public async Task OnGeneratingClaims_AddsRedirectUriIfPresentOnTheRequest()
        {
            // Arrange
            var expectedRedirectUri = "http://wwww.example.com/callback";
            var context             = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage()
            {
                RedirectUri = expectedRedirectUri
            },
                new RequestGrants());

            var options = new IdentityServiceOptions()
            {
                Issuer = "http://www.example.com/Identity"
            };
            var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));

            context.InitializeForToken(TokenTypes.AuthorizationCode);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            // Assert
            Assert.Single(
                context.CurrentClaims,
                c => c.Type.Equals(IdentityServiceClaimTypes.RedirectUri, StringComparison.Ordinal) &&
                c.Value.Equals(expectedRedirectUri));
        }
        public async Task OnGeneratingClaims_AddsIssuerForAccessTokenAndIdToken(string tokenType)
        {
            // Arrange
            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage(),
                new RequestGrants());

            var options = new IdentityServiceOptions()
            {
                Issuer = "http://www.example.com/Identity"
            };
            var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));

            context.InitializeForToken(tokenType);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            // Assert
            Assert.Single(
                context.CurrentClaims,
                c => c.Type.Equals(IdentityServiceClaimTypes.Issuer, StringComparison.Ordinal));
        }
Пример #3
0
        public async Task OnGeneratingClaims_AddsCustomScopesFromRequest_ToAccessTokenOnTokenRequest()
        {
            // Arrange
            var applicationScopes = new List <ApplicationScope> {
                ApplicationScope.OpenId,
                new ApplicationScope("resourceId", "custom"),
                new ApplicationScope("resourceId", "custom2")
            };

            var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId;

            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage()
            {
                ClientId = "clientId"
            },
                new RequestGrants()
            {
                Scopes = applicationScopes.ToList(),
                // This is just to prove that we always pick the values for the scope related claims
                // from the set of granted scopes (for access tokens).
                Claims = new List <Claim>
                {
                    new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"),
                    new Claim(IdentityServiceClaimTypes.Scope, "custom3")
                }
            });

            var claimsProvider = new ScopesTokenClaimsProvider();

            context.InitializeForToken(TokenTypes.AccessToken);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            var claims = context.CurrentClaims;

            // Assert
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("custom custom2"));
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Audience) && c.Value.Equals("resourceId"));
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.AuthorizedParty) && c.Value.Equals("clientId"));
        }
Пример #4
0
        public async Task OnGeneratingClaims_AddsAllScopesFromGrantClaims_ToRefreshTokenOnTokenRequest()
        {
            // Arrange
            // This is just to prove that we always transfer the scope and resource claims from the grant
            // into the refresh token untouched.
            var applicationScopes = new List <ApplicationScope>
            {
                ApplicationScope.OpenId,
                new ApplicationScope("resourceId", "custom"),
                new ApplicationScope("resourceId", "custom2")
            };

            var expectedResourceValue = applicationScopes.FirstOrDefault(s => s.ClientId != null)?.ClientId;

            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage()
            {
                ClientId = "clientId"
            },
                new RequestGrants()
            {
                Scopes = applicationScopes.ToList(),
                Claims = new List <Claim>
                {
                    new Claim(IdentityServiceClaimTypes.Resource, "ridClaim"),
                    new Claim(IdentityServiceClaimTypes.Scope, "openid custom3")
                }
            });

            var claimsProvider = new ScopesTokenClaimsProvider();

            context.InitializeForToken(TokenTypes.RefreshToken);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            var claims = context.CurrentClaims;

            // Assert
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Scope) && c.Value.Equals("openid custom3"));
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Resource) && c.Value.Equals("ridClaim"));
        }
        public async Task OnGeneratingClaims_AddsGrantedTokensForRefreshToken()
        {
            // Arrange
            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage(),
                new RequestGrants()
            {
                Tokens = new List <string>
                {
                    TokenTypes.AccessToken,
                    TokenTypes.IdToken,
                    TokenTypes.RefreshToken
                }
            });

            var expectedTokens = new[]
            {
                TokenTypes.AccessToken,
                TokenTypes.IdToken,
                TokenTypes.RefreshToken
            };

            var claimsProvider = new GrantedTokensTokenClaimsProvider();

            context.InitializeForToken(TokenTypes.RefreshToken);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            var granted = context.CurrentClaims
                          .Where(c => c.Type.Equals(IdentityServiceClaimTypes.GrantedToken))
                          .OrderBy(c => c.Value)
                          .Select(c => c.Value)
                          .ToArray();

            // Assert
            Assert.Equal(expectedTokens, granted);
        }
Пример #6
0
        public async Task OnGeneratingClaims_AddsIssuedAtNotBeforeAndExpires_ForAllTokenTypes(
            string tokenType,
            string issuedAt,
            string notBefore,
            string expires)
        {
            // Arrange
            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage {
            },
                new RequestGrants {
            });

            // Reference time
            var reference = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.Zero);

            var timestampManager = new TestTimeStampManager(reference);
            var options          = new IdentityServiceOptions();

            SetTimeStampOptions(options.AuthorizationCodeOptions, 1);
            SetTimeStampOptions(options.AccessTokenOptions, 2);
            SetTimeStampOptions(options.IdTokenOptions, 3);
            SetTimeStampOptions(options.RefreshTokenOptions, 4);

            var claimsProvider = new TimestampsTokenClaimsProvider(timestampManager, Options.Create(options));

            context.InitializeForToken(tokenType);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            var claims = context.CurrentClaims;

            // Assert
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.IssuedAt) && c.Value.Equals(issuedAt));
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.NotBefore) && c.Value.Equals(notBefore));
            Assert.Single(claims, c => c.Type.Equals(IdentityServiceClaimTypes.Expires) && c.Value.Equals(expires));
        }
Пример #7
0
        public async Task OnGeneratingClaims_DoesNothing_IfChallengeNotPresent()
        {
            // Arrange
            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage(new Dictionary <string, string[]>
            {
                [ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" },
            }),
                new RequestGrants());

            context.InitializeForToken(TokenTypes.AuthorizationCode);

            var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider();

            // Act
            await provider.OnGeneratingClaims(context);

            // Assert
            Assert.Empty(context.CurrentClaims);
        }
Пример #8
0
        public async Task OnGeneratingClaims_AddsCodeChallengeAndChallengeMethod_ToTheAuthorizationCode()
        {
            // Arrange
            var context = new TokenGeneratingContext(
                new ClaimsPrincipal(),
                new ClaimsPrincipal(),
                new OpenIdConnectMessage(new Dictionary <string, string[]>
            {
                [ProofOfKeyForCodeExchangeParameterNames.CodeChallenge]       = new[] { "challenge" },
                [ProofOfKeyForCodeExchangeParameterNames.CodeChallengeMethod] = new[] { "S256" },
            }),
                new RequestGrants());

            context.InitializeForToken(TokenTypes.AuthorizationCode);

            var provider = new ProofOfKeyForCodeExchangeTokenClaimsProvider();

            // Act
            await provider.OnGeneratingClaims(context);

            // Assert
            Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallenge && c.Value == "challenge");
            Assert.Contains(context.CurrentClaims, c => c.Type == IdentityServiceClaimTypes.CodeChallengeMethod && c.Value == "S256");
        }
        public async Task OnGeneratingClaims_MapsClaimsFromUsersApplicationsAndAmbient(string tokenType)
        {
            // Arrange
            var expectedClaims = new List <Claim>
            {
                new Claim("user-single", "us"),
                new Claim("user-single-claim", "usa"),
                new Claim("user-multiple", "um1"),
                new Claim("user-multiple", "um2"),
                new Claim("user-multiple-claim", "uma1"),
                new Claim("user-multiple-claim", "uma2"),
                new Claim("application-single", "as"),
                new Claim("application-single-claim", "asa"),
                new Claim("application-multiple", "am1"),
                new Claim("application-multiple", "am2"),
                new Claim("application-multiple-claim", "ama1"),
                new Claim("application-multiple-claim", "ama2"),
                new Claim("context-single", "cs"),
                new Claim("context-single-claim", "csa"),
                new Claim("context-multiple", "cm1"),
                new Claim("context-multiple", "cm2"),
                new Claim("context-multiple-claim", "cma1"),
                new Claim("context-multiple-claim", "cma2"),
            };

            var user = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>
            {
                new Claim("user-single", "us"),
                new Claim("user-single-aliased", "usa"),
                new Claim("user-multiple", "um1"),
                new Claim("user-multiple", "um2"),
                new Claim("user-multiple-aliased", "uma1"),
                new Claim("user-multiple-aliased", "uma2"),
            }));

            var application = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>
            {
                new Claim("application-single", "as"),
                new Claim("application-single-aliased", "asa"),
                new Claim("application-multiple", "am1"),
                new Claim("application-multiple", "am2"),
                new Claim("application-multiple-aliased", "ama1"),
                new Claim("application-multiple-aliased", "ama2"),
            }));

            var context = new TokenGeneratingContext(
                user,
                application,
                new OpenIdConnectMessage(),
                new RequestGrants());

            context.AmbientClaims.Add(new Claim("context-single", "cs"));
            context.AmbientClaims.Add(new Claim("context-single-aliased", "csa"));
            context.AmbientClaims.Add(new Claim("context-multiple", "cm1"));
            context.AmbientClaims.Add(new Claim("context-multiple", "cm2"));
            context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma1"));
            context.AmbientClaims.Add(new Claim("context-multiple-aliased", "cma2"));

            var options = new IdentityServiceOptions()
            {
                Issuer = "http://www.example.com/Identity"
            };

            CreateTestMapping(options.AuthorizationCodeOptions);
            CreateTestMapping(options.AccessTokenOptions);
            CreateTestMapping(options.IdTokenOptions);
            CreateTestMapping(options.RefreshTokenOptions);

            var claimsProvider = new DefaultTokenClaimsProvider(Options.Create(options));

            context.InitializeForToken(tokenType);

            // Act
            await claimsProvider.OnGeneratingClaims(context);

            var claims = context.CurrentClaims.Where(c =>
                                                     c.Type != IdentityServiceClaimTypes.Issuer &&
                                                     c.Type != IdentityServiceClaimTypes.TokenUniqueId).ToList();

            // Assert
            Assert.Equal(expectedClaims.Count, claims.Count);
            foreach (var claim in expectedClaims)
            {
                Assert.Contains(claims, c => c.Type.Equals(claim.Type) && c.Value.Equals(claim.Value));
            }
        }