public void When_Passing_Null_Parameters_To_ClientSecretPost_Then_Exceptions_Are_Thrown()
{
// ARRANGE
InitializeFakeObjects();
// ACT & ASSERT
Assert.Throws <ArgumentNullException>(() => _clientAuthSelector.UseClientSecretPostAuth(null, null));
Assert.Throws <ArgumentNullException>(() => _clientAuthSelector.UseClientSecretPostAuth("client_id", null));
}
public async Task When_Using_ClientCredentials_Grant_Type_Then_AccessToken_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("resource_server", "resource_server")
.UseClientCredentials("uma_protection", "uma_authorization")
.ResolveAsync(baseUrl + "/.well-known/uma2-configuration");
// ASSERTS
Assert.NotNull(result);
Assert.NotEmpty(result.AccessToken);
}
public async Task When_Revoke_Token_And_Client_Cannot_Be_Authenticated_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var ex = await _clientAuthSelector.UseClientSecretPostAuth("invalid_client", "invalid_client")
.RevokeToken("access_token", TokenType.AccessToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// ASSERT
Assert.True(ex.ContainsError);
Assert.Equal((string)"invalid_client", (string)ex.Error.Error);
Assert.Equal((string)"the client doesn't exist", (string)ex.Error.ErrorDescription);
}
public async Task When_Using_ClientCredentials_Grant_Type_Then_AccessToken_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("openid")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// var claims = await _userInfoClient.Resolve(baseUrl + "/.well-known/openid-configuration", result.AccessToken);
// ASSERTS
Assert.NotNull(result);
Assert.NotEmpty(result.AccessToken);
}
public async Task When_Ticket_Id_Doesnt_Exist_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var token = await _clientAuthSelector.UseClientSecretPostAuth("resource_server", "resource_server") // Try to get the access token via "ticket_id" grant-type.
.UseTicketId("ticket_id", "")
.ResolveAsync(baseUrl + "/.well-known/uma2-configuration");
// ASSERT
Assert.NotNull(token);
Assert.True(token.ContainsError);
Assert.Equal("invalid_ticket", token.Error.Error);
Assert.Equal("the ticket ticket_id doesn't exist", token.Error.ErrorDescription);
}
public async Task When_Pass_Client_Access_Token_To_UserInfo_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("openid")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var getUserInfoResult = await _userInfoClient.Resolve(baseUrl + "/.well-known/openid-configuration", result.Content.AccessToken);
// ASSERTS
Assert.NotNull(getUserInfoResult);
Assert.True(getUserInfoResult.ContainsError);
Assert.Equal("invalid_token", getUserInfoResult.Error.Error);
Assert.Equal("not a valid resource owner token", getUserInfoResult.Error.ErrorDescription);
}
public async Task When_Introspecting_IdToken_Then_Information_Are_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UsePassword("administrator", "password", "scim")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var introspection = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.Introspect(result.IdToken, TokenType.AccessToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// ASSERT
Assert.NotNull(introspection);
Assert.NotNull(introspection.Scope);
Assert.True(introspection.Scope.Count() == 1 && introspection.Scope.First() == "scim");
}
public async Task When_Get_Filter_And_Doesnt_Exist_Then_Not_Found_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
_server.SharedCtx.Oauth2IntrospectionHttpClientFactory.Setup(h => h.GetHttpClient()).Returns(_server.Client);
var grantedToken = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("manage_account_filtering")
.ResolveAsync($"{baseUrl}/.well-known/openid-configuration").ConfigureAwait(false);
// ACT
var result = await _filterClient.Get(baseUrl + "/filters", "filter_id", grantedToken.Content.AccessToken);
// ASSERTS
Assert.True((bool)result.ContainsError);
Assert.Equal(HttpStatusCode.NotFound, result.HttpStatus);
}
public async Task When_Get_AccessToken_Then_Signature_Is_Correct()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
var jwsParser = new JwsParserFactory().BuildJwsParser();
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UsePassword("administrator", "password", "scim")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var jwks = await _jwksClient.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// ASSERTS
Assert.NotNull(result);
Assert.False(result.ContainsError);
Assert.NotEmpty(result.Content.AccessToken);
var accessToken = result.Content.AccessToken;
var payload = jwsParser.ValidateSignature(accessToken, jwks);
Assert.NotNull(payload);
}
public async Task When_Use_RefreshToken_Grant_Type_And_Another_Client_Tries_ToRefresh_Then_Json_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("openid")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var refreshToken = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UseRefreshToken(result.Content.RefreshToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// ASSERTS
Assert.Equal(HttpStatusCode.BadRequest, refreshToken.Status);
Assert.Equal("invalid_grant", refreshToken.Error.Error);
Assert.Equal("the refresh token can be used only by the same issuer", refreshToken.Error.ErrorDescription);
}
public async Task When_Link_Profile_And_No_UserId_Is_Passed_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
_server.SharedCtx.Oauth2IntrospectionHttpClientFactory.Setup(h => h.GetHttpClient()).Returns(_server.Client);
var grantedToken = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("manage_profile")
.ResolveAsync($"{baseUrl}/.well-known/openid-configuration").ConfigureAwait(false);
// ACT
var result = await _profileClient.LinkProfile(baseUrl + "/profiles", "currentSubject", new LinkProfileRequest
{
}, grantedToken.Content.AccessToken);
// ASSERT
Assert.True((bool)result.ContainsError);
Assert.Equal((string)"invalid_request", (string)result.Error.Error);
Assert.Equal((string)"the parameter user_id is missing", (string)result.Error.ErrorDescription);
}
public async Task When_Using_Password_Grant_Type_Then_Access_Token_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UsePassword("administrator", "password", "scim")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// var claims = await _userInfoClient.Resolve(baseUrl + "/.well-known/openid-configuration", result.AccessToken);
// ASSERTS
Assert.NotNull(result);
Assert.NotEmpty(result.AccessToken);
/*
* Assert.NotNull(claims);
* Assert.True(claims[Core.Jwt.Constants.StandardResourceOwnerClaimNames.Subject].ToString() == "administrator");
* Assert.True(claims[Core.Jwt.Constants.StandardResourceOwnerClaimNames.ScimId].ToString() == "id");
* Assert.True(claims[Core.Jwt.Constants.StandardResourceOwnerClaimNames.ScimLocation].ToString() == "http://localhost:5555/Users/id");
*/
}
public async Task When_Introspect_Identity_Token_Then_Claims_Are_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UsePassword("superuser", "password", "role")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var authResult = await UserInfoIntrospectionHandler.HandleAuthenticate(_httpClientFactoryStub.Object, baseUrl + "/.well-known/openid-configuration", result.Content.AccessToken);
// ASSERT
Assert.True(authResult.Succeeded);
}
public async Task When_Empty_Json_Request_Is_Passed_To_Registration_Api_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
_server.SharedCtx.Oauth2IntrospectionHttpClientFactory.Setup(h => h.GetHttpClient()).Returns(_server.Client);
var grantedToken = await _clientAuthSelector.UseClientSecretPostAuth("stateless_client", "stateless_client")
.UseClientCredentials("register_client")
.ResolveAsync($"{baseUrl}/.well-known/openid-configuration").ConfigureAwait(false);
var obj = new { fake = "fake" };
var fakeJson = JsonConvert.SerializeObject(obj, new JsonSerializerSettings
{
NullValueHandling = NullValueHandling.Ignore
});
var httpRequest = new HttpRequestMessage
{
Method = HttpMethod.Post,
RequestUri = new Uri($"{baseUrl}/registration"),
Content = new StringContent(fakeJson)
};
httpRequest.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
httpRequest.Headers.Add("Authorization", "Bearer " + grantedToken.Content.AccessToken);
// ACT
var httpResult = await _server.Client.SendAsync(httpRequest);
var json = await httpResult.Content.ReadAsStringAsync().ConfigureAwait(false);
var error = JsonConvert.DeserializeObject <ErrorResponseWithState>(json);
// ASSERT
Assert.Equal(HttpStatusCode.BadRequest, httpResult.StatusCode);
Assert.Equal((string)"invalid_redirect_uri", (string)error.Error);
Assert.Equal((string)"the parameter request_uris is missing", (string)error.ErrorDescription);
}
private async Task <string> GetAccessToken()
{
var url = _options.Package.WellKnownConfigurationEdp;
try
{
var response = await _clientAuthSelector.UseClientSecretPostAuth(_options.Package.ClientId, _options.Package.ClientSecret)
.UseClientCredentials(Constants.Scope)
.ResolveAsync(url);
if (response == null)
{
return(null);
}
return(response.AccessToken);
}
catch
{
return(null);
}
}
public async Task <string> GetIdentityToken(
string login,
string password,
params string[] scopes)
{
if (string.IsNullOrWhiteSpace(login))
{
throw new ArgumentNullException(nameof(login));
}
if (string.IsNullOrWhiteSpace(password))
{
throw new ArgumentNullException(nameof(password));
}
var grantedToken = await _clientAuthSelector
.UseClientSecretPostAuth(_authOptions.ClientId, _authOptions.ClientSecret)
.UsePassword(login, password, scopes)
.ResolveAsync(_authOptions.OpenIdConfigurationUrl);
return(grantedToken.IdToken);
}
public async Task When_Introspect_And_Client_Not_Authenticated_Then_Error_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var introspection = await _clientAuthSelector.UseClientSecretPostAuth("invalid_client", "invalid_client")
.Introspect("invalid_token", TokenType.AccessToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
// ASSERT
Assert.NotNull(introspection);
Assert.True(introspection.ContainsError);
Assert.Equal("invalid_client", introspection.Error.Error);
Assert.Equal("the client doesn't exist", introspection.Error.ErrorDescription);
}
public async Task When_Revoking_AccessToken_Then_True_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
_httpClientFactoryStub.Setup(h => h.GetHttpClient()).Returns(_server.Client);
// ACT
var result = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.UsePassword("administrator", "password", "scim")
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var revoke = await _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.RevokeToken(result.AccessToken, TokenType.AccessToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration");
var ex = await Assert.ThrowsAsync <HttpRequestException>(() => _clientAuthSelector.UseClientSecretPostAuth("client", "client")
.Introspect(result.AccessToken, TokenType.AccessToken)
.ResolveAsync(baseUrl + "/.well-known/openid-configuration"));
// ASSERT
Assert.True(revoke);
Assert.NotNull(ex);
}
