        public async Task Passes_Token_Validation_HS256()
        {
            // Integration check: an HS256-signed ID token issued by the tenant must
            // satisfy IdTokenValidator when the requirements name the same algorithm,
            // issuer and audience that the token was issued for.
            var domain      = GetVariable("AUTH0_AUTHENTICATION_API_URL");
            var hs256Client = GetVariable("AUTH0_HS256_CLIENT_ID");
            var hs256Secret = GetVariable("AUTH0_HS256_CLIENT_SECRET");

            var tokenRequest = new ResourceOwnerTokenRequest
            {
                ClientId         = hs256Client,
                ClientSecret     = hs256Secret,
                Realm            = _connection.Name,
                SigningAlgorithm = JwtSignatureAlgorithm.HS256,
                Scope            = "openid",
                Username         = _user.Email,
                Password         = Password
            };

            // Arrange
            using (var apiClient = new AuthenticationApiClient(domain))
            {
                // Act
                var tokenResponse = await apiClient.GetTokenAsync(tokenRequest);

                // Assert: for HS256 the client secret is the symmetric verification key,
                // so it is handed to the validator alongside the requirements.
                var expectedIssuer = $"https://{domain}/";
                var requirements   = new IdTokenRequirements(JwtSignatureAlgorithm.HS256, expectedIssuer, hs256Client, TimeSpan.FromMinutes(1));
                await new IdTokenValidator().Assert(requirements, tokenResponse.IdToken, hs256Secret);
            }
        }
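        /// <summary>
        /// A pre-issued test token whose payload carries a <c>nonce</c> claim must still validate
        /// when the requirements do not ask for a nonce (only <c>MaxAge</c> is constrained below).
        /// </summary>
        /// <remarks>
        /// Returns <see cref="Task"/> instead of <c>async void</c> so the test runner actually
        /// awaits the validation; with <c>async void</c> a failing assertion would be thrown on a
        /// thread-pool thread and the test could pass spuriously.
        /// </remarks>
        public async Task SucceedsWhenNonceShouldBeIgnored()
        {
            var token = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Rva2Vucy10ZXN0LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHwxMjM0NTY3ODkiLCJhdWQiOlsidG9rZW5zLXRlc3QtMTIzIiwiZXh0ZXJuYWwtdGVzdC05OTkiXSwiZXhwIjoxNTY4MTgwODk0LjIyNCwiaWF0IjoxNTY4MDA4MDk0LjIyNCwibm9uY2UiOiJhMWIyYzNkNGU1IiwiYXpwIjoidG9rZW5zLXRlc3QtMTIzIiwiYXV0aF90aW1lIjoxNTY4MDk0NDk0LjIyNH0.IfreWGZM2PVjgYG1E0WLIJ0f9-omYlq6v3FSn3ruu3a9gpTzhN-VB4ZKJRYmqkNLz_0F1mMFJgfpcCZ-ra5KW0aviiIAZHadYPoYLHsQsIVdOQmxkpwzaIoOwtgwvvg8QCKa3DTTPERRriUTYBfSgc5_4qg4bTxulZ7R3whygRMhVBI1uzjTHWMGXeu2PMezo1NtlFTVc3859UpDhGOUAYwBP3oC5JD1B2K15B9qpCtMq8AaAX1bieM8kX4Jez8r_ZwS1NTPMsCWOa2tpGFGhgu7ic9dlQpDjmxQdG8zXTgGJfejzSi0oHHAEtHxD-znTsyRVqu5psq_LEKBnWi6HA";

            // Issuer and audience match the token's iss/aud; no Nonce requirement is set.
            var reqs = new IdTokenRequirements("https://tokens-test.auth0.com/", "tokens-test-123", TimeSpan.FromMinutes(5))
            {
                MaxAge = TimeSpan.FromSeconds(100)
            };

            await ValidateToken(token, reqs);
        }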
        /// <summary>
        /// Verifies the signature of <paramref name="idToken"/> with the algorithm named in
        /// <paramref name="requirements"/>, then checks the decoded claims against those requirements.
        /// </summary>
        /// <param name="requirements">Expected algorithm, issuer, audience and time constraints.</param>
        /// <param name="idToken">Raw compact JWT to validate.</param>
        /// <param name="clientSecret">Symmetric key handed to the decoder (used for HS256).</param>
        /// <param name="pointInTime">Instant at which time-based claims are evaluated; defaults to the current local time.</param>
        /// <exception cref="IdTokenValidationException">The token is null, empty or whitespace.</exception>
        public async Task Assert(IdTokenRequirements requirements, string idToken, string clientSecret, DateTime? pointInTime = null)
        {
            if (string.IsNullOrWhiteSpace(idToken))
            {
                throw new IdTokenValidationException("ID token is required but missing.");
            }

            // Signature is checked before any claim is looked at; claims of an unverified token are never trusted.
            var signedToken = await DecodeSignedToken(requirements, idToken, clientSecret).ConfigureAwait(false);

            // NOTE(review): DateTime.Now is local time — confirm the claim validator evaluates
            // epoch-based claims (exp/iat/auth_time) in the same frame, or prefer UtcNow.
            var evaluatedAt = pointInTime ?? DateTime.Now;
            IdTokenClaimValidator.AssertClaimsMeetRequirements(requirements, signedToken, evaluatedAt);
        }
        public async Task Passes_Token_Validation()
        {
            var domain   = GetVariable("AUTH0_AUTHENTICATION_API_URL");
            var clientId = GetVariable("AUTH0_CLIENT_ID");

            // Arrange
            // NOTE(review): the client is not disposed here, while sibling tests wrap it in
            // `using` — confirm whether AuthenticationApiClient implements IDisposable in this version.
            var apiClient = new AuthenticationApiClient(domain);

            var request = new ResourceOwnerTokenRequest
            {
                ClientId     = clientId,
                ClientSecret = GetVariable("AUTH0_CLIENT_SECRET"),
                Realm        = _connection.Name,
                Scope        = "openid",
                Username     = _user.Email,
                Password     = Password
            };

            // Act
            var tokenResponse = await apiClient.GetTokenAsync(request);

            // Assert: issuer must be the tenant domain; the audience is expected to be the requesting client id.
            var requirements = new IdTokenRequirements($"https://{domain}/", clientId, TimeSpan.FromMinutes(1));
            await requirements.AssertTokenMeetsRequirements(tokenResponse.IdToken);
        }
        public async Task Passes_Token_Validation_With_CNAME()
        {
            // Same flow as the plain tenant test, but against a custom-domain (CNAME) tenant,
            // so the issuer the token must carry is the custom domain rather than the default one.
            var domain   = GetVariable("BRUCKE_AUTHENTICATION_API_URL");
            var clientId = GetVariable("BRUCKE_CLIENT_ID");

            // Arrange
            // NOTE(review): the client is not disposed here, while sibling tests wrap it in
            // `using` — confirm whether AuthenticationApiClient implements IDisposable in this version.
            var apiClient = new AuthenticationApiClient(domain);

            var request = new ResourceOwnerTokenRequest
            {
                ClientId     = clientId,
                ClientSecret = GetVariable("BRUCKE_CLIENT_SECRET"),
                Realm        = GetVariable("BRUCKE_CONNECTION_NAME"),
                Scope        = "openid",
                Username     = GetVariable("BRUCKE_USERNAME"),
                Password     = GetVariable("BRUCKE_PASSWORD")
            };

            // Act
            var tokenResponse = await apiClient.GetTokenAsync(request);

            // Assert
            var requirements = new IdTokenRequirements($"https://{domain}/", clientId, TimeSpan.FromMinutes(1));
            await requirements.AssertTokenMeetsRequirements(tokenResponse.IdToken);
        }
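        /// <summary>
        /// Verifies the signature of <paramref name="idToken"/> and returns the decoded token.
        /// </summary>
        /// <remarks>
        /// The algorithm is taken from <paramref name="requirements"/>, never from the token's own
        /// header, so a token cannot choose which verification path it is checked with. Whether the
        /// decoders additionally reject a mismatching header <c>alg</c> is not visible here.
        /// </remarks>
        /// <param name="requirements">Required algorithm and expected issuer.</param>
        /// <param name="idToken">Raw compact JWT.</param>
        /// <param name="clientSecret">Symmetric key used when the required algorithm is HS256.</param>
        /// <returns>The decoded token, only once its signature has been verified.</returns>
        /// <exception cref="ArgumentOutOfRangeException">The required algorithm is neither HS256 nor RS256.</exception>
        private async Task<JwtSecurityToken> DecodeSignedToken(IdTokenRequirements requirements, string idToken, string clientSecret)
        {
            switch (requirements.SignatureAlgorithm)
            {
            case JwtSignatureAlgorithm.HS256:
                return new SymmetricSignedDecoder(clientSecret).DecodeSignedToken(idToken);

            case JwtSignatureAlgorithm.RS256:
                try
                {
                    // Awaiting inside the try is what makes the catch below effective: if
                    // AssertRS256IdTokenValid fails asynchronously, the exception lives on the
                    // returned task and would otherwise bypass this handler entirely.
                    return await AssertRS256IdTokenValid(idToken, requirements.Issuer, maxJwksKeySetValidFor).ConfigureAwait(false);
                }
                catch (IdTokenValidationKeyMissingException)
                {
                    // Key id not in the cached JWKS: retry with the shorter refresh interval so a
                    // recently rotated key can be picked up.
                    return await AssertRS256IdTokenValid(idToken, requirements.Issuer, minJwksRefreshInterval).ConfigureAwait(false);
                }

            default:
                // ArgumentOutOfRangeException(paramName, message): parameter name first, message second.
                throw new ArgumentOutOfRangeException(nameof(requirements), $"SignatureAlgorithm '{requirements.SignatureAlgorithm}' not supported.");
            }
        }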
        public async Task Passes_Token_Validation_With_CNAME()
        {
            // Custom-domain (CNAME) tenant: the issuer the token must carry is the custom
            // domain, and the signature is verified with RS256 against that issuer's keys.
            var domain   = GetVariable("BRUCKE_AUTHENTICATION_API_URL");
            var clientId = GetVariable("BRUCKE_CLIENT_ID");
            var secret   = GetVariable("BRUCKE_CLIENT_SECRET");

            var request = new ResourceOwnerTokenRequest
            {
                ClientId     = clientId,
                ClientSecret = secret,
                Realm        = GetVariable("BRUCKE_CONNECTION_NAME"),
                Scope        = "openid",
                Username     = GetVariable("BRUCKE_USERNAME"),
                Password     = GetVariable("BRUCKE_PASSWORD")
            };

            // Arrange
            using (var apiClient = new AuthenticationApiClient(domain))
            {
                // Act
                var tokenResponse = await apiClient.GetTokenAsync(request);

                // Assert
                var requirements = new IdTokenRequirements(JwtSignatureAlgorithm.RS256, $"https://{domain}/", clientId, TimeSpan.FromMinutes(1));
                await new IdTokenValidator().Assert(requirements, tokenResponse.IdToken, secret);
            }
        }
        public async Task Fails_Token_Validation_With_Incorrect_Audience()
        {
            // Negative check: a genuine token for our client must be rejected when the
            // requirements name a different audience.
            var domain = GetVariable("AUTH0_AUTHENTICATION_API_URL");

            // Arrange
            // NOTE(review): the client is not disposed here, while sibling tests wrap it in
            // `using` — confirm whether AuthenticationApiClient implements IDisposable in this version.
            var apiClient = new AuthenticationApiClient(domain);

            var request = new ResourceOwnerTokenRequest
            {
                ClientId     = GetVariable("AUTH0_CLIENT_ID"),
                ClientSecret = GetVariable("AUTH0_CLIENT_SECRET"),
                Realm        = _connection.Name,
                Scope        = "openid",
                Username     = _user.Email,
                Password     = Password
            };

            // Act
            var tokenResponse = await apiClient.GetTokenAsync(request);

            // Correct issuer, deliberately wrong audience.
            var requirements = new IdTokenRequirements($"https://{domain}/", "invalid_audience", TimeSpan.FromMinutes(1));

            // Assert: make sure we are rejecting a real token, not a missing one.
            tokenResponse.IdToken.Should().NotBeNull();
            await Assert.ThrowsAsync <IdTokenValidationException>(
                () => requirements.AssertTokenMeetsRequirements(tokenResponse.IdToken));
        }
        public async Task Fails_Token_Validation_With_Incorrect_Domain()
        {
            // Negative check: a genuine token must be rejected when the requirements name an
            // issuer other than the tenant that signed it.
            var domain   = GetVariable("AUTH0_AUTHENTICATION_API_URL");
            var clientId = GetVariable("AUTH0_CLIENT_ID");
            var secret   = GetVariable("AUTH0_CLIENT_SECRET");

            // Arrange
            using (var apiClient = new AuthenticationApiClient(domain))
            {
                // Act
                var tokenResponse = await apiClient.GetTokenAsync(new ResourceOwnerTokenRequest
                {
                    ClientId     = clientId,
                    ClientSecret = secret,
                    Realm        = _connection.Name,
                    Scope        = "openid",
                    Username     = _user.Email,
                    Password     = Password
                });

                // Wrong issuer, correct audience. The RS256 path presumably resolves the signing
                // key via the required issuer, so the token's key id is not found there.
                var requirements = new IdTokenRequirements(JwtSignatureAlgorithm.RS256, "https://auth0.auth0.com/", clientId, TimeSpan.FromMinutes(1));

                // Assert: make sure we are rejecting a real token, not a missing one.
                tokenResponse.IdToken.Should().NotBeNull();
                await Assert.ThrowsAsync <IdTokenValidationKeyMissingException>(
                    () => new IdTokenValidator().Assert(requirements, tokenResponse.IdToken, secret));
            }
        }
        /// <summary>
        /// Validates an ID token against this client's base URI as issuer, the given audience and
        /// algorithm, and the configured leeway.
        /// </summary>
        /// <param name="idToken">Raw compact JWT to check.</param>
        /// <param name="audience">Expected audience (the client id at the call sites on this page).</param>
        /// <param name="algorithm">Signature algorithm the token is required to have been signed with.</param>
        /// <param name="clientSecret">Symmetric key passed to the validator (used for HS256).</param>
        /// <param name="organization">Value for the requirements' organization position, or <c>null</c> to leave it unset.</param>
        /// <returns>The validator's task; it faults when the token does not meet the requirements.</returns>
        private Task AssertIdTokenValid(string idToken, string audience, JwtSignatureAlgorithm algorithm, string clientSecret, string organization = null)
        {
            var expectedIssuer = BaseUri.AbsoluteUri;

            // The null fifth argument leaves that requirement unset (presumably nonce — confirm against IdTokenRequirements).
            var requirements = new IdTokenRequirements(algorithm, expectedIssuer, audience, idTokenValidationLeeway, null, organization);

            return idTokenValidator.Assert(requirements, idToken, clientSecret);
        }
 /// <summary>
 /// Runs the validator against <paramref name="token"/>, substituting the fixture defaults
 /// for every argument that is left <c>null</c>.
 /// </summary>
 /// <param name="token">Raw compact JWT under test.</param>
 /// <param name="reqs">Requirements to check; <c>defaultReqs</c> when null.</param>
 /// <param name="when">Instant to evaluate time-based claims at; <c>tokensWereValid</c> when null.</param>
 /// <param name="signatureVerifier">Verifier to use; <c>rs256NoSignature</c> when null.</param>
 private Task ValidateToken(string token, IdTokenRequirements reqs = null, DateTime? when = null, ISignatureVerifier signatureVerifier = null)
 {
     var effectiveReqs    = reqs ?? defaultReqs;
     var effectiveInstant = when ?? tokensWereValid;

     // NOTE(review): the default verifier's name suggests signatures are not checked in these
     // fixtures, i.e. they exercise claim validation only — confirm against its definition.
     var effectiveVerifier = signatureVerifier ?? rs256NoSignature;

     return IdTokenValidator.AssertTokenMeetsRequirements(effectiveReqs, token, effectiveInstant, effectiveVerifier);
 }
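 /// <summary>
 /// Create a new instance of <see cref="Auth0ClientBase"/>.
 /// </summary>
 /// <param name="options"><see cref="Auth0ClientOptions"/> specifying the configuration options for this client.</param>
 /// <param name="platformName">Platform name that forms part of the user-agent when communicating with Auth0 servers.</param>
 /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
 protected Auth0ClientBase(Auth0ClientOptions options, string platformName)
 {
     // Name the offending argument instead of failing with a NullReferenceException on options.Domain below.
     if (options == null)
     {
         throw new ArgumentNullException(nameof(options));
     }

     _options = options;

     // The expected issuer is pinned to the configured tenant domain and the audience to this
     // client's id; every ID token this client receives is checked against them.
     _idTokenRequirements = new IdTokenRequirements($"https://{options.Domain}/", options.ClientId, options.Leeway, options.MaxAge);
     _userAgent           = CreateAgentString(platformName);
 }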
        /// <summary>
        /// Parses <paramref name="token"/> and checks its claims against <paramref name="reqs"/>
        /// (or the fixture defaults) as of the fixed <c>tokensWereValid</c> instant.
        /// </summary>
        /// <param name="token">Raw compact JWT under test.</param>
        /// <param name="reqs">Requirements to check; <c>defaultReqs</c> when null.</param>
        private void ValidateToken(string token, IdTokenRequirements reqs = null)
        {
            // ReadJwtToken decodes the compact JWT without verifying its signature, so this
            // helper exercises claim validation alone.
            var parsedToken   = securityTokenHandler.ReadJwtToken(token);
            var effectiveReqs = reqs ?? defaultReqs;

            IdTokenClaimValidator.AssertClaimsMeetRequirements(effectiveReqs, parsedToken, tokensWereValid);
        }
 /// <summary>
 /// Validates an ID token against this client's base URI as issuer with a one-minute leeway.
 /// </summary>
 /// <param name="idToken">Raw compact JWT to check.</param>
 /// <param name="issuer">
 /// NOTE(review): this value fills the second constructor position of <see cref="IdTokenRequirements"/>,
 /// which the other call sites on this page use for the audience (the issuer here is <c>_baseUri</c>);
 /// the parameter name appears misleading — confirm intent at the callers.
 /// </param>
 private async Task AssertIdTokenValid(string idToken, string issuer)
 {
     var expectedIssuer = _baseUri.AbsoluteUri;
     var leeway         = TimeSpan.FromMinutes(1);

     await new IdTokenRequirements(expectedIssuer, issuer, leeway).AssertTokenMeetsRequirements(idToken);
 }