public void AddSigningCredential_with_json_web_key_containing_asymmetric_key_should_succeed()
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
String json =
@"{
""alg"" : ""RS256"",
""kty"" : ""RSA"",
""use"" : ""sig"",
""d"" : ""KGGNkbbgm2hNMqW6fP1fmcWwEBy77WOJIPAXnDJ0KxNTtqDF8K5ULj7EElHO1A8ZnNl1Ey/x//G9lJCOQUU9wmj010dOSsW0NBbR5NtRtLLuVbkVdyft53PGeTQs+1S3c51fz9jojtNqmlfXSANPFOH6QhxmzpTx3KLsf/TpCzblkSrEGOOqCCvVdl7ybTcB230jNhh3JoL7po1rvxKtoOM4a/Bs0NtKj7e+VaHcf0GLnBPJYetsHu43ZfNejJeDoouaXZzeVEklY3B0pe10OTCIOu0JUKGZxNekklRIo1WSEYdL+CJfrSKWIv8bLj6xSr5zrASvWODyH443LN6ZvQ=="",
""e"" : ""AQAB"",
""n"" : ""q7mZfquRq8tzg/5slbNdQmrosNN/mFXS25dbSPm11qEDCgZa452KkO8+hvMtqa92QaqdlmalSF8+FRDOz3grDR5NtmnXZxuKnp+raKfzpC6hCvh2JSIe/J9enmsMM4YeI4d1FOSDwhJlZIYMdMnqG/VJtO1LSHjOaF3XN31ANKF0nPAsmr2/WysiQlxnxxiikLEnsFuNdS615ODDXFGTQ1E+zc4zVur4/Ox0cllPwHPA4PqoIgdPJPL+xM9IOIXuAGtsp4CYoxT6VWaRrALIZXXDY806WGTuctq4KKot6FGL9HQte2hRLl4E/r8SzIK86U3wRwrBe7saK+XUXoP0gQ="",
""p"" : ""25dkucyCSqxRcJpRrhl7PXqw7wqBZeLQgYlZLpK493PdM8pFfq+/LK1hFtxIjdFKqXS/TOikB4YCBMEH0Im3HZ8Lo0dub3SWNhdegJyRjMbcoO+A9YSODEj7DFaNpZtdmtDi1n6etJm66ctPSR20NNpzoYZuaJ92fVQiKiOh6Qs="",
""q"" : ""yDKBrS8l1DOx4dwP9hdwhqZJ3XahidiIZSL7m46I/6+cjaki/1mtNiA60MOgqTKegP7Fo7jAYvliqQwnvVGmQvLv19cfKywlIuKN9DdkLHnKh75hfo7aakEbO7GJ5zVgsNnKOdf8wvpclfvIuRDEVva4cksPzsJy6K7C8ENCSCM="",
""dp"" : ""GlYJ6o6wgawxCEQ5z5uWwETau5CS/Fk7kI2ceI14SZVHzlJQC2WglAcnQcqhmQCk57Xsy5iLM6vKyi8sdMJPh+nvR2HlyNA+w7YBy4L7odqn01VmLgv7zVVjZpNq4ZXEoDC1Q+xjtF1LoYaUt7wsRLp+a7znuPyHBXj1sAAeBwk="",
""dq"" : ""W8OK3S83T8VCTBzq1Ap6cb3XLcQq11yBaJpYaj0zXr/IKsbUW+dnFeBAFWEWS3gAX3Bod1tAFB3rs0D3FjhO1XE1ruHUT520iAEAwGiDaj+JLh994NzqELo3GW2PoIM/BtFNeKYgHd9UgQsgPnQJCzOb6Aev/z3yHeW9RRQPVbE="",
""qi"" : ""w4KdmiDN1GtK71JxaasqmEKPNfV3v2KZDXKnfyhUsdx/idKbdTVjvMOkxFPJ4FqV4yIVn06f3QHTm4NEG18Diqxsrzd6kXQIHOa858tLsCcmt9FoGfrgCFgVceh3K/Zah/r8rl9Y61u0Z1kZumwMvFpFE+mVU01t9HgTEAVkHTc="",
}";
JsonWebKey jsonWebKey = new JsonWebKey(json);
SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);
identityServerBuilder.AddSigningCredential(credentials);
}
public static async Task AddCustomSigningCredential_WithoutCertificate_SetsDeveloperCredentials()
{
// ReSharper disable once StringLiteralTypo
const string expectedKeyId = "xEB-cwCvL4brqLxCMzkw3Q";
WriteEmbeddedDeveloperCertificateToDisk();
var services = new ServiceCollection();
var builder = new IdentityServerBuilder(services);
builder.AddCustomSigningCredential(Mock.Of <ICertificate>(), Mock.Of <ILogger>());
var provider = services.BuildServiceProvider();
var signingCredentialStore = provider.GetService <ISigningCredentialStore>();
var validationKeysStore = provider.GetService <IValidationKeysStore>();
Assert.NotNull(signingCredentialStore);
Assert.NotNull(validationKeysStore);
var signingCredentials = await signingCredentialStore.GetSigningCredentialsAsync();
var validationKeys = (await validationKeysStore.GetValidationKeysAsync()).ToList();
signingCredentials.Should().NotBeNull();
signingCredentials.Kid.Should().Be(expectedKeyId);
validationKeys.Should().NotBeNull();
validationKeys.Should().HaveCount(1);
var securityKey = validationKeys.First();
securityKey.Key.KeyId.Should().Be(expectedKeyId);
DeleteDeveloperCertificate();
}
public static async Task AddCustomSigningCredential_WithCertificate_SetsSigningCredentials()
{
using var x509 = CreateValidCertificate();
var mockCertificate = new Mock <ICertificate>();
mockCertificate.Setup(c => c.Instance).Returns(x509);
mockCertificate.Setup(c => c.IsAvailable).Returns(true);
var services = new ServiceCollection();
var builder = new IdentityServerBuilder(services);
builder.AddCustomSigningCredential(mockCertificate.Object, Mock.Of <ILogger>());
var provider = services.BuildServiceProvider();
var signingCredentialStore = provider.GetService <ISigningCredentialStore>();
var validationKeysStore = provider.GetService <IValidationKeysStore>();
Assert.NotNull(signingCredentialStore);
Assert.NotNull(validationKeysStore);
var signingCredentials = await signingCredentialStore.GetSigningCredentialsAsync();
var validationKeys = (await validationKeysStore.GetValidationKeysAsync()).ToList();
signingCredentials.Should().NotBeNull();
signingCredentials.Kid.Should().Be(x509.Thumbprint);
validationKeys.Should().NotBeNull();
validationKeys.Should().HaveCount(1);
var securityKey = validationKeys.First();
securityKey.Key.KeyId.Should().Be(x509.Thumbprint);
}
/// <summary>
/// Register IdentityServer profile service converting TenantId to user claim using a configuration registered elsewhere.
/// </summary>
/// <typeparam name="TUser"></typeparam>
/// <param name="services"></param>
/// <returns></returns>
public static IServiceCollection AddTenantToClaimIdentityServerProfileService <TUser>(this IServiceCollection services) where TUser : class
{
var builder = new IdentityServerBuilder(services);
builder.AddProfileService <TenantToClaimIdentityServerProfileService <TUser> >();
return(services);
}
public void AddSigningCredential_with_invalid_curve_should_throw_exception(string curveOid, string alg)
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
var key = new ECDsaSecurityKey(ECDsa.Create(
ECCurve.CreateFromOid(Oid.FromOidValue(curveOid, OidGroup.All))));
Assert.Throws <InvalidOperationException>(() => identityServerBuilder.AddSigningCredential(key, alg));
}
public void AddSigningCredential_with_valid_curve_should_succeed(string curveOid, string alg)
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
var key = new ECDsaSecurityKey(ECDsa.Create(
ECCurve.CreateFromOid(Oid.FromOidValue(curveOid, OidGroup.All))));
identityServerBuilder.AddSigningCredential(key, alg);
}
public void AddDeveloperSigningCredential_should_succeed()
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
identityServerBuilder.AddDeveloperSigningCredential();
//clean up... delete stored rsa key
var filename = Path.Combine(Directory.GetCurrentDirectory(), "tempkey.rsa");
if (File.Exists(filename))
{
File.Delete(filename);
}
}
public void AddSigningCredential_with_json_web_key_containing_symmetric_key_should_throw_exception()
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
String json =
@"{
""alg"" : ""HS256"",
""kty"" : ""oct"",
""use"" : ""sig"",
""k"" : ""y5FHaQFtC294HLAtPXAcMkxZ5gHzCq24223vSYQUrDuu-3CUw7UzPru-AX30ubeB2IM_gUsNQ80bX22wwSk_3LC6XxYxqeGJZSeoQqHG0VNbaWCVkqeuB_HOiL1-ksPfGT-o8_A_Uv-6zi2NaEOYpnIyff5LpdW__LhiE-bhIenaw7GhoXSAfsGEZfNZpUUOU35NAiN2dv0T5vptb87wkL1I2zLhV0pdLvWsDWgQPINEa8bbCA_mseBYpB1eioZvt0TZbp6CL9tiEoiikYV_F3IutrJ2SOWYtDNFeQ3sbyYP7zTzh9a2eyaM8ca5_q3qosI92AbZ7WpEFLa9cZ_O7g""
}";
JsonWebKey jsonWebKey = new JsonWebKey(json);
SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);
Assert.Throws <InvalidOperationException>(() => identityServerBuilder.AddSigningCredential(credentials));
}
public void AddDeveloperSigningCredential_should_succeed_when_called_multiple_times()
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
try
{
identityServerBuilder.AddDeveloperSigningCredential();
//calling a second time will try to load the saved rsa key from disk. An exception will be throw if the private key is not serialized properly.
identityServerBuilder.AddDeveloperSigningCredential();
}
finally
{
//clean up... delete stored rsa key
var filename = Path.Combine(Directory.GetCurrentDirectory(), "tempkey.rsa");
if (File.Exists(filename))
{
File.Delete(filename);
}
}
}
public void AddSigningCredential_with_invalid_crv_value_should_throw_exception(string curveOid, string alg, string crv)
{
IServiceCollection services = new ServiceCollection();
IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
var key = new ECDsaSecurityKey(ECDsa.Create(
ECCurve.CreateFromOid(Oid.FromOidValue(curveOid, OidGroup.All))));
var parameters = key.ECDsa.ExportParameters(true);
var jsonWebKeyFromECDsa = new JsonWebKey()
{
Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve,
Use = "sig",
Kid = key.KeyId,
KeyId = key.KeyId,
X = Base64UrlEncoder.Encode(parameters.Q.X),
Y = Base64UrlEncoder.Encode(parameters.Q.Y),
D = Base64UrlEncoder.Encode(parameters.D),
Crv = crv.Replace("-", string.Empty),
Alg = SecurityAlgorithms.EcdsaSha256
};
Assert.Throws <InvalidOperationException>(() => identityServerBuilder.AddSigningCredential(jsonWebKeyFromECDsa, alg));
}
private static IServiceCollection AddIdentityServer(
this IServiceCollection services,
Core.IdentityServerOptions identityServerOptions,
bool isDevelopment,
Action <IdentityServer4.Configuration.IdentityServerOptions> identityServerOptionsAction,
Action <ConfigurationStoreOptions> configurationStoreOptionsAction,
Action <OperationalStoreOptions> operationalStoreOptionsAction,
Action <IdentityOptions> identityOptionsAction,
Action <AspNetCore.Authentication.AuthenticationOptions> authenticationOptionsAction,
Action <IdentityServerAuthenticationOptions> identityServerAuthenticationOptionsAction,
Action <FacebookOptions> facebookOptionsAction)
{
DefaultInboundClaimTypeMap.Clear();
DefaultOutboundClaimTypeMap.Clear();
var builder = new IdentityServerBuilder(services);
identityServerOptionsAction = identityServerOptionsAction ?? (_ =>
{
});
builder.Services.Configure <SecurityStampValidatorOptions>(opts =>
{
opts.OnRefreshingPrincipal = UpdatePrincipal;
});
builder.Services.ConfigureApplicationCookie(options =>
{
options.Cookie.IsEssential = true;
options.Cookie.SameSite = None;
});
builder.Services.ConfigureExternalCookie(options =>
{
options.Cookie.IsEssential = true;
options.Cookie.SameSite = None;
});
builder.Services.Configure <CookieAuthenticationOptions>(TwoFactorRememberMeScheme, options =>
{
options.Cookie.IsEssential = true;
});
builder.Services.Configure <CookieAuthenticationOptions>(TwoFactorUserIdScheme, options =>
{
options.Cookie.IsEssential = true;
});
builder.Services.Configure(identityServerOptionsAction);
builder.Services.AddIdentityServer();
if (identityServerOptions.UseEntityFramework)
{
builder.Services.AddEntityFramework(configurationStoreOptionsAction, operationalStoreOptionsAction);
builder.AddConfigurationStore <IdentityServerDbContext>(configurationStoreOptionsAction);
builder.AddOperationalStore <IdentityServerDbContext>(operationalStoreOptionsAction);
}
if (identityServerOptions.UseIdentity)
{
builder.Services.AddIdentity(identityServerOptions, identityOptionsAction);
builder.AddAspNetIdentity <User>();
}
if (identityServerOptions.UseAuthentication)
{
builder.Services.AddAuthentication(
identityServerOptions,
authenticationOptionsAction,
identityServerAuthenticationOptionsAction,
facebookOptionsAction);
}
if (isDevelopment)
{
builder.AddDeveloperSigningCredential();
}
else
{
if (!IsNullOrWhiteSpace(identityServerOptions.SigningCredential))
{
var rawData = FromBase64String(identityServerOptions.SigningCredential);
var cert = new X509Certificate2(rawData, default(string), MachineKeySet);
builder.AddSigningCredential(cert);
}
if (!IsNullOrWhiteSpace(identityServerOptions.ValidationKey))
{
var rawData = FromBase64String(identityServerOptions.ValidationKey);
var cert = new X509Certificate2(rawData, default(string), MachineKeySet);
builder.AddValidationKey(cert);
}
builder.AddConfigurationStoreCache();
}
return(builder.Services);
}