public void Should_Support_Provider_Crypt_Key_Rotation()
{
rpid = "rp-key_rotation-op_enc_key";
// given
OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
RSACryptoServiceProvider encKey1 = getEncKey();
OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage2.State, requestMessage2.Nonce);
RSACryptoServiceProvider encKey2 = getEncKey();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
request = JWT.Encode(requestObject1.SerializeToJsonString(), encKey1, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope);
request = JWT.Encode(requestObject2.SerializeToJsonString(), encKey2, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope);
// then
response1.Validate();
response2.Validate();
}
public void Should_Support_Signing_Key_Rotation()
{
rpid = "rp-key_rotation-rp_sign_key";
// given
RSACryptoServiceProvider signKey1 = getSignKey("server.pfx");
OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
RSACryptoServiceProvider signKey2 = getSignKey("server2.pfx");
OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true);
OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
request = JWT.Encode(requestObject1.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope, requestMessage1.State);
request = JWT.Encode(requestObject2.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256);
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope, requestMessage2.State);
// then
response1.Validate();
response2.Validate();
}
public void Should_Use_Request_Uri_Parameter_Signed_And_Encrypted()
{
rpid = "rp-request_uri-sig+enc";
// given
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce);
X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
RSACryptoServiceProvider signKey = getSignKey();
RSACryptoServiceProvider encKey = getEncKey();
request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256);
request = JWT.Encode(request, encKey, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
public void Should_Authenticate_With_Code_Response_Type()
{
rpid = "rp-response_type-code";
// given
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
private OIDCAuthCodeResponseMessage GetAuthResponse(HttpRequestData request, HttpSessionState session)
{
var scope = new List <MessageScope>()
{
MessageScope.Openid, MessageScope.Profile
};
var state = session["state"];
return(rp.ParseAuthCodeResponse(request.Url.Query, scope));
}
public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null)
{
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = (Nonce == null) ? WebOperations.RandomString() : Nonce;
requestMessage.State = WebOperations.RandomString();
requestMessage.Claims = Claims;
if (Profile)
{
requestMessage.Scope.Add(MessageScope.Profile);
requestMessage.Scope.Add(MessageScope.Address);
requestMessage.Scope.Add(MessageScope.Phone);
requestMessage.Scope.Add(MessageScope.Email);
}
if (ResponseType.Code == RespType)
{
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
}
else if (ResponseType.IdToken == RespType)
{
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.IdToken, ResponseType.Token
};
}
requestMessage.Validate();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
if (ResponseType.Code == RespType)
{
return(rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State));
}
else if (ResponseType.IdToken == RespType)
{
return(rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State));
}
throw new Exception("Error in parameter passed");
}
public void Should_Use_Request_Uri_Parameter_Unsigned()
{
rpid = "rp-request_uri-unsigned";
// given
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce);
request = JWT.Encode(requestObject.SerializeToJsonString(), null, JwsAlgorithm.none);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken()
{
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OpenIdRelyingParty rp = new OpenIdRelyingParty();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
return(rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation));
}
public void Should_Use_Request_Uri_Parameter_Encrypted()
{
rpid = "rp-request_uri-enc";
// given
OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage();
OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce);
RSACryptoServiceProvider encKey = getEncKey();
request = JWT.Encode(requestObject.SerializeToJsonString(), encKey, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256);
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope);
// then
response.Validate();
}
public void Should_Spport_Third_Party_Initiated_Login()
{
rpid = "rp-support_3rd_party_init_login";
// given
OIDCThirdPartyLoginRequest thirdPartyRequest = new OIDCThirdPartyLoginRequest();
thirdPartyRequest.Iss = GetBaseUrl("/");
WebRequest webRequest = WebRequest.Create(clientInformation.InitiateLoginUri + "?" + thirdPartyRequest.SerializeToQueryString());
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope> {
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Validate();
request = requestMessage.SerializeToQueryString();
param = providerMetadata.AuthorizationEndpoint;
OpenIdRelyingParty rp = new OpenIdRelyingParty();
// when
WebOperations.GetUrlContent(webRequest);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result);
// then
response.Validate();
}
public void Should_Reject_Id_Token_With_Incorrect_C_Hash()
{
rpid = "rp-id_token-bad_c_hash";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code, ResponseType.IdToken
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
// when
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
// then
Assert.NotNull(response.IdToken);
OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys);
string ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys);
idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null);
}
public void Should_Request_And_Use_Unsigned_Id_Token()
{
rpid = "rp-id_token-sig_none";
// givens
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List <string>()
{
myBaseUrl + "code_flow_callback"
};
clientMetadata.ResponseTypes = new List <ResponseType>()
{
ResponseType.Code
};
clientMetadata.IdTokenSignedResponseAlg = "none";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken();
idToken.Validate();
}
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token()
{
rpid = "rp-id_token-sig+enc";
signalg = "RS256";
encalg = "RSA1_5:A128CBC-HS256";
// given
OpenIdRelyingParty rp = new OpenIdRelyingParty();
string registrationEndopoint = GetBaseUrl("/registration");
OIDCClientInformation clientMetadata = new OIDCClientInformation();
clientMetadata.ApplicationType = "web";
clientMetadata.RedirectUris = new List <string>()
{
myBaseUrl + "code_flow_callback"
};
clientMetadata.ResponseTypes = new List <ResponseType>()
{
ResponseType.Code
};
clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5";
clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256";
clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks";
OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata);
OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage();
requestMessage.ClientId = clientInformation.ClientId;
requestMessage.Scope = new List <MessageScope>()
{
MessageScope.Openid
};
requestMessage.ResponseType = new List <ResponseType>()
{
ResponseType.Code
};
requestMessage.RedirectUri = clientInformation.RedirectUris[0];
requestMessage.Nonce = WebOperations.RandomString();
requestMessage.State = WebOperations.RandomString();
requestMessage.Validate();
rp.Authenticate(GetBaseUrl("/authorization"), requestMessage);
semaphore.WaitOne();
OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State);
OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage();
tokenRequestMessage.Scope = response.Scope;
tokenRequestMessage.State = response.State;
tokenRequestMessage.Code = response.Code;
tokenRequestMessage.ClientId = clientInformation.ClientId;
tokenRequestMessage.ClientSecret = clientInformation.ClientSecret;
tokenRequestMessage.GrantType = "authorization_code";
tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0];
X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable);
List <OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert);
// when
OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation);
// then
Assert.NotNull(tokenResponse.IdToken);
OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys);
idToken.Validate();
}