/// <summary> /// Signs JWT token using the private key and returns the serialized assertion. /// </summary> /// <param name="payload">the JWT payload to sign.</param> private string CreateAssertionFromPayload(JsonWebSignature.Payload payload) { string serializedHeader = CreateSerializedHeader(); string serializedPayload = NewtonsoftJsonSerializer.Instance.Serialize(payload); var assertion = new StringBuilder(); assertion.Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedHeader)) .Append('.') .Append(TokenEncodingHelpers.UrlSafeBase64Encode(serializedPayload)); var signature = CreateSignature(Encoding.ASCII.GetBytes(assertion.ToString())); assertion.Append('.').Append(TokenEncodingHelpers.UrlSafeEncode(signature)); return(assertion.ToString()); }
public async Task FetchesOidcToken_CorrectPayloadSent() { // A little bit after the tokens returned from OidcTokenFakes were issued. var clock = new MockClock(new DateTime(2020, 5, 13, 15, 0, 0, 0, DateTimeKind.Utc)); var messageHandler = new OidcTokenResponseSuccessMessageHandler(); var initializer = new ServiceAccountCredential.Initializer("MyId", "http://will.be.ignored") { Clock = clock, ProjectId = "a_project_id", HttpClientFactory = new MockHttpClientFactory(messageHandler) }; var credential = new ServiceAccountCredential(initializer.FromPrivateKey(PrivateKey)); var expectedPayload = new JsonWebSignature.Payload { Issuer = "MyId", Subject = "MyId", Audience = GoogleAuthConsts.OidcTokenUrl, IssuedAtTimeSeconds = (long)(clock.UtcNow - UnixEpoch).TotalSeconds, ExpirationTimeSeconds = (long)(clock.UtcNow.Add(JwtLifetime) - UnixEpoch).TotalSeconds, TargetAudience = "any_audience" }; var serializedExpectedPayload = NewtonsoftJsonSerializer.Instance.Serialize(expectedPayload); var urlSafeEncodedExpectedPayload = TokenEncodingHelpers.UrlSafeBase64Encode(serializedExpectedPayload); var oidcToken = await credential.GetOidcTokenAsync(OidcTokenOptions.FromTargetAudience("any_audience")); await oidcToken.GetAccessTokenAsync(); var requestFormDict = messageHandler.LatestRequestContent.Split('&') .ToDictionary(entry => entry.Split('=')[0], entry => entry.Split('=')[1]); var assertion = requestFormDict["assertion"]; // Assertion format shoould be headers.payload.signature var encodedPayload = assertion.Split('.')[1]; Assert.Contains(urlSafeEncodedExpectedPayload, encodedPayload); }