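/// <summary>
/// Conformance test "rp-nonce-unless_code_flow" against the built-in self-issued provider: an implicit
/// (id_token) request carrying a nonce must come back with that same nonce inside the ID Token.
/// </summary>
public void Should_Nonce_Be_Present_In_Self_Issued()
{
    rpid = "rp-nonce-unless_code_flow";
    // Route "openid://" requests through the library's self-issued request handler.
    WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());

    // given: the redirect URI is used as client_id, as the other self-issued tests on this page do
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.RedirectUris[0];
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Validate();
    X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    OpenIdRelyingParty rp = new OpenIdRelyingParty();

    // when
    OIDCAuthImplicitResponseMessage response = rp.Authenticate("openid://", requestMessage, certificate);
    OIDCIdToken idToken = response.GetIdToken();

    // then
    response.Validate();
    // The point of this test is the nonce: the returned ID Token must carry the value that was sent,
    // otherwise a token minted for a different request would be accepted.
    Assert.IsNotNullOrEmpty(idToken.Nonce);
    Assert.AreEqual(requestMessage.Nonce, idToken.Nonce);
}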
/// <summary>
/// Conformance test "rp-token_endpoint-client_secret_jwt": exchanges an authorization code at the token
/// endpoint, authenticating the client with a client_secret_jwt assertion, then validates the ID Token.
/// </summary>
public void Should_Authenticate_Client_With_Client_Secret_Jwt()
{
    rpid = "rp-token_endpoint-client_secret_jwt";

    // given: a code-flow authorization response
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage();
    tokenRequest.Scope = authResponse.Scope;
    tokenRequest.State = authResponse.State;
    tokenRequest.Code = authResponse.Code;
    tokenRequest.ClientId = clientInformation.ClientId;
    tokenRequest.ClientSecret = clientInformation.ClientSecret;
    tokenRequest.GrantType = "authorization_code";
    tokenRequest.RedirectUri = clientInformation.RedirectUris[0];

    // when: the shared client registration is switched to client_secret_jwt for this request
    // NOTE(review): this mutates the fixture-level clientInformation and is not restored here, so later
    // tests in the same fixture may inherit the setting — confirm the fixture resets it.
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
    OIDCTokenResponseMessage tokenResponse = relyingParty.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);

    // then
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();
}
/// <summary>
/// Requests the "name" claim inside the ID Token through a claims request parameter, then checks that the
/// provider's RS256-signed ID Token validates and actually carries the claim.
/// </summary>
public void Should_Request_And_Use_Claims_Id_Token()
{
    // NOTE(review): this rpid names the id_token+token response-type test, while the body exercises a
    // claims request for the ID Token — confirm the intended conformance test id.
    rpid = "rp-response_type-id_token+token";
    signalg = "RS256";
    GetProviderMetadata();

    // given: ask for "name" to be returned in the ID Token
    string nonce = WebOperations.RandomString();
    OIDClaims requestClaims = new OIDClaims();
    requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
    requestClaims.IdToken.Add("name", new OIDClaimData());

    // when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, nonce, true, requestClaims);

    // then
    authResponse.Validate();
    Assert.NotNull(authResponse.AccessToken);
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
    relyingParty.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, nonce);
    Assert.IsNotNullOrEmpty(idToken.Name);
}
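/// <summary>
/// Renders the demo "success" page by filling the four placeholders of success_page.html with the
/// authorization code, the access token and the JSON forms of the ID Token and the UserInfo response.
/// </summary>
/// <param name="authCode">Authorization code, or null when the flow did not produce one.</param>
/// <param name="accessToken">Access token, or null.</param>
/// <param name="idToken">Decoded ID Token, or null.</param>
/// <param name="userInfoResponse">UserInfo response, or null.</param>
/// <returns>The HTML of the success page.</returns>
public static string successPage(string authCode, string accessToken, OIDCIdToken idToken, OIDCUserInfoResponseMessage userInfoResponse)
{
    // Null inputs render as empty text instead of throwing; the callbacks on this page still pass nulls.
    string idTokenJson = idToken == null ? "" : idToken.serializeToJsonString();
    string userInfoJson = userInfoResponse == null ? "" : userInfoResponse.serializeToJsonString();

    string template = File.ReadAllText(Path.Combine(Client.ROOT_PATH, "success_page.html"));

    // The token and claim values come from the provider (and, for claims such as "name", from the end
    // user), so they are HTML-encoded before being interpolated into the page rather than inserted raw.
    // This assumes the placeholders sit in HTML text context (e.g. inside <pre>); if the template embeds
    // them in a <script> block a JSON/JS-specific encoding is needed instead — TODO confirm against
    // success_page.html.
    return String.Format(
        template,
        System.Net.WebUtility.HtmlEncode(authCode ?? ""),
        System.Net.WebUtility.HtmlEncode(accessToken ?? ""),
        System.Net.WebUtility.HtmlEncode(idTokenJson),
        System.Net.WebUtility.HtmlEncode(userInfoJson));
}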
/// <summary>
/// Conformance test "rp-id_token-bad_es256_sig": an implicit (token + id_token) response whose ID Token has
/// an invalid ES256 signature must be rejected when the token is decoded and validated.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
{
    rpid = "rp-id_token-bad_es256_sig";

    // given
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Token, ResponseType.IdToken };
    requestMessage.RedirectUri = clientInformation.RedirectUris[1];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Validate();

    // Corrupt one character of the modulus of every key in the provider's JWKS that has an "n" value.
    // NOTE(review): only RSA keys carry "n", so this does not touch the EC key an ES256 signature would be
    // verified with; the corruption looks unrelated to the ES256 case — confirm it is needed at all.
    List<OIDCKey> corruptedKeys = new List<OIDCKey>();
    foreach (OIDCKey providerKey in providerMetadata.Keys)
    {
        OIDCKey copy = providerKey.Clone() as OIDCKey;
        if (providerKey.N != null)
        {
            StringBuilder modulus = new StringBuilder(copy.N);
            modulus[17] = (char)(copy.N[17] + 1);
            copy.N = modulus.ToString();
        }
        corruptedKeys.Add(copy);
    }

    relyingParty.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // Presumably the redirect is delivered to a callback on another thread that fills `result`.
    semaphore.WaitOne();

    // when
    OIDCAuthImplicitResponseMessage authResponse = relyingParty.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);

    // then
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(corruptedKeys);
    idToken.Validate();
}
/// <summary>
/// Callback for the implicit-flow redirect URI. Still a stub: fragment parsing, ID Token validation and
/// page rendering are left as TODOs, and unlike codeFlowCallback no response is written to
/// <paramref name="res"/>.
/// </summary>
/// <param name="req">The incoming redirect request.</param>
/// <param name="res">The response to write the result page to (currently untouched).</param>
/// <param name="session">The HTTP session of the user agent (currently unused).</param>
public void implicitFlowCallback(HttpListenerRequest req, HttpListenerResponse res, HTTPSession session)
{
    // Callback redirect URI
    //String url = req.url() + "#" + req.queryParams("url_fragment");

    // TODO parse authentication response from url
    // TODO validate the ID Token according to the OpenID Connect spec (sec 3.2.2.11.)
    // TODO set the appropriate values
    string authCode = null, accessToken = null;
    OIDCIdToken idToken = null;
    OIDCUserInfoResponseMessage userInfoResponse = null;
}
/// <summary>
/// Builds the response of the built-in self-issued OpenID Provider: an ID Token whose subject is derived
/// from <paramref name="certificate"/>, with fixed sample claims for each requested scope, returned as the
/// "id_token" and "state" response parameters.
/// </summary>
/// <param name="requestMessage">The authentication request (redirect_uri, nonce, state, scope).</param>
/// <param name="certificate">Certificate whose thumbprint becomes sub and whose key is published in sub_jwk.</param>
/// <returns>A dictionary holding the serialized "id_token" and the echoed "state".</returns>
private Dictionary<string, object> PerformSelfIssuedAuthentication(OIDCAuthorizationRequestMessage requestMessage, X509Certificate2 certificate)
{
    OIDCIdToken idToken = new OIDCIdToken();
    idToken.Iss = "https://self-issued.me";
    // NOTE(review): sub is the base64 of the certificate thumbprint; OIDC Core 7.4 derives sub from the JWK
    // thumbprint of sub_jwk — confirm which derivation the relying-party side expects.
    idToken.Sub = Convert.ToBase64String(Encoding.UTF8.GetBytes(certificate.Thumbprint));
    // A self-issued token is addressed to the redirect_uri of the request.
    idToken.Aud = new List<string>() { requestMessage.RedirectUri };
    idToken.Nonce = requestMessage.Nonce;
    // NOTE(review): exp and iat are both DateTime.MaxValue — a token that never expires and claims to be
    // issued in the far future. It passes ValidateIdToken only because that iat check is one-sided;
    // confirm this is intended for the test provider.
    idToken.Exp = DateTime.MaxValue;
    idToken.Iat = DateTime.MaxValue;
    idToken.SubJkw = KeyManager.GetOIDCKey(certificate, "RSA", "AQAB", "sig");

    bool wantsProfile = requestMessage.Scope.Contains(MessageScope.Profile);
    bool wantsEmail = requestMessage.Scope.Contains(MessageScope.Email);
    bool wantsAddress = requestMessage.Scope.Contains(MessageScope.Address);
    bool wantsPhone = requestMessage.Scope.Contains(MessageScope.Phone);

    // Fixed sample claims, one group per standard scope.
    if (wantsProfile)
    {
        idToken.GivenName = "Myself";
        idToken.FamilyName = "User";
        idToken.Name = idToken.GivenName + " " + idToken.FamilyName;
    }
    if (wantsEmail)
    {
        idToken.Email = "*****@*****.**";
    }
    if (wantsAddress)
    {
        idToken.Address = new OIDCAddress()
        {
            Country = "Italy",
            PostalCode = "20100",
            StreetAddress = "Via Test, 1",
            Locality = "Milano"
        };
    }
    if (wantsPhone)
    {
        idToken.PhoneNumber = "0";
    }
    idToken.Validate();

    // NOTE(review): the token is serialized with alg "none" (unsigned); OIDC Core 7.4 expects the relying
    // party to verify the ID Token signature with the key in sub_jwk, so a consumer that enforces that
    // check would reject this — confirm whether the test RP intentionally skips it.
    Dictionary<string, object> responseMessage = new Dictionary<string, object>()
    {
        { "id_token", JWT.Encode(idToken.SerializeToJsonString(), null, JwsAlgorithm.none) },
        { "state", requestMessage.State }
    };
    return responseMessage;
}
/// <summary>
/// Conformance test "rp-id_token-bad_at_hash": the at_hash claim of the ID Token must match the hash of the
/// access token actually returned; a mismatching value must be rejected by Validate.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
{
    rpid = "rp-id_token-bad_at_hash";

    // given (the relying party instance is created as in the sibling tests but not used here)
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();

    // when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then: recompute at_hash from the returned access token and let Validate compare it with the claim
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    string expectedAtHash = authResponse.GetExpectedHash(authResponse.AccessToken, providerMetadata.Keys);
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
}
/// <summary>
/// Conformance test "rp-id_token-iat": an ID Token whose iat is unusable must be rejected.
/// NOTE(review): iat is overwritten locally with DateTime.MinValue and then Validate() is called without
/// arguments — confirm that overload checks iat, and that the expected exception is asserted by an
/// attribute not visible here.
/// </summary>
public void Should_Reject_Id_Token_With_Wrong_Iat()
{
    rpid = "rp-id_token-iat";

    // given / when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Iat = DateTime.MinValue;
    idToken.Validate();
}
/// <summary>
/// Conformance test "rp-id_token-kid_absent_multiple_jwks": when the provider publishes several keys, an ID
/// Token header without kid cannot be bound to one of them and must be rejected.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK()
{
    rpid = "rp-id_token-kid_absent_multiple_jwks";

    // given / when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();
}
/// <summary>
/// Conformance test "rp-scope-userinfo_claims" against the built-in self-issued provider: requesting the
/// profile, email, address and phone scopes must yield an ID Token that carries the matching claims.
/// </summary>
public void Should_Authenticate_With_Claims_In_Scope_Self_Issued()
{
    rpid = "rp-scope-userinfo_claims";
    // Route "openid://" requests through the library's self-issued request handler.
    WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());

    // given: the redirect URI is used as client_id, as the other self-issued tests on this page do
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.RedirectUris[0];
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone };
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Validate();
    X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();

    // when
    OIDCAuthImplicitResponseMessage authResponse = relyingParty.Authenticate("openid://", requestMessage, certificate);
    OIDCIdToken idToken = authResponse.GetIdToken();

    // then
    authResponse.Validate();
    // NOTE(review): the expected issuer is taken from the token itself (idToken.Iss), so the issuer check
    // inside ValidateIdToken cannot fail here; for the self-issued provider the expected value is the fixed
    // "https://self-issued.me" — consider passing it explicitly.
    relyingParty.ValidateIdToken(idToken, clientInformation, idToken.Iss, requestMessage.Nonce);

    // profile and email scopes
    Assert.IsNotNullOrEmpty(idToken.Name);
    Assert.IsNotNullOrEmpty(idToken.GivenName);
    Assert.IsNotNullOrEmpty(idToken.FamilyName);
    Assert.IsNotNullOrEmpty(idToken.Email);

    // address scope
    Assert.IsNotNull(idToken.Address);
    OIDCAddress address = idToken.Address;
    foreach (string addressPart in new string[] { address.StreetAddress, address.PostalCode, address.Locality, address.Country })
    {
        Assert.IsNotNullOrEmpty(addressPart);
    }

    // phone scope
    Assert.IsNotNullOrEmpty(idToken.PhoneNumber);
}
/// <summary>
/// Exchanges the authorization code in <paramref name="authResponse"/> at the provider's token endpoint,
/// validates the returned ID Token and hands back the token response.
/// </summary>
/// <param name="authResponse">The parsed code-flow authorization response.</param>
/// <returns>The token endpoint response, whose ID Token has passed ValidateIdToken.</returns>
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage()
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        RedirectUri = clientInformation.RedirectUris[0],
        GrantType = "authorization_code"
    };

    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    OIDCTokenResponseMessage tokenResponse = relyingParty.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequest, clientInformation);

    // The client secret is handed to GetIdToken alongside the provider's JWKS — presumably so that
    // HMAC-signed ID Tokens can be verified too.
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, tokenRequest.ClientSecret);
    // NOTE(review): the nonce is passed as null, so a nonce sent in the authorization request is not
    // verified here; callers that used one must check it themselves.
    relyingParty.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
    return tokenResponse;
}
/// <summary>
/// Exchanges the authorization code in <paramref name="authResponse"/> at the token endpoint of the provider
/// selected by the session's "op" entry, validates the returned ID Token and hands back the token response.
/// </summary>
/// <param name="authResponse">The parsed code-flow authorization response.</param>
/// <param name="options">Configured providers, looked up by the session's "op" value.</param>
/// <param name="session">The user's session; its "op" entry names the provider.</param>
/// <param name="redirectUri">The redirect_uri that was used in the authorization request.</param>
/// <returns>The token endpoint response, whose ID Token has passed ValidateIdToken.</returns>
private OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string redirectUri)
{
    // NOTE(review): if the session has no "op" entry the lookup key is null; what OpenIDProviders does
    // with a null or unknown key depends on its type — confirm this fails closed rather than picking a
    // default provider.
    string providerName = session["op"] as string;
    OpenIDProviderData providerData = options.OpenIDProviders[providerName];

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage()
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = providerData.ClientInformation.ClientId,
        ClientSecret = providerData.ClientInformation.ClientSecret,
        RedirectUri = redirectUri,
        GrantType = "authorization_code"
    };

    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(providerData.ProviderMatadata.TokenEndpoint, tokenRequest, providerData.ClientInformation);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerData.ProviderMatadata.Keys, tokenRequest.ClientSecret);
    // NOTE(review): the nonce is passed as null, so a nonce sent in the authorization request is not
    // verified here.
    rp.ValidateIdToken(idToken, providerData.ClientInformation, providerData.ProviderMatadata.Issuer, null);
    return tokenResponse;
}
/// <summary>
/// Conformance test "rp-id_token-mismatching_issuer": the iss claim is overwritten locally and Validate is
/// given the real issuer, so the mismatch must be rejected.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_With_Wrong_Iss()
{
    rpid = "rp-id_token-mismatching_issuer";

    // given / when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Iss = "ManipulatedIssuer";
    string expectedAtHash = authResponse.GetExpectedHash(authResponse.AccessToken, providerMetadata.Keys);
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, expectedAtHash);
}
/// <summary>
/// Callback for the code-flow redirect URI. Still a stub: the response parsing, token request, ID Token
/// validation and userinfo request are TODOs, and the success page is rendered from null values.
/// NOTE(review): WebServer.successPage must tolerate the four nulls passed here, otherwise this callback
/// throws before any response is sent — confirm.
/// </summary>
/// <param name="req">The incoming redirect request; its query string holds the authorization response.</param>
/// <param name="res">The response the rendered page is written to.</param>
/// <param name="session">The HTTP session of the user agent (currently unused).</param>
public void codeFlowCallback(HttpListenerRequest req, HttpListenerResponse res, HTTPSession session)
{
    // Callback redirect URI
    String queryString = req.Url.Query;

    // TODO parse authentication response from url
    // TODO make token request
    // TODO validate the ID Token according to the OpenID Connect spec (sec 3.1.3.7.)
    // TODO make userinfo request
    // TODO set the appropriate values
    string authCode = null, accessToken = null;
    OIDCIdToken idToken = null;
    OIDCUserInfoResponseMessage userInfoResponse = null;

    string responsePage = WebServer.successPage(authCode, accessToken, idToken, userInfoResponse);
    WebServer.SendResponse(req, res, responsePage);
}
/// <summary>
/// Conformance test "rp-id_token-aud": the aud claim is overwritten locally with a foreign value and Validate
/// is given the real client_id, so the token must be rejected.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_With_Wrong_Aud()
{
    rpid = "rp-id_token-aud";

    // given / when
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);

    // then
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Aud = new List<string> { "ManipulatedAud" };
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId);
}
/// <summary>
/// Conformance test "rp-response_type-self_issued": an id_token request to the built-in self-issued provider
/// must return an ID Token addressed to the request's redirect_uri and carrying the request's nonce.
/// </summary>
public void Should_Authenticate_With_Self_Issued_Provider()
{
    rpid = "rp-response_type-self_issued";
    // Route "openid://" requests through the library's self-issued request handler.
    WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());

    // given: the (second) redirect URI doubles as client_id
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.RedirectUris[1];
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken };
    requestMessage.RedirectUri = clientInformation.RedirectUris[1];
    requestMessage.Validate();
    X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();

    // when
    OIDCAuthImplicitResponseMessage authResponse = relyingParty.Authenticate("openid://", requestMessage, certificate);

    // then
    OIDCIdToken idToken = authResponse.GetIdToken();
    // The Client MUST validate that the aud (audience) Claim contains the value of the redirect_uri that
    // the Client sent in the Authentication Request as an audience.
    CollectionAssert.Contains(idToken.Aud, requestMessage.RedirectUri);
    // If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value
    // checked to verify that it is the same value as the one that was sent in the Authentication Request.
    Assert.AreEqual(requestMessage.Nonce, idToken.Nonce);
}
/// <summary>
/// Conformance test "rp-user_info-bad_sub_claim": a UserInfo response whose sub does not match the ID Token's
/// sub must be rejected.
/// NOTE(review): the mismatch is provoked by passing idToken.Sub + "Wrong" as the expected subject to
/// GetUserInfo; the rejection itself is not asserted in this body (the trailing assertions only run if
/// GetUserInfo returns), so presumably an attribute not visible here expects an exception — confirm.
/// </summary>
public void Should_Reject_Userinfo_With_Invalid_Sub()
{
    rpid = "rp-user_info-bad_sub_claim";

    // given: an implicit response whose ID Token was requested to carry "name"
    OIDClaims requestClaims = new OIDClaims();
    requestClaims.IdToken = new Dictionary<string, OIDClaimData>();
    requestClaims.IdToken.Add("name", new OIDClaimData());
    OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();

    // when: the expected subject deliberately differs from the ID Token's sub
    string wrongSubject = idToken.Sub + "Wrong";
    OIDCUserInfoResponseMessage userInfo = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, wrongSubject);

    // then
    userInfo.Validate();
    Assert.IsNotNullOrEmpty(userInfo.Name);
}
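/// <summary>
/// Conformance test "rp-nonce-unless_code_flow" for the implicit flow: an id_token+token request always
/// carries a nonce, and the returned ID Token must carry the same value back.
/// </summary>
public void Should_Nonce_Be_Present_In_Implicit()
{
    rpid = "rp-nonce-unless_code_flow";

    // given: an implicit request with a nonce, additionally asking for "name" via the userinfo claims
    OIDClaims requestClaims = new OIDClaims();
    requestClaims.Userinfo = new Dictionary<string, OIDClaimData>();
    requestClaims.Userinfo.Add("name", new OIDClaimData());

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Claims = requestClaims;
    requestMessage.Validate();

    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // Presumably the redirect is delivered to a callback on another thread that fills `result`.
    semaphore.WaitOne();

    // when
    OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
    OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);

    // then
    idToken.Validate();
    // A nonce was sent, so the ID Token must carry the same value back (OIDC Core sec 3.2.2.11); without
    // this assertion the test would also pass on a token minted for a different request.
    Assert.IsNotNullOrEmpty(idToken.Nonce);
    Assert.AreEqual(requestMessage.Nonce, idToken.Nonce);
}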
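/// <summary>
/// Validates the relying-party-side claims of an ID Token (OpenID Connect Core 3.1.3.7 / 7.4): issuer,
/// audience and authorized party, expiry, issue time and nonce. Signature and at_hash/c_hash checks are
/// done elsewhere (the token's own Validate overloads).
/// </summary>
/// <param name="idToken">The decoded ID Token to check.</param>
/// <param name="clientInformation">The client registration: <c>ClientId</c> is the expected audience, or
/// <c>RedirectUris</c> when the token comes from the self-issued provider.</param>
/// <param name="Issuer">The expected issuer; trailing slashes are ignored on both sides.</param>
/// <param name="Nonce">The nonce sent in the authentication request, or <c>null</c> to skip the nonce check
/// (code flow without nonce).</param>
/// <exception cref="ArgumentNullException">When <paramref name="idToken"/>, <paramref name="clientInformation"/>
/// or <paramref name="Issuer"/> is null.</exception>
/// <exception cref="OIDCException">When any of the checks fails.</exception>
public void ValidateIdToken(OIDCIdToken idToken, OIDCClientInformation clientInformation, string Issuer, string Nonce)
{
    if (idToken == null)
    {
        throw new ArgumentNullException("idToken");
    }
    if (clientInformation == null)
    {
        throw new ArgumentNullException("clientInformation");
    }
    if (Issuer == null)
    {
        throw new ArgumentNullException("Issuer");
    }

    // 1. Issuer: a missing iss counts as a mismatch; ordinal comparison, trailing slashes ignored.
    string expectedIssuer = Issuer.Trim('/');
    if (idToken.Iss == null || !string.Equals(idToken.Iss.Trim('/'), expectedIssuer, StringComparison.Ordinal))
    {
        throw new OIDCException("Wrong issuer for the token.");
    }

    // 2. Audience: a token without aud is rejected outright.
    if (idToken.Aud == null || idToken.Aud.Count == 0)
    {
        throw new OIDCException("Intended audience of the token does not include client_id.");
    }
    bool selfIssued = string.Equals(expectedIssuer, "https://self-issued.me", StringComparison.Ordinal);
    if (selfIssued)
    {
        // OIDC Core 7.4: a self-issued ID Token must be addressed to the redirect_uri the client sent. The
        // request's redirect_uri is not a parameter here, so the registered redirect URIs stand in for it
        // instead of skipping the audience check altogether.
        bool addressedToUs = false;
        if (clientInformation.RedirectUris != null)
        {
            foreach (string audience in idToken.Aud)
            {
                if (clientInformation.RedirectUris.Contains(audience))
                {
                    addressedToUs = true;
                    break;
                }
            }
        }
        if (!addressedToUs)
        {
            throw new OIDCException("Intended audience of the token does not include the redirect_uri.");
        }
    }
    else if (!idToken.Aud.Contains(clientInformation.ClientId))
    {
        throw new OIDCException("Intended audience of the token does not include client_id.");
    }

    // 3. Authorized party: required with several audiences, and must be this client whenever present.
    if (idToken.Aud.Count > 1 && idToken.Azp == null)
    {
        throw new OIDCException("Multiple audience but no authorized party specified.");
    }
    if (idToken.Azp != null && !string.Equals(idToken.Azp, clientInformation.ClientId, StringComparison.Ordinal))
    {
        throw new OIDCException("The authorized party does not match client_id.");
    }

    // 4./5. Time checks, all against UTC so the windows do not shift with the machine's timezone offset.
    // Ten minutes of skew are tolerated on exp and tokens older than a day are refused; iat is only
    // bounded from below, so an iat in the future is still accepted.
    DateTime nowUtc = DateTime.UtcNow;
    TimeSpan expirySkew = TimeSpan.FromMinutes(10);
    TimeSpan maxTokenAge = TimeSpan.FromHours(24);
    if (idToken.Exp < nowUtc - expirySkew)
    {
        throw new OIDCException("The token is expired.");
    }
    if (idToken.Iat < nowUtc - maxTokenAge)
    {
        throw new OIDCException("The token has ben issued more than a day ago.");
    }

    // 6. Nonce, only when the request carried one.
    if (Nonce != null && !string.Equals(idToken.Nonce, Nonce, StringComparison.Ordinal))
    {
        throw new OIDCException("Wrong nonce value in token.");
    }
}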
/// <summary>
/// Exchanges an authorization code at the token endpoint authenticating the client with a private_key_jwt
/// assertion, then validates the ID Token.
/// NOTE(review): rpid reuses the client_secret_jwt test id although this test uses private_key_jwt — confirm
/// the intended conformance test id.
/// </summary>
public void Should_Authenticate_Client_With_Private_Key_Jwt()
{
    rpid = "rp-token_endpoint-client_secret_jwt";

    // given: a code-flow authorization response
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage();
    tokenRequest.Scope = authResponse.Scope;
    tokenRequest.State = authResponse.State;
    tokenRequest.Code = authResponse.Code;
    tokenRequest.ClientId = clientInformation.ClientId;
    tokenRequest.ClientSecret = clientInformation.ClientSecret;
    tokenRequest.GrantType = "authorization_code";
    tokenRequest.RedirectUri = clientInformation.RedirectUris[0];

    // The signing key is taken from the provider's published key set: the first RSA key marked use=enc.
    // NOTE(review): using a key advertised for encryption, and one that belongs to the provider rather than
    // the client, as the client's assertion signing key looks like test plumbing — confirm. Also,
    // ExportCspBlob(false) exports only the public parameters (the argument is includePrivateParameters),
    // so the blob handed to SubmitTokenRequest contains no private key — confirm that is what it expects.
    RSACryptoServiceProvider signingKey = providerMetadata.Keys.Find(
        delegate (OIDCKey k) { return k.Use == "enc" && k.Kty == "RSA"; }
    ).GetRSA();

    // when: the shared client registration is switched to private_key_jwt for this request
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
    OIDCTokenResponseMessage tokenResponse = relyingParty.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation, signingKey.ExportCspBlob(false));

    // then
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();
}
/// <summary>
/// Conformance test "rp-id_token-bad_c_hash": in a hybrid (code + id_token) response the c_hash claim must
/// match the hash of the returned code; a mismatching value must be rejected by Validate.
/// NOTE(review): the expected rejection is not asserted inside this body; presumably an attribute on the
/// method (not visible here) expects an exception — confirm.
/// </summary>
public void Should_Reject_Id_Token_With_Incorrect_C_Hash()
{
    rpid = "rp-id_token-bad_c_hash";

    // given
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = clientInformation.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code, ResponseType.IdToken };
    requestMessage.RedirectUri = clientInformation.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Validate();

    relyingParty.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // Presumably the redirect is delivered to a callback on another thread that fills `result`.
    semaphore.WaitOne();

    // when
    OIDCAuthCodeResponseMessage authResponse = relyingParty.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

    // then: recompute c_hash from the returned code and let Validate compare it with the claim
    Assert.NotNull(authResponse.IdToken);
    OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
    string expectedCHash = authResponse.GetExpectedHash(authResponse.Code, providerMetadata.Keys);
    idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, expectedCHash, null);
}
/// <summary>
/// Conformance test "rp-id_token-sig+enc": registers a client that asks for RSA1_5 / A128CBC-HS256 encrypted
/// ID Tokens, runs the code flow, and decrypts and validates the returned ID Token with the client's own keys.
/// </summary>
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
    rpid = "rp-id_token-sig+enc";
    signalg = "RS256";
    encalg = "RSA1_5:A128CBC-HS256";

    // given: dynamic registration of a client that wants encrypted ID Tokens and publishes its JWKS
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation clientMetadata = new OIDCClientInformation();
    clientMetadata.ApplicationType = "web";
    clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
    clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
    clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
    clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
    clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
    // Local registration result; it shadows the fixture's clientInformation for the rest of this test.
    OIDCClientInformation registeredClient = relyingParty.RegisterClient(registrationEndpoint, clientMetadata);

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = registeredClient.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
    requestMessage.RedirectUri = registeredClient.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Validate();

    relyingParty.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // Presumably the redirect is delivered to a callback on another thread that fills `result`.
    semaphore.WaitOne();
    OIDCAuthCodeResponseMessage authResponse = relyingParty.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage();
    tokenRequest.Scope = authResponse.Scope;
    tokenRequest.State = authResponse.State;
    tokenRequest.Code = authResponse.Code;
    tokenRequest.ClientId = registeredClient.ClientId;
    tokenRequest.ClientSecret = registeredClient.ClientSecret;
    tokenRequest.GrantType = "authorization_code";
    tokenRequest.RedirectUri = registeredClient.RedirectUris[0];

    // NOTE(review): the same "server.pfx" backs both the signing and the encryption certificate, so one
    // key pair serves both purposes; acceptable for a test fixture, not for a deployment.
    X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);

    // when
    OIDCTokenResponseMessage tokenResponse = relyingParty.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, registeredClient);

    // then: decrypt with our keys, verify with the provider's, and validate
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
    idToken.Validate();
}
/// <summary>
/// Conformance test "rp-id_token-sig_none": registers a client with id_token_signed_response_alg "none", runs
/// the code flow and accepts the unsigned ID Token. Accepting alg "none" is only legitimate here because the
/// client explicitly registered for it and the token arrives over the TLS-protected token endpoint.
/// </summary>
public void Should_Request_And_Use_Unsigned_Id_Token()
{
    rpid = "rp-id_token-sig_none";

    // given: dynamic registration of a client that asks for unsigned ID Tokens
    OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation clientMetadata = new OIDCClientInformation();
    clientMetadata.ApplicationType = "web";
    clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" };
    clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code };
    clientMetadata.IdTokenSignedResponseAlg = "none";
    // Local registration result; it shadows the fixture's clientInformation for the rest of this test.
    OIDCClientInformation registeredClient = relyingParty.RegisterClient(registrationEndpoint, clientMetadata);

    OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
    requestMessage.ClientId = registeredClient.ClientId;
    requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid };
    requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code };
    requestMessage.RedirectUri = registeredClient.RedirectUris[0];
    requestMessage.Nonce = WebOperations.RandomString();
    requestMessage.State = WebOperations.RandomString();
    requestMessage.Validate();

    relyingParty.Authenticate(GetBaseUrl("/authorization"), requestMessage);
    // Presumably the redirect is delivered to a callback on another thread that fills `result`.
    semaphore.WaitOne();
    OIDCAuthCodeResponseMessage authResponse = relyingParty.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage();
    tokenRequest.Scope = authResponse.Scope;
    tokenRequest.State = authResponse.State;
    tokenRequest.Code = authResponse.Code;
    tokenRequest.ClientId = registeredClient.ClientId;
    tokenRequest.ClientSecret = registeredClient.ClientSecret;
    tokenRequest.GrantType = "authorization_code";
    tokenRequest.RedirectUri = registeredClient.RedirectUris[0];

    // when
    OIDCTokenResponseMessage tokenResponse = relyingParty.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, registeredClient);

    // then: no keys are needed to decode an unsigned token
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken();
    idToken.Validate();
}