private async Task <Tokens> GetTokensAsync()
{
await _mockPipeline.LoginAsync("bob");
var authorizationResponse = await _mockPipeline.RequestAuthorizationEndpointAsync(
client_id,
"code",
"api offline_access",
"https://client/callback");
authorizationResponse.IsError.Should().BeFalse();
authorizationResponse.Code.Should().NotBeNull();
var tokenResponse = await _mockPipeline.BackChannelClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = client_id,
ClientSecret = client_secret,
Code = authorizationResponse.Code,
RedirectUri = redirect_uri
});
tokenResponse.IsError.Should().BeFalse();
tokenResponse.AccessToken.Should().NotBeNull();
tokenResponse.RefreshToken.Should().NotBeNull();
return(new Tokens(tokenResponse));
}
public async Task Authenticated_user_with_valid_anonymous_request_should_receive_authorization_response_with_valid_access_token_expires_in()
{
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client4",
responseType: "code",
scope: "openid",
redirectUri: "https://client4/callback",
state: "123_state",
nonce: "123_nonce",
acrValues: "0",
responseMode: "json");
var response = await _mockPipeline.BrowserClient.GetAsync(url);
var result = JObject.Parse(await response.Content.ReadAsStringAsync());
var tokenResponse = await _mockPipeline.BrowserClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest()
{
Code = (string)result["code"],
RedirectUri = "https://client4/callback",
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = "client4",
});
tokenResponse.ExpiresIn.Should().Be(3600);
}
public async Task Request_with_response_type_code_supported()
{
await _mockPipeline.LoginAsync("bob");
var metadata = await _mockPipeline.BackChannelClient.GetAsync(IdentityServerPipeline.DiscoveryEndpoint);
metadata.StatusCode.Should().Be(HttpStatusCode.OK);
var state = Guid.NewGuid().ToString();
var nonce = Guid.NewGuid().ToString();
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "code_client",
responseType: "code",
scope: "openid",
redirectUri: "https://code_client/callback",
state: state,
nonce: nonce);
var response = await _mockPipeline.BrowserClient.GetAsync(url);
response.StatusCode.Should().Be(HttpStatusCode.Found);
var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
authorization.IsError.Should().BeFalse();
authorization.Code.Should().NotBeNull();
authorization.State.Should().Be(state);
}
public async Task No_state_should_not_result_in_shash()
{
await _pipeline.LoginAsync("bob");
var nonce = Guid.NewGuid().ToString();
_pipeline.BrowserClient.AllowAutoRedirect = false;
var url = _pipeline.CreateAuthorizeUrl(
clientId: "code_pipeline.Client",
responseType: "code",
scope: "openid",
redirectUri: "https://code_pipeline.Client/callback?foo=bar&baz=quux",
nonce: nonce);
var response = await _pipeline.BrowserClient.GetAsync(url);
var authorization = _pipeline.ParseAuthorizationResponseUrl(response.Headers.Location.ToString());
authorization.Code.Should().NotBeNull();
var code = authorization.Code;
// backchannel client
var wrapper = new MessageHandlerWrapper(_pipeline.Handler);
var tokenClient = new HttpClient(wrapper);
var tokenResult = await tokenClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = "code_pipeline.Client",
ClientSecret = "secret",
Code = code,
RedirectUri = "https://code_pipeline.Client/callback?foo=bar&baz=quux"
});
tokenResult.IsError.Should().BeFalse();
tokenResult.HttpErrorReason.Should().Be("OK");
tokenResult.TokenType.Should().Be("Bearer");
tokenResult.AccessToken.Should().NotBeNull();
tokenResult.ExpiresIn.Should().BeGreaterThan(0);
tokenResult.IdentityToken.Should().NotBeNull();
var token = new JwtSecurityToken(tokenResult.IdentityToken);
token.Claims.Count().Should().Be(12);
var s_hash = token.Claims.FirstOrDefault(c => c.Type == "s_hash");
s_hash.Should().BeNull();
}
public async Task custom_profile_should_return_claims_for_implicit_client()
{
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "implicit",
responseType: "id_token",
scope: "openid custom_identity",
redirectUri: "https://client/callback",
state: "state",
nonce: "nonce");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var response = await _mockPipeline.BrowserClient.GetAsync(url);
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith("https://client/callback");
var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
authorization.IsError.Should().BeFalse();
authorization.IdentityToken.Should().NotBeNull();
var payload = authorization.IdentityToken.Split('.')[1];
var json = Encoding.UTF8.GetString(Base64Url.Decode(payload));
var obj = JObject.Parse(json);
obj.GetValue("foo").Should().NotBeNull();
obj["foo"].ToString().Should().Be("bar");
}
public async Task client_requires_consent_should_show_consent_page()
{
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client2",
responseType: "id_token",
scope: "openid",
redirectUri: "https://client2/callback",
state: "123_state",
nonce: "123_nonce"
);
var response = await _mockPipeline.BrowserClient.GetAsync(url);
_mockPipeline.ConsentWasCalled.Should().BeTrue();
}
public async Task Token_endpoint_supports_client_authentication_with_basic_authentication_with_POST()
{
await _pipeline.LoginAsync("bob");
var nonce = Guid.NewGuid().ToString();
_pipeline.BrowserClient.AllowAutoRedirect = false;
var url = _pipeline.CreateAuthorizeUrl(
clientId: "code_pipeline.Client",
responseType: "code",
scope: "openid",
redirectUri: "https://code_pipeline.Client/callback?foo=bar&baz=quux",
nonce: nonce);
var response = await _pipeline.BrowserClient.GetAsync(url);
var authorization = _pipeline.ParseAuthorizationResponseUrl(response.Headers.Location.ToString());
authorization.Code.Should().NotBeNull();
var code = authorization.Code;
// backchannel client
var wrapper = new MessageHandlerWrapper(_pipeline.Handler);
var tokenClient = new HttpClient(wrapper);
var tokenResult = await tokenClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = "code_pipeline.Client",
ClientSecret = "secret",
Code = code,
RedirectUri = "https://code_pipeline.Client/callback?foo=bar&baz=quux"
});
tokenResult.IsError.Should().BeFalse();
tokenResult.HttpErrorReason.Should().Be("OK");
tokenResult.TokenType.Should().Be("Bearer");
tokenResult.AccessToken.Should().NotBeNull();
tokenResult.ExpiresIn.Should().BeGreaterThan(0);
tokenResult.IdentityToken.Should().NotBeNull();
wrapper.Response.Headers.CacheControl.NoCache.Should().BeTrue();
wrapper.Response.Headers.CacheControl.NoStore.Should().BeTrue();
}
public async Task Reject_redirect_uri_not_matching_registered_redirect_uri()
{
await _mockPipeline.LoginAsync("bob");
var nonce = Guid.NewGuid().ToString();
var state = Guid.NewGuid().ToString();
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "code_client",
responseType: "code",
scope: "openid",
redirectUri: "https://bad",
state: state,
nonce: nonce);
var response = await _mockPipeline.BrowserClient.GetAsync(url);
_mockPipeline.ErrorWasCalled.Should().BeTrue();
_mockPipeline.ErrorMessage.Error.Should().Be("invalid_request");
}
public async Task malformed_clientId_should_be_handled_correctly()
{
await _mockPipeline.LoginAsync("bob");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client1}",
responseType: "id_token",
responseMode: "form_post",
scope: "openid",
redirectUri: "https://client1/callback",
state: "123_state",
nonce: "123_nonce");
var response = await _mockPipeline.BrowserClient.GetAsync(url);
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith("https://server/home/error");
}
public async Task valid_request_to_federated_signout_endpoint_should_render_page_with_iframe()
{
await _pipeline.LoginAsync(_user);
await _pipeline.RequestAuthorizationEndpointAsync(
clientId : "client1",
responseType : "id_token",
scope : "openid",
redirectUri : "https://client1/callback",
state : "123_state",
nonce : "123_nonce");
var response = await _pipeline.BrowserClient.GetAsync(IdentityServerPipeline.FederatedSignOutUrl + "?sid=123");
response.StatusCode.Should().Be(HttpStatusCode.OK);
response.Content.Headers.ContentType.MediaType.Should().Be("text/html");
var html = await response.Content.ReadAsStringAsync();
html.Should().Contain("https://server/connect/endsession/callback?endSessionId=");
}
public async Task no_resource_indicator_on_code_exchange_should_succeed()
{
await _mockPipeline.LoginAsync("bob");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client1",
responseType: "code",
scope: "openid profile scope1 scope2 scope3 scope4 offline_access",
redirectUri: "https://client1/callback");
url += "&resource=urn:resource1";
url += "&resource=urn:resource3";
var response = await _mockPipeline.BrowserClient.GetAsync(url);
var code = GetCode(response);
var tokenResponse = await _mockPipeline.BackChannelClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = "client1",
ClientSecret = "secret",
Code = code,
RedirectUri = "https://client1/callback"
});
{
var claims = ParseAccessTokenClaims(tokenResponse);
claims.Where(x => x.Type == "aud").Select(x => x.Value).Should().BeEquivalentTo(new[] { "urn:resource1", "urn:resource2" });
claims.Where(x => x.Type == "scope").Select(x => x.Value).Should().BeEquivalentTo(new[] { "openid", "profile", "scope1", "scope2", "scope3", "scope4", "offline_access" });
}
}
private async Task <Tokens> GetTokensAsync()
{
await _mockPipeline.LoginAsync("bob");
var authorizationResponse = await _mockPipeline.RequestAuthorizationEndpointAsync(
client_id,
"code",
"api offline_access",
"https://client/callback");
authorizationResponse.IsError.Should().BeFalse();
authorizationResponse.Code.Should().NotBeNull();
var tokenClient = new TokenClient(IdentityServerPipeline.TokenEndpoint, client_id, client_secret, _mockPipeline.Handler);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(authorizationResponse.Code, redirect_uri);
tokenResponse.IsError.Should().BeFalse();
tokenResponse.AccessToken.Should().NotBeNull();
tokenResponse.RefreshToken.Should().NotBeNull();
return(new Tokens(tokenResponse));
}
public async Task Unrestricted_implicit_client_can_request_IdToken()
{
await _mockPipeline.LoginAsync(_user);
var url = _mockPipeline.CreateAuthorizeUrl("client1",
"id_token", "openid", "https://client1/callback", "state", "nonce");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var response = await _mockPipeline.BrowserClient.GetAsync(url);
response.StatusCode.Should().Be(HttpStatusCode.Found);
response.Headers.Location.AbsoluteUri.Should().StartWith("https://client1/callback");
var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
authorization.IdentityToken.Should().NotBeNull();
authorization.AccessToken.Should().BeNull();
}
public async Task session_id_should_be_reissued_if_session_cookie_absent()
{
await _mockPipeline.LoginAsync("bob");
var sid1 = _mockPipeline.GetSessionCookie().Value;
sid1.Should().NotBeNull();
_mockPipeline.RemoveSessionCookie();
await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.DiscoveryEndpoint);
var sid2 = _mockPipeline.GetSessionCookie().Value;
sid2.Should().Be(sid1);
}
public async Task login_should_create_server_side_session()
{
(await _sessionStore.GetSessionsAsync(new SessionFilter {
SubjectId = "bob"
})).Should().BeEmpty();
await _pipeline.LoginAsync("bob");
(await _sessionStore.GetSessionsAsync(new SessionFilter {
SubjectId = "bob"
})).Should().NotBeEmpty();
(await IsLoggedIn()).Should().BeTrue();
}
public async Task get_request_should_redirect_to_configured_logout_path()
{
_mockPipeline.Options.UserInteraction.LogoutUrl = "/logout";
_mockPipeline.Options.UserInteraction.LogoutIdParameter = "id";
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client1",
responseType: "id_token",
scope: "openid",
redirectUri: "https://client1/callback",
state: "123_state",
nonce: "123_nonce");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var response = await _mockPipeline.BrowserClient.GetAsync(url);
var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
var id_token = authorization.IdentityToken;
response = await _mockPipeline.BrowserClient.GetAsync(IdentityServerPipeline.EndSessionEndpoint +
"?id_token_hint=" + id_token +
"&post_logout_redirect_uri=https://client1/signout-callback");
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith("https://server/logout?id=");
}
public async Task Client_cannot_use_plain_code_challenge_method(string clientId)
{
await _pipeline.LoginAsync("bob");
var nonce = Guid.NewGuid().ToString();
var code_challenge = code_verifier;
var authorizeResponse = await _pipeline.RequestAuthorizationEndpointAsync(clientId,
response_type,
IdentityServerConstants.StandardScopes.OpenId,
redirect_uri,
nonce : nonce,
codeChallenge : code_challenge,
codeChallengeMethod : OidcConstants.CodeChallengeMethods.Plain);
_pipeline.ErrorWasCalled.Should().BeTrue();
_pipeline.ErrorMessage.Error.Should().Be(OidcConstants.AuthorizeErrors.InvalidRequest);
}
public async Task Shared_session_id_should_be_included_in_authenticated_access_token()
{
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client4",
responseType: "code",
scope: "openid",
redirectUri: "https://client4/callback",
state: "123_state",
nonce: "123_nonce",
acrValues: "0",
responseMode: "json");
var response = await _mockPipeline.BrowserClient.GetAsync(url);
var result = JObject.Parse(await response.Content.ReadAsStringAsync());
var tokenResponse = await _mockPipeline.BrowserClient.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest()
{
Code = (string)result["code"],
RedirectUri = "https://client4/callback",
Address = IdentityServerPipeline.TokenEndpoint,
ClientId = "client4",
});
var token = _mockPipeline.ReadJwtToken(tokenResponse.AccessToken);
token.Claims.Should().Contain(c => c.Type == JwtClaimTypes.SharedSessionId);
}
public async Task Shared_session_id_should_be_included_in_authenticated_access_token()
{
await _mockPipeline.LoginAsync("bob");
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client2",
responseType: "id_token token",
scope: "openid api2",
redirectUri: "https://client2/callback",
state: "123_state",
nonce: "123_nonce",
acrValues: "0",
responseMode: "json");
var response = await _mockPipeline.BrowserClient.GetAsync(url);
var result = JObject.Parse(await response.Content.ReadAsStringAsync());
var token = _mockPipeline.ReadJwtToken(((string)result["access_token"]));
token.Claims.Should().Contain(c => c.Type == JwtClaimTypes.SharedSessionId);
}
public async Task authenticated_user_with_valid_request_should_receive_authorization_response()
{
await _mockPipeline.LoginAsync("bob");
_mockPipeline.BrowserClient.AllowAutoRedirect = false;
var url = _mockPipeline.CreateAuthorizeUrl(
clientId: "client1",
responseType: "id_token",
scope: "openid",
redirectUri: "https://client1/callback",
state: "123_state",
nonce: "123_nonce");
var response = await _mockPipeline.BrowserClient.GetAsync(url);
response.StatusCode.Should().Be(HttpStatusCode.Redirect);
response.Headers.Location.ToString().Should().StartWith("https://client1/callback");
var authorization = new IdentityModel.Client.AuthorizeResponse(response.Headers.Location.ToString());
authorization.IsError.Should().BeFalse();
authorization.IdentityToken.Should().NotBeNull();
authorization.State.Should().Be("123_state");
}
