private void CreateClaims()
{
PublicSamlSecurityTokenHandler samlSecurityTokenHandler = new PublicSamlSecurityTokenHandler();
ExpectedException expectedException = ExpectedException.ArgumentNullException(substringExpected: "samlToken");
CreateClaims(null, "issuer", new TokenValidationParameters(), samlSecurityTokenHandler: samlSecurityTokenHandler, expectedException: expectedException);
}
public void SecurityTokenHandlerCollectionExtensions_Publics()
{
SecurityTokenHandlerCollection securityTokenValidators = new SecurityTokenHandlerCollection();
string defaultSamlToken = IdentityUtilities.CreateSamlToken();
string defaultSaml2Token = IdentityUtilities.CreateSaml2Token();
string defaultJwt = IdentityUtilities.DefaultAsymmetricJwt;
ExpectedException expectedException = ExpectedException.ArgumentNullException("Parameter name: securityToken");
ValidateToken(null, null, securityTokenValidators, expectedException);
expectedException = ExpectedException.ArgumentNullException("Parameter name: validationParameters");
ValidateToken(defaultSamlToken, null, securityTokenValidators, expectedException);
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
expectedException = ExpectedException.SecurityTokenValidationException("IDX10201");
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, expectedException);
securityTokenValidators = SecurityTokenHandlerCollectionExtensions.GetDefaultHandlers();
expectedException = ExpectedException.SignatureVerificationFailedException(substringExpected: "ID4037:");
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, expectedException);
securityTokenValidators.Clear();
securityTokenValidators.Add(new IMSamlTokenHandler());
ValidateToken(defaultSamlToken, tokenValidationParameters, securityTokenValidators, ExpectedException.SignatureVerificationFailedException(substringExpected: "ID4037:"));
ValidateToken(defaultSamlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
ValidateToken(defaultSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.SecurityTokenValidationException(substringExpected: "IDX10201:"));
securityTokenValidators.Add(new IMSaml2TokenHandler());
securityTokenValidators.Add(new System.IdentityModel.Tokens.JwtSecurityTokenHandler());
ValidateToken(defaultSaml2Token, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
ValidateToken(defaultJwt, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, securityTokenValidators, ExpectedException.NoExceptionExpected);
}
public async Task OpenIdConnectConfigurationRetriever_FromNetwork()
{
OpenIdConnectConfiguration configuration = await GetConfigurationFromHttpAsync(OpenIdConfigData.AADCommonUrl, expectedException : ExpectedException.NoExceptionExpected);
Assert.IsNotNull(configuration);
await GetConfigurationFromHttpAsync(string.Empty, expectedException : ExpectedException.ArgumentNullException());
await GetConfigurationFromHttpAsync(OpenIdConfigData.BadUri, expectedException : ExpectedException.IOException(inner: typeof(InvalidOperationException)));
}
private void ValidateToken()
{
// parameter validation
SamlSecurityTokenHandler tokenHandler = new SamlSecurityTokenHandler();
ExpectedException expectedException = ExpectedException.ArgumentNullException(substringExpected: "name: securityToken");
TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters");
TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: expectedException);
expectedException = ExpectedException.ArgumentException(substringExpected: "IDX10209");
tokenHandler.MaximumTokenSizeInBytes = 1;
TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: expectedException);
tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
string samlToken = IdentityUtilities.CreateSamlToken();
ValidateAudience();
SecurityTokenDescriptor tokenDescriptor =
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
Subject = IdentityUtilities.DefaultClaimsIdentity,
TokenIssuerName = IdentityUtilities.DefaultIssuer,
};
samlToken = IdentityUtilities.CreateSamlToken(tokenDescriptor);
TokenValidationParameters validationParameters =
new TokenValidationParameters
{
IssuerSigningToken = KeyingMaterial.DefaultAsymmetricX509Token_2048,
ValidAudience = IdentityUtilities.DefaultAudience,
ValidIssuer = IdentityUtilities.DefaultIssuer,
};
TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
validationParameters.LifetimeValidator =
(nb, exp, st, tvp) =>
{
return(false);
};
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));
validationParameters.ValidateLifetime = false;
validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}
private void ValidateIssuer()
{
PublicSamlSecurityTokenHandler samlSecurityTokenHandler = new PublicSamlSecurityTokenHandler();
SamlSecurityToken samlToken = IdentityUtilities.CreateSamlSecurityToken();
ValidateIssuer(IdentityUtilities.DefaultIssuer, null, samlToken, samlSecurityTokenHandler, ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
ValidateIssuer("bob", null, samlToken, samlSecurityTokenHandler, ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
ValidateIssuer("bob", new TokenValidationParameters {
ValidateIssuer = false
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
ValidateIssuer("bob", new TokenValidationParameters {
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204"));
ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters {
ValidIssuer = IdentityUtilities.DefaultIssuer
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuer = "frank"
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205"));
List <string> validIssuers = new List <string> {
"john", "paul", "george", "ringo"
};
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205"));
ValidateIssuer("bob", new TokenValidationParameters {
ValidateIssuer = false
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
validIssuers.Add(IdentityUtilities.DefaultIssuer);
string issuer = ValidateIssuer(IdentityUtilities.DefaultIssuer, new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
Assert.IsTrue(issuer == IdentityUtilities.DefaultIssuer, "issuer mismatch");
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerValidator = IdentityUtilities.IssuerValidatorEcho,
};
ValidateIssuer("bob", validationParameters, samlToken, samlSecurityTokenHandler, ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204"));
validationParameters.ValidateIssuer = false;
validationParameters.IssuerValidator = IdentityUtilities.IssuerValidatorThrows;
ValidateIssuer("bob", validationParameters, samlToken, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
}
public void JsonWebKeySet_Constructors()
{
JsonWebKeySet jsonWebKeys = new JsonWebKeySet();
Assert.IsTrue(IsDefaultJsonWebKeySet(jsonWebKeys));
// null string, nothing to add
RunJsonWebKeySetTest((string)null, null, ExpectedException.ArgumentNullException());
// null dictionary, nothing to add
RunJsonWebKeySetTest((IDictionary <string, object>)null, null, ExpectedException.ArgumentNullException(), false);
RunJsonWebKeySetTest(OpenIdConfigData.JsonWebKeySetString1, OpenIdConfigData.JsonWebKeySetExpected1, ExpectedException.NoExceptionExpected);
RunJsonWebKeySetTest(OpenIdConfigData.JsonWebKeySetBadFormatingString, null, ExpectedException.ArgumentException());
}
public void OpenIdConnectMessage_Constructors()
{
OpenIdConnectMessage openIdConnectMessage = new OpenIdConnectMessage();
Assert.AreEqual(openIdConnectMessage.IssuerAddress, string.Empty);
openIdConnectMessage = new OpenIdConnectMessage("http://www.got.jwt.com");
Assert.AreEqual(openIdConnectMessage.IssuerAddress, "http://www.got.jwt.com");
ExpectedException expectedException = ExpectedException.ArgumentNullException("issuerAddress");
try
{
openIdConnectMessage = new OpenIdConnectMessage((string)null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
}
public void AuthenticationProtocolMessage_GetSets()
{
AuthenticationProtocolMessage authenticationProtocolMessage = new DerivedAuthenticationProtocolMessage();
List <string> properties = new List <string>()
{
"IssuerAddress",
"PostTitle",
"ScriptButtonText",
"ScriptDisabledText",
};
foreach (string property in properties)
{
TestUtilities.SetGet(authenticationProtocolMessage, property, null, ExpectedException.ArgumentNullException(substringExpected: property));
TestUtilities.SetGet(authenticationProtocolMessage, property, property, ExpectedException.NoExceptionExpected);
TestUtilities.SetGet(authenticationProtocolMessage, property, " ", ExpectedException.NoExceptionExpected);
TestUtilities.SetGet(authenticationProtocolMessage, property, "\t\n\r", ExpectedException.NoExceptionExpected);
}
}
public void WsFederationAuthenticationMessage_Constructors()
{
WsFederationMessage wsFederationMessage = new WsFederationMessage();
Assert.AreEqual(wsFederationMessage.IssuerAddress, string.Empty);
wsFederationMessage = new WsFederationMessage("http://www.got.jwt.com");
Assert.AreEqual(wsFederationMessage.IssuerAddress, "http://www.got.jwt.com");
ExpectedException expectedException = ExpectedException.ArgumentNullException("issuerAddress");
try
{
wsFederationMessage = new WsFederationMessage((string)null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
}
public void OpenIdConnectProtocolValidator_CHash()
{
PublicOpenIdConnectProtocolValidator protocolValidator = new PublicOpenIdConnectProtocolValidator();
string authorizationCode1 = protocolValidator.GenerateNonce();
string authorizationCode2 = protocolValidator.GenerateNonce();
string chash1 = IdentityUtilities.CreateCHash(authorizationCode1, "SHA256");
string chash2 = IdentityUtilities.CreateCHash(authorizationCode2, "SHA256");
Dictionary <string, string> emptyDictionary = new Dictionary <string, string>();
Dictionary <string, string> mappedDictionary = new Dictionary <string, string>(protocolValidator.HashAlgorithmMap);
JwtSecurityToken jwtWithCHash1 =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1)
},
issuer: IdentityUtilities.DefaultIssuer
);
JwtSecurityToken jwtWithEmptyCHash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, string.Empty)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
JwtSecurityToken jwtWithoutCHash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, chash2)
},
issuer: IdentityUtilities.DefaultIssuer
);
JwtSecurityToken jwtWithSignatureChash1 =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
JwtSecurityToken jwtWithSignatureMultipleChashes =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.CHash, chash1), new Claim(JwtRegisteredClaimNames.CHash, chash2)
},
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
validationContext.AuthorizationCode = authorizationCode2;
// chash is not a string, but array
ValidateCHash(jwt: jwtWithSignatureMultipleChashes, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// chash doesn't match
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// use algorithm map
validationContext.AuthorizationCode = authorizationCode1;
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// Creation of algorithm failed, need to map.
protocolValidator.SetHashAlgorithmMap(emptyDictionary);
ValidateCHash(jwt: jwtWithSignatureChash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10307:"));
protocolValidator.SetHashAlgorithmMap(mappedDictionary);
ValidateCHash(jwt: null, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.ArgumentNullException());
ValidateCHash(jwt: jwtWithoutCHash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10308:"));
ValidateCHash(jwt: jwtWithEmptyCHash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
ValidateCHash(jwt: jwtWithCHash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10307:"));
ValidateCHash(jwt: jwtWithoutCHash, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// make sure default alg works.
validationContext.AuthorizationCode = authorizationCode1;
jwtWithCHash1.Header.Remove("alg");
ValidateCHash(jwt: jwtWithCHash1, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
}
public void OpenIdConnectConfiguration_Constructors()
{
RunOpenIdConnectConfigurationTest((string)null, new OpenIdConnectConfiguration(), ExpectedException.ArgumentNullException());
RunOpenIdConnectConfigurationTest((IDictionary <string, object>)null, new OpenIdConnectConfiguration(), ExpectedException.ArgumentNullException());
RunOpenIdConnectConfigurationTest(OpenIdConfigData.OpenIdConnectMetadataString, OpenIdConfigData.OpenIdConnectConfiguration1, ExpectedException.NoExceptionExpected);
}
private void ValidateIssuer()
{
DerivedSamlSecurityTokenHandler samlSecurityTokenHandler = new DerivedSamlSecurityTokenHandler();
ExpectedException expectedException = ExpectedException.NoExceptionExpected;
ValidateIssuer(null, new TokenValidationParameters {
ValidateIssuer = false
}, samlSecurityTokenHandler, expectedException);
expectedException = ExpectedException.ArgumentNullException(substringExpected: "Parameter name: validationParameters");
ValidateIssuer("bob", null, samlSecurityTokenHandler, expectedException);
expectedException = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204");
ValidateIssuer("bob", new TokenValidationParameters {
}, samlSecurityTokenHandler, expectedException);
expectedException = ExpectedException.NoExceptionExpected;
string issuer = ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuer = "bob"
}, samlSecurityTokenHandler, expectedException);
Assert.IsTrue(issuer == "bob", "issuer mismatch");
expectedException = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205");
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuer = "frank"
}, samlSecurityTokenHandler, expectedException);
List <string> validIssuers = new List <string> {
"john", "paul", "george", "ringo"
};
expectedException = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205");
ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlSecurityTokenHandler, expectedException);
expectedException = ExpectedException.NoExceptionExpected;
ValidateIssuer("bob", new TokenValidationParameters {
ValidateIssuer = false
}, samlSecurityTokenHandler, expectedException);
validIssuers.Add("bob");
expectedException = ExpectedException.NoExceptionExpected;
issuer = ValidateIssuer("bob", new TokenValidationParameters {
ValidIssuers = validIssuers
}, samlSecurityTokenHandler, expectedException);
Assert.IsTrue(issuer == "bob", "issuer mismatch");
expectedException = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10204");
TokenValidationParameters validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
IssuerValidator = IdentityUtilities.IssuerValidatorEcho,
};
ValidateIssuer("bob", validationParameters, samlSecurityTokenHandler, expectedException);
// no delegate secondary should still succeed
expectedException = ExpectedException.NoExceptionExpected;
validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidIssuers = validIssuers,
};
issuer = ValidateIssuer("bob", validationParameters, samlSecurityTokenHandler, expectedException);
Assert.IsTrue(issuer == "bob", "issuer mismatch");
// no delegate, secondary should fail
validIssuers = new List <string> {
"john", "paul", "george", "ringo"
};
expectedException = ExpectedException.SecurityTokenInvalidIssuerException(substringExpected: "IDX10205");
validationParameters = new TokenValidationParameters
{
IssuerSigningKey = new X509SecurityKey(KeyingMaterial.DefaultCert_2048),
ValidateAudience = false,
ValidIssuer = "http://Bob",
};
ValidateIssuer("bob", validationParameters, samlSecurityTokenHandler, expectedException);
validationParameters.ValidateIssuer = false;
validationParameters.IssuerValidator = IdentityUtilities.IssuerValidatorThrows;
ValidateIssuer("bob", validationParameters, samlSecurityTokenHandler, ExpectedException.NoExceptionExpected);
}
public void Saml2SecurityTokenHandler_ValidateToken()
{
// parameter validation
Saml2SecurityTokenHandler tokenHandler = new Saml2SecurityTokenHandler();
TestUtilities.ValidateToken(securityToken: null, validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: securityToken"));
TestUtilities.ValidateToken(securityToken: "s", validationParameters: null, tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentNullException(substringExpected: "name: validationParameters"));
tokenHandler.MaximumTokenSizeInBytes = 1;
TestUtilities.ValidateToken(securityToken: "ss", validationParameters: new TokenValidationParameters(), tokenValidator: tokenHandler, expectedException: ExpectedException.ArgumentException(substringExpected: "IDX10209"));
tokenHandler.MaximumTokenSizeInBytes = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
string samlToken = IdentityUtilities.CreateSaml2Token();
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
// EncryptedAssertion
SecurityTokenDescriptor tokenDescriptor =
new SecurityTokenDescriptor
{
AppliesToAddress = IdentityUtilities.DefaultAudience,
EncryptingCredentials = new EncryptedKeyEncryptingCredentials(KeyingMaterial.DefaultAsymmetricCert_2048),
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow + TimeSpan.FromHours(1)),
SigningCredentials = KeyingMaterial.DefaultAsymmetricSigningCreds_2048_RsaSha2_Sha2,
Subject = IdentityUtilities.DefaultClaimsIdentity,
TokenIssuerName = IdentityUtilities.DefaultIssuer,
};
samlToken = IdentityUtilities.CreateSaml2Token(tokenDescriptor);
TestUtilities.ValidateToken(samlToken, IdentityUtilities.DefaultAsymmetricTokenValidationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(EncryptedTokenDecryptionFailedException), substringExpected: "ID4022"));
TokenValidationParameters validationParameters = IdentityUtilities.DefaultAsymmetricTokenValidationParameters;
validationParameters.ClientDecryptionTokens = new List <SecurityToken> {
KeyingMaterial.DefaultX509Token_2048
}.AsReadOnly();
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
TestUtilities.ValidateTokenReplay(samlToken, tokenHandler, validationParameters);
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, ExpectedException.NoExceptionExpected);
validationParameters.LifetimeValidator =
(nb, exp, st, tvp) =>
{
return(false);
};
TestUtilities.ValidateToken(samlToken, validationParameters, tokenHandler, new ExpectedException(typeExpected: typeof(SecurityTokenInvalidLifetimeException), substringExpected: "IDX10230:"));
validationParameters.ValidateLifetime = false;
validationParameters.LifetimeValidator = IdentityUtilities.LifetimeValidatorThrows;
TestUtilities.ValidateToken(securityToken: samlToken, validationParameters: validationParameters, tokenValidator: tokenHandler, expectedException: ExpectedException.NoExceptionExpected);
}
public void OpenIdConnectProtocolValidator_Validate()
{
JwtSecurityToken jwt = new JwtSecurityToken();
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
OpenIdConnectProtocolValidator protocolValidator = new OpenIdConnectProtocolValidator();
// jwt null
Validate(jwt: null, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// validationContext null
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// aud missing
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// exp missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, IdentityUtilities.DefaultAudience));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iat missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iss missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// add iis, nonce is not retuired.
protocolValidator.RequireNonce = false;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, IdentityUtilities.DefaultIssuer));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// nonce invalid
string validNonce = protocolValidator.GenerateNonce();
// add the valid 'nonce' but set validationContext.Nonce to a different 'nonce'.
protocolValidator.RequireNonce = true;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nonce, validNonce));
validationContext.Nonce = protocolValidator.GenerateNonce();
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));
// sub missing, default not required
validationContext.Nonce = validNonce;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
protocolValidator.RequireSub = true;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// authorizationCode invalid
string validAuthorizationCode = protocolValidator.GenerateNonce();
string validChash = IdentityUtilities.CreateCHash(validAuthorizationCode, "SHA256");
JwtSecurityToken jwtWithSignatureChash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List <Claim>
{
new Claim(JwtRegisteredClaimNames.CHash, validChash),
new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()),
new Claim(JwtRegisteredClaimNames.Nonce, validNonce),
new Claim(JwtRegisteredClaimNames.Sub, "sub"),
},
expires: DateTime.UtcNow + TimeSpan.FromHours(1),
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
Dictionary <string, string> algmap = new Dictionary <string, string>(protocolValidator.HashAlgorithmMap);
protocolValidator.HashAlgorithmMap.Clear();
protocolValidator.HashAlgorithmMap.Add(JwtAlgorithms.RSA_SHA256, "SHA256");
validationContext.Nonce = validNonce;
validationContext.AuthorizationCode = validNonce;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// nonce and authorizationCode valid
validationContext.AuthorizationCode = validAuthorizationCode;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// validate optional claims
protocolValidator.RequireAcr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10312:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Acr, "acr"));
protocolValidator.RequireAmr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10313:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Amr, "amr"));
protocolValidator.RequireAuthTime = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10314:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.AuthTime, "authTime"));
protocolValidator.RequireAzp = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10315:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Azp, "azp"));
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
}
public void OpenIdConnectProtocolValidator_GetSets()
{
OpenIdConnectProtocolValidator validationParameters = new OpenIdConnectProtocolValidator();
Type type = typeof(OpenIdConnectProtocolValidator);
PropertyInfo[] properties = type.GetProperties();
if (properties.Length != 9)
{
Assert.Fail("Number of properties has changed from 9 to: " + properties.Length + ", adjust tests");
}
GetSetContext context =
new GetSetContext
{
PropertyNamesAndSetGetValue = new List <KeyValuePair <string, List <object> > >
{
new KeyValuePair <string, List <object> >("NonceLifetime", new List <object> {
TimeSpan.FromMinutes(60), TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(100)
}),
new KeyValuePair <string, List <object> >("RequireAcr", new List <object> {
false, true, false
}),
new KeyValuePair <string, List <object> >("RequireAmr", new List <object> {
false, true, false
}),
new KeyValuePair <string, List <object> >("RequireAuthTime", new List <object> {
false, true, false
}),
new KeyValuePair <string, List <object> >("RequireAzp", new List <object> {
false, true, false
}),
new KeyValuePair <string, List <object> >("RequireNonce", new List <object> {
true, false, true
}),
new KeyValuePair <string, List <object> >("RequireSub", new List <object> {
false, true, false
}),
new KeyValuePair <string, List <object> >("RequireTimeStampInNonce", new List <object> {
true, false, true
}),
},
Object = validationParameters,
};
TestUtilities.GetSet(context);
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, context.Errors);
ExpectedException ee = ExpectedException.ArgumentNullException();
Assert.IsNotNull(validationParameters.HashAlgorithmMap);
Assert.AreEqual(validationParameters.HashAlgorithmMap.Count, 9);
ee = ExpectedException.ArgumentOutOfRangeException();
try
{
validationParameters.NonceLifetime = TimeSpan.Zero;
ee.ProcessNoException();
}
catch (Exception ex)
{
ee.ProcessException(ex);
}
}
public void OpenIdConnectProtocolValidator_ValidateNonce()
{
PublicOpenIdConnectProtocolValidator protocolValidatorRequiresTimeStamp = new PublicOpenIdConnectProtocolValidator();
string nonceWithTimeStamp = protocolValidatorRequiresTimeStamp.GenerateNonce();
PublicOpenIdConnectProtocolValidator protocolValidatorDoesNotRequireTimeStamp =
new PublicOpenIdConnectProtocolValidator
{
RequireTimeStampInNonce = false,
};
PublicOpenIdConnectProtocolValidator protocolValidatorDoesNotRequireNonce =
new PublicOpenIdConnectProtocolValidator
{
RequireNonce = false,
};
string nonceWithoutTimeStamp = protocolValidatorDoesNotRequireTimeStamp.GenerateNonce();
string nonceBadTimeStamp = "abc.abc";
string nonceTicksTooLarge = Int64.MaxValue.ToString() + "." + nonceWithoutTimeStamp;
string nonceTicksTooSmall = Int64.MinValue.ToString() + "." + nonceWithoutTimeStamp;
string nonceTicksNegative = ((Int64)(-1)).ToString() + "." + nonceWithoutTimeStamp;
string nonceTicksZero = ((Int64)(0)).ToString() + "." + nonceWithoutTimeStamp;
JwtSecurityToken jwtWithNonceWithTimeStamp = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceWithTimeStamp)
});
JwtSecurityToken jwtWithNonceWithoutTimeStamp = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceWithoutTimeStamp)
});
JwtSecurityToken jwtWithNonceWithBadTimeStamp = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceBadTimeStamp)
});
JwtSecurityToken jwtWithNonceTicksTooLarge = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceTicksTooLarge)
});
JwtSecurityToken jwtWithNonceTicksTooSmall = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceTicksTooSmall)
});
JwtSecurityToken jwtWithNonceTicksNegative = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceTicksNegative)
});
JwtSecurityToken jwtWithNonceZero = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, nonceTicksZero)
});
JwtSecurityToken jwtWithoutNonce = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.NameId, nonceWithTimeStamp)
});
JwtSecurityToken jwtWithNonceWhitespace = new JwtSecurityToken(claims: new List <Claim> {
new Claim(JwtRegisteredClaimNames.Nonce, "")
});
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
validationContext.Nonce = null;
ValidateNonce(jwt: null, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: ExpectedException.ArgumentNullException());
ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: null, ee: ExpectedException.ArgumentNullException());
// nonce is null, RequireNonce is true.
ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10311:"));
validationContext.Nonce = nonceWithoutTimeStamp;
ValidateNonce(jwt: jwtWithoutNonce, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10322:"));
ValidateNonce(jwt: jwtWithNonceWhitespace, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));
ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));
validationContext.Nonce = nonceWithTimeStamp;
ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// nonce expired
validationContext.Nonce = nonceWithTimeStamp;
protocolValidatorRequiresTimeStamp.NonceLifetime = TimeSpan.FromMilliseconds(10);
Thread.Sleep(100);
ValidateNonce(jwt: jwtWithNonceWithTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException)));
// nonce missing timestamp, validator requires time stamp
// 1. not well formed, no '.'
validationContext.Nonce = nonceWithoutTimeStamp;
protocolValidatorRequiresTimeStamp.NonceLifetime = TimeSpan.FromMinutes(10);
ValidateNonce(jwt: jwtWithNonceWithoutTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10317:"));
// 2. timestamp not well formed
validationContext.Nonce = nonceBadTimeStamp;
ValidateNonce(jwt: jwtWithNonceWithBadTimeStamp, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), innerTypeExpected: typeof(FormatException), substringExpected: "IDX10318:"));
// 3. timestamp not required
validationContext.Nonce = nonceBadTimeStamp;
ValidateNonce(jwt: jwtWithNonceWithBadTimeStamp, protocolValidator: protocolValidatorDoesNotRequireTimeStamp, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// 4. ticks max value
validationContext.Nonce = nonceTicksTooLarge;
ValidateNonce(jwt: jwtWithNonceTicksTooLarge, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), innerTypeExpected: typeof(ArgumentException), substringExpected: "IDX10320:"));
// 5. ticks min value small
validationContext.Nonce = nonceTicksTooSmall;
ValidateNonce(jwt: jwtWithNonceTicksTooSmall, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10318:"));
// 6. ticks negative
validationContext.Nonce = nonceTicksNegative;
ValidateNonce(jwt: jwtWithNonceTicksNegative, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10318:"));
// 7. ticks zero
validationContext.Nonce = nonceTicksZero;
ValidateNonce(jwt: jwtWithNonceZero, protocolValidator: protocolValidatorRequiresTimeStamp, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10318:"));
// require nonce false
validationContext.Nonce = null;
ValidateNonce(jwt: jwtWithNonceWithoutTimeStamp, protocolValidator: protocolValidatorDoesNotRequireNonce, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// validationContext has nonce
validationContext.Nonce = nonceWithTimeStamp;
ValidateNonce(jwt: jwtWithoutNonce, protocolValidator: protocolValidatorDoesNotRequireNonce, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10323:"));
}
public void AuthenticationProtocolMessage_Publics()
{
string value1 = "value1";
string value2 = "value2";
string param1 = "param1";
string param2 = "param2";
AuthenticationProtocolMessage authenticationProtocolMessage = new DerivedAuthenticationProtocolMessage();
ExpectedException expectedException = ExpectedException.ArgumentNullException(substringExpected: "parameter");
try
{
authenticationProtocolMessage.GetParameter(null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
expectedException = ExpectedException.ArgumentNullException(substringExpected: "parameter");
try
{
authenticationProtocolMessage.RemoveParameter(null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
expectedException = ExpectedException.ArgumentNullException(substringExpected: "parameter");
try
{
authenticationProtocolMessage.SetParameter(null, null);
expectedException.ProcessNoException();
}
catch (Exception exception)
{
expectedException.ProcessException(exception);
}
authenticationProtocolMessage.SetParameter(param1, value1);
authenticationProtocolMessage.RemoveParameter(param2);
Assert.AreEqual(authenticationProtocolMessage.GetParameter(param1), value1);
authenticationProtocolMessage.RemoveParameter(param1);
Assert.IsNull(authenticationProtocolMessage.GetParameter(param1));
authenticationProtocolMessage.SetParameter(param1, value1);
authenticationProtocolMessage.SetParameter(param1, value2);
authenticationProtocolMessage.SetParameter(param2, value2);
authenticationProtocolMessage.SetParameter(param2, value1);
Assert.AreEqual(authenticationProtocolMessage.GetParameter(param1), value2);
Assert.AreEqual(authenticationProtocolMessage.GetParameter(param2), value1);
authenticationProtocolMessage = new DerivedAuthenticationProtocolMessage(@"http://www.gotjwt.com");
authenticationProtocolMessage.SetParameter("bob", " ");
string queryString = authenticationProtocolMessage.BuildRedirectUrl();
Assert.IsNotNull(queryString);
Assert.IsTrue(queryString.Contains("bob"));
authenticationProtocolMessage.IssuerAddress = string.Empty;
queryString = authenticationProtocolMessage.BuildRedirectUrl();
Assert.IsNotNull(queryString);
}
