You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
942 lines
40 KiB
942 lines
40 KiB
/*
|
|
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
|
|
* See https://github.com/openiddict/openiddict-core for more information concerning
|
|
* the license and the contributors participating to this project.
|
|
*/
|
|
|
|
using System;
|
|
using System.Collections.Immutable;
|
|
using System.Security.Claims;
|
|
using System.Threading;
|
|
using System.Threading.Tasks;
|
|
using AspNet.Security.OpenIdConnect.Client;
|
|
using AspNet.Security.OpenIdConnect.Extensions;
|
|
using AspNet.Security.OpenIdConnect.Primitives;
|
|
using AspNet.Security.OpenIdConnect.Server;
|
|
using Microsoft.AspNetCore.Authentication;
|
|
using Microsoft.AspNetCore.Builder;
|
|
using Microsoft.AspNetCore.Http.Authentication;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Moq;
|
|
using OpenIddict.Core;
|
|
using OpenIddict.Models;
|
|
using Xunit;
|
|
|
|
namespace OpenIddict.Tests
|
|
{
|
|
public partial class OpenIddictProviderTests
|
|
{
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_AuthenticationPropertiesAreAutomaticallyRestored()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
ticket.SetProperty("custom_property_in_original_ticket", "original_value");
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.UseRollingTokens();
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8",
|
|
["do-not-flow-original-properties"] = true
|
|
});
|
|
|
|
// Assert
|
|
Assert.NotNull(response.IdToken);
|
|
Assert.NotNull(response.RefreshToken);
|
|
|
|
format.Verify(mock => mock.Protect(
|
|
It.Is<AuthenticationTicket>(value =>
|
|
value.Properties.Items["custom_property_in_original_ticket"] == "original_value" &&
|
|
value.Properties.Items["custom_property_in_new_ticket"] == "new_value")));
|
|
}
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_RefreshTokenIsAlwaysIssuedWhenRollingTokensAreEnabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.UseRollingTokens();
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.NotNull(response.RefreshToken);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_RefreshTokenIsNotIssuedWhenRollingTokensAreDisabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Null(response.RefreshToken);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_AuthorizationCodeIsAutomaticallyRedeemed()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetPresenters("Fabrikam");
|
|
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Unprotect("SplxlOBeZQQYbYS6WxSbIA"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(CreateApplicationManager(instance =>
|
|
{
|
|
var application = new OpenIddictApplication();
|
|
|
|
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(application);
|
|
|
|
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
|
|
}));
|
|
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
ClientId = "Fabrikam",
|
|
Code = "SplxlOBeZQQYbYS6WxSbIA",
|
|
GrantType = OpenIdConnectConstants.GrantTypes.AuthorizationCode,
|
|
RedirectUri = "http://www.fabrikam.com/path"
|
|
});
|
|
|
|
// Assert
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_ReturnsErrorResponseWhenRedeemingAuthorizationCodeFails()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetPresenters("Fabrikam");
|
|
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Unprotect("SplxlOBeZQQYbYS6WxSbIA"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()))
|
|
.ThrowsAsync(new Exception());
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(CreateApplicationManager(instance =>
|
|
{
|
|
var application = new OpenIddictApplication();
|
|
|
|
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(application);
|
|
|
|
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
|
|
}));
|
|
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
ClientId = "Fabrikam",
|
|
Code = "SplxlOBeZQQYbYS6WxSbIA",
|
|
GrantType = OpenIdConnectConstants.GrantTypes.AuthorizationCode,
|
|
RedirectUri = "http://www.fabrikam.com/path"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
|
|
Assert.Equal("The specified authorization code is no longer valid.", response.ErrorDescription);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_RefreshTokenIsAutomaticallyRedeemedWhenRollingTokensAreEnabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.UseRollingTokens();
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.NotNull(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_ReturnsErrorResponseWhenRedeemingRefreshTokenFails()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()))
|
|
.ThrowsAsync(new Exception());
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.UseRollingTokens();
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
|
|
Assert.Equal("The specified authorization code is no longer valid.", response.ErrorDescription);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_RefreshTokenIsNotRedeemedWhenRollingTokensAreDisabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Null(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Never());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_PreviousTokensAreAutomaticallyRevokedWhenRollingTokensAreEnabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, "18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var tokens = ImmutableArray.Create(
|
|
new OpenIddictToken(),
|
|
new OpenIddictToken(),
|
|
new OpenIddictToken());
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(tokens[0]);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(tokens[0], It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(tokens[0], It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.FindByAuthorizationIdAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(tokens);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.UseRollingTokens();
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.NotNull(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[1], It.IsAny<CancellationToken>()), Times.Once());
|
|
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[2], It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_PreviousTokensAreNotRevokedWhenRollingTokensAreDisabled()
|
|
{
|
|
// Arrange
|
|
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
|
|
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(identity),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, "18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var tokens = ImmutableArray.Create(
|
|
new OpenIddictToken(),
|
|
new OpenIddictToken(),
|
|
new OpenIddictToken());
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(tokens[0]);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(tokens[0], It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(tokens[0], It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.FindByAuthorizationIdAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(tokens);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options => options.RefreshTokenFormat = format.Object);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Null(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Exactly(2));
|
|
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[1], It.IsAny<CancellationToken>()), Times.Never());
|
|
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[2], It.IsAny<CancellationToken>()), Times.Never());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_ExtendsLifetimeWhenRollingTokensAreDisabledAndSlidingExpirationEnabled()
|
|
{
|
|
// Arrange
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options =>
|
|
{
|
|
options.SystemClock = Mock.Of<ISystemClock>(mock => mock.UtcNow ==
|
|
new DateTimeOffset(2017, 01, 05, 00, 00, 00, TimeSpan.Zero));
|
|
options.RefreshTokenLifetime = TimeSpan.FromDays(10);
|
|
options.RefreshTokenFormat = format.Object;
|
|
});
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Null(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.ExtendAsync(token,
|
|
new DateTimeOffset(2017, 01, 15, 00, 00, 00, TimeSpan.Zero),
|
|
It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_DoesNotExtendLifetimeWhenSlidingExpirationIsDisabled()
|
|
{
|
|
// Arrange
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.DisableSlidingExpiration();
|
|
|
|
builder.Configure(options =>
|
|
{
|
|
options.SystemClock = Mock.Of<ISystemClock>(mock => mock.UtcNow ==
|
|
new DateTimeOffset(2017, 01, 05, 00, 00, 00, TimeSpan.Zero));
|
|
options.RefreshTokenLifetime = TimeSpan.FromDays(10);
|
|
options.RefreshTokenFormat = format.Object;
|
|
});
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Null(response.RefreshToken);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.ExtendAsync(token,
|
|
new DateTimeOffset(2017, 01, 15, 00, 00, 00, TimeSpan.Zero),
|
|
It.IsAny<CancellationToken>()), Times.Never());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_ReturnsErrorResponseWhenExtendingLifetimeOfExistingTokenFailed()
|
|
{
|
|
// Arrange
|
|
var ticket = new AuthenticationTicket(
|
|
new ClaimsPrincipal(),
|
|
new AuthenticationProperties(),
|
|
OpenIdConnectServerDefaults.AuthenticationScheme);
|
|
|
|
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
|
|
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
|
|
ticket.SetScopes(OpenIdConnectConstants.Scopes.OpenId, OpenIdConnectConstants.Scopes.OfflineAccess);
|
|
|
|
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
|
|
|
|
format.Setup(mock => mock.Protect(It.IsAny<AuthenticationTicket>()))
|
|
.Returns("8xLOxBtZp8");
|
|
|
|
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
|
|
.Returns(ticket);
|
|
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(false);
|
|
|
|
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.ExtendAsync(token, It.IsAny<DateTimeOffset?>(), It.IsAny<CancellationToken>()))
|
|
.ThrowsAsync(new Exception());
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(manager);
|
|
|
|
builder.Configure(options =>
|
|
{
|
|
options.SystemClock = Mock.Of<ISystemClock>(mock => mock.UtcNow ==
|
|
new DateTimeOffset(2017, 01, 05, 00, 00, 00, TimeSpan.Zero));
|
|
options.RefreshTokenLifetime = TimeSpan.FromDays(10);
|
|
options.RefreshTokenFormat = format.Object;
|
|
});
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
|
|
{
|
|
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
|
|
RefreshToken = "8xLOxBtZp8"
|
|
});
|
|
|
|
// Assert
|
|
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
|
|
Assert.Equal("The specified refresh token is no longer valid.", response.ErrorDescription);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.ExtendAsync(token,
|
|
new DateTimeOffset(2017, 01, 15, 00, 00, 00, TimeSpan.Zero),
|
|
It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
|
|
[Fact]
|
|
public async Task ProcessSigninResponse_AdHocAuthorizationIsAutomaticallyCreated()
|
|
{
|
|
// Arrange
|
|
var token = new OpenIddictToken();
|
|
|
|
var manager = CreateAuthorizationManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.FindByIdAsync("1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(new OpenIddictAuthorization());
|
|
});
|
|
|
|
var server = CreateAuthorizationServer(builder =>
|
|
{
|
|
builder.Services.AddSingleton(CreateApplicationManager(instance =>
|
|
{
|
|
var application = new OpenIddictApplication();
|
|
|
|
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(application);
|
|
|
|
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(true);
|
|
|
|
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
|
|
|
|
instance.Setup(mock => mock.GetIdAsync(application, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
|
|
}));
|
|
|
|
builder.Services.AddSingleton(CreateTokenManager(instance =>
|
|
{
|
|
instance.Setup(mock => mock.CreateAsync(It.IsAny<OpenIddictTokenDescriptor>(), It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync(token);
|
|
|
|
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
|
|
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
|
|
}));
|
|
|
|
builder.Services.AddSingleton(manager);
|
|
});
|
|
|
|
var client = new OpenIdConnectClient(server.CreateClient());
|
|
|
|
// Act
|
|
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
|
|
{
|
|
ClientId = "Fabrikam",
|
|
RedirectUri = "http://www.fabrikam.com/path",
|
|
ResponseType = OpenIdConnectConstants.ResponseTypes.Code,
|
|
});
|
|
|
|
// Assert
|
|
Assert.NotNull(response.Code);
|
|
|
|
Mock.Get(manager).Verify(mock => mock.CreateAsync(
|
|
It.Is<OpenIddictAuthorizationDescriptor>(descriptor =>
|
|
descriptor.ApplicationId == "3E228451-1555-46F7-A471-951EFBA23A56" &&
|
|
descriptor.Subject == "Bob le Magnifique" &&
|
|
descriptor.Type == OpenIddictConstants.AuthorizationTypes.AdHoc),
|
|
It.IsAny<CancellationToken>()), Times.Once());
|
|
}
|
|
}
|
|
}
|
|
|