/// <summary>
/// Round-trips a SignedHttpRequest: builds one from <paramref name="theoryData"/>, validates it
/// with the same <see cref="SignedHttpRequestHandler"/>, and compares the outcome with the
/// expectations carried by the theory data. After both the signing and the validation step the
/// crypto provider cache is probed for a SignatureProvider matching the signing key/algorithm;
/// a cache hit is recorded as a diff, so the test fails if either step left a provider cached.
/// </summary>
/// <param name="theoryData">Inputs (token, request data, credentials, parameters) and the expected result/exception.</param>
public async Task Roundtrips(RoundtripSignedHttpRequestTheoryData theoryData)
{
    var context = TestUtilities.WriteHeader($"{this}.Roundtrips", theoryData);
    try
    {
        var handler = new SignedHttpRequestHandler();
        var descriptor = new SignedHttpRequestDescriptor(
            theoryData.AccessToken,
            theoryData.HttpRequestData,
            theoryData.SigningCredentials,
            theoryData.SignedHttpRequestCreationParameters)
        {
            CnfClaimValue = theoryData.CnfClaimValue,
        };

        var signedHttpRequest = handler.CreateSignedHttpRequest(descriptor);

        // The factory on the credentials wins; otherwise fall back to the key's own factory.
        var credentials = descriptor.SigningCredentials;
        var providerFactory = credentials.CryptoProviderFactory ?? credentials.Key.CryptoProviderFactory;
        var providerTypeName = credentials.Key is AsymmetricSecurityKey
            ? typeof(AsymmetricSignatureProvider).ToString()
            : typeof(SymmetricSignatureProvider).ToString();

        // Adds a diff when a SignatureProvider for the signing key/algorithm is found in the cache.
        // 'willCreateSignatures' selects the signing (true) or verifying (false) provider slot.
        void RecordDiffIfCached(bool willCreateSignatures, string messageFormat)
        {
            if (providerFactory.CryptoProviderCache.TryGetSignatureProvider(
                    credentials.Key,
                    credentials.Algorithm,
                    providerTypeName,
                    willCreateSignatures,
                    out _))
            {
                context.Diffs.Add(LogHelper.FormatInvariant(messageFormat, credentials.Key, credentials.Algorithm));
            }
        }

        RecordDiffIfCached(true, "SignedHttpRequest cached SignatureProvider (Signing), Key: '{0}', Algorithm: '{1}'");

        var validationContext = new SignedHttpRequestValidationContext(
            signedHttpRequest,
            theoryData.HttpRequestData,
            theoryData.TokenValidationParameters,
            theoryData.SignedHttpRequestValidationParameters);
        var result = await handler.ValidateSignedHttpRequestAsync(validationContext, CancellationToken.None).ConfigureAwait(false);

        RecordDiffIfCached(false, "SignedHttpRequest cached SignatureProvider (Validate), Key: '{0}', Algorithm: '{1}'");

        IdentityComparer.AreBoolsEqual(result.IsValid, theoryData.IsValid, context);

        // A validation failure surfaces as an exception on the result; rethrowing routes it
        // through the expected-exception handling in the catch block below.
        if (result.Exception != null)
        {
            throw result.Exception;
        }

        Assert.NotNull(result);
        Assert.NotNull(result.SignedHttpRequest);
        Assert.NotNull(result.ValidatedSignedHttpRequest);
        Assert.NotNull(result.AccessTokenValidationResult);
        theoryData.ExpectedException.ProcessNoException(context);
    }
    catch (Exception ex)
    {
        theoryData.ExpectedException.ProcessException(ex, context);
    }

    TestUtilities.AssertFailIfErrors(context);
}
/// <summary>
/// Acquires a PoP token for a confidential client while the HTTP request signature is produced
/// outside MSAL: <c>SignHttpRequest</c> is turned off and the request is signed here with the
/// Wilson <see cref="SignedHttpRequestHandler"/> using the same RSA credentials that were handed
/// to MSAL through the adapter. The signed request is then verified against <c>ProtectedUrl</c>,
/// and a second acquisition is expected to be served from the token cache.
/// </summary>
public async Task PopTest_ExternalWilsonSigning_Async()
{
    var app = ConfidentialClientApplicationBuilder
        .Create(PublicCloudConfidentialClientID)
        .WithExperimentalFeatures()
        .WithAuthority(PublicCloudTestAuthority)
        .WithClientSecret(s_publicCloudCcaSecret)
        .Build();

    // RSA key in Wilson form (SigningCredentials); the adapter exposes it to MSAL's PoP pipeline.
    var signingCredentials = new SigningCredentials(CreateRsaSecurityKey(), SecurityAlgorithms.RsaSha256);
    var popConfig = new PoPAuthenticationConfiguration
    {
        PopCryptoProvider = new SigningCredentialsToPopCryptoProviderAdapter(signingCredentials, true),
        // MSAL hands back the bare token; signing of the request happens below, not in MSAL.
        SignHttpRequest = false,
    };

    var firstResult = await app.AcquireTokenForClient(s_keyvaultScope)
        .WithProofOfPossession(popConfig)
        .ExecuteAsync(CancellationToken.None)
        .ConfigureAwait(false);

    Assert.AreEqual("pop", firstResult.TokenType);
    Assert.AreEqual(TokenSource.IdentityProvider, firstResult.AuthenticationResultMetadata.TokenSource);

    // Sign the request for ProtectedUrl with the same credentials MSAL bound the token to.
    var requestData = new IdentityModel.Protocols.HttpRequestData
    {
        Uri = new Uri(ProtectedUrl),
        Method = HttpMethod.Post.ToString(),
    };
    var descriptor = new SignedHttpRequestDescriptor(firstResult.AccessToken, requestData, signingCredentials);
    string signedRequest = new SignedHttpRequestHandler().CreateSignedHttpRequest(descriptor);

    await VerifyPoPTokenAsync(
        PublicCloudConfidentialClientID,
        ProtectedUrl,
        HttpMethod.Post,
        signedRequest,
        "pop").ConfigureAwait(false);

    // Same scope and PoP configuration: the second call must not go back to the identity provider.
    var secondResult = await app.AcquireTokenForClient(s_keyvaultScope)
        .WithProofOfPossession(popConfig)
        .ExecuteAsync(CancellationToken.None)
        .ConfigureAwait(false);

    Assert.AreEqual(TokenSource.Cache, secondResult.AuthenticationResultMetadata.TokenSource);
}