public void Should_Reject_Id_Token_With_Invalid_Signature_HS256()
{
    rpid = "rp-id_token-bad_asym_sig_hs256";
    signalg = "HS256";

    // given: finish the code flow and build the matching token request
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0]
    };

    // Corrupt a single character of the shared secret so the HMAC can no longer verify.
    // NOTE(review): index 17 assumes the secret is at least 18 characters long — confirm for the test OP.
    StringBuilder corrupted = new StringBuilder(clientInformation.ClientSecret);
    corrupted[17] = (char)(clientInformation.ClientSecret[17] + 1);
    string wrongSecret = corrupted.ToString();

    // when
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);

    // then: the token is delivered, and decoding it with the wrong secret is the step expected to fail.
    // NOTE(review): the rejection is not asserted in this body; presumably an expected-exception
    // attribute on the test covers it — confirm.
    Assert.NotNull(tokenResponse.IdToken);
    tokenResponse.GetIdToken(null, wrongSecret);
}
public void Should_Authenticate_Client_With_Client_Secret_Jwt()
{
    rpid = "rp-token_endpoint-client_secret_jwt";

    // given
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0]
    };

    // when: switch the client to client_secret_jwt before contacting the token endpoint
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    clientInformation.TokenEndpointAuthMethod = "client_secret_jwt";
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);

    // then: the ID token must be present and verify against the OP's published keys
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();
}
/// <summary>
/// Exchanges an authorization code for tokens at the configured OP and validates the returned ID token.
/// </summary>
/// <param name="authResponse">The parsed authorization-code response (scope, state, code).</param>
/// <returns>The token response as received from the OP.</returns>
public OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse)
{
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        RedirectUri = clientInformation.RedirectUris[0],
        GrantType = "authorization_code"
    };

    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(providerMetadata.TokenEndpoint, tokenRequest, clientInformation);

    // Decode with the OP's keys (the client secret is passed for the symmetric case), then run the
    // issuer/client checks. Presumably both throw on failure — the result is not inspected here.
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, tokenRequest.ClientSecret);
    rp.ValidateIdToken(idToken, clientInformation, providerMetadata.Issuer, null);
    return tokenResponse;
}
/// <summary>
/// Exchanges an authorization code for tokens at the OP recorded in the session and validates the ID token.
/// </summary>
/// <param name="authResponse">The parsed authorization-code response.</param>
/// <param name="options">Configured providers, looked up by the name stored in the session.</param>
/// <param name="session">Current session; the "op" entry names the provider used at login.</param>
/// <param name="redirectUri">The redirect URI that was used in the authorization request.</param>
/// <returns>The token response as received from the OP.</returns>
private OIDCTokenResponseMessage GetToken(OIDCAuthCodeResponseMessage authResponse, IOptions options, HttpSessionState session, string redirectUri)
{
    // NOTE(review): a missing or non-string "op" session value makes this lookup throw — confirm that is acceptable.
    string providerName = session["op"] as string;
    OpenIDProviderData providerData = options.OpenIDProviders[providerName];
    OIDCClientInformation client = providerData.ClientInformation;
    var metadata = providerData.ProviderMatadata;

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = client.ClientId,
        ClientSecret = client.ClientSecret,
        RedirectUri = redirectUri,
        GrantType = "authorization_code"
    };

    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(metadata.TokenEndpoint, tokenRequest, client);

    // Decode with the OP's keys (client secret covers the symmetric case), then validate issuer/client.
    OIDCIdToken idToken = tokenResponse.GetIdToken(metadata.Keys, tokenRequest.ClientSecret);
    rp.ValidateIdToken(idToken, client, metadata.Issuer, null);
    return tokenResponse;
}
/// <summary>
/// Runs a full code flow against the test OP: authorization request, wait for the callback, then code exchange.
/// </summary>
/// <returns>The token response from the OP (not validated here).</returns>
private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
{
    OIDCAuthorizationRequestMessage authRequest = generateRequestMessage();
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    rp.Authenticate(GetBaseUrl("/authorization"), authRequest);

    // Block until the callback has arrived; presumably the callback handler fills 'result' and releases the semaphore.
    semaphore.WaitOne();
    OIDCAuthCodeResponseMessage authResponse = rp.ParseAuthCodeResponse(result, authRequest.Scope, authRequest.State);

    // Exchange the code. State is not carried over onto the token request here.
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0]
    };
    return rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);
}
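/// <summary>
/// Posts a token request to the OP's token endpoint and parses the JSON response.
/// </summary>
/// <param name="url">The token endpoint URL the request is posted to.</param>
/// <param name="tokenRequestMessage">The token request (code, client id, grant type, ...).</param>
/// <param name="clientInformation">Client registration data; its TokenEndpointAuthMethod selects how the client authenticates.</param>
/// <returns>The parsed token response.</returns>
/// <exception cref="OIDCException">Thrown when the OP's response contains an "error" member.</exception>
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation)
{
    WebRequest request = WebRequest.Create(url);
    OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
    // This is the token_endpoint_auth_method, not the OAuth grant type.
    string authMethod = clientInformation.TokenEndpointAuthMethod;
    // Both arguments are passed by ref, so the helper may replace the request and/or the message.
    // Its return value (the client-assertion JWT) is not needed here, so it is not kept.
    AddClientAuthenticatedToRequest(ref request, ref message, authMethod, clientInformation);

    Dictionary<string, object> returnedJson = PostUrlContent(request, message);
    if (returnedJson.ContainsKey("error"))
    {
        OIDCResponseError error = new OIDCResponseError();
        error.deserializeFromDynamic(returnedJson);
        // error/error_description are OP-supplied text and are surfaced as-is in the message.
        throw new OIDCException("Error while requesting token: " + error.Error + "\n" + error.ErrorDescription);
    }

    OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
    tokenResponse.deserializeFromDynamic(returnedJson);
    return tokenResponse;
}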
public void Should_Reject_Id_Token_With_Invalid_Signature_RS256()
{
    rpid = "rp-id_token-bad_asym_sig_rs256";
    signalg = "RS256";

    // given: finish the code flow and build the matching token request
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0]
    };

    // Build a copy of the OP's key set in which every modulus (N) has one character altered,
    // so no RSA signature can verify against it. Keys without an N are cloned untouched.
    List<OIDCKey> tamperedKeys = new List<OIDCKey>();
    foreach (OIDCKey original in providerMetadata.Keys)
    {
        OIDCKey tampered = original.Clone() as OIDCKey;
        if (original.N != null)
        {
            StringBuilder modulus = new StringBuilder(tampered.N);
            modulus[17] = (char)(tampered.N[17] + 1);
            tampered.N = modulus.ToString();
        }
        tamperedKeys.Add(tampered);
    }

    // when
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation);

    // then: the token is delivered, and decoding it against the tampered keys is the step expected to fail.
    // NOTE(review): the rejection is not asserted in this body; presumably an expected-exception
    // attribute on the test covers it — confirm.
    Assert.NotNull(tokenResponse.IdToken);
    tokenResponse.GetIdToken(tamperedKeys);
}
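/// <summary>
/// Posts a token request to the OP's token endpoint and parses the JSON response.
/// </summary>
/// <param name="url">The URL to be used where to send the request (the OP's token endpoint)</param>
/// <param name="tokenRequestMessage">The token request message</param>
/// <param name="clientInformation">The client information obtained from the OP; its TokenEndpointAuthMethod selects the client authentication</param>
/// <param name="privateKey">Key material forwarded to the client-authentication step; null when the chosen auth method does not need it (presumably private_key_jwt is the consumer — confirm)</param>
/// <returns>Returns the token response obtained from the OP</returns>
/// <exception cref="OIDCException">Thrown when the OP's response contains an "error" member</exception>
public OIDCTokenResponseMessage SubmitTokenRequest(string url, OIDCTokenRequestMessage tokenRequestMessage, OIDCClientInformation clientInformation, byte[] privateKey = null)
{
    WebRequest request = WebRequest.Create(url);
    OIDCAuthenticatedMessage message = tokenRequestMessage as OIDCAuthenticatedMessage;
    // This is the token_endpoint_auth_method, not the OAuth grant type.
    string authMethod = clientInformation.TokenEndpointAuthMethod;
    // Both arguments are passed by ref, so the helper may replace the request and/or the message.
    AddClientAuthenticatedToRequest(ref request, ref message, authMethod, clientInformation, privateKey);

    string returnedString = WebOperations.PostUrlContent(request, message);
    Dictionary<string, object> returnedJson = Deserializer.DeserializeFromJson<Dictionary<string, object>>(returnedString);
    if (returnedJson.ContainsKey("error"))
    {
        OIDCResponseError error = new OIDCResponseError();
        error.DeserializeFromDictionary(returnedJson);
        // error/error_description are OP-supplied text and are surfaced as-is in the message.
        throw new OIDCException("Error while requesting token: " + error.Error + "\n" + error.ErrorDescription);
    }

    OIDCTokenResponseMessage tokenResponse = new OIDCTokenResponseMessage();
    tokenResponse.DeserializeFromDictionary(returnedJson);
    return tokenResponse;
}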
public void Should_Authenticate_Client_With_Private_Key_Jwt()
{
    // NOTE(review): this id names the client_secret_jwt case although the method exercises private_key_jwt — confirm the intended test id.
    rpid = "rp-token_endpoint-client_secret_jwt";

    // given
    OIDCAuthCodeResponseMessage authResponse = (OIDCAuthCodeResponseMessage)GetAuthResponse(ResponseType.Code);
    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = clientInformation.ClientId,
        ClientSecret = clientInformation.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = clientInformation.RedirectUris[0]
    };

    // Take the OP's RSA "enc" key and export it as a CSP blob.
    // NOTE(review): ExportCspBlob(false) omits the private parameters, so the blob holds public material only —
    // confirm this is what the client-assertion signing step expects.
    RSACryptoServiceProvider rsa = providerMetadata.Keys
        .Find(k => k.Use == "enc" && k.Kty == "RSA")
        .GetRSA();

    // when: switch the client to private_key_jwt before contacting the token endpoint
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    clientInformation.TokenEndpointAuthMethod = "private_key_jwt";
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, clientInformation, rsa.ExportCspBlob(false));

    // then: the ID token must be present and verify against the OP's published keys
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys);
    idToken.Validate();
}
public void Should_Request_And_Use_Unsigned_Id_Token()
{
    rpid = "rp-id_token-sig_none";

    // given: register a client that asks for an unsigned ID token (id_token_signed_response_alg = "none")
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation registration = new OIDCClientInformation
    {
        ApplicationType = "web",
        RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" },
        ResponseTypes = new List<ResponseType>() { ResponseType.Code },
        IdTokenSignedResponseAlg = "none"
    };
    OIDCClientInformation registeredClient = rp.RegisterClient(registrationEndpoint, registration);

    OIDCAuthorizationRequestMessage authRequest = new OIDCAuthorizationRequestMessage
    {
        ClientId = registeredClient.ClientId,
        Scope = new List<MessageScope>() { MessageScope.Openid },
        ResponseType = new List<ResponseType>() { ResponseType.Code },
        RedirectUri = registeredClient.RedirectUris[0],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString()
    };
    authRequest.Validate();
    rp.Authenticate(GetBaseUrl("/authorization"), authRequest);

    // Block until the callback has arrived; presumably the callback handler fills 'result' and releases the semaphore.
    semaphore.WaitOne();
    OIDCAuthCodeResponseMessage authResponse = rp.ParseAuthCodeResponse(result, authRequest.Scope, authRequest.State);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = registeredClient.ClientId,
        ClientSecret = registeredClient.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = registeredClient.RedirectUris[0]
    };

    // when
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, registeredClient);

    // then: no key material is passed because an alg=none token has no signature to check.
    // Accepting unsigned tokens is what this conformance case requires; a production RP should not register for alg=none.
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken();
    idToken.Validate();
}
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
    rpid = "rp-id_token-sig+enc";
    signalg = "RS256";
    encalg = "RSA1_5:A128CBC-HS256";

    // given: register a client that asks for an RS256-signed, RSA1_5/A128CBC-HS256-encrypted ID token
    // and advertises its own public keys via jwks_uri so the OP can encrypt to them.
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    string registrationEndpoint = GetBaseUrl("/registration");
    OIDCClientInformation registration = new OIDCClientInformation
    {
        ApplicationType = "web",
        RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" },
        ResponseTypes = new List<ResponseType>() { ResponseType.Code },
        IdTokenEncryptedResponseAlg = "RSA1_5",
        IdTokenEncryptedResponseEnc = "A128CBC-HS256",
        JwksUri = myBaseUrl + "my_public_keys.jwks"
    };
    OIDCClientInformation registeredClient = rp.RegisterClient(registrationEndpoint, registration);

    OIDCAuthorizationRequestMessage authRequest = new OIDCAuthorizationRequestMessage
    {
        ClientId = registeredClient.ClientId,
        Scope = new List<MessageScope>() { MessageScope.Openid },
        ResponseType = new List<ResponseType>() { ResponseType.Code },
        RedirectUri = registeredClient.RedirectUris[0],
        Nonce = WebOperations.RandomString(),
        State = WebOperations.RandomString()
    };
    authRequest.Validate();
    rp.Authenticate(GetBaseUrl("/authorization"), authRequest);

    // Block until the callback has arrived; presumably the callback handler fills 'result' and releases the semaphore.
    semaphore.WaitOne();
    OIDCAuthCodeResponseMessage authResponse = rp.ParseAuthCodeResponse(result, authRequest.Scope, authRequest.State);

    OIDCTokenRequestMessage tokenRequest = new OIDCTokenRequestMessage
    {
        Scope = authResponse.Scope,
        State = authResponse.State,
        Code = authResponse.Code,
        ClientId = registeredClient.ClientId,
        ClientSecret = registeredClient.ClientSecret,
        GrantType = "authorization_code",
        RedirectUri = registeredClient.RedirectUris[0]
    };

    // The same test PFX (blank password, exportable) backs both the signing and the decryption key.
    X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
    List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);

    // when
    OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequest, registeredClient);

    // then: the OP's keys verify the signature; our own keys (myKeys) are needed to decrypt the JWE layer.
    Assert.NotNull(tokenResponse.IdToken);
    OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
    idToken.Validate();
}