public async Task Sliding_Expiration_within_absolute_Expiration()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
var refreshToken = await store.GetAsync(handle);
var lifetime = refreshToken.LifeTime;
await Task.Delay(1000);
var newHandle = await service.UpdateRefreshTokenAsync(refreshToken, client);
var newRefreshToken = await store.GetAsync(newHandle);
var newLifetime = newRefreshToken.LifeTime;
Assert.AreEqual(newLifetime, client.SlidingRefreshTokenLifetime + 1);
}
public async Task Sliding_Expiration_does_not_exceed_absolute_Expiration()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
var refreshToken = await store.GetAsync(handle);
var lifetime = refreshToken.LifeTime;
await Task.Delay(8000);
var newHandle = await service.UpdateRefreshTokenAsync(handle, refreshToken, client);
var newRefreshToken = await store.GetAsync(newHandle);
var newLifetime = newRefreshToken.LifeTime;
newLifetime.Should().Be(client.AbsoluteRefreshTokenLifetime);
}
public async Task JWT_Token_with_scopes_have_expected_claims(bool flag)
{
var options = TestIdentityServerOptions.Create();
options.EmitScopesAsSpaceDelimitedStringInJwt = flag;
var signer = Factory.CreateDefaultTokenCreator(options);
var jwt = await signer.CreateTokenAsync(TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeFalse();
result.Jwt.Should().NotBeNullOrEmpty();
result.Client.ClientId.Should().Be("roclient");
result.Claims.Count().Should().Be(9);
var scopes = result.Claims.Where(c => c.Type == "scope").Select(c => c.Value).ToArray();
scopes.Count().Should().Be(2);
scopes[0].Should().Be("read");
scopes[1].Should().Be("write");
}
public async Task Valid_Reference_Token()
{
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
var handle = await store.StoreReferenceTokenAsync(token);
var result = await validator.ValidateAccessTokenAsync(handle);
result.IsError.Should().BeFalse();
result.Claims.Count().Should().Be(9);
result.Claims.First(c => c.Type == JwtClaimTypes.ClientId).Value.Should().Be("roclient");
var claimTypes = result.Claims.Select(c => c.Type).ToList();
claimTypes.Should().Contain("iss");
claimTypes.Should().Contain("aud");
claimTypes.Should().Contain("iat");
claimTypes.Should().Contain("nbf");
claimTypes.Should().Contain("exp");
claimTypes.Should().Contain("client_id");
claimTypes.Should().Contain("sub");
claimTypes.Should().Contain("scope");
}
public async Task Valid_JWT_Token()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var jwt = await signer.SignTokenAsync(TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
Assert.IsFalse(result.IsError);
}
public async Task Valid_JWT_Token()
{
var signer = Factory.CreateDefaultTokenCreator();
var jwt = await signer.CreateTokenAsync(TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write"));
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeFalse();
}
public async Task JWT_Token_invalid_Audience()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var token = TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write");
token.Audience = "invalid";
var jwt = await signer.SignTokenAsync(token);
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.ProtectedResourceErrors.InvalidToken, result.Error);
}
public async Task Valid_AccessToken_but_Client_not_active()
{
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken("unknown", "valid", 600, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
var result = await validator.ValidateAccessTokenAsync("123");
Assert.IsTrue(result.IsError);
}
public async Task Valid_Reference_Token_with_required_Scope()
{
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
var result = await validator.ValidateAccessTokenAsync("123", "read");
Assert.IsFalse(result.IsError);
}
public async Task Valid_Reference_Token_with_required_Scope()
{
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
var handle = await store.StoreReferenceTokenAsync(token);
var result = await validator.ValidateAccessTokenAsync(handle, "read");
result.IsError.Should().BeFalse();
}
public async Task Valid_AccessToken_but_Client_not_active()
{
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "unknown"
}, "valid", 600, "read", "write");
var handle = await store.StoreReferenceTokenAsync(token);
var result = await validator.ValidateAccessTokenAsync(handle);
result.IsError.Should().BeTrue();
}
public async Task Valid_Reference_Token_with_missing_Scope()
{
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
var result = await validator.ValidateAccessTokenAsync("123", "missing");
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.ProtectedResourceErrors.InsufficientScope, result.Error);
}
public async Task ReUse_Handle_reuses_Handle()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_absolute_refresh_expiration_reuse");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
var newHandle = await service.UpdateRefreshTokenAsync(await store.GetAsync(handle), client);
Assert.AreEqual(handle, newHandle);
}
public async Task OneTime_Handle_creates_new_Handle()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_absolute_refresh_expiration_one_time_only");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
var newHandle = await service.UpdateRefreshTokenAsync(handle, await store.GetAsync(handle), client);
newHandle.Should().NotBe(handle);
}
public async Task Valid_Reference_Token_with_missing_Scope()
{
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
var handle = await store.StoreReferenceTokenAsync(token);
var result = await validator.ValidateAccessTokenAsync(handle, "missing");
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.ProtectedResourceErrors.InsufficientScope);
}
public async Task JWT_Token_invalid_Audience()
{
var signer = Factory.CreateDefaultTokenCreator();
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
token.Audience = "invalid";
var jwt = await signer.CreateTokenAsync(token);
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.ProtectedResourceErrors.InvalidToken);
}
public async Task Valid_Reference_Token()
{
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken("roclient", "valid", 600, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
var result = await validator.ValidateAccessTokenAsync("123");
Assert.IsFalse(result.IsError);
Assert.AreEqual(8, result.Claims.Count());
Assert.AreEqual("roclient", result.Claims.First(c => c.Type == Constants.ClaimTypes.ClientId).Value);
}
public async Task JWT_Token_invalid_Issuer()
{
var signer = new DefaultTokenSigningService(TestIdentityServerOptions.Create());
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
token.Issuer = "invalid";
var jwt = await signer.SignTokenAsync(token);
var validator = Factory.CreateTokenValidator(null);
var result = await validator.ValidateAccessTokenAsync(jwt);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.ProtectedResourceErrors.InvalidToken);
}
public async Task Valid_Reference_Token()
{
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 600, "read", "write");
var handle = await store.StoreReferenceTokenAsync(token);
var result = await validator.ValidateAccessTokenAsync(handle);
result.IsError.Should().BeFalse();
result.Claims.Count().Should().Be(8);
result.Claims.First(c => c.Type == JwtClaimTypes.ClientId).Value.Should().Be("roclient");
}
public async Task Expired_Reference_Token()
{
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken("roclient", "valid", 2, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
await Task.Delay(2000);
var result = await validator.ValidateAccessTokenAsync("123");
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.ProtectedResourceErrors.ExpiredToken, result.Error);
}
public async Task Valid_AccessToken_but_User_not_active()
{
var mock = new Mock <IUserService>();
mock.Setup(u => u.IsActiveAsync(It.IsAny <ClaimsPrincipal>())).Returns(Task.FromResult(false));
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(tokenStore: store, users: mock.Object);
var token = TokenFactory.CreateAccessToken("roclient", "invalid", 600, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
var result = await validator.ValidateAccessTokenAsync("123");
result.IsError.Should().BeTrue();
}
public async Task Expired_Reference_Token()
{
now = DateTimeOffset.UtcNow;
var store = new InMemoryTokenHandleStore();
var validator = Factory.CreateTokenValidator(store);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 2, "read", "write");
var handle = "123";
await store.StoreAsync(handle, token);
now = now.AddMilliseconds(2000);
var result = await validator.ValidateAccessTokenAsync("123");
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.ProtectedResourceErrors.ExpiredToken);
}
public async Task Expired_Reference_Token()
{
now = DateTime.UtcNow;
var store = Factory.CreateReferenceTokenStore();
var validator = Factory.CreateTokenValidator(store, clock: _clock);
var token = TokenFactory.CreateAccessToken(new Client {
ClientId = "roclient"
}, "valid", 2, "read", "write");
token.CreationTime = now;
var handle = await store.StoreReferenceTokenAsync(token);
now = now.AddSeconds(3);
var result = await validator.ValidateAccessTokenAsync(handle);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.ProtectedResourceErrors.ExpiredToken);
}
public async Task Create_Refresh_Token_Absolute_Lifetime()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_absolute_refresh_expiration_one_time_only");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
// make sure a handle is returned
Assert.IsFalse(string.IsNullOrWhiteSpace(handle));
// make sure refresh token is in store
var refreshToken = await store.GetAsync(handle);
Assert.IsNotNull(refreshToken);
// check refresh token values
Assert.AreEqual(refreshToken.ClientId, client.ClientId);
Assert.AreEqual(refreshToken.LifeTime, client.AbsoluteRefreshTokenLifetime);
}
public async Task Create_Refresh_Token_Sliding_Lifetime()
{
var store = new InMemoryRefreshTokenStore();
var service = new DefaultRefreshTokenService(store);
var client = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");
var handle = await service.CreateRefreshTokenAsync(token, client);
// make sure a handle is returned
string.IsNullOrWhiteSpace(handle).Should().BeFalse();
// make sure refresh token is in store
var refreshToken = await store.GetAsync(handle);
refreshToken.Should().NotBeNull();
// check refresh token values
client.ClientId.Should().Be(refreshToken.ClientId);
client.SlidingRefreshTokenLifetime.Should().Be(refreshToken.LifeTime);
}
public virtual async Task <string> GenerateAccessToken(T entity)
{
var entityType = entity.GetType();
(byte[], string)? tokenData = null;
if (entityType.IsAssignableTo(typeof(Doctor)))
{
tokenData = TokenFactory.CreateAccessToken(Roles.Doctor, entity.Id);
}
else if (entityType.IsAssignableTo(typeof(Assistant)))
{
tokenData = TokenFactory.CreateAccessToken(Roles.Assistant, entity.Id);
}
else
{
throw new InvalidEnumArgumentException();
}
_accessTokens.Add(entity.Id, tokenData.Value.Item1);
return(await Task.FromResult(tokenData.Value.Item2));
}
