public void SecurityTokenHandlerCollectionExtensions_Publics()
{
SecurityTokenHandlerCollection securityTokenValidators = new SecurityTokenHandlerCollection();
string defaultSamlToken = IdentityUtilities.CreateSamlToken();
string defaultSaml2Token = IdentityUtilities.CreateSaml2Token();
string defaultJwt = IdentityUtilities.DefaultAsymmetricJwt;
ExpectedException expectedException = ExpectedException.ArgumentNullException("Parameter name: securityToken");
ValidateToken(null, null, securityTokenValidators, expectedException);
expectedException = ExpectedException.ArgumentNullException("Parameter name: validationParameters");
ValidateToken(defaultSamlToken, null, securityTokenValidators, expectedException);
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
expectedException = ExpectedException.SecurityTokenValidationException("IDX10201");
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, expectedException);
securityTokenValidators = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
expectedException = ExpectedException.SignatureVerificationFailedException(substringExpected: "ID4037:");
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, expectedException);
securityTokenValidators.Clear();
securityTokenValidators.Add(new IMSamlTokenHandler());
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, ExpectedException.SignatureVerificationFailedException(substringExpected: "ID4037:"));
ValidateToken(defaultSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
ValidateToken(defaultSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.SecurityTokenValidationException(substringExpected: "IDX10201:"));
securityTokenValidators.Add(new IMSaml2TokenHandler());
securityTokenValidators.Add(new System.IdentityModel.Tokens.JwtSecurityTokenHandler());
ValidateToken(defaultSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
ValidateToken(defaultJwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
}
private void ValidateToken()
{
// parameter validation
SamlSecurityTokenHandler tokenHandler = new SamlSecurityTokenHandler();
ExpectedException expectedException = ExpectedException.ArgumentNullException(substringExpected: "name: securityToken");
TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters");
TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.ArgumentException(substringExpected: "IDX10209");
tokenHandler.MaximumTokenSizeInBytes = 1;
TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: expectedException);
tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
string samlToken = IdentityUtilities.CreateSamlToken();
ValidateAudience();
SecurityTokenDescriptor tokenDescriptor =
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
Subject = IdentityUtilities.DefaultClaimsIdentity,
TokenIssuerName = IdentityUtilities.DefaultIssuer,
};
samlToken = IdentityUtilities.CreateSamlToken(tokenDescriptor);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningToken = KeyingMaterial.DefaultAsymmetricX509Token_2048,
ValidAudience = IdentityUtilities.DefaultAudience,
ValidIssuer = IdentityUtilities.DefaultIssuer,
};
TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
validationParameters.LifetimeValidator =
(nb, exp, st, tvp) =>
{
return(false);
};
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));
validationParameters.ValidateLifetime = false;
validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}
public void Saml2SecurityTokenHandler_ValidateToken()
{
// parameter validation
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
tokenHandler.MaximumTokenSizeInBytes = 1;
TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209"));
tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
string samlToken = IdentityUtilities.CreateSaml2Token();
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
// EncryptedAssertion
SecurityTokenDescriptor tokenDescriptor =
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048),
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
Subject = IdentityUtilities.DefaultClaimsIdentity,
TokenIssuerName = IdentityUtilities.DefaultIssuer,
};
samlToken = IdentityUtilities.CreateSaml2Token(tokenDescriptor);
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022"));
TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters;
validationParameters.ClientDecryptionTokens = new List <SecurityToken> {
KeyingMaterial.DefaultX509Token_2048
}.AsReadOnly();
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
validationParameters.LifetimeValidator =
(nb, exp, st, tvp) =>
{
return(false);
};
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));
validationParameters.ValidateLifetime = false;
validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}
public void CrossToken_ValidateToken()
{
JwtSecurityTokenHandler jwtHandler = new JwtSecurityTokenHandler();
IMSaml2TokenHandler imSaml2Handler = new IMSaml2TokenHandler();
IMSamlTokenHandler imSamlHandler = new IMSamlTokenHandler();
SMSaml2TokenHandler smSaml2Handler = new SMSaml2TokenHandler();
SMSamlTokenHandler smSamlHandler = new SMSamlTokenHandler();
JwtSecurityTokenHandler.InboundClaimFilter.Add("aud");
JwtSecurityTokenHandler.InboundClaimFilter.Add("exp");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iat");
JwtSecurityTokenHandler.InboundClaimFilter.Add("iss");
JwtSecurityTokenHandler.InboundClaimFilter.Add("nbf");
string jwtToken = IdentityUtilities.CreateJwtToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, jwtHandler);
// saml tokens created using Microsoft.IdentityModel.Extensions
string imSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSaml2Handler);
string imSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, imSamlHandler);
// saml tokens created using System.IdentityModel.Tokens
string smSaml2Token = IdentityUtilities.CreateSaml2Token(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSaml2Handler);
string smSamlToken = IdentityUtilities.CreateSamlToken(IdentityUtilities.DefaultAsymmetricSecurityTokenDescriptor, smSamlHandler);
ClaimsPrincipal jwtPrincipal = ValidateToken(jwtToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, jwtHandler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal imSaml2Principal = ValidateToken(imSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal imSamlPrincipal = ValidateToken(imSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal smSaml2Principal = ValidateToken(smSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSaml2Handler, ExpectedException.NoExceptionExpected);
ClaimsPrincipal smSamlPrincipal = ValidateToken(smSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, imSamlHandler, ExpectedException.NoExceptionExpected);
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(imSamlPrincipal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSamlPrincipal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(smSaml2Principal, imSaml2Principal, new CompareContext {
IgnoreSubject = true
}));
// false = ignore type of objects, we expect all objects in the principal to be of same type (no derived types)
// true = ignore subject, claims have a backpointer to their ClaimsIdentity. Most of the time this will be different as we are comparing two different ClaimsIdentities.
// true = ignore properties of claims, any mapped claims short to long for JWT's will have a property that represents the short type.
Assert.IsTrue(IdentityComparer.AreEqual <ClaimsPrincipal>(jwtPrincipal, imSaml2Principal, new CompareContext {
IgnoreType = false, IgnoreSubject = true, IgnoreProperties = true
}));
JwtSecurityTokenHandler.InboundClaimFilter.Clear();
}
private void ValidateIssuer()
{
PublicSamlSecurityTokenHandler samlSecurityTokenHandler = new PublicSamlSecurityTokenHandler();
SamlSecurityToken samlToken = IdentityUtilities.CreateSamlSecurityToken();
ValidateIssuer(IdentityUtilities.DefaultIssuer, null, samlToken, samlSecurityTokenHandler, ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
ValidateIssuer("bob", null, samlToken, samlSecurityTokenHandler, ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
ValidateIssuer("bob", new TokenValidationParameters {
ValidateIssuer = false
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
ValidateIssuer("bob", new TokenValidationParameters {
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204"));
ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters {
ValidIssuer = IdentityUtilities.DefaultIssuer
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuer = "frank"
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205"));
List <string> validIssuers = new List <string> {
"john", "paul", "george", "ringo"
};
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205"));
ValidateIssuer("bob", new TokenValidationParameters {
ValidateIssuer = false
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
validIssuers.Add(IdentityUtilities.DefaultIssuer);
string issuer = ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
Assert.IsTrue(issuer == IdentityUtilities.DefaultIssuer, "issuer mismatch");
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerValidator = IdentityUtilities.IssuerValidatorEcho,
};
ValidateIssuer("bob", validationParameters, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204"));
validationParameters.ValidateIssuer = false;
validationParameters.IssuerValidator = IdentityUtilities.IssuerValidatorThrows;
ValidateIssuer("bob", validationParameters, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
}
private void CanReadToken()
{
// CanReadToken
SamlSecurityTokenHandler samlSecurityTokenHandler = new SamlSecurityTokenHandler();
Assert.IsFalse(CanReadToken(securityToken: null, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
string samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes + 1);
Assert.IsFalse(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
samlString = new string('S', TokenValidationParameters.DefaultMaximumTokenSizeInBytes);
Assert.IsFalse(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
samlString = IdentityUtilities.CreateSamlToken();
Assert.IsTrue(CanReadToken(securityToken: samlString, samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: ExpectedException.NoExceptionExpected));
}
public void OpenIdConnectProtocolValidator_CHash()
{
PublicOpenIdConnectProtocolValidator protocolValidator = new PublicOpenIdConnectProtocolValidator();
string authorizationCode1 = protocolValidator.GenerateNonce();
string authorizationCode2 = protocolValidator.GenerateNonce();
string chash1 = IdentityUtilities.CreateCHash(authorizationCode1, "SHA256");
string chash2 = IdentityUtilities.CreateCHash(authorizationCode2, "SHA256");
Dictionary <string, string> emptyDictionary = new Dictionary <string, string>();
Dictionary <string, string> mappedDictionary = new Dictionary <string, string>(protocolValidator.HashAlgorithmMap);
JwtSecurityToken jwtWithCHash1 =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1)
},
issuer: IdentityUtilities.DefaultIssuer
);
JwtSecurityToken jwtWithEmptyCHash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, string.Empty)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
JwtSecurityToken jwtWithoutCHash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, chash2)
},
issuer: IdentityUtilities.DefaultIssuer
);
JwtSecurityToken jwtWithSignatureChash1 =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
JwtSecurityToken jwtWithSignatureMultipleChashes =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1), new Claim(JwtRegisteredClaimNames.CHash, chash2)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
validationContext.AuthorizationCode = authorizationCode2;
// chash is not a string, but array
ValidateCHash(jwt: jwtWithSignatureMultipleChashes, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// chash doesn't match
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// use algorithm map
validationContext.AuthorizationCode = authorizationCode1;
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// Creation of algorithm failed, need to map.
protocolValidator.SetHashAlgorithmMap(emptyDictionary);
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10307:"));
protocolValidator.SetHashAlgorithmMap(mappedDictionary);
ValidateCHash(jwt: null, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.ArgumentNullException());
ValidateCHash(jwt: jwtWithoutCHash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10308:"));
ValidateCHash(jwt: jwtWithEmptyCHash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
ValidateCHash(jwt: jwtWithCHash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10307:"));
ValidateCHash(jwt: jwtWithoutCHash, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// make sure default alg works.
validationContext.AuthorizationCode = authorizationCode1;
jwtWithCHash1.Header.Remove("alg");
ValidateCHash(jwt: jwtWithCHash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
}
public void OpenIdConnectProtocolValidator_Validate()
{
JwtSecurityToken jwt = new JwtSecurityToken();
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
OpenIdConnectProtocolValidator protocolValidator = new OpenIdConnectProtocolValidator();
// jwt null
Validate(jwt: null, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// validationContext null
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// aud missing
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// exp missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, IdentityUtilities.DefaultAudience));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iat missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iss missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// add iis, nonce is not retuired.
protocolValidator.RequireNonce = false;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, IdentityUtilities.DefaultIssuer));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// nonce invalid
string validNonce = protocolValidator.GenerateNonce();
// add the valid 'nonce' but set validationContext.Nonce to a different 'nonce'.
protocolValidator.RequireNonce = true;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nonce, validNonce));
validationContext.Nonce = protocolValidator.GenerateNonce();
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));
// sub missing, default not required
validationContext.Nonce = validNonce;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
protocolValidator.RequireSub = true;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// authorizationCode invalid
string validAuthorizationCode = protocolValidator.GenerateNonce();
string validChash = IdentityUtilities.CreateCHash(validAuthorizationCode, "SHA256");
JwtSecurityToken jwtWithSignatureChash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim>
{
new Claim(JwtRegisteredClaimNames.CHash, validChash),
new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()),
new Claim(JwtRegisteredClaimNames.Nonce, validNonce),
new Claim(JwtRegisteredClaimNames.Sub, "sub"),
},
expires: DateTime.UtcNow + TimeSpan.FromHours(1),
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
Dictionary <string, string> algmap = new Dictionary <string, string>(protocolValidator.HashAlgorithmMap);
protocolValidator.HashAlgorithmMap.Clear();
protocolValidator.HashAlgorithmMap.Add(JwtAlgorithms.RSA_SHA256, "SHA256");
validationContext.Nonce = validNonce;
validationContext.AuthorizationCode = validNonce;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// nonce and authorizationCode valid
validationContext.AuthorizationCode = validAuthorizationCode;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// validate optional claims
protocolValidator.RequireAcr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10312:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Acr, "acr"));
protocolValidator.RequireAmr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10313:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Amr, "amr"));
protocolValidator.RequireAuthTime = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10314:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.AuthTime, "authTime"));
protocolValidator.RequireAzp = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10315:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Azp, "azp"));
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
}
private void ValidateAudience()
{
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
ExpectedException expectedException;
string samlString = IdentityUtilities.CreateSaml2Token();
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningToken = IdentityUtilities.DefaultAsymmetricSigningToken,
RequireExpirationTime = false,
RequireSignedTokens = false,
ValidIssuer = IdentityUtilities.DefaultIssuer,
};
// Do not validate audience
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// no valid audiences
validationParameters.ValidateAudience = true;
expectedException = ExpectedException.SecurityTokenInvalidAudienceException("IDX10208");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
validationParameters.ValidAudience = "John";
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// UriKind.Absolute, no match.
validationParameters.ValidateAudience = true;
validationParameters.ValidAudience = IdentityUtilities.NotDefaultAudience;
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.NoExceptionExpected;
validationParameters.ValidAudience = IdentityUtilities.DefaultAudience;
validationParameters.ValidAudiences = null;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// !UriKind.Absolute
List <string> audiences = new List <string> {
"John", "Paul", "George", "Ringo"
};
validationParameters.ValidAudience = null;
validationParameters.ValidAudiences = audiences;
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
// UriKind.Absolute, no match
audiences = new List <string> {
"http://www.John.com", "http://www.Paul.com", "http://www.George.com", "http://www.Ringo.com", " "
};
validationParameters.ValidAudience = null;
validationParameters.ValidAudiences = audiences;
validationParameters.ValidateAudience = false;
expectedException = ExpectedException.NoExceptionExpected;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10214");
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = true;
expectedException = ExpectedException.NoExceptionExpected;
audiences.Add(IdentityUtilities.DefaultAudience);
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.AudienceValidator =
(aud, token, tvp) =>
{
return(false);
};
expectedException = new ExpectedException(typeExpected: typeof(SecurityTokenInvalidAudienceException), substringExpected: "IDX10231:");
audiences.Add(IdentityUtilities.DefaultAudience);
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: expectedException);
validationParameters.ValidateAudience = false;
validationParameters.AudienceValidator = IdentityUtilities.AudienceValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlString, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}