public async Task JwtAccessTokenIssuer_IncludesAllRequiredData()
{
    // Arrange
    // Pinned clock: issued-at and not-before are the reference instant,
    // expiry is exactly one hour later, so every timestamp on the token is predictable.
    var reference = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.FromHours(1));
    var expiry = reference.AddHours(1);
    var clock = GetTimeManager(reference, expiry, reference);
    var options = GetOptions();

    var sut = new JwtAccessTokenIssuer(
        GetClaimsManager(clock),
        GetSigningPolicy(options, clock),
        new JwtSecurityTokenHandler(),
        options);

    // Resource owner identified by NameIdentifier; client identified by the ClientId claim.
    var userPrincipal = new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "user") }));
    var clientPrincipal = new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim(IdentityServiceClaimTypes.ClientId, "clientId") }));
    var context = GetTokenGenerationContext(userPrincipal, clientPrincipal);
    context.InitializeForToken(TokenTypes.AccessToken);

    // Act
    await sut.IssueAccessTokenAsync(context);

    // Assert
    // Audience "resourceId" and scope "all" presumably come from GetTokenGenerationContext — confirm in the helper.
    Assert.NotNull(context.AccessToken);
    var accessToken = Assert.IsType<AccessToken>(context.AccessToken.Token);
    Assert.NotNull(accessToken);
    Assert.NotNull(accessToken.Id);
    Assert.Equal("user", accessToken.Subject);
    Assert.Equal("resourceId", accessToken.Audience);
    Assert.Equal("clientId", accessToken.AuthorizedParty);
    Assert.Equal(new[] { "all" }, accessToken.Scopes);
    Assert.Equal(reference, accessToken.IssuedAt);
    Assert.Equal(expiry, accessToken.Expires);
    Assert.Equal(reference, accessToken.NotBefore);
}
/// <summary>
/// Builds a fully wired <see cref="TokenManager"/> for tests: all four issuers
/// (authorization code, access token, id token, refresh token) backed by the
/// shared test options and claims manager.
/// </summary>
private static TokenManager GetTokenManager()
{
    var options = CreateOptions();
    var claimsManager = CreateClaimsManager(options);
    var clock = new TimeStampManager();
    var credentialsPolicy = GetCredentialsPolicy(options, clock);

    // Ephemeral protection keys: codes/refresh tokens protected here are only
    // readable within this process, which is all a unit test needs.
    var protector = new EphemeralDataProtectionProvider(new LoggerFactory()).CreateProtector("test");
    var codeFormat = new SecureDataFormat<AuthorizationCode>(
        new TokenDataSerializer<AuthorizationCode>(options, ArrayPool<char>.Shared),
        protector);
    var refreshTokenFormat = new SecureDataFormat<RefreshToken>(
        new TokenDataSerializer<RefreshToken>(options, ArrayPool<char>.Shared),
        protector);

    // JWT-based issuers share the signing policy; the opaque ones use the data formats above.
    return new TokenManager(
        new AuthorizationCodeIssuer(claimsManager, codeFormat, new ProtocolErrorProvider()),
        new JwtAccessTokenIssuer(claimsManager, credentialsPolicy, new JwtSecurityTokenHandler(), options),
        new JwtIdTokenIssuer(claimsManager, credentialsPolicy, new JwtSecurityTokenHandler(), options),
        new RefreshTokenIssuer(claimsManager, refreshTokenFormat),
        new ProtocolErrorProvider());
}
public async Task JwtAccessTokenIssuer_Fails_IfUserIsMissingUserId()
{
    // Arrange
    // Default context: no user principal with a NameIdentifier claim, so the issuer
    // has no subject to put on the token and must refuse rather than mint one.
    var options = GetOptions();
    var sut = new JwtAccessTokenIssuer(
        GetClaimsManager(),
        GetSigningPolicy(options, new TimeStampManager()),
        new JwtSecurityTokenHandler(),
        options);
    var context = GetTokenGenerationContext();
    context.InitializeForToken(TokenTypes.AccessToken);

    // Act
    Func<Task> issue = () => sut.IssueAccessTokenAsync(context);
    var exception = await Assert.ThrowsAsync<InvalidOperationException>(issue);

    // Assert
    var expectedMessage = $"Missing '{ClaimTypes.NameIdentifier}' claim from the user.";
    Assert.Equal(expectedMessage, exception.Message);
}
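public async Task JwtAccessTokenIssuer_SignsAccessToken()
{
    // Arrange
    // Not-before / issued-at are pinned to a fixed past instant. The expiry is derived
    // from the real clock because ValidateToken checks the token lifetime against
    // DateTime.UtcNow: it is truncated to whole seconds (JWT 'exp' has second precision,
    // so the round-tripped ValidTo can be compared for exact equality) and pushed one
    // hour into the future so the test does not depend on the default ClockSkew to
    // accept a token that has already expired.
    var expectedDateTime = new DateTimeOffset(2000, 01, 01, 0, 0, 0, TimeSpan.FromHours(1));
    var now = DateTimeOffset.UtcNow;
    var expires = new DateTimeOffset(now.Year, now.Month, now.Day, now.Hour, now.Minute, now.Second, TimeSpan.Zero)
        .AddHours(1);
    var timeManager = GetTimeManager(expectedDateTime, expires, expectedDateTime);
    var options = GetOptions();

    // Validation is done with a separate handler using the issuer's own signing key,
    // so a token whose signature does not verify against that key fails the test.
    var handler = new JwtSecurityTokenHandler();
    var tokenValidationParameters = new TokenValidationParameters
    {
        IssuerSigningKey = options.Value.SigningKeys[0].Key,
        ValidAudiences = new[] { "resourceId" },
        ValidIssuers = new[] { options.Value.Issuer }
    };

    var issuer = new JwtAccessTokenIssuer(
        GetClaimsManager(timeManager),
        GetSigningPolicy(options, timeManager),
        new JwtSecurityTokenHandler(),
        options);
    var context = GetTokenGenerationContext(
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, "user") })),
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(IdentityServiceClaimTypes.ClientId, "clientId") })));
    context.InitializeForToken(TokenTypes.AccessToken);

    // Act
    await issuer.IssueAccessTokenAsync(context);

    // Assert
    Assert.NotNull(context.AccessToken);
    Assert.NotNull(context.AccessToken.SerializedValue);

    // Signature, issuer, audience and lifetime are all checked by ValidateToken.
    SecurityToken validatedToken;
    Assert.NotNull(handler.ValidateToken(context.AccessToken.SerializedValue, tokenValidationParameters, out validatedToken));
    Assert.NotNull(validatedToken);
    var jwtToken = Assert.IsType<JwtSecurityToken>(validatedToken);
    var accessToken = Assert.IsType<AccessToken>(context.AccessToken.Token);

    // The issuer value "http://www.example.com/issuer" presumably comes from GetOptions — confirm in the helper.
    Assert.Equal("http://www.example.com/issuer", jwtToken.Issuer);
    var tokenAudience = Assert.Single(jwtToken.Audiences);
    Assert.Equal("resourceId", tokenAudience);
    // Claim types are protocol identifiers; compare them ordinally.
    var tokenAuthorizedParty = Assert.Single(jwtToken.Claims, c => c.Type.Equals("azp", StringComparison.Ordinal)).Value;
    Assert.Equal("clientId", tokenAuthorizedParty);
    Assert.Equal("user", jwtToken.Subject);
    Assert.Equal(expires, jwtToken.ValidTo);
    Assert.Equal(expectedDateTime.UtcDateTime, jwtToken.ValidFrom);

    // Scopes are emitted as individual claims; sort so the comparison is order-independent.
    var tokenScopes = jwtToken.Claims
        .Where(c => c.Type == IdentityServiceClaimTypes.Scope)
        .Select(c => c.Value)
        .OrderBy(c => c)
        .ToArray();
    Assert.Equal(new[] { "all" }, tokenScopes);
}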