public async Task Valid_Code_Request()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Subject = IdentityServerPrincipal.Create("123", "bob"),
Client = client,
RedirectUri = "https://server/cb",
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeFalse();
}
public async Task Client_Trying_To_Request_Token_Using_Another_Clients_Code()
{
var client1 = await _clients.FindClientByIdAsync("codeclient");
var client2 = await _clients.FindClientByIdAsync("codeclient_restricted");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client1,
IsOpenId = true,
RedirectUri = "https://server/cb",
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client2);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}
public async Task Unknown_Grant_Type()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = "https://server/cb",
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, "unknown");
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.TokenErrors.UnsupportedGrantType);
}
public async Task Expired_AuthorizationCode()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = "https://server/cb",
CreationTime = DateTimeOffset.UtcNow.AddSeconds(-100)
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}
public async Task AuthorizationCodeTooLong()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var options = new IdentityServerOptions();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = "https://server/cb",
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var longCode = "x".Repeat(options.InputLengthRestrictions.AuthorizationCode + 1);
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, longCode);
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.TokenErrors.InvalidGrant);
}
public async Task Different_RedirectUri_Between_Authorize_And_Token_Request()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = "https://server1/cb",
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, "valid");
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server2/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.TokenErrors.UnauthorizedClient);
}
public async Task Client_Not_Authorized_For_AuthorizationCode_Flow()
{
var client = await _clients.FindClientByIdAsync("implicitclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = new Uri("https://server/cb"),
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.TokenErrors.UnauthorizedClient, result.Error);
}
public async Task Reused_AuthorizationCode()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Subject = IdentityServerPrincipal.Create("123", "bob"),
Client = client,
IsOpenId = true,
RedirectUri = "https://server/cb",
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
customRequestValidator: new DefaultCustomRequestValidator());
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, "valid");
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
// request first time
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeFalse();
// request second time
validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
customRequestValidator: new DefaultCustomRequestValidator());
result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.TokenErrors.InvalidGrant);
}
public async Task Reused_AuthorizationCode()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = new Uri("https://server/cb"),
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
customRequestValidator: new DefaultCustomRequestValidator());
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
// request first time
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsFalse(result.IsError);
// request second time
validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
customRequestValidator: new DefaultCustomRequestValidator());
result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.TokenErrors.InvalidGrant, result.Error);
}
public async Task Valid_Code_Request_With_CodeVerifier_Sha256()
{
var client = await _clients.FindClientByIdAsync("codewithproofkeyclient");
var store = new InMemoryAuthorizationCodeStore();
var options = new IdentityServerOptions();
var codeVerifier = "x".Repeat(options.InputLengthRestrictions.CodeChallengeMinLength);
var codeVerifierBytes = Encoding.ASCII.GetBytes(codeVerifier);
var hashedBytes = codeVerifierBytes.Sha256();
var codeChallenge = Base64Url.Encode(hashedBytes);
var code = new AuthorizationCode
{
Client = client,
Subject = IdentityServerPrincipal.Create("123", "bob"),
RedirectUri = "https://server/cb",
CodeChallenge = codeChallenge.Sha256(),
CodeChallengeMethod = Constants.CodeChallengeMethods.SHA_256,
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
parameters.Add(Constants.TokenRequest.CodeVerifier, codeVerifier);
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeFalse();
}
public async Task Code_Request_with_disabled_User()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var mock = new Mock <IUserService>();
mock.Setup(u => u.IsActiveAsync(It.IsAny <IsActiveContext>())).Callback <IsActiveContext>(ctx =>
{
ctx.IsActive = false;
}).Returns(Task.FromResult(0));
var code = new AuthorizationCode
{
Client = client,
Subject = IdentityServerPrincipal.Create("123", "bob"),
RedirectUri = "https://server/cb",
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
userService: mock.Object);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
}
public async Task Code_Request_PKCE_Transformed_CodeVerifier_Doesnt_Match_CodeChallenge_Sha256(string clientId)
{
var client = await _clients.FindClientByIdAsync(clientId);
var store = new InMemoryAuthorizationCodeStore();
var options = new IdentityServerOptions();
var code = new AuthorizationCode
{
Client = client,
Subject = IdentityServerPrincipal.Create("123", "bob"),
RedirectUri = "https://server/cb",
CodeChallenge = "x".Repeat(options.InputLengthRestrictions.CodeChallengeMinLength),
CodeChallengeMethod = Constants.CodeChallengeMethods.SHA_256,
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
parameters.Add(Constants.TokenRequest.CodeVerifier, "x".Repeat(options.InputLengthRestrictions.CodeVerifierMinLength) + "doesntmatch");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}
public async Task Valid_Code_Request_with_Refresh_Token()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
RedirectUri = new Uri("https://server/cb"),
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
},
new Scope
{
Name = "offline_access"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsFalse(result.IsError);
}
public async Task Code_Request_with_disabled_User()
{
var client = await _clients.FindClientByIdAsync("codeclient");
var store = new InMemoryAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
Subject = IdentityServerPrincipal.Create("123", "bob"),
RedirectUri = "https://server/cb",
RequestedScopes = new List <Scope>
{
new Scope
{
Name = "openid"
}
}
};
await store.StoreAsync("valid", code);
var validator = Factory.CreateTokenRequestValidator(
authorizationCodeStore: store,
profile: new TestProfileService(shouldBeActive: false));
var parameters = new NameValueCollection();
parameters.Add(OidcConstants.TokenRequest.GrantType, OidcConstants.GrantTypes.AuthorizationCode);
parameters.Add(OidcConstants.TokenRequest.Code, "valid");
parameters.Add(OidcConstants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
result.IsError.Should().BeTrue();
result.Error.Should().Be(OidcConstants.TokenErrors.InvalidRequest);
}
