public async Task Roundtrips(RoundtripSignedHttpRequestTheoryData theoryData)
{
var context = TestUtilities.WriteHeader($"{this}.Roundtrips", theoryData);
try
{
var handler = new SignedHttpRequestHandler();
var signedHttpRequestDescriptor = new SignedHttpRequestDescriptor(theoryData.AccessToken, theoryData.HttpRequestData, theoryData.SigningCredentials, theoryData.SignedHttpRequestCreationParameters);
signedHttpRequestDescriptor.CnfClaimValue = theoryData.CnfClaimValue;
var signedHttpRequest = handler.CreateSignedHttpRequest(signedHttpRequestDescriptor);
var cryptoProviderFactory = signedHttpRequestDescriptor.SigningCredentials.CryptoProviderFactory ?? signedHttpRequestDescriptor.SigningCredentials.Key.CryptoProviderFactory;
if (cryptoProviderFactory.CryptoProviderCache.TryGetSignatureProvider(
signedHttpRequestDescriptor.SigningCredentials.Key,
signedHttpRequestDescriptor.SigningCredentials.Algorithm,
signedHttpRequestDescriptor.SigningCredentials.Key is AsymmetricSecurityKey ? typeof(AsymmetricSignatureProvider).ToString() : typeof(SymmetricSignatureProvider).ToString(),
true,
out _))
{
context.Diffs.Add(LogHelper.FormatInvariant("SignedHttpRequest cached SignatureProvider (Signing), Key: '{0}', Algorithm: '{1}'", signedHttpRequestDescriptor.SigningCredentials.Key, signedHttpRequestDescriptor.SigningCredentials.Algorithm));
}
var signedHttpRequestValidationContext = new SignedHttpRequestValidationContext(signedHttpRequest, theoryData.HttpRequestData, theoryData.TokenValidationParameters, theoryData.SignedHttpRequestValidationParameters);
var result = await handler.ValidateSignedHttpRequestAsync(signedHttpRequestValidationContext, CancellationToken.None).ConfigureAwait(false);
if (cryptoProviderFactory.CryptoProviderCache.TryGetSignatureProvider(
signedHttpRequestDescriptor.SigningCredentials.Key,
signedHttpRequestDescriptor.SigningCredentials.Algorithm,
signedHttpRequestDescriptor.SigningCredentials.Key is AsymmetricSecurityKey ? typeof(AsymmetricSignatureProvider).ToString() : typeof(SymmetricSignatureProvider).ToString(),
false,
out _))
{
context.Diffs.Add(LogHelper.FormatInvariant("SignedHttpRequest cached SignatureProvider (Validate), Key: '{0}', Algorithm: '{1}'", signedHttpRequestDescriptor.SigningCredentials.Key, signedHttpRequestDescriptor.SigningCredentials.Algorithm));
}
IdentityComparer.AreBoolsEqual(result.IsValid, theoryData.IsValid, context);
if (result.Exception != null)
{
throw result.Exception;
}
Assert.NotNull(result);
Assert.NotNull(result.SignedHttpRequest);
Assert.NotNull(result.ValidatedSignedHttpRequest);
Assert.NotNull(result.AccessTokenValidationResult);
theoryData.ExpectedException.ProcessNoException(context);
}
catch (Exception ex)
{
theoryData.ExpectedException.ProcessException(ex, context);
}
TestUtilities.AssertFailIfErrors(context);
}
public async Task PopTest_ExternalWilsonSigning_Async()
{
var confidentialApp = ConfidentialClientApplicationBuilder
.Create(PublicCloudConfidentialClientID)
.WithExperimentalFeatures()
.WithAuthority(PublicCloudTestAuthority)
.WithClientSecret(s_publicCloudCcaSecret)
.Build();
// Create an RSA key Wilson style (SigningCredentials)
var key = CreateRsaSecurityKey();
var popCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256);
var popConfig = new PoPAuthenticationConfiguration()
{
PopCryptoProvider = new SigningCredentialsToPopCryptoProviderAdapter(popCredentials, true),
SignHttpRequest = false,
};
var result = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPossession(popConfig)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Assert.AreEqual("pop", result.TokenType);
Assert.AreEqual(
TokenSource.IdentityProvider,
result.AuthenticationResultMetadata.TokenSource);
SignedHttpRequestDescriptor signedHttpRequestDescriptor =
new SignedHttpRequestDescriptor(
result.AccessToken,
new IdentityModel.Protocols.HttpRequestData()
{
Uri = new Uri(ProtectedUrl),
Method = HttpMethod.Post.ToString()
},
popCredentials);
var signedHttpRequestHandler = new SignedHttpRequestHandler();
string req = signedHttpRequestHandler.CreateSignedHttpRequest(signedHttpRequestDescriptor);
await VerifyPoPTokenAsync(
PublicCloudConfidentialClientID,
ProtectedUrl,
HttpMethod.Post,
req, "pop").ConfigureAwait(false);
var result2 = await confidentialApp.AcquireTokenForClient(s_keyvaultScope)
.WithProofOfPossession(popConfig)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false);
Assert.AreEqual(
TokenSource.Cache,
result2.AuthenticationResultMetadata.TokenSource);
}
