/// <summary>
/// Adds the body parameters and HTTP headers shared by every token request to <c>_oAuth2Client</c>.
/// Body, in order: client_id, client_info, the client-credential parameters (only when a credential
/// is configured), scope, claims, the caller's extra parameters, then the authentication scheme's
/// parameters. Headers: current-request telemetry, last-request telemetry (gated by
/// <c>_requestInProgress</c>) and the PKeyAuth capability header where the OS supports it.
/// </summary>
/// <param name="additionalBodyParameters">Flow-specific body parameters appended after the common ones; enumerated, so must not be null.</param>
/// <param name="scopes">Space-separated scopes sent as the <c>scope</c> parameter.</param>
private void AddBodyParamsAndHeaders(IDictionary<string, string> additionalBodyParameters, string scopes)
{
    string clientId = _requestParams.AppConfig.ClientId;

    _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, clientId);
    _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");

    // Confidential clients prove their identity here. These parameters are derived from the
    // configured credential, so they belong only in the body of the token-endpoint request.
    var clientCredential = _requestParams.ClientCredential;
    if (clientCredential != null)
    {
        AppendAll(ClientCredentialHelper.CreateClientCredentialBodyParameters(
            _requestParams.RequestContext.Logger,
            _serviceBundle.PlatformProxy.CryptographyManager,
            clientCredential,
            clientId,
            _requestParams.Endpoints,
            _requestParams.SendX5C));
    }

    _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
    _oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);

    AppendAll(additionalBodyParameters);
    AppendAll(_requestParams.AuthenticationScheme.GetTokenRequestParams());

    var telemetry = _serviceBundle.HttpTelemetryManager;
    _oAuth2Client.AddHeader(
        TelemetryConstants.XClientCurrentTelemetry,
        telemetry.GetCurrentRequestHeader(_requestParams.RequestContext.ApiEvent));

    // The last-request telemetry header is only added while the flag is clear; the flag is
    // set before the header so a second pass through this method does not add it again.
    if (!_requestInProgress)
    {
        _requestInProgress = true;
        _oAuth2Client.AddHeader(TelemetryConstants.XClientLastTelemetry, telemetry.GetLastRequestHeader());
    }

    // Advertises to the server that this client can answer a PKeyAuth (device auth) challenge.
    if (DeviceAuthHelper.CanOSPerformPKeyAuth())
    {
        _oAuth2Client.AddHeader(PKeyAuthConstants.DeviceAuthHeaderName, PKeyAuthConstants.DeviceAuthHeaderValue);
    }

    // Copies each pair into the request body, preserving enumeration order.
    void AppendAll(IEnumerable<KeyValuePair<string, string>> pairs)
    {
        foreach (var pair in pairs)
        {
            _oAuth2Client.AddBodyParameter(pair.Key, pair.Value);
        }
    }
}
/// <summary>
/// Adds the common token-request body parameters and the telemetry headers to <c>_oAuth2Client</c>.
/// The client-credential block is compiled only for the DESKTOP, NETSTANDARD1_3 and NET_CORE
/// targets; on any other target a configured <c>ClientCredential</c> is not sent at all.
/// </summary>
/// <param name="additionalBodyParameters">Flow-specific body parameters appended after the common ones; enumerated, so must not be null.</param>
/// <param name="scopes">Space-separated scopes sent as the <c>scope</c> parameter.</param>
private void AddBodyParamsAndHeaders(IDictionary<string, string> additionalBodyParameters, string scopes)
{
    var client = _oAuth2Client;
    var request = _requestParams;

    client.AddBodyParameter(OAuth2Parameter.ClientId, request.ClientId);
    client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");

#if DESKTOP || NETSTANDARD1_3 || NET_CORE
    // Confidential-client proof of identity, derived from the configured credential; body only.
    if (request.ClientCredential != null)
    {
        Dictionary<string, string> credentialParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
            request.RequestContext.Logger,
            _serviceBundle.PlatformProxy.CryptographyManager,
            request.ClientCredential,
            request.ClientId,
            request.Endpoints,
            request.SendX5C);

        foreach (KeyValuePair<string, string> parameter in credentialParameters)
        {
            client.AddBodyParameter(parameter.Key, parameter.Value);
        }
    }
#endif

    client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
    client.AddBodyParameter(OAuth2Parameter.Claims, request.ClaimsAndClientCapabilities);

    foreach (KeyValuePair<string, string> extra in additionalBodyParameters)
    {
        client.AddBodyParameter(extra.Key, extra.Value);
    }

    foreach (var schemeParameter in request.AuthenticationScheme.GetTokenRequestParams())
    {
        client.AddBodyParameter(schemeParameter.Key, schemeParameter.Value);
    }

    client.AddHeader(
        TelemetryConstants.XClientCurrentTelemetry,
        _serviceBundle.HttpTelemetryManager.GetCurrentRequestHeader(request.RequestContext.ApiEvent));

    // Last-request telemetry goes out only while the flag is still clear.
    if (_requestInProgress)
    {
        return;
    }

    _requestInProgress = true;
    client.AddHeader(
        TelemetryConstants.XClientLastTelemetry,
        _serviceBundle.HttpTelemetryManager.GetLastRequestHeader());
}
/// <summary>
/// Checks that <c>ValidateClientAssertion</c> accepts a cached assertion whose <c>ValidTo</c>
/// lies a full JWT lifetime ahead, and rejects the same assertion once <c>ValidTo</c> is set to now.
/// </summary>
public void ClientAssertionRequestValidatorExpirationTimeTest()
{
    var cached = ClientCredentialWrapper.CreateWithSecret(TestConstants.ClientSecret);
    cached.Audience = _audience1;
    cached.ContainsX5C = false;
    cached.CachedAssertion = TestConstants.DefaultClientAssertion;
    cached.ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));

    // Still within its lifetime: the cached assertion is reusable.
    Assert.IsTrue(ClientCredentialHelper.ValidateClientAssertion(cached, _audience1, false));

    // Expiry moved to "now": the validator must treat the cached assertion as expired.
    cached.ValidTo = ConvertToTimeT(DateTime.UtcNow);
    Assert.IsFalse(ClientCredentialHelper.ValidateClientAssertion(cached, _audience1, false));
}
/// <summary>
/// Checks that <c>ValidateClientAssertion</c> accepts a cached assertion whose <c>ValidTo</c>
/// lies a full JWT lifetime ahead, and rejects the same assertion once <c>ValidTo</c> is set to now.
/// </summary>
public void ClientAssertionRequestValidatorExpirationTimeTest()
{
    const string audience = "Audience1";

    var credential = new ClientCredentialWrapper(MsalTestConstants.ClientSecret);
    credential.Audience = audience;
    credential.ContainsX5C = false;
    credential.Assertion = MsalTestConstants.DefaultClientAssertion;
    credential.ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));

    // Still within its lifetime: the cached assertion is reusable.
    Assert.IsTrue(IsCachedAssertionValid());

    // Expiry moved to "now": the validator must treat the cached assertion as expired.
    credential.ValidTo = ConvertToTimeT(DateTime.UtcNow);
    Assert.IsFalse(IsCachedAssertionValid());

    // Builds a fresh endpoints object per call, as the inline assertions did.
    bool IsCachedAssertionValid() =>
        ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, audience), false);
}
/// <summary>
/// Checks that a cached client assertion is only reused when audience and x5c setting both match
/// the request, and never when no assertion is cached. Every validation is performed against an
/// endpoints object for <c>Audience1</c>.
/// </summary>
public void ClientAssertionRequestValidatorMismatchParameterTest()
{
    const string audience1 = "Audience1";
    const string audience2 = "Audience2";

    var credential = new ClientCredentialWrapper(MsalTestConstants.ClientSecret)
    {
        Audience = audience1,
        ContainsX5C = false,
        Assertion = MsalTestConstants.DefaultClientAssertion,
        ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds))
    };

    // Matching audience, no x5c: the cached assertion is reusable.
    Assert.IsTrue(ValidatesForAudience1());

    // Cached for a different audience: must not be reused.
    credential.Audience = audience2;
    Assert.IsFalse(ValidatesForAudience1());

    // Same audience but cached with x5c: must not be reused.
    credential.Audience = audience1;
    credential.ContainsX5C = true;
    Assert.IsFalse(ValidatesForAudience1());

    // Both audience and x5c differ: must not be reused.
    credential.Audience = audience2;
    Assert.IsFalse(ValidatesForAudience1());

    // Nothing cached at all: must report invalid.
    credential.Assertion = "";
    Assert.IsFalse(ValidatesForAudience1());

    // Builds a fresh endpoints object per call, as the inline assertions did.
    bool ValidatesForAudience1() =>
        ClientCredentialHelper.ValidateClientAssertion(credential, new AuthorityEndpoints(null, null, audience1), false);
}
/// <summary>
/// Checks that a cached client assertion is only reused when audience and x5c setting both match
/// the request, and never when no assertion is cached. Every validation is performed against
/// <c>_audience1</c>.
/// </summary>
public void ClientAssertionRequestValidatorMismatchParameterTest()
{
    var cached = ClientCredentialWrapper.CreateWithSecret(TestConstants.ClientSecret);
    cached.Audience = _audience1;
    cached.ContainsX5C = false;
    cached.CachedAssertion = TestConstants.DefaultClientAssertion;
    cached.ValidTo = ConvertToTimeT(DateTime.UtcNow + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));

    // Matching audience, no x5c: the cached assertion is reusable.
    Assert.IsTrue(IsValidForAudience1());

    // Cached for a different audience: must not be reused.
    cached.Audience = _audience2;
    Assert.IsFalse(IsValidForAudience1());

    // Same audience but cached with x5c: must not be reused.
    cached.Audience = _audience1;
    cached.ContainsX5C = true;
    Assert.IsFalse(IsValidForAudience1());

    // Both audience and x5c differ: must not be reused.
    cached.Audience = _audience2;
    Assert.IsFalse(IsValidForAudience1());

    // Nothing cached at all: must report invalid.
    cached.CachedAssertion = "";
    Assert.IsFalse(IsValidForAudience1());

    bool IsValidForAudience1() =>
        ClientCredentialHelper.ValidateClientAssertion(cached, _audience1, false);
}
/// <summary>
/// Adds the body parameters and HTTP headers shared by every token request to <c>_oAuth2Client</c>.
/// Body, in order: client_id, client_info, the client-credential parameters (only when a credential
/// is configured), scope, the Kerberos ticket claim (when applicable), the caller's extra parameters,
/// then the authentication scheme's parameters. Headers: current-request telemetry, last-request
/// telemetry (gated by <c>_requestInProgress</c>), the PKeyAuth capability header where the OS
/// supports it, and finally whatever <c>AddExtraHttpHeaders</c> contributes.
/// </summary>
/// <param name="additionalBodyParameters">Flow-specific body parameters appended after the common ones; enumerated, so must not be null.</param>
/// <param name="scopes">Space-separated scopes sent as the <c>scope</c> parameter.</param>
private void AddBodyParamsAndHeaders(IDictionary<string, string> additionalBodyParameters, string scopes)
{
    var request = _requestParams;
    string clientId = request.AppConfig.ClientId;

    _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, clientId);
    _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");

    // Confidential clients prove their identity here. These parameters are derived from the
    // configured credential, so they belong only in the body of the token-endpoint request.
    if (request.ClientCredential != null)
    {
        Dictionary<string, string> credentialParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
            request.RequestContext.Logger,
            _serviceBundle.PlatformProxy.CryptographyManager,
            request.ClientCredential,
            clientId,
            request.Endpoints,
            request.SendX5C);

        foreach (KeyValuePair<string, string> parameter in credentialParameters)
        {
            _oAuth2Client.AddBodyParameter(parameter.Key, parameter.Value);
        }
    }

    _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);

    // Kerberos ticket claim: added only when the configuration holds a valid service principal
    // name. For security reasons this claim may appear only on the token request, never on the
    // authorize request.
    KerberosSupplementalTicketManager.AddKerberosTicketClaim(_oAuth2Client, request);

    foreach (KeyValuePair<string, string> extra in additionalBodyParameters)
    {
        _oAuth2Client.AddBodyParameter(extra.Key, extra.Value);
    }

    foreach (var schemeParameter in request.AuthenticationScheme.GetTokenRequestParams())
    {
        _oAuth2Client.AddBodyParameter(schemeParameter.Key, schemeParameter.Value);
    }

    _oAuth2Client.AddHeader(
        TelemetryConstants.XClientCurrentTelemetry,
        _serviceBundle.HttpTelemetryManager.GetCurrentRequestHeader(request.RequestContext.ApiEvent));

    // Last-request telemetry is added only while the flag is clear; the flag is set first so a
    // second pass through this method does not add the header again.
    if (!_requestInProgress)
    {
        _requestInProgress = true;
        _oAuth2Client.AddHeader(
            TelemetryConstants.XClientLastTelemetry,
            _serviceBundle.HttpTelemetryManager.GetLastRequestHeader());
    }

    // Advertises to the server that this client can answer a PKeyAuth (device auth) challenge.
    if (DeviceAuthHelper.CanOSPerformPKeyAuth())
    {
        _oAuth2Client.AddHeader(PKeyAuthConstants.DeviceAuthHeaderName, PKeyAuthConstants.DeviceAuthHeaderValue);
    }

    AddExtraHttpHeaders();
}
/// <summary>
/// Builds the token request body (client_id, client_info, client-credential parameters where
/// compiled in, scope, claims, caller-supplied and authentication-scheme parameters), posts it to
/// the token endpoint and returns the parsed response after checking its token type.
/// </summary>
/// <param name="additionalBodyParameters">Flow-specific body parameters appended after the common ones; enumerated, so must not be null.</param>
/// <param name="scopeOverride">When non-empty, sent verbatim as <c>scope</c>; otherwise the request's default scopes are used.</param>
/// <param name="tokenEndpointOverride">When non-null, replaces the token endpoint taken from the request's authority endpoints.</param>
/// <param name="cancellationToken">Accepted but currently not forwarded; see the note in the body.</param>
/// <returns>The token response from the endpoint.</returns>
/// <exception cref="MsalClientException">
/// Thrown with <c>MsalError.TokenTypeMismatch</c> when the returned token type differs
/// (case-insensitively) from the type the authentication scheme requested.
/// </exception>
public async Task<MsalTokenResponse> SendTokenRequestAsync(
    IDictionary<string, string> additionalBodyParameters,
    string scopeOverride = null,
    string tokenEndpointOverride = null,
    CancellationToken cancellationToken = default)
{
    // NOTE(review): cancellationToken is never passed to SendHttpMessageAsync, so the HTTP call
    // cannot be cancelled through it — confirm whether an overload accepting a token exists.
    string endpoint = tokenEndpointOverride ?? _requestParams.Endpoints.TokenEndpoint;
    string scopes = string.IsNullOrEmpty(scopeOverride)
        ? GetDefaultScopes(_requestParams.Scope)
        : scopeOverride;

    AddBodyParameters(scopes);

    MsalTokenResponse response = await SendHttpMessageAsync(endpoint).ConfigureAwait(false);

    // The scheme asked for a specific access-token type; a response carrying a different type is
    // rejected rather than handed to the caller.
    string expectedTokenType = _requestParams.AuthenticationScheme.AccessTokenType;
    if (!string.Equals(response.TokenType, expectedTokenType, StringComparison.OrdinalIgnoreCase))
    {
        throw new MsalClientException(
            MsalError.TokenTypeMismatch,
            MsalErrorMessage.TokenTypeMismatch(expectedTokenType, response.TokenType));
    }

    return response;

    // Adds every body parameter in the order the server receives them.
    void AddBodyParameters(string scope)
    {
        _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.ClientId);
        _oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");

#if DESKTOP || NETSTANDARD1_3 || NET_CORE
        // Confidential-client proof of identity, derived from the configured credential. Only
        // compiled for these targets; elsewhere a configured credential is not sent.
        if (_requestParams.ClientCredential != null)
        {
            Dictionary<string, string> credentialParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
                _requestParams.RequestContext.Logger,
                _serviceBundle.PlatformProxy.CryptographyManager,
                _requestParams.ClientCredential,
                _requestParams.ClientId,
                _requestParams.Endpoints,
                _requestParams.SendX5C);

            foreach (KeyValuePair<string, string> parameter in credentialParameters)
            {
                _oAuth2Client.AddBodyParameter(parameter.Key, parameter.Value);
            }
        }
#endif

        _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scope);
        _oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);

        foreach (KeyValuePair<string, string> extra in additionalBodyParameters)
        {
            _oAuth2Client.AddBodyParameter(extra.Key, extra.Value);
        }

        foreach (var schemeParameter in _requestParams.AuthenticationScheme.GetTokenRequestParams())
        {
            _oAuth2Client.AddBodyParameter(schemeParameter.Key, schemeParameter.Value);
        }
    }
}