public async Task StoreReferenceTokenAsync_should_persist_grant()
{
var token1 = new Token()
{
ClientId = "client",
Audience = "aud",
CreationTime = DateTime.Now,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "foo")
},
Version = 1
};
await _referenceTokens.StoreReferenceTokenAsync("key", token1);
var token2 = await _referenceTokens.GetReferenceTokenAsync("key");
token1.ClientId.Should().Be(token2.ClientId);
token1.Audience.Should().Be(token2.Audience);
token1.CreationTime.Should().Be(token2.CreationTime);
token1.Type.Should().Be(token2.Type);
token1.Lifetime.Should().Be(token2.Lifetime);
token1.Version.Should().Be(token2.Version);
}
public async Task StoreReferenceTokenAsync_should_persist_grant()
{
var token1 = new Token()
{
ClientId = "client",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Lifetime = 10,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "foo")
},
Version = 1
};
var handle = await _referenceTokens.StoreReferenceTokenAsync(token1);
var token2 = await _referenceTokens.GetReferenceTokenAsync(handle);
token1.ClientId.Should().Be(token2.ClientId);
token1.Audiences.Count.Should().Be(1);
token1.Audiences.First().Should().Be("aud");
token1.CreationTime.Should().Be(token2.CreationTime);
token1.Type.Should().Be(token2.Type);
token1.Lifetime.Should().Be(token2.Lifetime);
token1.Version.Should().Be(token2.Version);
}
public async Task valid_token_should_successfully_validate()
{
var token = new Token {
Issuer = "http://op",
ClientId = "codeclient",
Lifetime = 1000,
Claims =
{
new System.Security.Claims.Claim("scope", "a"),
new System.Security.Claims.Claim("scope", "b")
}
};
var handle = await _referenceTokenStore.StoreReferenceTokenAsync(token);
var param = new NameValueCollection()
{
{ "token", handle }
};
var result = await _subject.ValidateAsync(param, null);
result.IsError.Should().Be(false);
result.IsActive.Should().Be(true);
result.Claims.Count().Should().Be(5);
result.Token.Should().Be(handle);
}
public virtual async Task <string> CreateSecurityTokenAsync(Token token)
{
string tokenResult;
if (token.Type == OidcConstants.TokenTypes.AccessToken)
{
if (token.AccessTokenType == AccessTokenType.Jwt)
{
_logger.LogTrace("Creating JWT access token");
tokenResult = await _creationService.CreateTokenAsync(token);
}
else
{
_logger.LogTrace("Creating reference access token");
tokenResult = await _referenceTokenStore.StoreReferenceTokenAsync(token);
}
}
else if (token.Type == OidcConstants.TokenTypes.IdentityToken)
{
_logger.LogTrace("Creating JWT identity token");
tokenResult = await _creationService.CreateTokenAsync(token);
}
else
{
throw new InvalidOperationException("Invalid token type.");
}
return(tokenResult);
}
public async Task valid_token_should_successfully_validate()
{
var token = new Token {
CreationTime = DateTime.UtcNow,
Issuer = "http://op",
ClientId = "codeclient",
Lifetime = 1000,
Claims =
{
new System.Security.Claims.Claim("scope", "a"),
new System.Security.Claims.Claim("scope", "b")
}
};
var handle = await _referenceTokenStore.StoreReferenceTokenAsync(token);
var param = new NameValueCollection()
{
{ "token", handle }
};
var result = await _subject.ValidateAsync(param, null);
result.IsError.Should().Be(false);
result.IsActive.Should().Be(true);
result.Claims.Count().Should().Be(6);
result.Token.Should().Be(handle);
var claimTypes = result.Claims.Select(c => c.Type).ToList();
claimTypes.Should().Contain("iss");
claimTypes.Should().Contain("scope");
claimTypes.Should().Contain("iat");
claimTypes.Should().Contain("nbf");
claimTypes.Should().Contain("exp");
}
public virtual async Task <string> CreateSecurityTokenAsync(Token token)
{
string result;
if (token.Type == "access_token")
{
if (token.AccessTokenType == AccessTokenType.Jwt)
{
Logger.LogTrace("Creating JWT access token");
result = await CreationService.CreateTokenAsync(token);
}
else
{
Logger.LogTrace("Creating reference access token");
result = await ReferenceTokenStore.StoreReferenceTokenAsync(token);
}
}
else
{
if (!(token.Type == "id_token"))
{
throw new InvalidOperationException("Invalid token type.");
}
Logger.LogTrace("Creating JWT identity token");
result = await CreationService.CreateTokenAsync(token);
}
return(result);
}
public async Task test()
{
var token = new Token {
Issuer = "http://op",
ClientId = "codeclient",
Lifetime = 1000,
Claims =
{
new System.Security.Claims.Claim("scope", "a"),
new System.Security.Claims.Claim("scope", "b"),
}
};
var handle = await _referenceTokenStore.StoreReferenceTokenAsync(token);
var param = new NameValueCollection()
{
{ "token", handle }
};
var api = new ApiResource("a");
var result = await _subject.ValidateAsync(param, api);
var scopes = result.Claims.Where(x => x.Type == "scope");
scopes.Count().Should().Be(1);
scopes.First().Value.Should().Be("a");
}
/// <summary>
/// Creates a serialized and protected security token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A security token in serialized form
/// </returns>
/// <exception cref="System.InvalidOperationException">Invalid token type.</exception>
public virtual async Task <string> CreateSecurityTokenAsync(Token token)
{
using var activity = Tracing.ServiceActivitySource.StartActivity("DefaultTokenService.CreateSecurityToken");
string tokenResult;
if (token.Type == OidcConstants.TokenTypes.AccessToken)
{
var currentJwtId = token.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.JwtId);
if (token.IncludeJwtId || (currentJwtId != null && token.Version < 5))
{
if (currentJwtId != null)
{
token.Claims.Remove(currentJwtId);
}
token.Claims.Add(new Claim(JwtClaimTypes.JwtId, CryptoRandom.CreateUniqueId(16, CryptoRandom.OutputFormat.Hex)));
}
if (token.AccessTokenType == AccessTokenType.Jwt)
{
Logger.LogTrace("Creating JWT access token");
tokenResult = await CreationService.CreateTokenAsync(token);
}
else
{
Logger.LogTrace("Creating reference access token");
var handle = await ReferenceTokenStore.StoreReferenceTokenAsync(token);
tokenResult = handle;
}
}
else if (token.Type == OidcConstants.TokenTypes.IdentityToken)
{
Logger.LogTrace("Creating JWT identity token");
tokenResult = await CreationService.CreateTokenAsync(token);
}
else
{
throw new InvalidOperationException("Invalid token type.");
}
return(tokenResult);
}
/// <summary>
/// Creates a serialized and protected security token.
/// </summary>
/// <param name="token">The token.</param>
/// <returns>
/// A security token in serialized form
/// </returns>
/// <exception cref="System.InvalidOperationException">Invalid token type.</exception>
public virtual async Task <string> CreateSecurityTokenAsync(Token token)
{
string tokenResult;
if (token.Type == OidcConstants.TokenTypes.AccessToken)
{
if (token.AccessTokenType == AccessTokenType.Jwt)
{
_logger.LogTrace("Creating JWT access token");
tokenResult = await _creationService.CreateTokenAsync(token);
}
else
{
_logger.LogTrace("Creating reference access token");
var handle = CryptoRandom.CreateUniqueId();
await _referenceTokenStore.StoreReferenceTokenAsync(handle, token);
tokenResult = handle;
}
}
else if (token.Type == OidcConstants.TokenTypes.IdentityToken)
{
_logger.LogTrace("Creating JWT identity token");
tokenResult = await _creationService.CreateTokenAsync(token);
}
else
{
throw new InvalidOperationException("Invalid token type.");
}
await _events.RaiseTokenIssuedEventAsync(token, tokenResult);
return(tokenResult);
}
public async Task GetAllGrantsAsync_should_return_all_grants()
{
await _userConsent.StoreUserConsentAsync(new Consent()
{
CreationTime = DateTime.UtcNow,
ClientId = "client1",
SubjectId = "123",
Scopes = new string[] { "foo1", "foo2" }
});
await _userConsent.StoreUserConsentAsync(new Consent()
{
CreationTime = DateTime.UtcNow,
ClientId = "client2",
SubjectId = "123",
Scopes = new string[] { "foo3" }
});
await _userConsent.StoreUserConsentAsync(new Consent()
{
CreationTime = DateTime.UtcNow,
ClientId = "client1",
SubjectId = "456",
Scopes = new string[] { "foo3" }
});
var handle1 = await _referenceTokens.StoreReferenceTokenAsync(new Token()
{
ClientId = "client1",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "bar1"),
new Claim("scope", "bar2")
}
});
var handle2 = await _referenceTokens.StoreReferenceTokenAsync(new Token()
{
ClientId = "client2",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "bar3")
}
});
var handle3 = await _referenceTokens.StoreReferenceTokenAsync(new Token()
{
ClientId = "client1",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "456"),
new Claim("scope", "bar3")
}
});
var handle4 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken()
{
CreationTime = DateTime.UtcNow,
Lifetime = 10,
AccessToken = new Token
{
ClientId = "client1",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "baz1"),
new Claim("scope", "baz2")
}
},
Version = 1
});
var handle5 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken()
{
CreationTime = DateTime.UtcNow,
Lifetime = 10,
AccessToken = new Token
{
ClientId = "client1",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "456"),
new Claim("scope", "baz3")
}
},
Version = 1
});
var handle6 = await _refreshTokens.StoreRefreshTokenAsync(new RefreshToken()
{
CreationTime = DateTime.UtcNow,
Lifetime = 10,
AccessToken = new Token
{
ClientId = "client2",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "baz3")
}
},
Version = 1
});
var handle7 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode()
{
ClientId = "client1",
CreationTime = DateTime.UtcNow,
Lifetime = 10,
Subject = _user,
CodeChallenge = "challenge",
RedirectUri = "http://client/cb",
Nonce = "nonce",
RequestedScopes = new string[] { "quux1", "quux2" }
});
var handle8 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode()
{
ClientId = "client2",
CreationTime = DateTime.UtcNow,
Lifetime = 10,
Subject = _user,
CodeChallenge = "challenge",
RedirectUri = "http://client/cb",
Nonce = "nonce",
RequestedScopes = new string[] { "quux3" }
});
var handle9 = await _codes.StoreAuthorizationCodeAsync(new AuthorizationCode()
{
ClientId = "client1",
CreationTime = DateTime.UtcNow,
Lifetime = 10,
Subject = new IdentityServerUser("456").CreatePrincipal(),
CodeChallenge = "challenge",
RedirectUri = "http://client/cb",
Nonce = "nonce",
RequestedScopes = new string[] { "quux3" }
});
var grants = await _subject.GetAllGrantsAsync("123");
grants.Count().Should().Be(2);
var grant1 = grants.First(x => x.ClientId == "client1");
grant1.SubjectId.Should().Be("123");
grant1.ClientId.Should().Be("client1");
grant1.Scopes.ShouldBeEquivalentTo(new string[] { "foo1", "foo2", "bar1", "bar2", "baz1", "baz2", "quux1", "quux2" });
var grant2 = grants.First(x => x.ClientId == "client2");
grant2.SubjectId.Should().Be("123");
grant2.ClientId.Should().Be("client2");
grant2.Scopes.ShouldBeEquivalentTo(new string[] { "foo3", "bar3", "baz3", "quux3" });
}