens = new List <string>
{
TokenTypes.AccessToken,
TokenTypes.IdToken,
TokenTypes.RefreshToken
}
});
var expectedTokens = new[]
{
TokenTypes.AccessToken,
TokenTypes.IdToken,
TokenTypes.RefreshToken
};
var claimsProvider = new GrantedTokensTokenClaimsProvider();
context.InitializeForToken(TokenTypes.RefreshToken);
// Act
await claimsProvider.OnGeneratingClaims(context);
var granted = context.CurrentClaims
.Where(c => c.Type.Equals(IdentityServiceClaimTypes.GrantedToken))
.OrderBy(c => c.Value)
.Select(c => c.Value)
.ToArray();
// Assert
Assert.Equal(expectedTokens, granted);
}
public async Task OnGeneratingClaims_AddsIssuedAtNotBeforeAndExpires_ForAllTokenTypes(
string tokenType,
string issuedAt,
string notBefore,
string expires)
{
// Arrange
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage {
},
new RequestGrants {
});
// Reference time
var reference = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.Zero);
var timestampManager = new TestTimeStampManager(reference);
var options = new IdentityServiceOptions();
SetTimeStampOptions(options.AuthorizationCodeOptions, 1);
SetTimeStampOptions(options.AccessTokenOptions, 2);
SetTimeStampOptions(options.IdTokenOptions, 3);
SetTimeStampOptions(options.RefreshTokenOptions, 4);
var claimsProvider = new TimestampsTokenClaimsProvider(timestampManager, Options.Create(options));
context.InitializeForToken(tokenType);
// Act
await claimsProvider.OnGeneratingClaims(context);
var claims = context.CurrentClaims;
// Assert
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.IssuedAt) && c.Value.Equals(issuedAt));
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.NotBefore) && c.Value.Equals(notBefore));
Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Expires) && c.Value.Equals(expires));
}
public async Task OnGeneratingClaims_DoesNothing_IfChallengeNotPresent()
{
// Arrange
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(new Dictionary <string, string[]>
{
[ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" },
}),
new RequestGrants());
context.InitializeForToken(TokenTypes.AuthorizationCode);
var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider();
// Act
await provider.OnGeneratingClaims(context);
// Assert
Assert.Empty(context.CurrentClaims);
}
public async Task OnGeneratingClaims_AddsCodeChallengeAndChallengeMethod_ToTheAuthorizationCode()
{
// Arrange
var context = new TokenGeneratingContext(
new ClaimsPrincipal(),
new ClaimsPrincipal(),
new OpenIdConnectMessage(new Dictionary <string, string[]>
{
[ProofOfKeyForCodeExchangeParameterNames.CodeChallenge] = new[] { "challenge" },
[ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" },
}),
new RequestGrants());
context.InitializeForToken(TokenTypes.AuthorizationCode);
var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider();
// Act
await provider.OnGeneratingClaims(context);
// Assert
Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallenge && c.Value == "challenge");
Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallengeMethod && c.Value == "S256");
}
public async Task OnGeneratingClaims_MapsClaimsFromUsersApplicationsAndAmbient(string tokenType)
{
// Arrange
var expectedClaims = new List <Claim>
{
new Claim("user-single", "us"),
new Claim("user-single-claim", "usa"),
new Claim("user-multiple", "um1"),
new Claim("user-multiple", "um2"),
new Claim("user-multiple-claim", "uma1"),
new Claim("user-multiple-claim", "uma2"),
new Claim("application-single", "as"),
new Claim("application-single-claim", "asa"),
new Claim("application-multiple", "am1"),
new Claim("application-multiple", "am2"),
new Claim("application-multiple-claim", "ama1"),
new Claim("application-multiple-claim", "ama2"),
new Claim("context-single", "cs"),
new Claim("context-single-claim", "csa"),
new Claim("context-multiple", "cm1"),
new Claim("context-multiple", "cm2"),
new Claim("context-multiple-claim", "cma1"),
new Claim("context-multiple-claim", "cma2"),
};
var user = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>
{
new Claim("user-single", "us"),
new Claim("user-single-aliased", "usa"),
new Claim("user-multiple", "um1"),
new Claim("user-multiple", "um2"),
new Claim("user-multiple-aliased", "uma1"),
new Claim("user-multiple-aliased", "uma2"),
}));
var application = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>
{
new Claim("application-single", "as"),
new Claim("application-single-aliased", "asa"),
new Claim("application-multiple", "am1"),
new Claim("application-multiple", "am2"),
new Claim("application-multiple-aliased", "ama1"),
new Claim("application-multiple-aliased", "ama2"),
}));
var context = new TokenGeneratingContext(
user,
application,
new OpenIdConnectMessage(),
new RequestGrants());
context.AmbientClaims.Add(new Claim("context-single", "cs"));
context.AmbientClaims.Add(new Claim("context-single-aliased", "csa"));
context.AmbientClaims.Add(new Claim("context-multiple", "cm1"));
context.AmbientClaims.Add(new Claim("context-multiple", "cm2"));
context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma1"));
context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma2"));
var options = new IdentityServiceOptions()
{
Issuer = "http://www.example.com/Identity"
};
CreateTestMapping(options.AuthorizationCodeOptions);
CreateTestMapping(options.AccessTokenOptions);
CreateTestMapping(options.IdTokenOptions);
CreateTestMapping(options.RefreshTokenOptions);
var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));
context.InitializeForToken(tokenType);
// Act
await claimsProvider.OnGeneratingClaims(context);
var claims = context.CurrentClaims.Where(c =>
c.Type != IdentityServiceClaimTypes.Issuer &&
c.Type != IdentityServiceClaimTypes.TokenUniqueId).ToList();
// Assert
Assert.Equal(expectedClaims.Count, claims.Count);
foreach (var claim in expectedClaims)
{
Assert.Contains(claims, c => c.Type.Equals(claim.Type) && c.Value.Equals(claim.Value));
}
}