// Copyright (c) .NET Foundation. All rights reserved. See License.txt in the project root for license information. using System; using System.Linq; using System.Net; using System.Net.Http; using System.Security.Claims; using System.Text; using System.Text.Encodings.Web; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication.OAuth; using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.DataProtection; using Microsoft.AspNetCore.Hosting; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http.Authentication; using Microsoft.AspNetCore.TestHost; using Microsoft.Extensions.DependencyInjection; using Newtonsoft.Json; using Xunit; namespace Microsoft.AspNetCore.Authentication.Tests.MicrosoftAccount { public class MicrosoftAccountMiddlewareTests { [Fact] public async Task ChallengeWillTriggerApplyRedirectEvent() { var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Client Id", ClientSecret = "Test Client Secret", Events = new OAuthEvents { OnRedirectToAuthorizationEndpoint = context => { context.Response.Redirect(context.RedirectUri + "&custom=test"); return Task.FromResult(0); } } }); var transaction = await server.SendAsync("http://example.com/challenge"); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); var query = transaction.Response.Headers.Location.Query; Assert.Contains("custom=test", query); } [Fact] public async Task SignInThrows() { var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Id", ClientSecret = "Test Secret" }); var transaction = await server.SendAsync("https://example.com/signIn"); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); } [Fact] public async Task SignOutThrows() { var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Id", ClientSecret = "Test Secret" }); var transaction = await server.SendAsync("https://example.com/signOut"); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); } [Fact] public async Task ForbidThrows() { var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Id", ClientSecret = "Test Secret" }); var transaction = await server.SendAsync("https://example.com/signOut"); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); } [Fact] public async Task ChallengeWillTriggerRedirection() { var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Client Id", ClientSecret = "Test Client Secret" }); var transaction = await server.SendAsync("http://example.com/challenge"); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); var location = transaction.Response.Headers.Location.AbsoluteUri; Assert.Contains("https://login.microsoftonline.com/common/oauth2/v2.0/authorize", location); Assert.Contains("response_type=code", location); Assert.Contains("client_id=", location); Assert.Contains("redirect_uri=", location); Assert.Contains("scope=", location); Assert.Contains("state=", location); } [Fact] public async Task AuthenticatedEventCanGetRefreshToken() { var stateFormat = new PropertiesDataFormat(new EphemeralDataProtectionProvider().CreateProtector("MsftTest")); var server = CreateServer(new MicrosoftAccountOptions { ClientId = "Test Client Id", ClientSecret = "Test Client Secret", StateDataFormat = stateFormat, BackchannelHttpHandler = new TestHttpMessageHandler { Sender = req => { if (req.RequestUri.AbsoluteUri == "https://login.microsoftonline.com/common/oauth2/v2.0/token") { return ReturnJsonResponse(new { access_token = "Test Access Token", expire_in = 3600, token_type = "Bearer", refresh_token = "Test Refresh Token" }); } else if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == "https://graph.microsoft.com/v1.0/me") { return ReturnJsonResponse(new { id = "Test User ID", displayName = "Test Name", givenName = "Test Given Name", surname = "Test Family Name", mail = "Test email" }); } return null; } }, Events = new OAuthEvents { OnCreatingTicket = context => { var refreshToken = context.RefreshToken; context.Ticket.Principal.AddIdentity(new ClaimsIdentity(new Claim[] { new Claim("RefreshToken", refreshToken, ClaimValueTypes.String, "Microsoft") }, "Microsoft")); return Task.FromResult(null); } } }); var properties = new AuthenticationProperties(); var correlationKey = ".xsrf"; var correlationValue = "TestCorrelationId"; properties.Items.Add(correlationKey, correlationValue); properties.RedirectUri = "/me"; var state = stateFormat.Protect(properties); var transaction = await server.SendAsync( "https://example.com/signin-microsoft?code=TestCode&state=" + UrlEncoder.Default.Encode(state), $".AspNetCore.Correlation.Microsoft.{correlationValue}=N"); Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode); Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First()); Assert.Equal(2, transaction.SetCookie.Count); Assert.Contains($".AspNetCore.Correlation.Microsoft.{correlationValue}", transaction.SetCookie[0]); Assert.Contains(".AspNetCore." + TestExtensions.CookieAuthenticationScheme, transaction.SetCookie[1]); var authCookie = transaction.AuthenticationCookieValue; transaction = await server.SendAsync("https://example.com/me", authCookie); Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode); Assert.Equal("Test Refresh Token", transaction.FindClaimValue("RefreshToken")); } private static TestServer CreateServer(MicrosoftAccountOptions options) { var builder = new WebHostBuilder() .Configure(app => { app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = TestExtensions.CookieAuthenticationScheme, AutomaticAuthenticate = true }); app.UseMicrosoftAccountAuthentication(options); app.Use(async (context, next) => { var req = context.Request; var res = context.Response; if (req.Path == new PathString("/challenge")) { await context.Authentication.ChallengeAsync("Microsoft"); } else if (req.Path == new PathString("/me")) { res.Describe(context.User); } else if (req.Path == new PathString("/signIn")) { await Assert.ThrowsAsync(() => context.Authentication.SignInAsync("Microsoft", new ClaimsPrincipal())); } else if (req.Path == new PathString("/signOut")) { await Assert.ThrowsAsync(() => context.Authentication.SignOutAsync("Microsoft")); } else if (req.Path == new PathString("/forbid")) { await Assert.ThrowsAsync(() => context.Authentication.ForbidAsync("Microsoft")); } else { await next(); } }); }) .ConfigureServices(services => { services.AddAuthentication(); services.Configure(authOptions => { authOptions.SignInScheme = TestExtensions.CookieAuthenticationScheme; }); }); return new TestServer(builder); } private static HttpResponseMessage ReturnJsonResponse(object content) { var res = new HttpResponseMessage(HttpStatusCode.OK); var text = JsonConvert.SerializeObject(content); res.Content = new StringContent(text, Encoding.UTF8, "application/json"); return res; } } }