public void Should_Spport_Third_Party_Initiated_Login() { rpid = "rp-support_3rd_party_init_login"; // given OIDCThirdPartyLoginRequest thirdPartyRequest = new OIDCThirdPartyLoginRequest(); thirdPartyRequest.Iss = GetBaseUrl("/"); WebRequest webRequest = WebRequest.Create(clientInformation.InitiateLoginUri + "?" + thirdPartyRequest.SerializeToQueryString()); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>{ MessageScope.Openid }; requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Validate(); request = requestMessage.SerializeToQueryString(); param = providerMetadata.AuthorizationEndpoint; OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when WebOperations.GetUrlContent(webRequest); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result); // then response.Validate(); }
public void Should_Use_Request_Uri_Parameter_Signed() { rpid = "rp-request_uri-sig"; // given OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage(); OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce); RSACryptoServiceProvider signKey = getSignKey(); request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256); OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope); // then response.Validate(); }
public void Should_Authenticate_With_Code_Response_Type() { rpid = "rp-response_type-code"; // given OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Validate(); OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope); // then response.Validate(); }
public OIDClientSerializableMessage GetAuthResponse(ResponseType RespType, string Nonce = null, bool Profile = false, OIDClaims Claims = null) { OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = (Nonce == null) ? WebOperations.RandomString() : Nonce; requestMessage.State = WebOperations.RandomString(); requestMessage.Claims = Claims; if (Profile) { requestMessage.Scope.Add(MessageScope.Profile); requestMessage.Scope.Add(MessageScope.Address); requestMessage.Scope.Add(MessageScope.Phone); requestMessage.Scope.Add(MessageScope.Email); } if (ResponseType.Code == RespType) { requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code }; } else if (ResponseType.IdToken == RespType) { requestMessage.ResponseType = new List<ResponseType>() { ResponseType.IdToken, ResponseType.Token }; } requestMessage.Validate(); OpenIdRelyingParty rp = new OpenIdRelyingParty(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); if (ResponseType.Code == RespType) { return rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); } else if (ResponseType.IdToken == RespType) { return rp.ParseAuthImplicitResponse(result, requestMessage.Scope, requestMessage.State); } throw new Exception("Error in parameter passed"); }
public void Should_Support_Provider_Crypt_Key_Rotation() { rpid = "rp-key_rotation-op_enc_key"; // given OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true); OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce); RSACryptoServiceProvider encKey1 = getEncKey(); OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true); OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage2.State, requestMessage2.Nonce); RSACryptoServiceProvider encKey2 = getEncKey(); OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when request = JWT.Encode(requestObject1.SerializeToJsonString(), encKey1, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope); request = JWT.Encode(requestObject2.SerializeToJsonString(), encKey2, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope); // then response1.Validate(); response2.Validate(); }
private OIDCTokenResponseMessage AuthenticateAndRetrieveIdToken() { OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage(); OpenIdRelyingParty rp = new OpenIdRelyingParty(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; return rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); }
public void Should_Support_Signing_Key_Rotation() { rpid = "rp-key_rotation-rp_sign_key"; // given RSACryptoServiceProvider signKey1 = getSignKey("server.pfx"); OIDCAuthorizationRequestMessage requestMessage1 = generateRequestMessage(true); OIDCAuthorizationRequestMessage requestObject1 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce); RSACryptoServiceProvider signKey2 = getSignKey("server2.pfx"); OIDCAuthorizationRequestMessage requestMessage2 = generateRequestMessage(true); OIDCAuthorizationRequestMessage requestObject2 = generateRequestMessage(false, requestMessage1.State, requestMessage1.Nonce); OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when request = JWT.Encode(requestObject1.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage1); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response1 = rp.ParseAuthCodeResponse(result, requestMessage1.Scope, requestMessage1.State); request = JWT.Encode(requestObject2.SerializeToJsonString(), signKey1, JwsAlgorithm.RS256); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage2); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response2 = rp.ParseAuthCodeResponse(result, requestMessage2.Scope, requestMessage2.State); // then response1.Validate(); response2.Validate(); }
public void Should_Request_And_Use_Unsigned_Id_Token() { rpid = "rp-id_token-sig_none"; // givens OpenIdRelyingParty rp = new OpenIdRelyingParty(); string registrationEndopoint = GetBaseUrl("/registration"); OIDCClientInformation clientMetadata = new OIDCClientInformation(); clientMetadata.ApplicationType = "web"; clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" }; clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code }; clientMetadata.IdTokenSignedResponseAlg = "none"; OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; // when OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(); idToken.Validate(); }
public void Should_Request_And_Use_Signed_And_Encrypted_Id_Token() { rpid = "rp-id_token-sig+enc"; signalg = "RS256"; encalg = "RSA1_5:A128CBC-HS256"; // given OpenIdRelyingParty rp = new OpenIdRelyingParty(); string registrationEndopoint = GetBaseUrl("/registration"); OIDCClientInformation clientMetadata = new OIDCClientInformation(); clientMetadata.ApplicationType = "web"; clientMetadata.RedirectUris = new List<string>() { myBaseUrl + "code_flow_callback" }; clientMetadata.ResponseTypes = new List<ResponseType>() { ResponseType.Code }; clientMetadata.IdTokenEncryptedResponseAlg = "RSA1_5"; clientMetadata.IdTokenEncryptedResponseEnc = "A128CBC-HS256"; clientMetadata.JwksUri = myBaseUrl + "my_public_keys.jwks"; OIDCClientInformation clientInformation = rp.RegisterClient(registrationEndopoint, clientMetadata); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); OIDCTokenRequestMessage tokenRequestMessage = new OIDCTokenRequestMessage(); tokenRequestMessage.Scope = response.Scope; tokenRequestMessage.State = response.State; tokenRequestMessage.Code = response.Code; tokenRequestMessage.ClientId = clientInformation.ClientId; tokenRequestMessage.ClientSecret = clientInformation.ClientSecret; tokenRequestMessage.GrantType = "authorization_code"; tokenRequestMessage.RedirectUri = clientInformation.RedirectUris[0]; X509Certificate2 signCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable); X509Certificate2 encCert = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable); List<OIDCKey> myKeys = KeyManager.GetKeysJwkList(signCert, encCert); // when OIDCTokenResponseMessage tokenResponse = rp.SubmitTokenRequest(GetBaseUrl("/token"), tokenRequestMessage, clientInformation); // then Assert.NotNull(tokenResponse.IdToken); OIDCIdToken idToken = tokenResponse.GetIdToken(providerMetadata.Keys, null, myKeys); idToken.Validate(); }
public void Should_Reject_Id_Token_With_Incorrect_C_Hash() { rpid = "rp-id_token-bad_c_hash"; // givens OpenIdRelyingParty rp = new OpenIdRelyingParty(); OIDCAuthorizationRequestMessage requestMessage = new OIDCAuthorizationRequestMessage(); requestMessage.ClientId = clientInformation.ClientId; requestMessage.Scope = new List<MessageScope>() { MessageScope.Openid }; requestMessage.ResponseType = new List<ResponseType>() { ResponseType.Code, ResponseType.IdToken }; requestMessage.RedirectUri = clientInformation.RedirectUris[0]; requestMessage.Nonce = WebOperations.RandomString(); requestMessage.State = WebOperations.RandomString(); requestMessage.Validate(); rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); // when OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope, requestMessage.State); // then Assert.NotNull(response.IdToken); OIDCIdToken idToken = response.GetIdToken(providerMetadata.Keys); string ExpectedCHash = response.GetExpectedHash(response.Code, providerMetadata.Keys); idToken.Validate(GetBaseUrl("/"), clientInformation.ClientId, ExpectedCHash, null); }
public void Should_Use_Request_Uri_Parameter_Signed_And_Encrypted() { rpid = "rp-request_uri-sig+enc"; // given OIDCAuthorizationRequestMessage requestMessage = generateRequestMessage(); OIDCAuthorizationRequestMessage requestObject = generateRequestObject(requestMessage.State, requestMessage.Nonce); X509Certificate2 certificate = new X509Certificate2("server.pfx", "", X509KeyStorageFlags.Exportable); RSACryptoServiceProvider signKey = getSignKey(); RSACryptoServiceProvider encKey = getEncKey(); request = JWT.Encode(requestObject.SerializeToJsonString(), signKey, JwsAlgorithm.RS256); request = JWT.Encode(request, encKey, JweAlgorithm.RSA1_5, JweEncryption.A128CBC_HS256); OpenIdRelyingParty rp = new OpenIdRelyingParty(); // when rp.Authenticate(GetBaseUrl("/authorization"), requestMessage); semaphore.WaitOne(); OIDCAuthCodeResponseMessage response = rp.ParseAuthCodeResponse(result, requestMessage.Scope); // then response.Validate(); }