public void CreateKeyAcceptsAKeySize() { var keySize = 1024; var key = JwkNetExtensions.CreateKey(keySize); Assert.That(key.KeySize, Is.EqualTo(keySize)); }
public async static Task <LoginResult> RefreshTokenAsync(OidcSettings settings, string refreshToken) { var config = await LoadOpenIdConnectConfigurationAsync(settings); var tokenClient = new TokenClient( config.TokenEndpoint, settings.ClientId, settings.ClientSecret); var provider = JwkNetExtensions.CreateProvider(); var jwk = provider.ToJsonWebKey(); var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync( refreshToken : refreshToken, algorithm : jwk.Alg, key : jwk.ToJwkString()); if (tokenResponse.IsError) { return(new LoginResult { ErrorMessage = tokenResponse.Error }); } else { return(new LoginResult { Success = true, AccessToken = tokenResponse.AccessToken, RefreshToken = tokenResponse.RefreshToken, IdentityToken = tokenResponse.IdentityToken, AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn) }); } }
public void CanSpecifyAlgorithm() { var alg = "RS512"; var key = JwkNetExtensions.CreateKey(); var jwt = key.ToJsonWebKey(alg); Assert.That(jwt.Alg, Is.EqualTo(alg)); }
public void CanSpecifyKeyId() { var keyId = "myKeyId"; var key = JwkNetExtensions.CreateKey(); var jwt = key.ToJsonWebKey(kid: keyId); Assert.That(jwt.Kid, Is.EqualTo(keyId)); }
public void CanConvertKeyToJwkWithPublicParametersAndDefaultValues() { var key = JwkNetExtensions.CreateKey(); var jwt = key.ToJsonWebKey(); Assert.That(jwt.HasPrivateKey, Is.False); Assert.That(jwt.Kid.Length, Is.EqualTo(32)); var e = Base64Url.Decode(jwt.E); Assert.That(e.Length, Is.EqualTo(3)); // Always 65537, which needs 3 bytes (2^16 + 1) Assert.That(e[0], Is.EqualTo(1)); // 1 x 2^0 = 1 Assert.That(e[1], Is.EqualTo(0)); // 0 x 2^8 = 0 Assert.That(e[2], Is.EqualTo(1)); // 1 x 2^16 = 65536 var n = Base64Url.Decode(jwt.N); Assert.That(n.Length, Is.EqualTo(key.KeySize / 8)); // KeySize is in bits, so / 8 for bytes Assert.That(jwt.Kty, Is.EqualTo("RSA")); Assert.That(jwt.Alg, Is.EqualTo("RS256")); }
private async void refresh_Click(object sender, RoutedEventArgs e) { if (_config == null) { await LoadOpenIdConnectConfigurationAsync(); } var tokenClient = new TokenClient( _config.TokenEndpoint, _settings.ClientId, _settings.ClientSecret); _provider = JwkNetExtensions.CreateProvider(); var jwk = _provider.ToJsonWebKey(); var tokenResponse = await tokenClient.RequestRefreshTokenPopAsync( refreshToken : _result?.RefreshToken, algorithm : jwk.Alg, key : jwk.ToJwkString()); if (tokenResponse.IsError) { _result = new LoginResult { ErrorMessage = tokenResponse.Error }; } else { _result = new LoginResult { Success = true, AccessToken = tokenResponse.AccessToken, RefreshToken = tokenResponse.RefreshToken, IdentityToken = tokenResponse.IdentityToken, AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn) }; } ShowTokenResult(); }
public void CreateKeyDefaultsTo2048Bits() { var key = JwkNetExtensions.CreateKey(); Assert.That(key.KeySize, Is.EqualTo(2048)); }
private async static Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response, OidcSettings settings, OpenIdConnectConfiguration config, string expectedNonce, string verifier) { var tokenClaims = ValidateIdentityToken(response.IdentityToken, settings, config); if (tokenClaims == null) { return(new LoginResult { ErrorMessage = "Invalid identity token." }); } var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce); if (nonce == null || !string.Equals(nonce.Value, expectedNonce, StringComparison.Ordinal)) { return(new LoginResult { ErrorMessage = "Inalid nonce." }); } var codeHash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash); if (codeHash == null || ValidateCodeHash(codeHash.Value, response.Code) == false) { return(new LoginResult { ErrorMessage = "Invalid code." }); } var provider = JwkNetExtensions.CreateProvider(); var jwk = provider.ToJsonWebKey(); var tokenClient = new TokenClient( config.TokenEndpoint, settings.ClientId, settings.ClientSecret); var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync( code : response.Code, redirectUri : settings.RedirectUri, codeVerifier : settings.UsePkce?verifier : null, algorithm : jwk.Alg, key : jwk.ToJwkString()); if (tokenResponse.IsError) { return(new LoginResult { ErrorMessage = tokenResponse.Error }); } var profileClaims = new List <Claim>(); if (settings.LoadUserProfile) { var userInfoClient = new UserInfoClient( new Uri(config.UserInfoEndpoint), tokenResponse.AccessToken); var userInfoResponse = await userInfoClient.GetAsync(); profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList(); } var principal = CreatePrincipal(tokenClaims, profileClaims, settings); return(new LoginResult { Success = true, User = principal, IdentityToken = response.IdentityToken, AccessToken = tokenResponse.AccessToken, RefreshToken = tokenResponse.RefreshToken, AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn) }); }
private async Task <LoginResult> ValidateResponseAsync(AuthorizeResponse response) { // id_token validieren var tokenClaims = ValidateIdentityToken(response.IdentityToken); if (tokenClaims == null) { return(new LoginResult { ErrorMessage = "Invalid identity token." }); } // nonce validieren var nonce = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.Nonce); if (nonce == null || !string.Equals(nonce.Value, _nonce, StringComparison.Ordinal)) { return(new LoginResult { ErrorMessage = "Inalid nonce." }); } // c_hash validieren var c_hash = tokenClaims.FirstOrDefault(c => c.Type == JwtClaimTypes.AuthorizationCodeHash); if (c_hash == null || ValidateCodeHash(c_hash.Value, response.Code) == false) { return(new LoginResult { ErrorMessage = "Invalid code." }); } _provider = JwkNetExtensions.CreateProvider(); var jwk = _provider.ToJsonWebKey(); // code eintauschen gegen tokens var tokenClient = new TokenClient( _config.TokenEndpoint, _settings.ClientId, _settings.ClientSecret); var tokenResponse = await tokenClient.RequestAuthorizationCodePopAsync( code : response.Code, redirectUri : _settings.RedirectUri, codeVerifier : _verifier, algorithm : jwk.Alg, key : jwk.ToJwkString()); if (tokenResponse.IsError) { return(new LoginResult { ErrorMessage = tokenResponse.Error }); } // optional userinfo aufrufen var profileClaims = new List <Claim>(); if (_settings.LoadUserProfile) { var userInfoClient = new UserInfoClient( new Uri(_config.UserInfoEndpoint), tokenResponse.AccessToken); var userInfoResponse = await userInfoClient.GetAsync(); profileClaims = userInfoResponse.GetClaimsIdentity().Claims.ToList(); } var principal = CreatePrincipal(tokenClaims, profileClaims); return(new LoginResult { Success = true, User = principal, IdentityToken = response.IdentityToken, AccessToken = tokenResponse.AccessToken, RefreshToken = tokenResponse.RefreshToken, AccessTokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn) }); }