public async Task Algorithms_supported_should_match_signing_key() { var key = CryptoHelper.CreateECDsaSecurityKey(JsonWebKeyECTypes.P256); var expectedAlgorithm = SecurityAlgorithms.EcdsaSha256; IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.OnPostConfigureServices += services => { // add key to standard RSA key services.AddIdentityServerBuilder() .AddSigningCredential(key, expectedAlgorithm); }; pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration"); var json = await result.Content.ReadAsStringAsync(); var data = JObject.Parse(json); var algorithmsSupported = data["id_token_signing_alg_values_supported"]; algorithmsSupported.Count().Should().Be(2); algorithmsSupported.Values().Should().Contain(SecurityAlgorithms.RsaSha256); algorithmsSupported.Values().Should().Contain(SecurityAlgorithms.EcdsaSha256); }
public async Task Jwks_entries_should_contain_alg() { IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks"); var json = await result.Content.ReadAsStringAsync(); var data = JObject.Parse(json); var keys = data["keys"]; keys.Should().NotBeNull(); var key = keys[0]; key.Should().NotBeNull(); var alg = key["alg"]; alg.Should().NotBeNull(); alg.Value <string>().Should().Be(Constants.SigningAlgorithms.RSA_SHA_256); }
public async Task Jwks_with_ecdsa_should_have_parsable_key(string crv, string alg) { var key = CryptoHelper.CreateECDsaSecurityKey(crv); IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.OnPostConfigureServices += services => { services.AddIdentityServerBuilder() .AddSigningCredential(key, alg); }; pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks"); var json = await result.Content.ReadAsStringAsync(); var jwks = new JsonWebKeySet(json); var parsedKeys = jwks.GetSigningKeys(); var matchingKey = parsedKeys.FirstOrDefault(x => x.KeyId == key.KeyId); matchingKey.Should().NotBeNull(); matchingKey.Should().BeOfType <ECDsaSecurityKey>(); }
public async Task Jwks_with_two_key_using_different_algs_expect_different_alg_values() { var ecdsaKey = CryptoHelper.CreateECDsaSecurityKey(); var rsaKey = CryptoHelper.CreateRsaSecurityKey(); IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.OnPostConfigureServices += services => { services.AddIdentityServerBuilder() .AddSigningCredential(ecdsaKey, "ES256") .AddValidationKey(new SecurityKeyInfo { Key = rsaKey, SigningAlgorithm = "RS256" }); }; pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks"); var json = await result.Content.ReadAsStringAsync(); var jwks = new JsonWebKeySet(json); jwks.Keys.Should().Contain(x => x.KeyId == ecdsaKey.KeyId && x.Alg == "ES256"); jwks.Keys.Should().Contain(x => x.KeyId == rsaKey.KeyId && x.Alg == "RS256"); }
public async Task Issuer_uri_should_be_lowercase() { IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("HTTPS://SERVER/ROOT/.WELL-KNOWN/OPENID-CONFIGURATION"); var json = await result.Content.ReadAsStringAsync(); var data = JsonSerializer.Deserialize <Dictionary <string, JsonElement> >(json); data["issuer"].GetString().Should().Be("https://server/root"); }
public async Task Jwks_entries_should_countain_crv() { var ecdsaKey = CryptoHelper.CreateECDsaSecurityKey(JsonWebKeyECTypes.P256); var parameters = ecdsaKey.ECDsa.ExportParameters(true); IdentityServerPipeline pipeline = new IdentityServerPipeline(); var jsonWebKeyFromECDsa = new JsonWebKey() { Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve, Use = "sig", Kid = ecdsaKey.KeyId, KeyId = ecdsaKey.KeyId, X = Base64UrlEncoder.Encode(parameters.Q.X), Y = Base64UrlEncoder.Encode(parameters.Q.Y), D = Base64UrlEncoder.Encode(parameters.D), Crv = JsonWebKeyECTypes.P256, Alg = SecurityAlgorithms.EcdsaSha256 }; pipeline.OnPostConfigureServices += services => { // add ECDsa as JsonWebKey services.AddIdentityServerBuilder() .AddSigningCredential(jsonWebKeyFromECDsa, SecurityAlgorithms.EcdsaSha256); }; pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("https://server/root/.well-known/openid-configuration/jwks"); var json = await result.Content.ReadAsStringAsync(); var data = JObject.Parse(json); var keys = data["keys"]; keys.Should().NotBeNull(); var key = keys[1]; key.Should().NotBeNull(); var crv = key["crv"]; crv.Should().NotBeNull(); crv.Value <string>().Should().Be(JsonWebKeyECTypes.P256); }
public async Task Issuer_uri_should_be_lowercase() { IdentityServerPipeline pipeline = new IdentityServerPipeline(); pipeline.Initialize("/ROOT"); var result = await pipeline.BackChannelClient.GetAsync("HTTPS://SERVER/ROOT/.WELL-KNOWN/OPENID-CONFIGURATION"); var json = await result.Content.ReadAsStringAsync(); var data = JObject.Parse(json); var issuer = data["issuer"].ToString(); issuer.Should().Be("https://server/root"); }
public async Task unicode_values_in_url_should_be_processed_correctly() { var pipeline = new IdentityServerPipeline(); pipeline.Initialize(); var discoClient = new DiscoveryClient("https://грант.рф", pipeline.Handler); discoClient.Policy.ValidateIssuerName = false; discoClient.Policy.ValidateEndpoints = false; discoClient.Policy.RequireHttps = false; discoClient.Policy.RequireKeySet = false; var result = await discoClient.GetAsync(); result.Issuer.Should().Be("https://грант.рф"); }
public FederatedSignoutTests() { _user = new IdentityServerUser("bob") { AdditionalClaims = { new Claim(JwtClaimTypes.SessionId, "123") } }.CreatePrincipal(); _pipeline = new IdentityServerPipeline(); _pipeline.IdentityScopes.AddRange(new IdentityResource[] { new IdentityResources.OpenId() }); _pipeline.Clients.Add(new Client { ClientId = "client1", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = false, AllowedScopes = new List <string> { "openid" }, RedirectUris = new List <string> { "https://client1/callback" }, FrontChannelLogoutUri = "https://client1/signout", PostLogoutRedirectUris = new List <string> { "https://client1/signout-callback" }, AllowAccessTokensViaBrowser = true }); _pipeline.Users.Add(new TestUser { SubjectId = "bob", Username = "******", Claims = new Claim[] { new Claim("name", "Bob Loblaw"), new Claim("email", "*****@*****.**"), new Claim("role", "Attorney") } }); _pipeline.Initialize(); }
public async Task Unicode_values_in_url_should_be_processed_correctly() { var pipeline = new IdentityServerPipeline(); pipeline.Initialize(); var result = await pipeline.BackChannelClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest { Address = "https://грант.рф", Policy = { ValidateIssuerName = false, ValidateEndpoints = false, RequireHttps = false, RequireKeySet = false } }); result.Issuer.Should().Be("https://грант.рф"); }
public void Init() { _mockPipeline = new IdentityServerPipeline(); _mockPipeline.Clients.AddRange(new Client[] { new Client { ClientId = "client1", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = false, AllowedScopes = new List <string> { "openid", "profile", "aid" }, RedirectUris = new List <string> { "https://client1/callback" }, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 3600, IdentityTokenLifetime = 500 }, new Client { ClientId = "client2", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = true, AllowedScopes = new List <string> { "openid", "profile", "api1", "api2", "aid", "aid_idResource" }, RedirectUris = new List <string> { "https://client2/callback" }, AllowAccessTokensViaBrowser = true, AlwaysIncludeUserClaimsInIdToken = true } }); _mockPipeline.Users.Add(new TestUser { SubjectId = "bob", Username = "******", Claims = new Claim[] { new Claim("name", "Bob Loblaw"), new Claim("email", "*****@*****.**"), new Claim("role", "Attorney") } }); _mockPipeline.IdentityScopes.AddRange(new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile(), new IdentityResources.Email(), new IdentityResource("aid_idResource", new [] { "aid" }) }); _mockPipeline.ApiScopes.AddRange(new ApiResource[] { new ApiResource { Name = "api", Scopes = { new Scope { Name = "api1" }, new Scope { Name = "api2" }, new Scope { Name = "aid", UserClaims = new List <string>() { "aid" } } } } }); _mockPipeline.Initialize(); }
public void Init() { _mockPipeline = new IdentityServerPipeline(); _mockPipeline.Initialize(); }
public void Init() { _mockPipeline = new IdentityServerPipeline(); _mockPipeline.Clients.AddRange(new Client[] { _client1 = new Client { ClientId = "client1", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = false, AllowedScopes = new List <string> { "openid", "profile" }, RedirectUris = new List <string> { "https://client1/callback" }, AllowAccessTokensViaBrowser = true, AccessTokenLifetime = 3600 }, new Client { ClientId = "client2", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = true, AllowedScopes = new List <string> { "openid", "profile", "api1", "api2" }, RedirectUris = new List <string> { "https://client2/callback" }, AllowAccessTokensViaBrowser = true }, new Client { ClientId = "client3", AllowedGrantTypes = GrantTypes.Implicit, RequireConsent = false, AllowedScopes = new List <string> { "openid", "profile", "api1", "api2" }, RedirectUris = new List <string> { "https://client3/callback" }, AllowAccessTokensViaBrowser = true, EnableLocalLogin = false, IdentityProviderRestrictions = new List <string> { "google" } }, new Client { ClientId = "client4", AllowedGrantTypes = GrantTypes.Code, RequireClientSecret = false, RequireConsent = false, AllowedScopes = new List <string> { "openid", "profile", "api1", "api2" }, RedirectUris = new List <string> { "https://client4/callback" }, AccessTokenLifetime = 3600 }, new Client { ClientId = client_id, ClientSecrets = new List <Secret> { new Secret(client_secret.Sha256()) }, AllowedGrantTypes = { GrantType.ClientCredentials, GrantType.ResourceOwnerPassword }, AllowedScopes = new List <string> { "api3" }, AccessTokenLifetime = 3600 } }); _mockPipeline.Users.Add(new TestUser { SubjectId = "bob", Username = "******", Password = "******", Claims = new Claim[] { new Claim("name", "Bob Loblaw"), new Claim("email", "*****@*****.**"), new Claim("role", "Attorney") } }); _mockPipeline.IdentityScopes.AddRange(new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile(), new IdentityResources.Email() }); _mockPipeline.ApiScopes.AddRange(new ApiResource[] { new ApiResource { Name = "api", Scopes = { new Scope { Name = "api1" }, new Scope { Name = "api2" } } }, new ApiResource { Name = "api1", ApiSecrets = new List <Secret> { new Secret(scope_secret.Sha256()) }, Scopes = { new Scope { Name = scope_name } } } }); _mockPipeline.Initialize(); }