public void Should_Request_And_Use_Claims_Id_Token()
{
rpid = "rp-response_type-id_token+token";
signalg = "RS256";
GetProviderMetadata();
// given
string Nonce = WebOperations.RandomString();
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage) GetAuthResponse(ResponseType.IdToken, Nonce, true, requestClaims);
// then
response.Validate();
Assert.NotNull(response.AccessToken);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
}
public void Should_Reject_Id_Token_With_Wrong_Nonce()
{
rpid = "rp-nonce-invalid";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
// then
rp.ValidateIdToken(idToken, clientInformation, idToken.Iss, "wrong-nonce");
}
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
tokenRequestMessage.GrantType = "authorization_code";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
return response;
}
public void Should_Authenticate_With_Claims_In_Scope_Self_Issued()
{
rpid = "rp-scope-userinfo_claims";
WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.RedirectUris[0];
requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
requestMessage.State = WebOperations.RandomString();
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = rp.Authenticate("openid://", requestMessage, certificate);
OIDCIdToken idToken = response.GetIdToken();
// then
response.Validate();
rp.ValidateIdToken(idToken, clientInformation, idToken.Iss, requestMessage.Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
Assert.IsNotNullOrEmpty(idToken.GivenName);
Assert.IsNotNullOrEmpty(idToken.FamilyName);
Assert.IsNotNullOrEmpty(idToken.Email);
Assert.IsNotNull(idToken.Address);
Assert.IsNotNullOrEmpty(idToken.Address.StreetAddress);
Assert.IsNotNullOrEmpty(idToken.Address.PostalCode);
Assert.IsNotNullOrEmpty(idToken.Address.Locality);
Assert.IsNotNullOrEmpty(idToken.Address.Country);
Assert.IsNotNullOrEmpty(idToken.PhoneNumber);
}
