/// <summary>
/// Exercises the null-token guard of <c>CreateClaims</c>: a null SAML token must be
/// rejected with an <see cref="ArgumentNullException"/> whose message names "samlToken".
/// </summary>
private void CreateClaims()
{
    var handler = new PublicSamlSecurityTokenHandler();
    var nullTokenRejected = ExpectedException.ArgumentNullException(substringExpected: "samlToken");

    // Only the token is null; issuer and validation parameters are valid so the
    // "samlToken" guard is the one that fires.
    CreateClaims(
        null,
        "issuer",
        new TokenValidationParameters(),
        samlSecurityTokenHandler: handler,
        expectedException: nullTokenRejected);
}
/// <summary>
/// Covers the public surface of <c>SecurityTokenHandlerCollectionExtensions.ValidateToken</c>:
/// argument guards, an empty handler collection, the default handlers, and a collection
/// populated one handler type at a time (SAML 1.1, SAML 2.0, JWT).
/// </summary>
public void SecurityTokenHandlerCollectionExtensions_Publics()
{
    var handlers = new SecurityTokenHandlerCollection();
    string samlToken = IdentityUtilities.CreateSamlToken();
    string saml2Token = IdentityUtilities.CreateSaml2Token();
    string jwt = IdentityUtilities.DefaultAsymmetricJwt;

    // Argument guards: null token, then null validation parameters.
    ValidateToken(null, null, handlers, ExpectedException.ArgumentNullException("Parameter name: securityToken"));
    ValidateToken(samlToken, null, handlers, ExpectedException.ArgumentNullException("Parameter name: validationParameters"));

    // Empty collection with default parameters -> IDX10201.
    var emptyParameters = new TokenValidationParameters();
    ValidateToken(samlToken, emptyParameters, handlers, ExpectedException.SecurityTokenValidationException("IDX10201"));

    // Default handlers with empty parameters -> signature verification fails (ID4037).
    var signatureFailure = ExpectedException.SignatureVerificationFailedException(substringExpected: "ID4037:");
    handlers = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
    ValidateToken(samlToken, emptyParameters, handlers, signatureFailure);

    // SAML 1.1 handler only: same signature failure, success with the asymmetric parameters,
    // and a SAML 2.0 token is still rejected with IDX10201.
    handlers.Clear();
    handlers.Add(new IMSamlTokenHandler());
    ValidateToken(samlToken, emptyParameters, handlers, signatureFailure);
    ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handlers, ExpectedException.NoExceptionExpected);
    ValidateToken(saml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handlers, ExpectedException.SecurityTokenValidationException(substringExpected: "IDX10201:"));

    // With SAML 2.0 and JWT handlers added, the remaining token formats validate.
    handlers.Add(new IMSaml2TokenHandler());
    handlers.Add(new System.IdentityModel.Tokens.JwtSecurityTokenHandler());
    ValidateToken(saml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handlers, ExpectedException.NoExceptionExpected);
    ValidateToken(jwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, handlers, ExpectedException.NoExceptionExpected);
}
/// <summary>
/// Fetches OpenID Connect metadata over HTTP: the well-known endpoint succeeds, an empty
/// address is rejected with an ArgumentNullException, and an unreachable address surfaces as
/// an IOException wrapping an <see cref="InvalidOperationException"/>.
/// NOTE: this test needs live network access to <c>OpenIdConfigData.AADCommonUrl</c>.
/// </summary>
public async Task OpenIdConnectConfigurationRetriever_FromNetwork()
{
    OpenIdConnectConfiguration fetched = await GetConfigurationFromHttpAsync(
        OpenIdConfigData.AADCommonUrl,
        expectedException: ExpectedException.NoExceptionExpected);
    Assert.IsNotNull(fetched);

    await GetConfigurationFromHttpAsync(
        string.Empty,
        expectedException: ExpectedException.ArgumentNullException());

    await GetConfigurationFromHttpAsync(
        OpenIdConfigData.BadUri,
        expectedException: ExpectedException.IOException(inner: typeof(InvalidOperationException)));
}
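/// <summary>
/// Validates SAML 1.1 tokens through <see cref="SamlSecurityTokenHandler"/>: argument guards,
/// the maximum-token-size limit, a signed token built from a descriptor, replay detection,
/// and the lifetime-validator delegate (its result, and whether it is invoked at all).
/// </summary>
private void ValidateToken()
{
    var tokenHandler = new SamlSecurityTokenHandler();

    // Parameter validation: null token, then null validation parameters.
    TestUtilities.ValidateToken(
        securityToken: null,
        validationParameters: new TokenValidationParameters(),
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
    TestUtilities.ValidateToken(
        securityToken: "s",
        validationParameters: null,
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));

    // A token larger than MaximumTokenSizeInBytes is rejected (IDX10209); the limit is
    // restored afterwards so the rest of this method sees the default.
    tokenHandler.MaximumTokenSizeInBytes = 1;
    TestUtilities.ValidateToken(
        securityToken: "ss",
        validationParameters: new TokenValidationParameters(),
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209"));
    tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;

    ValidateAudience();

    // The only token used below is the one built from this descriptor (an earlier
    // throw-away CreateSamlToken() result was never read, so it is not created).
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = IdentityUtilities.DefaultAudience,
        Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
        SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
        Subject = IdentityUtilities.DefaultClaimsIdentity,
        TokenIssuerName = IdentityUtilities.DefaultIssuer,
    };
    string samlToken = IdentityUtilities.CreateSamlToken(tokenDescriptor);

    var validationParameters = new TokenValidationParameters
    {
        IssuerSigningToken = KeyingMaterial.DefaultAsymmetricX509Token_2048,
        ValidAudience = IdentityUtilities.DefaultAudience,
        ValidIssuer = IdentityUtilities.DefaultIssuer,
    };

    TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
    TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);

    // A lifetime validator that rejects the token surfaces as IDX10230.
    validationParameters.LifetimeValidator = (nb, exp, st, tvp) => false;
    TestUtilities.ValidateToken(
        samlToken,
        validationParameters,
        tokenHandler,
        new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));

    // With ValidateLifetime off the delegate must not be invoked, so a throwing one is safe.
    validationParameters.ValidateLifetime = false;
    validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
    TestUtilities.ValidateToken(
        securityToken: samlToken,
        validationParameters: validationParameters,
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.NoExceptionExpected);
}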
/// <summary>
/// Issuer validation through <c>PublicSamlSecurityTokenHandler.ValidateIssuer</c>: null
/// parameters, ValidateIssuer switched off, no configured issuer (IDX10204), mismatches against
/// ValidIssuer / ValidIssuers (IDX10205), matches, and the IssuerValidator delegate.
/// </summary>
private void ValidateIssuer()
{
    var handler = new PublicSamlSecurityTokenHandler();
    SamlSecurityToken samlToken = IdentityUtilities.CreateSamlSecurityToken();

    var nullParameters = ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters");
    var noIssuerConfigured = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204");
    var issuerMismatch = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205");
    var succeeds = ExpectedException.NoExceptionExpected;

    // Null validation parameters are rejected regardless of the issuer value.
    ValidateIssuer(IdentityUtilities.DefaultIssuer, null, samlToken, handler, nullParameters);
    ValidateIssuer("bob", null, samlToken, handler, nullParameters);

    // ValidateIssuer = false passes; an empty parameter set has nothing to match against.
    ValidateIssuer("bob", new TokenValidationParameters { ValidateIssuer = false }, samlToken, handler, succeeds);
    ValidateIssuer("bob", new TokenValidationParameters { }, samlToken, handler, noIssuerConfigured);

    // Single ValidIssuer: match, then mismatch.
    ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters { ValidIssuer = IdentityUtilities.DefaultIssuer }, samlToken, handler, succeeds);
    ValidateIssuer("bob", new TokenValidationParameters { ValidIssuer = "frank" }, samlToken, handler, issuerMismatch);

    // ValidIssuers list: mismatch, switch off, then a match once the default issuer is appended.
    var validIssuers = new List<string> { "john", "paul", "george", "ringo" };
    ValidateIssuer("bob", new TokenValidationParameters { ValidIssuers = validIssuers }, samlToken, handler, issuerMismatch);
    ValidateIssuer("bob", new TokenValidationParameters { ValidateIssuer = false }, samlToken, handler, succeeds);

    validIssuers.Add(IdentityUtilities.DefaultIssuer);
    string returnedIssuer = ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters { ValidIssuers = validIssuers }, samlToken, handler, succeeds);
    Assert.IsTrue(string.Equals(returnedIssuer, IdentityUtilities.DefaultIssuer, StringComparison.Ordinal), "issuer mismatch");

    // The IssuerValidatorEcho delegate with no ValidIssuer(s) configured still yields IDX10204;
    // with ValidateIssuer off the delegate is not consulted, so a throwing one is safe.
    var delegateParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        IssuerValidator = IdentityUtilities.IssuerValidatorEcho,
    };
    ValidateIssuer("bob", delegateParameters, samlToken, handler, noIssuerConfigured);

    delegateParameters.ValidateIssuer = false;
    delegateParameters.IssuerValidator = IdentityUtilities.IssuerValidatorThrows;
    ValidateIssuer("bob", delegateParameters, samlToken, handler, succeeds);
}
/// <summary>
/// Construction of <see cref="JsonWebKeySet"/>: the default instance, null string / null
/// dictionary inputs (ArgumentNullException), a well-formed key set, and a malformed one.
/// </summary>
public void JsonWebKeySet_Constructors()
{
    var defaultKeySet = new JsonWebKeySet();
    Assert.IsTrue(IsDefaultJsonWebKeySet(defaultKeySet));

    var nullRejected = ExpectedException.ArgumentNullException();

    // Null string: nothing to add.
    RunJsonWebKeySetTest((string)null, null, nullRejected);
    // Null dictionary: nothing to add.
    RunJsonWebKeySetTest((IDictionary<string, object>)null, null, nullRejected, false);

    // Well-formed input yields the expected set; badly formatted input is an ArgumentException.
    RunJsonWebKeySetTest(OpenIdConfigData.JsonWebKeySetString1, OpenIdConfigData.JsonWebKeySetExpected1, ExpectedException.NoExceptionExpected);
    RunJsonWebKeySetTest(OpenIdConfigData.JsonWebKeySetBadFormatingString, null, ExpectedException.ArgumentException());
}
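/// <summary>
/// Construction of <see cref="OpenIdConnectMessage"/>: the default constructor leaves
/// IssuerAddress empty, the string constructor stores the address, and a null address is
/// rejected with an ArgumentNullException naming "issuerAddress".
/// </summary>
public void OpenIdConnectMessage_Constructors()
{
    // Assert.AreEqual is (expected, actual); keeping that order makes failure messages read correctly.
    var message = new OpenIdConnectMessage();
    Assert.AreEqual(string.Empty, message.IssuerAddress);

    message = new OpenIdConnectMessage("http://www.got.jwt.com");
    Assert.AreEqual("http://www.got.jwt.com", message.IssuerAddress);

    var nullAddressRejected = ExpectedException.ArgumentNullException("issuerAddress");
    try
    {
        message = new OpenIdConnectMessage((string)null);
        nullAddressRejected.ProcessNoException();
    }
    catch (Exception exception)
    {
        nullAddressRejected.ProcessException(exception);
    }
}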
/// <summary>
/// Setters of <see cref="AuthenticationProtocolMessage"/> (via a derived test class): each
/// listed string property rejects null with an ArgumentNullException naming the property, and
/// accepts its own name, a single space, and a whitespace-only string.
/// </summary>
public void AuthenticationProtocolMessage_GetSets()
{
    AuthenticationProtocolMessage message = new DerivedAuthenticationProtocolMessage();
    string[] stringProperties = { "IssuerAddress", "PostTitle", "ScriptButtonText", "ScriptDisabledText" };
    string[] acceptedWhitespace = { " ", "\t\n\r" };

    foreach (string propertyName in stringProperties)
    {
        TestUtilities.SetGet(message, propertyName, null, ExpectedException.ArgumentNullException(substringExpected: propertyName));
        TestUtilities.SetGet(message, propertyName, propertyName, ExpectedException.NoExceptionExpected);
        foreach (string value in acceptedWhitespace)
        {
            TestUtilities.SetGet(message, propertyName, value, ExpectedException.NoExceptionExpected);
        }
    }
}
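/// <summary>
/// Construction of <see cref="WsFederationMessage"/>: the default constructor leaves
/// IssuerAddress empty, the string constructor stores the address, and a null address is
/// rejected with an ArgumentNullException naming "issuerAddress".
/// </summary>
public void WsFederationAuthenticationMessage_Constructors()
{
    // Assert.AreEqual is (expected, actual); keeping that order makes failure messages read correctly.
    var message = new WsFederationMessage();
    Assert.AreEqual(string.Empty, message.IssuerAddress);

    message = new WsFederationMessage("http://www.got.jwt.com");
    Assert.AreEqual("http://www.got.jwt.com", message.IssuerAddress);

    var nullAddressRejected = ExpectedException.ArgumentNullException("issuerAddress");
    try
    {
        message = new WsFederationMessage((string)null);
        nullAddressRejected.ProcessNoException();
    }
    catch (Exception exception)
    {
        nullAddressRejected.ProcessException(exception);
    }
}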
/// <summary>
/// c_hash validation in <c>OpenIdConnectProtocolValidator.ValidateCHash</c>: multi-valued and
/// mismatching c_hash claims (IDX10304), an algorithm missing from the hash-algorithm map
/// (IDX10307), a missing claim (IDX10308), null arguments, and the default algorithm when the
/// JWT header carries no "alg".
/// </summary>
public void OpenIdConnectProtocolValidator_CHash()
{
    var protocolValidator = new PublicOpenIdConnectProtocolValidator();
    Func<string, ExpectedException> invalidCHash = errorId =>
        new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: errorId);

    // Two distinct authorization codes and their SHA-256 c_hash values.
    string codeA = protocolValidator.GenerateNonce();
    string codeB = protocolValidator.GenerateNonce();
    string cHashA = IdentityUtilities.CreateCHash(codeA, "SHA256");
    string cHashB = IdentityUtilities.CreateCHash(codeB, "SHA256");

    var noAlgorithms = new Dictionary<string, string>();
    var defaultAlgorithms = new Dictionary<string, string>(protocolValidator.HashAlgorithmMap);

    var unsignedWithCHashA = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim> { new Claim(JwtRegisteredClaimNames.CHash, cHashA) },
        issuer: IdentityUtilities.DefaultIssuer);
    var signedWithEmptyCHash = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim> { new Claim(JwtRegisteredClaimNames.CHash, string.Empty) },
        issuer: IdentityUtilities.DefaultIssuer,
        signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials);
    var withoutCHash = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim> { new Claim(JwtRegisteredClaimNames.Nonce, cHashB) },
        issuer: IdentityUtilities.DefaultIssuer);
    var signedWithCHashA = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim> { new Claim(JwtRegisteredClaimNames.CHash, cHashA) },
        issuer: IdentityUtilities.DefaultIssuer,
        signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials);
    var signedWithTwoCHashes = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.CHash, cHashA),
            new Claim(JwtRegisteredClaimNames.CHash, cHashB),
        },
        issuer: IdentityUtilities.DefaultIssuer,
        signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials);

    var context = new OpenIdConnectProtocolValidationContext { AuthorizationCode = codeB };

    // c_hash present twice is an array rather than a string -> IDX10304.
    ValidateCHash(jwt: signedWithTwoCHashes, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10304:"));
    // c_hash computed over a different code -> IDX10304.
    ValidateCHash(jwt: signedWithCHashA, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10304:"));

    // Matching code with the default algorithm map -> success.
    context.AuthorizationCode = codeA;
    ValidateCHash(jwt: signedWithCHashA, protocolValidator: protocolValidator, validationContext: context, ee: ExpectedException.NoExceptionExpected);

    // With an empty map the token's "alg" cannot be turned into a hash algorithm -> IDX10307.
    protocolValidator.SetHashAlgorithmMap(noAlgorithms);
    ValidateCHash(jwt: signedWithCHashA, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10307:"));
    protocolValidator.SetHashAlgorithmMap(defaultAlgorithms);

    // Argument guards and claim-shape failures.
    ValidateCHash(jwt: null, protocolValidator: protocolValidator, validationContext: context, ee: ExpectedException.ArgumentNullException());
    ValidateCHash(jwt: withoutCHash, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10308:"));
    ValidateCHash(jwt: signedWithEmptyCHash, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10304:"));
    // Unsigned token -> IDX10307 (presumably its "alg" is not in the default map — confirm).
    ValidateCHash(jwt: unsignedWithCHashA, protocolValidator: protocolValidator, validationContext: context, ee: invalidCHash("IDX10307:"));
    ValidateCHash(jwt: withoutCHash, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());

    // Without an "alg" header the validator's default algorithm is used and the c_hash matches.
    context.AuthorizationCode = codeA;
    unsignedWithCHashA.Header.Remove("alg");
    ValidateCHash(jwt: unsignedWithCHashA, protocolValidator: protocolValidator, validationContext: context, ee: ExpectedException.NoExceptionExpected);
}
/// <summary>
/// Construction of <see cref="OpenIdConnectConfiguration"/> from a null string, a null
/// dictionary (both ArgumentNullException), and a well-formed metadata document.
/// </summary>
public void OpenIdConnectConfiguration_Constructors()
{
    var nullRejected = ExpectedException.ArgumentNullException();
    var nullString = (string)null;
    var nullDictionary = (IDictionary<string, object>)null;

    RunOpenIdConnectConfigurationTest(nullString, new OpenIdConnectConfiguration(), nullRejected);
    RunOpenIdConnectConfigurationTest(nullDictionary, new OpenIdConnectConfiguration(), nullRejected);
    RunOpenIdConnectConfigurationTest(
        OpenIdConfigData.OpenIdConnectMetadataString,
        OpenIdConfigData.OpenIdConnectConfiguration1,
        ExpectedException.NoExceptionExpected);
}
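/// <summary>
/// Issuer validation through <c>DerivedSamlSecurityTokenHandler.ValidateIssuer</c>: the
/// ValidateIssuer switch, null parameters, no configured issuer (IDX10204), ValidIssuer /
/// ValidIssuers mismatches (IDX10205) and matches, and the IssuerValidator delegate.
/// </summary>
private void ValidateIssuer()
{
    var handler = new DerivedSamlSecurityTokenHandler();
    var succeeds = ExpectedException.NoExceptionExpected;
    var nullParameters = ExpectedException.ArgumentNullException(substringExpected: "Parameter name: validationParameters");
    var noIssuerConfigured = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204");
    var issuerMismatch = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205");

    // With ValidateIssuer off even a null issuer passes; null parameters never do.
    ValidateIssuer(null, new TokenValidationParameters { ValidateIssuer = false }, handler, succeeds);
    ValidateIssuer("bob", null, handler, nullParameters);

    // Nothing configured to match against.
    ValidateIssuer("bob", new TokenValidationParameters { }, handler, noIssuerConfigured);

    // Single ValidIssuer: match (the issuer is returned), then mismatch.
    string returnedIssuer = ValidateIssuer("bob", new TokenValidationParameters { ValidIssuer = "bob" }, handler, succeeds);
    Assert.IsTrue(returnedIssuer == "bob", "issuer mismatch");
    ValidateIssuer("bob", new TokenValidationParameters { ValidIssuer = "frank" }, handler, issuerMismatch);

    // ValidIssuers list: mismatch, switch off, then a match once "bob" is appended.
    var validIssuers = new List<string> { "john", "paul", "george", "ringo" };
    ValidateIssuer("bob", new TokenValidationParameters { ValidIssuers = validIssuers }, handler, issuerMismatch);
    ValidateIssuer("bob", new TokenValidationParameters { ValidateIssuer = false }, handler, succeeds);
    validIssuers.Add("bob");
    returnedIssuer = ValidateIssuer("bob", new TokenValidationParameters { ValidIssuers = validIssuers }, handler, succeeds);
    Assert.IsTrue(returnedIssuer == "bob", "issuer mismatch");

    // The IssuerValidatorEcho delegate with no ValidIssuer(s) configured still yields IDX10204.
    var echoParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        IssuerValidator = IdentityUtilities.IssuerValidatorEcho,
    };
    ValidateIssuer("bob", echoParameters, handler, noIssuerConfigured);

    // No delegate: the secondary (ValidIssuers) check should still succeed.
    var listParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidIssuers = validIssuers,
    };
    returnedIssuer = ValidateIssuer("bob", listParameters, handler, succeeds);
    Assert.IsTrue(returnedIssuer == "bob", "issuer mismatch");

    // No delegate: the secondary check should fail on a mismatching ValidIssuer.
    var mismatchParameters = new TokenValidationParameters
    {
        IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048),
        ValidateAudience = false,
        ValidIssuer = "http://Bob",
    };
    ValidateIssuer("bob", mismatchParameters, handler, issuerMismatch);

    // With ValidateIssuer off the delegate is not consulted, so a throwing one is safe.
    mismatchParameters.ValidateIssuer = false;
    mismatchParameters.IssuerValidator = IdentityUtilities.IssuerValidatorThrows;
    ValidateIssuer("bob", mismatchParameters, handler, succeeds);
}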
/// <summary>
/// Validates SAML 2.0 tokens through <see cref="Saml2SecurityTokenHandler"/>: argument guards,
/// the maximum-token-size limit, a plain signed token, an encrypted assertion that fails without
/// and succeeds with a decryption token, replay detection, and the lifetime-validator delegate.
/// </summary>
public void Saml2SecurityTokenHandler_ValidateToken()
{
    var tokenHandler = new Saml2SecurityTokenHandler();
    var succeeds = ExpectedException.NoExceptionExpected;

    // Parameter validation: null token, then null validation parameters.
    TestUtilities.ValidateToken(
        securityToken: null,
        validationParameters: new TokenValidationParameters(),
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
    TestUtilities.ValidateToken(
        securityToken: "s",
        validationParameters: null,
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));

    // Oversized token (IDX10209); the limit is restored for the rest of the method.
    tokenHandler.MaximumTokenSizeInBytes = 1;
    TestUtilities.ValidateToken(
        securityToken: "ss",
        validationParameters: new TokenValidationParameters(),
        tokenValidator: tokenHandler,
        expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209"));
    tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;

    string plainToken = IdentityUtilities.CreateSaml2Token();
    TestUtilities.ValidateToken(plainToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, succeeds);

    // EncryptedAssertion: without a decryption token the handler fails with ID4022.
    var encryptedDescriptor = new SecurityTokenDescriptor
    {
        AppliesToAddress = IdentityUtilities.DefaultAudience,
        EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048),
        Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
        SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
        Subject = IdentityUtilities.DefaultClaimsIdentity,
        TokenIssuerName = IdentityUtilities.DefaultIssuer,
    };
    string encryptedToken = IdentityUtilities.CreateSaml2Token(encryptedDescriptor);
    TestUtilities.ValidateToken(
        encryptedToken,
        IdentityUtilities.DefaultAsymmetricTokenValidationParameters,
        tokenHandler,
        new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022"));

    // NOTE(review): the assignments below mutate whatever DefaultAsymmetricTokenValidationParameters
    // returns; if that is a shared instance rather than a fresh copy, the ClientDecryptionTokens and
    // LifetimeValidator changes leak into other tests — confirm against IdentityUtilities.
    TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters;
    validationParameters.ClientDecryptionTokens = new List<SecurityToken> { KeyingMaterial.DefaultX509Token_2048 }.AsReadOnly();
    TestUtilities.ValidateToken(encryptedToken, validationParameters, tokenHandler, succeeds);

    TestUtilities.ValidateTokenReplay(encryptedToken, tokenHandler, validationParameters);
    TestUtilities.ValidateToken(encryptedToken, validationParameters, tokenHandler, succeeds);

    // A lifetime validator that rejects the token surfaces as IDX10230.
    validationParameters.LifetimeValidator = (nb, exp, st, tvp) => false;
    TestUtilities.ValidateToken(
        encryptedToken,
        validationParameters,
        tokenHandler,
        new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));

    // With ValidateLifetime off the delegate is not invoked, so a throwing one is safe.
    validationParameters.ValidateLifetime = false;
    validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
    TestUtilities.ValidateToken(
        securityToken: encryptedToken,
        validationParameters: validationParameters,
        tokenValidator: tokenHandler,
        expectedException: succeeds);
}
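/// <summary>
/// End-to-end <c>OpenIdConnectProtocolValidator.Validate</c>: null arguments, each required
/// claim missing in turn (IDX10309), a nonce mismatch (IDX10301), the optional "sub"
/// requirement, a c_hash mismatch (IDX10304) and match, and the optional acr/amr/auth_time/azp
/// requirements (IDX10312 to IDX10315).
/// </summary>
public void OpenIdConnectProtocolValidator_Validate()
{
    var jwt = new JwtSecurityToken();
    var validationContext = new OpenIdConnectProtocolValidationContext();
    var protocolValidator = new OpenIdConnectProtocolValidator();
    var succeeds = ExpectedException.NoExceptionExpected;
    Func<string, ExpectedException> protocolError = errorId =>
        new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: errorId);

    // jwt null, then validationContext null.
    Validate(jwt: null, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());

    // Required claims are added one at a time; each call fails on the next one still missing.
    // aud missing
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10309:"));
    // exp missing
    jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, IdentityUtilities.DefaultAudience));
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10309:"));
    // iat missing
    jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10309:"));
    // iss missing
    jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10309:"));

    // Add iss; with the nonce not required the token is now complete.
    protocolValidator.RequireNonce = false;
    jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, IdentityUtilities.DefaultIssuer));
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: succeeds);

    // Nonce invalid: the token carries validNonce but the context expects a different one.
    string validNonce = protocolValidator.GenerateNonce();
    protocolValidator.RequireNonce = true;
    jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nonce, validNonce));
    validationContext.Nonce = protocolValidator.GenerateNonce();
    Validate(
        jwt: jwt,
        protocolValidator: protocolValidator,
        validationContext: validationContext,
        ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));

    // sub missing: not required by default, required once RequireSub is set.
    validationContext.Nonce = validNonce;
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: succeeds);
    protocolValidator.RequireSub = true;
    Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10309:"));

    // authorizationCode invalid: a signed token whose c_hash was computed over validAuthorizationCode.
    string validAuthorizationCode = protocolValidator.GenerateNonce();
    string validChash = IdentityUtilities.CreateCHash(validAuthorizationCode, "SHA256");
    var signedJwt = new JwtSecurityToken(
        audience: IdentityUtilities.DefaultAudience,
        claims: new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.CHash, validChash),
            new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()),
            new Claim(JwtRegisteredClaimNames.Nonce, validNonce),
            new Claim(JwtRegisteredClaimNames.Sub, "sub"),
        },
        expires: DateTime.UtcNow + TimeSpan.FromHours(1),
        issuer: IdentityUtilities.DefaultIssuer,
        signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials);

    // Restrict the hash-algorithm map to RSA-SHA256 (presumably what DefaultAsymmetricSigningCredentials
    // signs with — the success run below depends on it). No copy of the original map is kept:
    // the validator is local to this test and nothing restores it.
    protocolValidator.HashAlgorithmMap.Clear();
    protocolValidator.HashAlgorithmMap.Add(JwtAlgorithms.RSA_SHA256, "SHA256");
    validationContext.Nonce = validNonce;
    validationContext.AuthorizationCode = validNonce; // not the code the c_hash was computed over
    Validate(
        jwt: signedJwt,
        protocolValidator: protocolValidator,
        validationContext: validationContext,
        ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));

    // nonce and authorizationCode valid
    validationContext.AuthorizationCode = validAuthorizationCode;
    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: succeeds);

    // Optional claims: each Require* flag fails until the matching claim is added.
    protocolValidator.RequireAcr = true;
    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10312:"));
    signedJwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Acr, "acr"));

    protocolValidator.RequireAmr = true;
    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10313:"));
    signedJwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Amr, "amr"));

    protocolValidator.RequireAuthTime = true;
    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10314:"));
    signedJwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.AuthTime, "authTime"));

    protocolValidator.RequireAzp = true;
    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: protocolError("IDX10315:"));
    signedJwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Azp, "azp"));

    Validate(jwt: signedJwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: succeeds);
}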
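/// <summary>
/// Property surface of <see cref="OpenIdConnectProtocolValidator"/>: fails fast if the property
/// count drifts (so new properties get covered here), round-trips each settable property through
/// <c>TestUtilities.GetSet</c>, checks the default hash-algorithm map, and confirms that a zero
/// NonceLifetime is rejected as out of range.
/// </summary>
public void OpenIdConnectProtocolValidator_GetSets()
{
    const int ExpectedPropertyCount = 9;
    const int ExpectedHashAlgorithmCount = 9;

    var validator = new OpenIdConnectProtocolValidator();
    PropertyInfo[] properties = typeof(OpenIdConnectProtocolValidator).GetProperties();
    if (properties.Length != ExpectedPropertyCount)
    {
        Assert.Fail("Number of properties has changed from " + ExpectedPropertyCount + " to: " + properties.Length + ", adjust tests");
    }

    // HashAlgorithmMap is not part of the set/get round-trip; it is checked separately below.
    var context = new GetSetContext
    {
        PropertyNamesAndSetGetValue = new List<KeyValuePair<string, List<object>>>
        {
            new KeyValuePair<string, List<object>>("NonceLifetime", new List<object> { TimeSpan.FromMinutes(60), TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(100) }),
            new KeyValuePair<string, List<object>>("RequireAcr", new List<object> { false, true, false }),
            new KeyValuePair<string, List<object>>("RequireAmr", new List<object> { false, true, false }),
            new KeyValuePair<string, List<object>>("RequireAuthTime", new List<object> { false, true, false }),
            new KeyValuePair<string, List<object>>("RequireAzp", new List<object> { false, true, false }),
            new KeyValuePair<string, List<object>>("RequireNonce", new List<object> { true, false, true }),
            new KeyValuePair<string, List<object>>("RequireSub", new List<object> { false, true, false }),
            new KeyValuePair<string, List<object>>("RequireTimeStampInNonce", new List<object> { true, false, true }),
        },
        Object = validator,
    };
    TestUtilities.GetSet(context);
    TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, context.Errors);

    // Assert.AreEqual is (expected, actual); keeping that order makes failure messages read correctly.
    Assert.IsNotNull(validator.HashAlgorithmMap);
    Assert.AreEqual(ExpectedHashAlgorithmCount, validator.HashAlgorithmMap.Count);

    // TimeSpan.Zero is rejected as an out-of-range NonceLifetime.
    var zeroLifetimeRejected = ExpectedException.ArgumentOutOfRangeException();
    try
    {
        validator.NonceLifetime = TimeSpan.Zero;
        zeroLifetimeRejected.ProcessNoException();
    }
    catch (Exception ex)
    {
        zeroLifetimeRejected.ProcessException(ex);
    }
}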
public void OpenIdConnectProtocolValidator_ValidateNonce()
{
    // Exercises OpenIdConnectProtocolValidator.ValidateNonce: null-argument checks,
    // the present/absent nonce combinations on both the token and the validation
    // context, expiry against NonceLifetime, and each malformed timestamp shape.
    // The IDX codes are pinned so a change in which check fires first is caught.
    var requiresTimeStamp = new PublicOpenIdConnectProtocolValidator();
    var nonceWithTimeStamp = requiresTimeStamp.GenerateNonce();
    var noTimeStampRequired = new PublicOpenIdConnectProtocolValidator { RequireTimeStampInNonce = false };
    var noNonceRequired = new PublicOpenIdConnectProtocolValidator { RequireNonce = false };
    var nonceWithoutTimeStamp = noTimeStampRequired.GenerateNonce();

    // Malformed timestamps are built as "<ticks>.<nonce>" on top of a timestamp-free nonce.
    var nonceBadTimeStamp = "abc.abc";
    var nonceTicksTooLarge = long.MaxValue.ToString() + "." + nonceWithoutTimeStamp;
    var nonceTicksTooSmall = long.MinValue.ToString() + "." + nonceWithoutTimeStamp;
    var nonceTicksNegative = (-1L).ToString() + "." + nonceWithoutTimeStamp;
    var nonceTicksZero = 0L.ToString() + "." + nonceWithoutTimeStamp;

    // Builds a token carrying exactly one claim.
    Func<string, string, JwtSecurityToken> jwtWithClaim =
        (claimType, claimValue) => new JwtSecurityToken(claims: new List<Claim> { new Claim(claimType, claimValue) });

    // Expectation for an OpenIdConnectProtocolInvalidNonceException carrying the given IDX code.
    Func<string, ExpectedException> invalidNonce =
        code => new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: code);

    var jwtWithNonceWithTimeStamp = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceWithTimeStamp);
    var jwtWithNonceWithoutTimeStamp = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceWithoutTimeStamp);
    var jwtWithNonceWithBadTimeStamp = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceBadTimeStamp);
    var jwtWithNonceTicksTooLarge = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceTicksTooLarge);
    var jwtWithNonceTicksTooSmall = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceTicksTooSmall);
    var jwtWithNonceTicksNegative = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceTicksNegative);
    var jwtWithNonceZero = jwtWithClaim(JwtRegisteredClaimNames.Nonce, nonceTicksZero);
    var jwtWithoutNonce = jwtWithClaim(JwtRegisteredClaimNames.NameId, nonceWithTimeStamp);
    var jwtWithNonceWhitespace = jwtWithClaim(JwtRegisteredClaimNames.Nonce, "");

    var validationContext = new OpenIdConnectProtocolValidationContext { Nonce = null };

    // Null token / null context are rejected before any nonce logic runs.
    ValidateNonce(jwt: null, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: ExpectedException.ArgumentNullException());
    ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: requiresTimeStamp, validationContext: null, ee: ExpectedException.ArgumentNullException());

    // Context has no nonce while RequireNonce is true.
    ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10311:"));

    // Context nonce set; token nonce missing, empty, or not matching the context.
    validationContext.Nonce = nonceWithoutTimeStamp;
    ValidateNonce(jwt: jwtWithoutNonce, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10322:"));
    ValidateNonce(jwt: jwtWithNonceWhitespace, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10301:"));
    ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10301:"));

    // Matching nonce with a timestamp validates cleanly.
    validationContext.Nonce = nonceWithTimeStamp;
    ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);

    // Same nonce is rejected once it is older than NonceLifetime (timing-based: 10ms lifetime, 100ms wait).
    validationContext.Nonce = nonceWithTimeStamp;
    requiresTimeStamp.NonceLifetime = TimeSpan.FromMilliseconds(10);
    Thread.Sleep(100);
    ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException)));

    // Timestamp required but the nonce has none (no '.' separator).
    validationContext.Nonce = nonceWithoutTimeStamp;
    requiresTimeStamp.NonceLifetime = TimeSpan.FromMinutes(10);
    ValidateNonce(jwt: jwtWithNonceWithoutTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10317:"));

    // Timestamp present but not numeric: the FormatException surfaces as the inner exception.
    validationContext.Nonce = nonceBadTimeStamp;
    ValidateNonce(jwt: jwtWithNonceWithBadTimeStamp, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), innerTypeExpected: typeof(FormatException), substringExpected: "IDX10318:"));

    // The same malformed timestamp is ignored when the validator does not require one.
    validationContext.Nonce = nonceBadTimeStamp;
    ValidateNonce(jwt: jwtWithNonceWithBadTimeStamp, protocolValidator: noTimeStampRequired, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);

    // Ticks at long.MaxValue: rejected with an ArgumentException as the inner exception.
    validationContext.Nonce = nonceTicksTooLarge;
    ValidateNonce(jwt: jwtWithNonceTicksTooLarge, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), innerTypeExpected: typeof(ArgumentException), substringExpected: "IDX10320:"));

    // Ticks at long.MinValue, negative, and zero all fail the timestamp check.
    validationContext.Nonce = nonceTicksTooSmall;
    ValidateNonce(jwt: jwtWithNonceTicksTooSmall, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10318:"));

    validationContext.Nonce = nonceTicksNegative;
    ValidateNonce(jwt: jwtWithNonceTicksNegative, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10318:"));

    validationContext.Nonce = nonceTicksZero;
    ValidateNonce(jwt: jwtWithNonceZero, protocolValidator: requiresTimeStamp, validationContext: validationContext, ee: invalidNonce("IDX10318:"));

    // RequireNonce false: a missing context nonce is accepted ...
    validationContext.Nonce = null;
    ValidateNonce(jwt: jwtWithNonceWithoutTimeStamp, protocolValidator: noNonceRequired, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);

    // ... but a context nonce with no matching token nonce is still an error.
    validationContext.Nonce = nonceWithTimeStamp;
    ValidateNonce(jwt: jwtWithoutNonce, protocolValidator: noNonceRequired, validationContext: validationContext, ee: invalidNonce("IDX10323:"));
}
public void AuthenticationProtocolMessage_Publics()
{
    // Covers the parameter bag on AuthenticationProtocolMessage (Get/Set/Remove,
    // null-name rejection, last-write-wins on repeated Set) and that
    // BuildRedirectUrl copes with a blank value and an empty IssuerAddress.
    const string value1 = "value1";
    const string value2 = "value2";
    const string param1 = "param1";
    const string param2 = "param2";

    AuthenticationProtocolMessage message = new DerivedAuthenticationProtocolMessage();

    // Each public entry point must reject a null parameter name with an
    // ArgumentNullException whose message names "parameter".
    Action<Action> assertRejectsNullParameter = call =>
    {
        ExpectedException expected = ExpectedException.ArgumentNullException(substringExpected: "parameter");
        try
        {
            call();
            expected.ProcessNoException();
        }
        catch (Exception exception)
        {
            expected.ProcessException(exception);
        }
    };

    assertRejectsNullParameter(() => message.GetParameter(null));
    assertRejectsNullParameter(() => message.RemoveParameter(null));
    assertRejectsNullParameter(() => message.SetParameter(null, null));

    // Removing an absent name must not throw; removing a present one makes Get return null.
    message.SetParameter(param1, value1);
    message.RemoveParameter(param2);
    Assert.AreEqual(message.GetParameter(param1), value1);
    message.RemoveParameter(param1);
    Assert.IsNull(message.GetParameter(param1));

    // Repeated Set on the same name keeps the most recent value.
    message.SetParameter(param1, value1);
    message.SetParameter(param1, value2);
    message.SetParameter(param2, value2);
    message.SetParameter(param2, value1);
    Assert.AreEqual(message.GetParameter(param1), value2);
    Assert.AreEqual(message.GetParameter(param2), value1);

    // A whitespace-only value still shows up in the redirect URL.
    message = new DerivedAuthenticationProtocolMessage(@"http://www.gotjwt.com");
    message.SetParameter("bob", " ");
    string redirectUrl = message.BuildRedirectUrl();
    Assert.IsNotNull(redirectUrl);
    Assert.IsTrue(redirectUrl.Contains("bob"));

    // An empty issuer address must neither throw nor yield a null URL.
    message.IssuerAddress = string.Empty;
    redirectUrl = message.BuildRedirectUrl();
    Assert.IsNotNull(redirectUrl);
}