public OpenIdConnectAuthenticationOptions(string authenticationType)
: base(authenticationType)
{
AuthenticationMode = Security.AuthenticationMode.Active;
BackchannelTimeout = TimeSpan.FromMinutes(1);
Caption = OpenIdConnectAuthenticationDefaults.Caption;
ProtocolValidator = new OpenIdConnectProtocolValidator();
RefreshOnIssuerKeyNotFound = true;
ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
Scope = OpenIdConnectScopes.OpenIdProfile;
TokenValidationParameters = new TokenValidationParameters();
UseTokenLifetime = true;
}
public OpenIdConnectAuthenticationOptions(string authenticationScheme)
{
AuthenticationScheme = authenticationScheme;
BackchannelTimeout = TimeSpan.FromMinutes(1);
Caption = OpenIdConnectAuthenticationDefaults.Caption;
GetClaimsFromUserInfoEndpoint = false;
ProtocolValidator = new OpenIdConnectProtocolValidator() { RequireState = false };
RefreshOnIssuerKeyNotFound = true;
ResponseMode = OpenIdConnectResponseModes.FormPost;
ResponseType = OpenIdConnectResponseTypes.CodeIdToken;
Scope = OpenIdConnectScopes.OpenIdProfile;
TokenValidationParameters = new TokenValidationParameters();
UseTokenLifetime = true;
}
public void OpenIdConnectProtocolValidator_GenerateNonce()
{
List<string> errors = new List<string>();
OpenIdConnectProtocolValidator protocolValidator = new OpenIdConnectProtocolValidator();
string nonce = protocolValidator.GenerateNonce();
int endOfTimestamp = nonce.IndexOf('.');
if (endOfTimestamp == -1)
{
errors.Add("nonce does not have '.' seperator");
}
else
{
}
}
public void OpenIdConnectProtocolValidator_GetSets()
{
OpenIdConnectProtocolValidator validationParameters = new OpenIdConnectProtocolValidator();
Type type = typeof(OpenIdConnectProtocolValidator);
PropertyInfo[] properties = type.GetProperties();
if (properties.Length != 9)
Assert.Fail("Number of properties has changed from 9 to: " + properties.Length + ", adjust tests");
GetSetContext context =
new GetSetContext
{
PropertyNamesAndSetGetValue = new List<KeyValuePair<string, List<object>>>
{
new KeyValuePair<string, List<object>>("NonceLifetime", new List<object>{TimeSpan.FromMinutes(60), TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(100)}),
new KeyValuePair<string, List<object>>("RequireAcr", new List<object>{false, true, false}),
new KeyValuePair<string, List<object>>("RequireAmr", new List<object>{false, true, false}),
new KeyValuePair<string, List<object>>("RequireAuthTime", new List<object>{false, true, false}),
new KeyValuePair<string, List<object>>("RequireAzp", new List<object>{false, true, false}),
new KeyValuePair<string, List<object>>("RequireNonce", new List<object>{true, false, true}),
new KeyValuePair<string, List<object>>("RequireSub", new List<object>{false, true, false}),
new KeyValuePair<string, List<object>>("RequireTimeStampInNonce", new List<object>{true, false, true}),
},
Object = validationParameters,
};
TestUtilities.GetSet(context);
TestUtilities.AssertFailIfErrors(MethodInfo.GetCurrentMethod().Name, context.Errors);
ExpectedException ee = ExpectedException.ArgumentNullException();
Assert.IsNotNull(validationParameters.HashAlgorithmMap);
Assert.AreEqual(validationParameters.HashAlgorithmMap.Count, 9);
ee = ExpectedException.ArgumentOutOfRangeException();
try
{
validationParameters.NonceLifetime = TimeSpan.Zero;
ee.ProcessNoException();
}
catch (Exception ex)
{
ee.ProcessException(ex);
}
}
public void Validate(JwtSecurityToken jwt, OpenIdConnectProtocolValidator protocolValidator, OpenIdConnectProtocolValidationContext validationContext, ExpectedException ee)
{
try
{
protocolValidator.Validate(jwt, validationContext);
ee.ProcessNoException();
}
catch (Exception ex)
{
ee.ProcessException(ex);
}
}
public void OpenIdConnectProtocolValidator_Validate()
{
JwtSecurityToken jwt = new JwtSecurityToken();
OpenIdConnectProtocolValidationContext validationContext = new OpenIdConnectProtocolValidationContext();
OpenIdConnectProtocolValidator protocolValidator = new OpenIdConnectProtocolValidator();
// jwt null
Validate(jwt: null, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// validationContext null
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: null, ee: ExpectedException.ArgumentNullException());
// aud missing
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// exp missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Aud, IdentityUtilities.DefaultAudience));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iat missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Exp, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// iss missing
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// add iis, nonce is not retuired.
protocolValidator.RequireNonce = false;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Iss, IdentityUtilities.DefaultIssuer));
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// nonce invalid
string validNonce = protocolValidator.GenerateNonce();
// add the valid 'nonce' but set validationContext.Nonce to a different 'nonce'.
protocolValidator.RequireNonce = true;
jwt.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Nonce, validNonce));
validationContext.Nonce = protocolValidator.GenerateNonce();
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidNonceException), substringExpected: "IDX10301:"));
// sub missing, default not required
validationContext.Nonce = validNonce;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
protocolValidator.RequireSub = true;
Validate(jwt: jwt, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10309:"));
// authorizationCode invalid
string validAuthorizationCode = protocolValidator.GenerateNonce();
string validChash = IdentityUtilities.CreateCHash(validAuthorizationCode, "SHA256");
JwtSecurityToken jwtWithSignatureChash =
new JwtSecurityToken
(
audience: IdentityUtilities.DefaultAudience,
claims: new List<Claim>
{
new Claim(JwtRegisteredClaimNames.CHash, validChash),
new Claim(JwtRegisteredClaimNames.Iat, EpochTime.GetIntDate(DateTime.UtcNow).ToString()),
new Claim(JwtRegisteredClaimNames.Nonce, validNonce),
new Claim(JwtRegisteredClaimNames.Sub, "sub"),
},
expires: DateTime.UtcNow + TimeSpan.FromHours(1),
issuer: IdentityUtilities.DefaultIssuer,
signingCredentials: IdentityUtilities.DefaultAsymmetricSigningCredentials
);
Dictionary<string,string> algmap = new Dictionary<string,string>(protocolValidator.HashAlgorithmMap);
protocolValidator.HashAlgorithmMap.Clear();
protocolValidator.HashAlgorithmMap.Add(JwtAlgorithms.RSA_SHA256, "SHA256");
validationContext.Nonce = validNonce;
validationContext.AuthorizationCode = validNonce;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolInvalidCHashException), substringExpected: "IDX10304:"));
// nonce and authorizationCode valid
validationContext.AuthorizationCode = validAuthorizationCode;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
// validate optional claims
protocolValidator.RequireAcr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10312:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Acr, "acr"));
protocolValidator.RequireAmr = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10313:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Amr, "amr"));
protocolValidator.RequireAuthTime = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10314:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.AuthTime, "authTime"));
protocolValidator.RequireAzp = true;
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: new ExpectedException(typeExpected: typeof(OpenIdConnectProtocolException), substringExpected: "IDX10315:"));
jwtWithSignatureChash.Payload.AddClaim(new Claim(JwtRegisteredClaimNames.Azp, "azp"));
Validate(jwt: jwtWithSignatureChash, protocolValidator: protocolValidator, validationContext: validationContext, ee: ExpectedException.NoExceptionExpected);
}
