public void Should_Nonce_Be_Present_In_Self_Issued()
{
rpid = "rp-nonce-unless_code_flow";
WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.RedirectUris[0];
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone
};
requestMessage.State = WebOperations.RandomString();
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = rp.Authenticate("openid://", requestMessage, certificate);
OIDCIdToken idToken = response.GetIdToken();
// then
response.Validate();
}
public void Should_Authenticate_Client_With_Client_Secret_Jwt()
{
rpid = "rp-token_endpoint-client_secret_jwt";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Request_And_Use_Claims_Id_Token()
{
rpid = "rp-response_type-id_token+token";
signalg = "RS256";
GetProviderMetadata();
// given
string Nonce = WebOperations.RandomString();
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary <string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, Nonce, true, requestClaims);
// then
response.Validate();
Assert.NotNull(response.AccessToken);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
}
public static string successPage(string authCode, string accessToken, OIDCIdToken idToken, OIDCUserInfoResponseMessage userInfoResponse)
{
string stringIdToken = idToken.serializeToJsonString();
string userInfoString = userInfoResponse.serializeToJsonString();
String successPage = File.ReadAllText(Path.Combine(Client.ROOT_PATH, "success_page.html"));
return(String.Format(successPage, authCode, accessToken, stringIdToken, userInfoString));
}
public void Should_Reject_Id_Token_With_Invalid_ES256_Signature()
{
rpid = "rp-id_token-bad_es256_sig";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Token, ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[1];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
// Manipulate keys to make them invalid
List <OIDCKey> manipulatedKeys = new List <OIDCKey>();
foreach (OIDCKey curKey in providerMetadata.Keys)
{
OIDCKey newKey = curKey.Clone() as OIDCKey;
if (curKey.N != null)
{
StringBuilder strBuilder = new StringBuilder(newKey.N);
strBuilder[17] = (char)(newKey.N[17] + 1);
newKey.N = strBuilder.ToString();
}
manipulatedKeys.Add(newKey);
}
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
// when
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(manipulatedKeys);
idToken.Validate();
}
public void implicitFlowCallback(HttpListenerRequest req, HttpListenerResponse res, HTTPSession session)
{
// Callback redirect URI
//String url = req.url() + "#" + req.queryParams("url_fragment");
// TODO parse authentication response from url
// TODO validate the ID Token according to the OpenID Connect spec (sec 3.2.2.11.)
// TODO set the appropriate values
string authCode = null;
string accessToken = null;
OIDCIdToken idToken = null;
OIDCUserInfoResponseMessage userInfoResponse = null;
}
private Dictionary <string, object> PerformSelfIssuedAuthentication(OIDCAuthorizationRequestMessage requestMessage, X509Certificate2 certificate)
{
OIDCIdToken idToken = new OIDCIdToken();
idToken.Iss = "https://self-issued.me";
idToken.Sub = Convert.ToBase64String(Encoding.UTF8.GetBytes(certificate.Thumbprint));
idToken.Aud = new List <string>()
{
requestMessage.RedirectUri
};
idToken.Nonce = requestMessage.Nonce;
idToken.Exp = DateTime.MaxValue;
idToken.Iat = DateTime.MaxValue;
idToken.SubJkw = KeyManager.GetOIDCKey(certificate, "RSA", "AQAB", "sig");
if (requestMessage.Scope.Contains(MessageScope.Profile))
{
idToken.GivenName = "Myself";
idToken.FamilyName = "User";
idToken.Name = idToken.GivenName + " " + idToken.FamilyName;
}
if (requestMessage.Scope.Contains(MessageScope.Email))
{
idToken.Email = "*****@*****.**";
}
if (requestMessage.Scope.Contains(MessageScope.Address))
{
idToken.Address = new OIDCAddress();
idToken.Address.Country = "Italy";
idToken.Address.PostalCode = "20100";
idToken.Address.StreetAddress = "Via Test, 1";
idToken.Address.Locality = "Milano";
}
if (requestMessage.Scope.Contains(MessageScope.Phone))
{
idToken.PhoneNumber = "0";
}
idToken.Validate();
Dictionary <string, object> responseMessage = new Dictionary <string, object>();
responseMessage["id_token"] = JWT.Encode(idToken.SerializeToJsonString(), null, JwsAlgorithm.none);
responseMessage["state"] = requestMessage.State;
return(responseMessage);
}
public void Should_Reject_Id_Token_With_Incorrect_At_Hash()
{
rpid = "rp-id_token-bad_at_hash";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
}
public void Should_Reject_Id_Token_With_Wrong_Iat()
{
rpid = "rp-id_token-iat";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Iat = DateTime.MinValue;
idToken.Validate();
}
public void Should_Reject_Id_Token_Without_Kid_If_Multiple_JWK()
{
rpid = "rp-id_token-kid_absent_multiple_jwks";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Authenticate_With_Claims_In_Scope_Self_Issued()
{
rpid = "rp-scope-userinfo_claims";
WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.RedirectUris[0];
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid, MessageScope.Profile, MessageScope.Email, MessageScope.Address, MessageScope.Phone
};
requestMessage.State = WebOperations.RandomString();
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = rp.Authenticate("openid://", requestMessage, certificate);
OIDCIdToken idToken = response.GetIdToken();
// then
response.Validate();
rp.ValidateIdToken(idToken, clientInformation, idToken.Iss, requestMessage.Nonce);
Assert.IsNotNullOrEmpty(idToken.Name);
Assert.IsNotNullOrEmpty(idToken.GivenName);
Assert.IsNotNullOrEmpty(idToken.FamilyName);
Assert.IsNotNullOrEmpty(idToken.Email);
Assert.IsNotNull(idToken.Address);
Assert.IsNotNullOrEmpty(idToken.Address.StreetAddress);
Assert.IsNotNullOrEmpty(idToken.Address.PostalCode);
Assert.IsNotNullOrEmpty(idToken.Address.Locality);
Assert.IsNotNullOrEmpty(idToken.Address.Country);
Assert.IsNotNullOrEmpty(idToken.PhoneNumber);
}
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
tokenRequestMessage.GrantType = "authorization_code";
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequestMessage, clientInformation);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
return(response);
}
private OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string redirectUri)
{
OpenIDProviderData providerData = options.OpenIDProviders[session["op"] as string];
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = authResponse.Scope;
tokenRequestMessage.State = authResponse.State;
tokenRequestMessage.Code = authResponse.Code;
tokenRequestMessage.ClientId = providerData.ClientInformation.ClientId;
tokenRequestMessage.ClientSecret = providerData.ClientInformation.ClientSecret;
tokenRequestMessage.RedirectUri = redirectUri;
tokenRequestMessage.GrantType = "authorization_code";
OIDCTokenResponseMessage response = rp.SubmitTokenRequest(providerData.ProviderMatadata.TokenEndpoint, tokenRequestMessage, providerData.ClientInformation);
OIDCIdToken idToken = response.GetIdToken(providerData.ProviderMatadata.Keys, tokenRequestMessage.ClientSecret);
rp.ValidateIdToken(idToken, providerData.ClientInformation, providerData.ProviderMatadata.Issuer, null);
return(response);
}
public void Should_Reject_Id_Token_With_Wrong_Iss()
{
rpid = "rp-id_token-mismatching_issuer";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Iss = "ManipulatedIssuer";
string ExpectedAtHash = response.GetExpectedHash(response.AccessToken, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, null, ExpectedAtHash);
}
public void codeFlowCallback(HttpListenerRequest req, HttpListenerResponse res, HTTPSession session)
{
// Callback redirect URI
String queryString = req.Url.Query;
// TODO parse authentication response from url
// TODO make token request
// TODO validate the ID Token according to the OpenID Connect spec (sec 3.1.3.7.)
// TODO make userinfo request
// TODO set the appropriate values
string authCode = null;
string accessToken = null;
OIDCIdToken idToken = null;
OIDCUserInfoResponseMessage userInfoResponse = null;
string responsePage = WebServer.successPage(authCode, accessToken, idToken, userInfoResponse);
WebServer.SendResponse(req, res, responsePage);
}
public void Should_Reject_Id_Token_With_Wrong_Aud()
{
rpid = "rp-id_token-aud";
// given
// when
OIDCAuthImplicitResponseMessage response = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken);
// then
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
idToken.Aud = new List <string> {
"ManipulatedAud"
};
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId);
}
public void Should_Authenticate_With_Self_Issued_Provider()
{
rpid = "rp-response_type-self_issued";
WebRequest.RegisterPrefix("openid", new OIDCWebRequestCreate());
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.RedirectUris[1];
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.State = WebOperations.RandomString();
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[1];
requestMessage.Validate();
X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
OIDCAuthImplicitResponseMessage response = rp.Authenticate("openid://", requestMessage, certificate);
// then
OIDCIdToken idToken = response.GetIdToken();
//The Client MUST validate that the aud (audience) Claim contains the value of the
//redirect_uri that the Client sent in the Authentication Request as an audience.
CollectionAssert.Contains(idToken.Aud, requestMessage.RedirectUri);
//If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present
//and its value checked to verify that it is the same value as the one that was sent in
//the Authentication Request.
Assert.AreEqual(requestMessage.Nonce, idToken.Nonce);
}
public void Should_Reject_Userinfo_With_Invalid_Sub()
{
rpid = "rp-user_info-bad_sub_claim";
// given
OIDClaims requestClaims = new OIDClaims();
requestClaims.IdToken = new Dictionary <string, OIDClaimData>();
requestClaims.IdToken.Add("name", new OIDClaimData());
OIDCAuthImplicitResponseMessage authResponse = (OIDCAuthImplicitResponseMessage)GetAuthResponse(ResponseType.IdToken, null, true, requestClaims);
OIDCIdToken idToken = authResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
// when
OIDCUserInfoResponseMessage response = GetUserInfo(authResponse.Scope, authResponse.State, authResponse.AccessToken, idToken.Sub + "Wrong");
// then
response.Validate();
Assert.IsNotNullOrEmpty(response.Name);
}
public void Should_Nonce_Be_Present_In_Implicit()
{
rpid = "rp-nonce-unless_code_flow";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
OIDClaims requestClaims = new OIDClaims();
requestClaims.Userinfo = new Dictionary <string, OIDClaimData>();
requestClaims.Userinfo.Add("name", new OIDClaimData());
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.IdToken, ResponseType.Token
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = requestClaims;
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthImplicitResponseMessage response = rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys, clientInformation.ClientSecret);
// then
idToken.Validate();
}
/// <summary>
/// Method that validates the IdToken with specific rules
/// </summary>
/// <param name="idToken"></param>
/// <param name="clientInformation"></param>
/// <param name="providerMetadata"></param>
/// <param name="nonce"></param>
public void ValidateIdToken(OIDCIdToken idToken, OIDCClientInformation clientInformation, string Issuer, string Nonce)
{
if (idToken.Iss.Trim('/') != Issuer.Trim('/'))
{
throw new OIDCException("Wrong issuer for the token.");
}
if (Issuer != "https://self-issued.me" && !idToken.Aud.Contains(clientInformation.ClientId))
{
throw new OIDCException("Intended audience of the token does not include client_id.");
}
if (idToken.Aud.Count > 1 && idToken.Azp == null)
{
throw new OIDCException("Multiple audience but no authorized party specified.");
}
if (idToken.Azp != null && idToken.Azp != clientInformation.ClientId)
{
throw new OIDCException("The authorized party does not match client_id.");
}
if (idToken.Exp < DateTime.UtcNow - new TimeSpan(0, 10, 0))
{
throw new OIDCException("The token is expired.");
}
if (idToken.Iat < DateTime.Now - new TimeSpan(24, 0, 0))
{
throw new OIDCException("The token has ben issued more than a day ago.");
}
if (Nonce != null && idToken.Nonce != Nonce)
{
throw new OIDCException("Wrong nonce value in token.");
}
}
public void Should_Authenticate_Client_With_Private_Key_Jwt()
{
rpid = "rp-token_endpoint-client_secret_jwt";
// given
OIDCAuthCodeResponseMessage response = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
RSACryptoServiceProvider privateKey = providerMetadata.Keys.Find(
delegate(OIDCKey k)
{
return(k.Use == "enc" && k.Kty == "RSA");
}
).GetRSA();
// when
OpenIdRelyingParty rp = new OpenIdRelyingParty();
clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation, privateKey.ExportCspBlob(false));
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
idToken.Validate();
}
public void Should_Reject_Id_Token_With_Incorrect_C_Hash()
{
rpid = "rp-id_token-bad_c_hash";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code, ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
// when
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
string ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null);
}
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
rpid = "rp-id_token-sig+enc";
signalg = "RS256";
encalg = "RSA1_5:A128CBC-HS256";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List <string>()
{
myBaseUrl + "code_flow_callback"
};
clientMetadata.ResponseTypes = new List <ResponseType>()
{
ResponseType.Code
};
clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List <OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
idToken.Validate();
}
public void Should_Request_And_Use_Unsigned_Id_Token()
{
rpid = "rp-id_token-sig_none";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List <string>()
{
myBaseUrl + "code_flow_callback"
};
clientMetadata.ResponseTypes = new List <ResponseType>()
{
ResponseType.Code
};
clientMetadata.IdTokenSignedResponseAlg = "none";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken();
idToken.Validate();
}
