public void Should_Authenticate_Client_With_Client_Secret_Jwt()
        {
            rpid = "rp-token_endpoint-client_secret_jwt";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);

            idToken.Validate();
        }
Exemplo n.º 2
0
        public void Should_Reject_Id_Token_With_Invalid_Signature_HS256()
        {
            rpid    = "rp-id_token-bad_asym_sig_hs256";
            signalg = "HS256";

            // givens
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // Manipulate keys to make them invalid
            StringBuilder strBuilder = new StringBuilder(clientInformation.ClientSecret);

            strBuilder[17] = (char)(clientInformation.ClientSecret[17] + 1);
            string manipulatedClientSecret = strBuilder.ToString();

            // when
            OpenIdRelyingParty       rp            = new OpenIdRelyingParty();
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            tokenResponse.GetIdToken(null, manipulatedClientSecret);
        }
        public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
        {
            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = authResponse.Scope;
            tokenRequestMessage.State        = authResponse.State;
            tokenRequestMessage.Code         = authResponse.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];
            tokenRequestMessage.GrantType    = "authorization_code";

            OpenIdRelyingParty       rp       = new OpenIdRelyingParty();
            OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
            OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);

            rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
            return(response);
        }
        private OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string redirectUri)
        {
            OpenIDProviderData providerData = options.OpenIDProviders[session["op"] as string];

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = authResponse.Scope;
            tokenRequestMessage.State        = authResponse.State;
            tokenRequestMessage.Code         = authResponse.Code;
            tokenRequestMessage.ClientId     = providerData.ClientInformation.ClientId;
            tokenRequestMessage.ClientSecret = providerData.ClientInformation.ClientSecret;
            tokenRequestMessage.RedirectUri  = redirectUri;
            tokenRequestMessage.GrantType    = "authorization_code";

            OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerData.ProviderMatadata.TokenEndpoint, tokenRequestMessage, providerData.ClientInformation);
            OIDCIdToken idToken = response.GetIdToken(providerData.ProviderMatadata.Keys, tokenRequestMessage.ClientSecret);

            rp.ValidateIdToken(idToken, providerData.ClientInformation, providerData.ProviderMatadata.Issuer, null);
            return(response);
        }
Exemplo n.º 5
0
        private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
        {
            OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            return(rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation));
        }
Exemplo n.º 6
0
        public void Should_Reject_Id_Token_With_Invalid_Signature_RS256()
        {
            rpid    = "rp-id_token-bad_asym_sig_rs256";
            signalg = "RS256";

            // givens
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // Manipulate keys to make them invalid
            List <OIDCKey> manipulatedKeys = new List <OIDCKey>();

            foreach (OIDCKey curKey in providerMetadata.Keys)
            {
                OIDCKey newKey = curKey.Clone() as OIDCKey;
                if (curKey.N != null)
                {
                    StringBuilder strBuilder = new StringBuilder(newKey.N);
                    strBuilder[17] = (char)(newKey.N[17] + 1);
                    newKey.N       = strBuilder.ToString();
                }
                manipulatedKeys.Add(newKey);
            }

            // when
            OpenIdRelyingParty       rp            = new OpenIdRelyingParty();
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            tokenResponse.GetIdToken(manipulatedKeys);
        }
        public void Should_Authenticate_Client_With_Private_Key_Jwt()
        {
            rpid = "rp-token_endpoint-client_secret_jwt";

            // given
            OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
                delegate(OIDCKey k)
            {
                return(k.Use == "enc" && k.Kty == "RSA");
            }
                ).GetRSA();

            // when
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);

            idToken.Validate();
        }
Exemplo n.º 8
0
        public void Should_Request_And_Use_Unsigned_Id_Token()
        {
            rpid = "rp-id_token-sig_none";

            // givens
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenSignedResponseAlg = "none";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken();

            idToken.Validate();
        }
Exemplo n.º 9
0
        public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
        {
            rpid    = "rp-id_token-sig+enc";
            signalg = "RS256";
            encalg  = "RSA1_5:A128CBC-HS256";

            // given
            OpenIdRelyingParty rp = new OpenIdRelyingParty();

            string registrationEndopoint         = GetBaseUrl("/registration");
            OIDCClientInformation clientMetadata = new OIDCClientInformation();

            clientMetadata.ApplicationType = "web";
            clientMetadata.RedirectUris    = new List <string>()
            {
                myBaseUrl + "code_flow_callback"
            };
            clientMetadata.ResponseTypes = new List <ResponseType>()
            {
                ResponseType.Code
            };
            clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
            clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
            clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
            OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);

            OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();

            requestMessage.ClientId = clientInformation.ClientId;
            requestMessage.Scope    = new List <MessageScope>()
            {
                MessageScope.Openid
            };
            requestMessage.ResponseType = new List <ResponseType>()
            {
                ResponseType.Code
            };
            requestMessage.RedirectUri = clientInformation.RedirectUris[0];
            requestMessage.Nonce       = WebOperations.RandomString();
            requestMessage.State       = WebOperations.RandomString();
            requestMessage.Validate();

            rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
            semaphore.WaitOne();
            OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

            OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();

            tokenRequestMessage.Scope        = response.Scope;
            tokenRequestMessage.State        = response.State;
            tokenRequestMessage.Code         = response.Code;
            tokenRequestMessage.ClientId     = clientInformation.ClientId;
            tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
            tokenRequestMessage.GrantType    = "authorization_code";
            tokenRequestMessage.RedirectUri  = clientInformation.RedirectUris[0];

            X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            X509Certificate2 encCert  = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
            List <OIDCKey>   myKeys   = KeyManager.GetKeysJwkList(signCert, encCert);

            // when
            OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);

            // then
            Assert.NotNull(tokenResponse.IdToken);
            OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);

            idToken.Validate();
        }