public void DeprecatedAuthorityTest()
{
const string uriNoPort = "https://login.windows.net/mytenant.com";
const string uriCustomPort = "https://login.windows.net:444/mytenant.com/";
var authority = Authority.CreateAuthority(uriNoPort, false);
Assert.AreEqual("https://login.microsoftonline.com/mytenant.com/", authority.CanonicalAuthority);
authority = Authority.CreateAuthority(uriCustomPort, false);
Assert.AreEqual("https://login.microsoftonline.com:444/mytenant.com/", authority.CanonicalAuthority);
authority = Authority.CreateAuthority("https://login.windows.net/tfp/tenant/policy", false);
Assert.AreEqual("https://login.microsoftonline.com/tfp/tenant/policy/", authority.CanonicalAuthority);
authority = Authority.CreateAuthority("https://login.windows.net:444/tfp/tenant/policy", false);
Assert.AreEqual("https://login.microsoftonline.com:444/tfp/tenant/policy/", authority.CanonicalAuthority);
}
public void OAuthClient_FailsWithServiceExceptionWhenEntireResponseIsNull()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager, _myReceiver);
var authority = Authority.CreateAuthority(serviceBundle, MsalTestConstants.AuthorityHomeTenant, false);
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
Method = HttpMethod.Get,
ResponseMessage = null
});
var parameters = new AuthenticationRequestParameters
{
Authority = authority,
ClientId = MsalTestConstants.ClientId,
Scope = MsalTestConstants.Scope,
TokenCache = null,
RequestContext = new RequestContext(null, new MsalLogger(Guid.NewGuid(), null)),
RedirectUri = new Uri("some://uri"),
};
var ui = new MockWebUI();
var request = new InteractiveRequest(
serviceBundle,
parameters,
ApiEvent.ApiIds.None,
MsalTestConstants.ScopeForAnotherResource.ToArray(),
MsalTestConstants.DisplayableId,
UIBehavior.SelectAccount,
ui);
try
{
request.ExecuteAsync(CancellationToken.None).Wait();
Assert.Fail("MsalException should have been thrown here");
}
catch (Exception exc)
{
var innerException = exc.InnerException as InvalidOperationException;
Assert.IsNotNull(innerException);
}
}
}
public void FailedValidationTest()
{
using (var harness = CreateTestHarness())
{
// add mock response for instance validation
harness.HttpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ExpectedUrl = "https://login.microsoftonline.com/common/discovery/instance",
ExpectedQueryParams = new Dictionary <string, string>
{
{ "api-version", "1.1" },
{
"authorization_endpoint",
"https%3A%2F%2Flogin.microsoft0nline.com%2Fmytenant.com%2Foauth2%2Fv2.0%2Fauthorize"
},
},
ResponseMessage = MockHelpers.CreateFailureMessage(
HttpStatusCode.BadRequest,
"{\"error\":\"invalid_instance\"," + "\"error_description\":\"AADSTS50049: " +
"Unknown or invalid instance. Trace " + "ID: b9d0894d-a9a4-4dba-b38e-8fb6a009bc00 " +
"Correlation ID: 34f7b4cf-4fa2-4f35-a59b" + "-54b6f91a9c94 Timestamp: 2016-08-23 " +
"20:45:49Z\",\"error_codes\":[50049]," + "\"timestamp\":\"2016-08-23 20:45:49Z\"," +
"\"trace_id\":\"b9d0894d-a9a4-4dba-b38e-8f" + "b6a009bc00\",\"correlation_id\":\"34f7b4cf-" +
"4fa2-4f35-a59b-54b6f91a9c94\"}")
});
Authority instance = Authority.CreateAuthority(harness.ServiceBundle, "https://login.microsoft0nline.com/mytenant.com", true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityInfo.AuthorityType, AuthorityType.Aad);
try
{
var resolver = new AuthorityEndpointResolutionManager(harness.ServiceBundle);
var endpoints = resolver.ResolveEndpointsAsync(
instance.AuthorityInfo,
null,
new RequestContext(harness.ServiceBundle, Guid.NewGuid()))
.ConfigureAwait(false).GetAwaiter().GetResult();
Assert.Fail("validation should have failed here");
}
catch (Exception exc)
{
Assert.IsTrue(exc is MsalServiceException);
Assert.AreEqual(((MsalServiceException)exc).ErrorCode, "invalid_instance");
}
}
}
public void SilentRefreshFailedNoCacheItemFoundTest()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager);
var aadInstanceDiscovery = new AadInstanceDiscovery(httpManager, new TelemetryManager());
var authority = Authority.CreateAuthority(serviceBundle, MsalTestConstants.AuthorityHomeTenant, false);
_cache = new TokenCache()
{
ClientId = MsalTestConstants.ClientId,
ServiceBundle = serviceBundle
};
httpManager.AddInstanceDiscoveryMockHandler();
var parameters = new AuthenticationRequestParameters()
{
Authority = authority,
ClientId = MsalTestConstants.ClientId,
Scope = ScopeHelper.CreateSortedSetFromEnumerable(
new[]
{
"some-scope1",
"some-scope2"
}),
TokenCache = _cache,
Account = new Account(MsalTestConstants.UserIdentifier, MsalTestConstants.DisplayableId, null),
RequestContext = new RequestContext(null, new MsalLogger(Guid.NewGuid(), null))
};
var crypto = PlatformProxyFactory.GetPlatformProxy().CryptographyManager;
var telemetryManager = new TelemetryManager();
try
{
var request = new SilentRequest(serviceBundle, parameters, ApiEvent.ApiIds.None, false);
Task <AuthenticationResult> task = request.RunAsync(CancellationToken.None);
var authenticationResult = task.Result;
Assert.Fail("MsalUiRequiredException should be thrown here");
}
catch (AggregateException ae)
{
var exc = ae.InnerException as MsalUiRequiredException;
Assert.IsNotNull(exc, "Actual exception type is " + ae.InnerException.GetType());
Assert.AreEqual(MsalUiRequiredException.NoTokensFoundError, exc.ErrorCode);
}
}
}
public async Task ForceRefreshParameterTrueTestAsync()
{
var cache = new TokenCache();
TokenCacheHelper.PopulateCache(cache.TokenCacheAccessor);
var authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false).CanonicalAuthority;
var app = new ConfidentialClientApplication(TestConstants.ClientId, authority,
TestConstants.RedirectUri, new ClientCredential(TestConstants.ClientSecret),
null, cache)
{
ValidateAuthority = false
};
//add mock response for tenant endpoint discovery
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
ResponseMessage = MockHelpers.CreateOpenIdConfigurationResponse(app.Authority)
});
//add mock response for successful token retrival
const string tokenRetrievedFromNetCall = "token retrieved from network call";
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Post,
ResponseMessage =
MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage(tokenRetrievedFromNetCall)
});
var result = await app.AcquireTokenForClientAsync(TestConstants.Scope, true);
Assert.AreEqual(tokenRetrievedFromNetCall, result.AccessToken);
// make sure token in Cache was updated
var accessTokens = cache.GetAllAccessTokensForClient(new RequestContext(Guid.NewGuid(), null));
var accessTokenInCache = accessTokens.Where(
item =>
item.ScopeSet.ScopeContains(TestConstants.Scope))
.ToList()
.FirstOrDefault();
Assert.AreEqual(tokenRetrievedFromNetCall, accessTokenInCache?.AccessToken);
Assert.IsNotNull(_myReceiver.EventsReceived.Find(anEvent => // Expect finding such an event
anEvent[EventBase.EventNameKey].EndsWith("api_event") && anEvent[ApiEvent.WasSuccessfulKey] == "true" &&
anEvent[ApiEvent.ApiIdKey] == "727"));
}
public void FailedValidationTest()
{
//add mock response for instance validation
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://login.microsoftonline.com/common/discovery/instance",
QueryParams = new Dictionary <string, string>
{
{ "api-version", "1.0" },
{ "authorization_endpoint", "https%3A%2F%2Flogin.microsoft0nline.com%2Fmytenant.com%2Foauth2%2Fv2.0%2Fauthorize" },
},
ResponseMessage =
MockHelpers.CreateFailureMessage(HttpStatusCode.BadRequest, "{\"error\":\"invalid_instance\"," +
"\"error_description\":\"AADSTS50049: " +
"Unknown or invalid instance. Trace " +
"ID: b9d0894d-a9a4-4dba-b38e-8fb6a009bc00 " +
"Correlation ID: 34f7b4cf-4fa2-4f35-a59b" +
"-54b6f91a9c94 Timestamp: 2016-08-23 " +
"20:45:49Z\",\"error_codes\":[50049]," +
"\"timestamp\":\"2016-08-23 20:45:49Z\"," +
"\"trace_id\":\"b9d0894d-a9a4-4dba-b38e-8f" +
"b6a009bc00\",\"correlation_id\":\"34f7b4cf-" +
"4fa2-4f35-a59b-54b6f91a9c94\"}")
});
Authority instance = Authority.CreateAuthority("https://login.microsoft0nline.com/mytenant.com", true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.Aad);
try
{
Task.Run(async() =>
{
await instance.ResolveEndpointsAsync(null, new RequestContext(Guid.NewGuid(), null));
})
.GetAwaiter()
.GetResult();
Assert.Fail("validation should have failed here");
}
catch (Exception exc)
{
Assert.IsNotNull(exc is MsalServiceException);
Assert.AreEqual(((MsalServiceException)exc).ErrorCode, "invalid_instance");
}
Assert.AreEqual(0, HttpMessageHandlerFactory.MockCount);
}
public void FailedValidationResourceNotInTrustedRealmTest()
{
//add mock response for on-premise DRS request
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://enterpriseregistration.fabrikam.com/enrollmentserver/contract",
QueryParams = new Dictionary <string, string>
{
{ "api-version", "1.0" }
},
ResponseMessage = MockHelpers.CreateSuccessResponseMessage(File.ReadAllText("drs-response.json"))
});
//add mock response for on-premise webfinger request
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://fs.fabrikam.com/adfs/.well-known/webfinger",
QueryParams = new Dictionary <string, string>
{
{ "resource", "https://fs.contoso.com" },
{ "rel", "http://schemas.microsoft.com/rel/trusted-realm" }
},
ResponseMessage = MockHelpers.CreateSuccessWebFingerResponseMessage("https://fs.some-other-sts.com")
});
Authority instance = Authority.CreateAuthority(TestConstants.OnPremiseAuthority, true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.Adfs);
try
{
Task.Run(async() =>
{
await instance.ResolveEndpointsAsync(TestConstants.FabrikamDisplayableId, new RequestContext(Guid.NewGuid(), null));
}).GetAwaiter().GetResult();
Assert.Fail("ResolveEndpointsAsync should have failed here");
}
catch (Exception exc)
{
Assert.IsNotNull(exc);
}
Assert.AreEqual(0, HttpMessageHandlerFactory.MockCount);
}
public void ExpiredTokenRefreshFlowTest()
{
Authority authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false);
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
TokenCacheHelper.PopulateCache(cache.TokenCacheAccessor);
AuthenticationRequestParameters parameters = new AuthenticationRequestParameters()
{
Authority = authority,
ClientId = TestConstants.ClientId,
Scope = new[] { "some-scope1", "some-scope2" }.CreateSetFromEnumerable(),
TokenCache = cache,
RequestContext = new RequestContext(Guid.Empty, null),
User = new User()
{
Identifier = TestConstants.UserIdentifier,
DisplayableId = TestConstants.DisplayableId
}
};
//add mock response for tenant endpoint discovery
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
ResponseMessage = MockHelpers.CreateOpenIdConfigurationResponse(TestConstants.AuthorityHomeTenant)
});
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler()
{
Method = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessTokenResponseMessage()
});
SilentRequest request = new SilentRequest(parameters, false);
Task <AuthenticationResult> task = request.RunAsync();
AuthenticationResult result = task.Result;
Assert.IsNotNull(result);
Assert.AreEqual("some-access-token", result.AccessToken);
Assert.AreEqual("some-scope1 some-scope2", result.Scopes.AsSingleString());
Assert.IsTrue(HttpMessageHandlerFactory.IsMocksQueueEmpty, "All mocks should have been consumed");
}
public static Authority CreateAuthorityFromUrl(string uri)
{
var httpManager = new MockHttpManager();
var appConfig = new ApplicationConfiguration()
{
HttpManager = httpManager,
AuthorityInfo = AuthorityInfo.FromAuthorityUri(uri, false)
};
var serviceBundle = ServiceBundle.Create(appConfig);
Authority authority = Authority.CreateAuthority(
serviceBundle,
uri);
return(authority);
}
public void SaveAccessAndRefreshTokenWithLessScopesTest()
{
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
TokenResponse response = new TokenResponse();
response.IdToken = MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId);
response.ClientInfo = MockHelpers.CreateClientInfo();
response.AccessToken = "access-token";
response.ExpiresIn = 3599;
response.CorrelationId = "correlation-id";
response.RefreshToken = "refresh-token";
response.Scope = TestConstants.Scope.AsSingleString();
response.TokenType = "Bearer";
RequestContext requestContext = new RequestContext(Guid.NewGuid(), null);
AuthenticationRequestParameters requestParams = new AuthenticationRequestParameters()
{
RequestContext = requestContext,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false),
ClientId = TestConstants.ClientId,
TenantUpdatedCanonicalAuthority = TestConstants.AuthorityHomeTenant
};
cache.SaveAccessAndRefreshToken(requestParams, response);
response = new TokenResponse();
response.IdToken = MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId);
response.ClientInfo = MockHelpers.CreateClientInfo();
response.AccessToken = "access-token-2";
response.ExpiresIn = 3599;
response.CorrelationId = "correlation-id";
response.RefreshToken = "refresh-token-2";
response.Scope = TestConstants.Scope.First();
response.TokenType = "Bearer";
cache.SaveAccessAndRefreshToken(requestParams, response);
Assert.AreEqual(1, cache.TokenCacheAccessor.RefreshTokenCacheDictionary.Count);
Assert.AreEqual(1, cache.TokenCacheAccessor.AccessTokenCacheDictionary.Count);
Assert.AreEqual("refresh-token-2", cache.GetAllRefreshTokensForClient(requestContext).First().RefreshToken);
Assert.AreEqual("access-token-2", cache.GetAllAccessTokensForClient(requestContext).First().AccessToken);
}
public void NotEnoughPathSegmentsTest()
{
try
{
var serviceBundle = TestCommon.CreateDefaultServiceBundle();
var instance = Authority.CreateAuthority("https://login.microsoftonline.in/tfp/");
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityInfo.AuthorityType, AuthorityType.B2C);
Assert.Fail("test should have failed");
}
catch (Exception exc)
{
Assert.IsInstanceOfType(exc, typeof(ArgumentException));
Assert.AreEqual(MsalErrorMessage.B2cAuthorityUriInvalidPath, exc.Message);
}
}
public void GetRefreshTokenTest()
{
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
RefreshTokenCacheItem rtItem = new RefreshTokenCacheItem()
{
Environment = TestConstants.ProductionEnvironment,
ClientId = TestConstants.ClientId,
RefreshToken = "someRT",
RawClientInfo = MockHelpers.CreateClientInfo(),
DisplayableId = TestConstants.DisplayableId,
IdentityProvider = TestConstants.IdentityProvider,
Name = TestConstants.Name
};
rtItem.ClientInfo = ClientInfo.CreateFromJson(rtItem.RawClientInfo);
RefreshTokenCacheKey rtKey = rtItem.GetRefreshTokenItemKey();
cache.TokenCacheAccessor.RefreshTokenCacheDictionary[rtKey.ToString()] = JsonHelper.SerializeToJson(rtItem);
var authParams = new AuthenticationRequestParameters()
{
RequestContext = new RequestContext(Guid.Empty, null),
ClientId = TestConstants.ClientId,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false),
Scope = TestConstants.Scope,
User = TestConstants.User
};
Assert.IsNotNull(cache.FindRefreshToken(authParams));
// RT is stored by environment, client id and userIdentifier as index.
// any change to authority (within same environment), uniqueid and displyableid will not
// change the outcome of cache look up.
Assert.IsNotNull(cache.FindRefreshToken(new AuthenticationRequestParameters()
{
RequestContext = new RequestContext(Guid.Empty, null),
ClientId = TestConstants.ClientId,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant + "more", false),
Scope = TestConstants.Scope,
User = TestConstants.User
}));
}
public void GetIntersectedScopesMatchedAccessTokenTest()
{
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
AccessTokenCacheItem atItem = new AccessTokenCacheItem()
{
Authority = TestConstants.AuthorityHomeTenant,
ClientId = TestConstants.ClientId,
TokenType = "Bearer",
ScopeSet = TestConstants.Scope,
ExpiresOnUnixTimestamp = MsalHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow + TimeSpan.FromHours(1)),
RawIdToken = MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId)
};
// create key out of access token cache item and then
// set it as the value of the access token.
AccessTokenCacheKey atKey = atItem.GetAccessTokenItemKey();
atItem.AccessToken = atKey.ToString();
cache.TokenCacheAccessor.AccessTokenCacheDictionary[atKey.ToString()] = JsonHelper.SerializeToJson(atItem);
var param = new AuthenticationRequestParameters()
{
RequestContext = new RequestContext(Guid.Empty, null),
ClientId = TestConstants.ClientId,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false),
Scope = new SortedSet <string>(),
User =
new User()
{
DisplayableId = TestConstants.DisplayableId,
Identifier = TestConstants.UserIdentifier
}
};
param.Scope.Add(TestConstants.Scope.First());
param.Scope.Add("non-existant-scopes");
AccessTokenCacheItem item = cache.FindAccessToken(param);
//intersected scopes are not returned.
Assert.IsNull(item);
}
public void ConstructorTests()
{
Authority authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false);
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
AuthenticationRequestParameters parameters = new AuthenticationRequestParameters()
{
Authority = authority,
ClientId = TestConstants.ClientId,
Scope = TestConstants.Scope,
TokenCache = cache,
RequestContext = new RequestContext(Guid.Empty, null)
};
parameters.User = null;
try
{
new SilentRequest(parameters, false);
Assert.Fail("MsalUiRequiredException should have been thrown here");
}
catch (MsalUiRequiredException exc)
{
Assert.AreEqual(exc.ErrorCode, MsalUiRequiredException.UserNullError);
}
parameters.User = new User()
{
DisplayableId = TestConstants.DisplayableId
};
SilentRequest request = new SilentRequest(parameters, false);
Assert.IsNotNull(request);
parameters.User = new User()
{
};
request = new SilentRequest(parameters, false);
Assert.IsNotNull(request);
request = new SilentRequest(parameters, false);
Assert.IsNotNull(request);
}
public void B2CLoginAuthorityCreateAuthority()
{
using (var httpManager = new MockHttpManager())
{
var appConfig = new ApplicationConfiguration()
{
HttpManager = httpManager,
AuthorityInfo = AuthorityInfo.FromAuthorityUri(TestConstants.B2CLoginAuthority, false)
};
var serviceBundle = ServiceBundle.Create(appConfig);
// add mock response for tenant endpoint discovery
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ExpectedUrl = "https://sometenantid.b2clogin.com/tfp/sometenantid/policy/v2.0/.well-known/openid-configuration",
ResponseMessage = MockHelpers.CreateSuccessResponseMessage(
File.ReadAllText(ResourceHelper.GetTestResourceRelativePath("OpenidConfiguration-B2CLogin.json")))
});
Authority instance = Authority.CreateAuthority(
serviceBundle,
TestConstants.B2CLoginAuthority);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityInfo.AuthorityType, AuthorityType.B2C);
var resolver = new AuthorityEndpointResolutionManager(serviceBundle);
var endpoints = resolver.ResolveEndpointsAsync(
instance.AuthorityInfo,
null,
new RequestContext(serviceBundle, Guid.NewGuid()))
.GetAwaiter().GetResult();
Assert.AreEqual(
"https://sometenantid.b2clogin.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/policy/oauth2/v2.0/authorize",
endpoints.AuthorizationEndpoint);
Assert.AreEqual(
"https://sometenantid.b2clogin.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/policy/oauth2/v2.0/token",
endpoints.TokenEndpoint);
Assert.AreEqual("https://sometenantid.b2clogin.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/v2.0/", endpoints.SelfSignedJwtAudience);
}
}
public void CreateEndpointsWithCommonTenantTest()
{
using (var harness = CreateTestHarness())
{
Authority instance = Authority.CreateAuthority("https://login.microsoftonline.com/common");
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityInfo.AuthorityType, AuthorityType.Aad);
var resolver = new AuthorityResolutionManager();
var endpoints = resolver.ResolveEndpoints(
instance,
null,
new RequestContext(harness.ServiceBundle, Guid.NewGuid()));
Assert.AreEqual("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", endpoints.AuthorizationEndpoint);
Assert.AreEqual("https://login.microsoftonline.com/common/oauth2/v2.0/token", endpoints.TokenEndpoint);
Assert.AreEqual("https://login.microsoftonline.com/common/oauth2/v2.0/token", endpoints.SelfSignedJwtAudience);
}
}
public void GetSubsetScopesMatchedAccessTokenTest()
{
TokenCache cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
AccessTokenCacheItem atItem = new AccessTokenCacheItem()
{
Authority = TestConstants.AuthorityHomeTenant,
ClientId = TestConstants.ClientId,
TokenType = "Bearer",
ScopeSet = TestConstants.Scope,
Scope = TestConstants.Scope.AsSingleString(),
ExpiresOnUnixTimestamp = MsalHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow + TimeSpan.FromHours(1)),
RawIdToken = MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId),
RawClientInfo = MockHelpers.CreateClientInfo(),
};
atItem.IdToken = IdToken.Parse(atItem.RawIdToken);
atItem.ClientInfo = ClientInfo.CreateFromJson(atItem.RawClientInfo);
// create key out of access token cache item and then
// set it as the value of the access token.
AccessTokenCacheKey atKey = atItem.GetAccessTokenItemKey();
atItem.AccessToken = atKey.ToString();
cache.TokenCacheAccessor.AccessTokenCacheDictionary[atKey.ToString()] = JsonHelper.SerializeToJson(atItem);
var param = new AuthenticationRequestParameters()
{
RequestContext = new RequestContext(Guid.Empty, null),
ClientId = TestConstants.ClientId,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false),
Scope = new SortedSet <string>(),
User = TestConstants.User
};
param.Scope.Add("r1/scope1");
AccessTokenCacheItem item = cache.FindAccessToken(param);
Assert.IsNotNull(item);
Assert.AreEqual(atKey.ToString(), item.AccessToken);
}
public void SuccessfulValidationTest()
{
//add mock response for instance validation
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://login.microsoftonline.com/common/discovery/instance",
QueryParams = new Dictionary <string, string>
{
{ "api-version", "1.0" },
{ "authorization_endpoint", "https%3A%2F%2Flogin.microsoftonline.in%2Fmytenant.com%2Foauth2%2Fv2.0%2Fauthorize" },
},
ResponseMessage = MockHelpers.CreateSuccessResponseMessage(
"{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.in/mytenant.com/.well-known/openid-configuration\"}")
});
//add mock response for tenant endpoint discovery
HttpMessageHandlerFactory.AddMockHandler(new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://login.microsoftonline.in/mytenant.com/.well-known/openid-configuration",
ResponseMessage = MockHelpers.CreateSuccessResponseMessage(File.ReadAllText("OpenidConfiguration.json"))
});
Authority instance = Authority.CreateAuthority("https://login.microsoftonline.in/mytenant.com", true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.Aad);
Task.Run(async() =>
{
await instance.ResolveEndpointsAsync(null, new RequestContext(Guid.NewGuid(), null)).ConfigureAwait(false);
})
.GetAwaiter()
.GetResult();
Assert.AreEqual("https://login.microsoftonline.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/oauth2/v2.0/authorize",
instance.AuthorizationEndpoint);
Assert.AreEqual("https://login.microsoftonline.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/oauth2/v2.0/token",
instance.TokenEndpoint);
Assert.AreEqual("https://sts.windows.net/6babcaad-604b-40ac-a9d7-9fd97c0b779f/",
instance.SelfSignedJwtAudience);
Assert.AreEqual(0, HttpMessageHandlerFactory.MockCount);
}
public async Task ConfidentialClientWithRSACertificateTestAsync()
{
AuthenticationResult authResult;
IConfidentialClientApplication confidentialApp;
X509Certificate2 cert = GetCertificate(true);
confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.WithAuthority(PublicCloudTestAuthority)
.WithCertificate(cert)
.Build();
var appCacheRecorder = confidentialApp.AppTokenCache.RecordAccess();
authResult = await confidentialApp
.AcquireTokenForClient(s_keyvaultScope)
.WithAuthority(PublicCloudTestAuthority, true)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult);
appCacheRecorder.AssertAccessCounts(1, 1);
Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
Assert.IsTrue(appCacheRecorder.LastAfterAccessNotificationArgs.IsApplicationCache);
Assert.AreEqual(
GetExpectedCacheKey(PublicCloudConfidentialClientID, Authority.CreateAuthority(PublicCloudTestAuthority, false).TenantId),
appCacheRecorder.LastAfterAccessNotificationArgs.SuggestedCacheKey);
// Call again to ensure token cache is hit
authResult = await confidentialApp
.AcquireTokenForClient(s_keyvaultScope)
.WithAuthority(PublicCloudTestAuthority, true)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult);
appCacheRecorder.AssertAccessCounts(2, 1);
Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
Assert.IsTrue(appCacheRecorder.LastAfterAccessNotificationArgs.IsApplicationCache);
Assert.AreEqual(
GetExpectedCacheKey(PublicCloudConfidentialClientID, Authority.CreateAuthority(PublicCloudTestAuthority, false).TenantId),
appCacheRecorder.LastAfterAccessNotificationArgs.SuggestedCacheKey);
}
public async Task RunTestWithClientSecretAsync(
string clientID,
string confidentialClientAuthority,
string secret)
{
var confidentialApp = ConfidentialClientApplicationBuilder
.Create(clientID)
.WithClientSecret(secret)
.WithAuthority(confidentialClientAuthority)
.WithTestLogging()
.Build();
var appCacheRecorder = confidentialApp.AppTokenCache.RecordAccess();
var authResult = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithAuthority(confidentialClientAuthority)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult);
appCacheRecorder.AssertAccessCounts(1, 1);
Assert.AreEqual(TokenSource.IdentityProvider, authResult.AuthenticationResultMetadata.TokenSource);
Assert.IsTrue(appCacheRecorder.LastAfterAccessNotificationArgs.IsApplicationCache);
Assert.AreEqual(
GetExpectedCacheKey(clientID, Authority.CreateAuthority(confidentialClientAuthority, false).TenantId),
appCacheRecorder.LastAfterAccessNotificationArgs.SuggestedCacheKey);
// Call again to ensure token cache is hit
authResult = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithAuthority(confidentialClientAuthority)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
MsalAssert.AssertAuthResult(authResult);
appCacheRecorder.AssertAccessCounts(2, 1);
Assert.AreEqual(TokenSource.Cache, authResult.AuthenticationResultMetadata.TokenSource);
Assert.AreEqual(
GetExpectedCacheKey(clientID, Authority.CreateAuthority(confidentialClientAuthority, false).TenantId),
appCacheRecorder.LastAfterAccessNotificationArgs.SuggestedCacheKey);
Assert.IsTrue(appCacheRecorder.LastAfterAccessNotificationArgs.IsApplicationCache);
}
public void DuplicateQueryParameterErrorTest()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager, _myReceiver);
var authority = Authority.CreateAuthority(serviceBundle, MsalTestConstants.AuthorityHomeTenant, false);
var parameters = new AuthenticationRequestParameters
{
Authority = authority,
ClientId = MsalTestConstants.ClientId,
Scope = MsalTestConstants.Scope,
TokenCache = null,
RequestContext = new RequestContext(null, new MsalLogger(Guid.NewGuid(), null)),
RedirectUri = new Uri("some://uri"),
ExtraQueryParameters = "extra=qp&prompt=login"
};
MockInstanceDiscoveryAndOpenIdRequest(httpManager);
var request = new InteractiveRequest(
serviceBundle,
parameters,
ApiEvent.ApiIds.None,
MsalTestConstants.ScopeForAnotherResource.ToArray(),
null,
UIBehavior.ForceLogin,
new MockWebUI());
try
{
request.ExecuteAsync(CancellationToken.None).Wait();
Assert.Fail("MsalException should be thrown here");
}
catch (Exception exc)
{
Assert.IsTrue(exc.InnerException is MsalException);
Assert.AreEqual(
MsalClientException.DuplicateQueryParameterError,
((MsalException)exc.InnerException).ErrorCode);
}
}
}
public void NotEnoughPathSegmentsTest()
{
try
{
Authority instance = Authority.CreateAuthority("https://login.microsoftonline.in/tfp/", false);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.B2C);
Task
.Run(
async() => { await instance.ResolveEndpointsAsync(null, new RequestContext(Guid.NewGuid(), null)).ConfigureAwait(false); })
.GetAwaiter()
.GetResult();
Assert.Fail("test should have failed");
}
catch (Exception exc)
{
Assert.IsInstanceOfType(exc, typeof(ArgumentException));
Assert.AreEqual(MsalErrorMessage.B2cAuthorityUriInvalidPath, exc.Message);
}
}
private AuthenticationRequestParameters CreateAuthenticationRequestParameters(
IServiceBundle serviceBundle,
Authority authority = null,
SortedSet <string> scopes = null,
RequestContext requestContext = null)
{
var commonParameters = new AcquireTokenCommonParameters
{
Scopes = scopes ?? TestConstants.s_scope,
};
return(new AuthenticationRequestParameters(
serviceBundle,
new TokenCache(serviceBundle),
commonParameters,
requestContext ?? new RequestContext(serviceBundle, Guid.NewGuid()))
{
Authority = authority ?? Authority.CreateAuthority(serviceBundle, TestConstants.AuthorityTestTenant)
});
}
public void CanonicalAuthorityInitTest()
{
const string uriNoPort = "https://login.microsoftonline.in/mytenant.com";
const string uriNoPortTailSlash = "https://login.microsoftonline.in/mytenant.com/";
const string uriDefaultPort = "https://login.microsoftonline.in:443/mytenant.com";
const string uriCustomPort = "https://login.microsoftonline.in:444/mytenant.com";
const string uriCustomPortTailSlash = "https://login.microsoftonline.in:444/mytenant.com/";
var authority = Authority.CreateAuthority(uriNoPort, false);
Assert.AreEqual(uriNoPortTailSlash, authority.CanonicalAuthority);
authority = Authority.CreateAuthority(uriDefaultPort, false);
Assert.AreEqual(uriNoPortTailSlash, authority.CanonicalAuthority);
authority = Authority.CreateAuthority(uriCustomPort, false);
Assert.AreEqual(uriCustomPortTailSlash, authority.CanonicalAuthority);
}
private AuthenticationRequestParameters CreateAuthenticationRequestParameters(
IServiceBundle serviceBundle,
Authority authority = null,
SortedSet <string> scopes = null,
RequestContext requestContext = null)
{
var commonParameters = new AcquireTokenCommonParameters
{
Scopes = scopes ?? MsalTestConstants.Scope,
};
return(new AuthenticationRequestParameters(
serviceBundle,
null,
commonParameters,
requestContext ?? RequestContext.CreateForTest(serviceBundle))
{
Authority = authority ?? Authority.CreateAuthority(serviceBundle, MsalTestConstants.AuthorityTestTenant)
});
}
public AuthenticationRequestParameters CreateAuthenticationRequestParameters(
string authority,
IEnumerable <string> scopes = null,
ITokenCacheInternal tokenCache = null,
IAccount account = null,
IDictionary <string, string> extraQueryParameters = null,
string claims = null,
ApiEvent.ApiIds apiId = ApiEvent.ApiIds.None,
bool validateAuthority = false)
{
scopes = scopes ?? TestConstants.s_scope;
tokenCache = tokenCache ?? new TokenCache(ServiceBundle, false);
var commonParameters = new AcquireTokenCommonParameters
{
Scopes = scopes ?? TestConstants.s_scope,
ExtraQueryParameters = extraQueryParameters ?? new Dictionary <string, string>(),
Claims = claims,
ApiId = apiId
};
var authorityObj = Authority.CreateAuthority(authority, validateAuthority);
var requestContext = new RequestContext(ServiceBundle, Guid.NewGuid());
AuthenticationRequestParameters authenticationRequestParameters =
new AuthenticationRequestParameters(
ServiceBundle,
tokenCache,
commonParameters,
requestContext,
authorityObj)
{
Account = account,
};
authenticationRequestParameters.RequestContext.ApiEvent = new ApiEvent(
authenticationRequestParameters.RequestContext.Logger,
ServiceBundle.PlatformProxy.CryptographyManager,
Guid.NewGuid().AsMatsCorrelationId());
return(authenticationRequestParameters);
}
public void TestPluginSelection()
{
var ex = AssertException.Throws <MsalClientException>(
() => _wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.B2CAuthority), null, false).GetAwaiter().GetResult());
Assert.AreEqual(MsalError.WamNoB2C, ex.ErrorCode);
Assert.IsFalse(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.ADFSAuthority), null, false).Result,
"ADFS authorities should be handled by AAD plugin");
Assert.IsTrue(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityCommonTenant), TestConstants.MsaTenantId, false).Result,
"Common authority - look at account tenant ID to determine plugin");
Assert.IsFalse(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityCommonTenant), TestConstants.TenantId, false).Result,
"Common authority - look at account tenant ID to determine plugin");
Assert.IsFalse(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityOrganizationsTenant), TestConstants.TenantId, false).Result,
"Organizations authority - AAD plugin unless MSA-pt");
Assert.IsFalse(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityOrganizationsTenant), TestConstants.TenantId, true).Result,
"Organizations authority with MSA-pt - based on home account id");
Assert.IsTrue(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityOrganizationsTenant), TestConstants.MsaTenantId, true).Result,
"Organizations authority with MSA-pt - based on home account id");
Assert.IsTrue(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityConsumersTenant), TestConstants.TenantId, false).Result,
"Consumer authority - msa plugin");
Assert.IsFalse(
_wamBroker.IsMsaRequestAsync(Authority.CreateAuthority(TestConstants.AuthorityGuidTenant), TestConstants.TenantId, true).Result,
"Tenanted authorities - AAD plugin");
}
public void FailedValidationMissingFieldsInDrsResponseTest()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager);
//add mock failure response for on-premise DRS request
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://enterpriseregistration.fabrikam.com/enrollmentserver/contract",
QueryParams = new Dictionary <string, string>
{
{ "api-version", "1.0" }
},
ResponseMessage =
MockHelpers.CreateSuccessResponseMessage(
ResourceHelper.GetTestResourceRelativePath(File.ReadAllText("drs-response-missing-field.json")))
});
Authority instance = Authority.CreateAuthority(serviceBundle, CoreTestConstants.OnPremiseAuthority, true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.Adfs);
try
{
Task.Run(
async() =>
{
await instance.ResolveEndpointsAsync(
CoreTestConstants.FabrikamDisplayableId,
new RequestContext(null, new MsalLogger(Guid.NewGuid(), null))).ConfigureAwait(false);
}).GetAwaiter().GetResult();
Assert.Fail("ResolveEndpointsAsync should have failed here");
}
catch (Exception exc)
{
Assert.IsNotNull(exc);
}
}
}
public void FailedValidationMissingFieldsTest()
{
using (var httpManager = new MockHttpManager())
{
var serviceBundle = ServiceBundle.CreateWithCustomHttpManager(httpManager);
//add mock response for instance validation
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
Method = HttpMethod.Get,
Url = "https://login.windows.net/common/discovery/instance",
QueryParams = new Dictionary <string, string>
{
{ "api-version", "1.0" },
{ "authorization_endpoint", "https://login.microsoft0nline.com/mytenant.com/oauth2/v2.0/authorize" },
},
ResponseMessage = MockHelpers.CreateSuccessResponseMessage("{}")
});
var aadInstanceDiscovery = new AadInstanceDiscovery(httpManager, new TelemetryManager());
Authority instance = Authority.CreateAuthority(serviceBundle, "https://login.microsoft0nline.com/mytenant.com", true);
Assert.IsNotNull(instance);
Assert.AreEqual(instance.AuthorityType, AuthorityType.Aad);
try
{
Task.Run(
async() =>
{
await instance.ResolveEndpointsAsync(
null,
new RequestContext(null, new MsalLogger(Guid.NewGuid(), null))).ConfigureAwait(false);
}).GetAwaiter().GetResult();
Assert.Fail("validation should have failed here");
}
catch (Exception exc)
{
Assert.IsNotNull(exc);
}
}
}
public void GetExpiredAccessTokenTest()
{
cache = new TokenCache()
{
ClientId = TestConstants.ClientId
};
AccessTokenCacheItem item = new AccessTokenCacheItem()
{
Authority = TestConstants.AuthorityHomeTenant,
ClientId = TestConstants.ClientId,
TokenType = "Bearer",
ExpiresOnUnixTimestamp = MsalHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow),
RawIdToken = MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId),
RawClientInfo = MockHelpers.CreateClientInfo(),
ScopeSet = TestConstants.Scope
};
item.IdToken = IdToken.Parse(item.RawIdToken);
item.ClientInfo = ClientInfo.CreateFromJson(item.RawClientInfo);
item.AccessToken = item.GetAccessTokenItemKey().ToString();
cache.TokenCacheAccessor.AccessTokenCacheDictionary[item.GetAccessTokenItemKey().ToString()] =
JsonHelper.SerializeToJson(item);
cache.TokenCacheAccessor.AccessTokenCacheDictionary[item.GetAccessTokenItemKey().ToString()] =
JsonHelper.SerializeToJson(item);
Assert.IsNull(cache.FindAccessToken(new AuthenticationRequestParameters()
{
RequestContext = new RequestContext(Guid.Empty, null),
ClientId = TestConstants.ClientId,
Authority = Authority.CreateAuthority(TestConstants.AuthorityHomeTenant, false),
Scope = TestConstants.Scope,
User =
new User()
{
DisplayableId = TestConstants.DisplayableId,
Identifier = TestConstants.UserIdentifier
}
}));
}
