Finalize implementaton and ut

Author: bgavrilMS

src/Microsoft.Identity.Web.TokenAcquisition/MsAuth10AtPop.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
@@ -68,19 +69,19 @@ internal static AcquireTokenForClientParameterBuilder WithAtPop(
                 SigningCredentials = signingCredentials
             };
 
+            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
+            JwtSecurityToken token = (JwtSecurityToken)tokenHandler.CreateToken(securityTokenDescriptor);
+
             if (sendX5C)
             {
-                if (signingCredentials.Key is X509SecurityKey x509SecurityKey)
-                {
-                    string x5cValue = Convert.ToBase64String(x509SecurityKey.Certificate.GetRawCertData());
-
-                    // Does not seem to work?!
-                    securityTokenDescriptor.AdditionalHeaderClaims = new Dictionary<string, object>() { { "x5c", x5cValue } };
-                }
+                string exportedCertificate = Convert.ToBase64String(certificate.Export(X509ContentType.Cert));
+                token.Header.Add(
+                    IdentityModel.JsonWebTokens.JwtHeaderParameterNames.X5c, 
+                    new List<string> { exportedCertificate });
             }
 
-            var handler = new JsonWebTokenHandler();
-            return handler.CreateToken(securityTokenDescriptor);
+            string stringToken =  tokenHandler.WriteToken(token);
+            return stringToken;
         }
     }
 }

tests/Microsoft.Identity.Web.Test.Common/Mocks/MockHttpMessageHandler.cs

@@ -2,10 +2,14 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
+using System.Globalization;
 using System.Net;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Web;
+using Azure;
 using Xunit;
 
 namespace Microsoft.Identity.Web.Test.Common.Mocks
@@ -32,8 +36,9 @@ public MockHttpMessageHandler()
         /// Once the http message is executed, this property holds the request message.
         /// </summary>
         public HttpRequestMessage ActualRequestMessage { get; private set; }
+        public Dictionary<string, string> ActualRequestPostData { get; private set; }
 
-        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         {
             ActualRequestMessage = request;
 
@@ -62,7 +67,7 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
                         Content = new StringContent(TestConstants.DiscoveryJsonResponse),
                     };
 
-                    return Task.FromResult(responseMessage);
+                    return responseMessage;
                 }
             }
 
@@ -81,10 +86,109 @@ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage reques
 
             if (request.Method != HttpMethod.Get && request.Content != null)
             {
-                string postData = request.Content.ReadAsStringAsync().Result;
+                string postData = await request.Content.ReadAsStringAsync();
+                ActualRequestPostData = QueryStringParser.ParseKeyValueList(postData, '&', true, false);
+
+            }
+
+            return ResponseMessage;
+        }
+    }
+
+    public static class QueryStringParser
+    {
+        public static Dictionary<string, string> ParseKeyValueList(string input, char delimiter, bool urlDecode,
+          bool lowercaseKeys)
+        {
+            var response = new Dictionary<string, string>();
+
+            var queryPairs = SplitWithQuotes(input, delimiter);
+
+            foreach (string queryPair in queryPairs)
+            {
+                var pair = SplitWithQuotes(queryPair, '=');
+
+                if (pair.Count == 2 && !string.IsNullOrWhiteSpace(pair[0]) && !string.IsNullOrWhiteSpace(pair[1]))
+                {
+                    string key = pair[0];
+                    string value = pair[1];
+
+                    // Url decoding is needed for parsing OAuth response, but not for parsing WWW-Authenticate header in 401 challenge
+                    if (urlDecode)
+                    {
+                        key = UrlDecode(key);
+                        value = UrlDecode(value);
+                    }
+
+                    if (lowercaseKeys)
+                    {
+                        key = key.Trim().ToLowerInvariant();
+                    }
+
+                    value = value.Trim().Trim('\"').Trim();
+
+                    response[key] = value;
+                }
+            }
+
+            return response;
+        }
+
+        public static Dictionary<string, string> ParseKeyValueList(string input, char delimiter, bool urlDecode)
+        {
+            return ParseKeyValueList(input, delimiter, urlDecode, true);
+        }
+
+        private static string UrlDecode(string message)
+        {
+            if (string.IsNullOrEmpty(message))
+            {
+                return message;
+            }
+
+            message = message.Replace("+", "%20");
+            message = Uri.UnescapeDataString(message);
+
+            return message;
+        }
+
+        internal static IReadOnlyList<string> SplitWithQuotes(string input, char delimiter)
+        {
+            if (string.IsNullOrWhiteSpace(input))
+            {
+                return Array.Empty<string>();
+            }
+
+            var items = new List<string>();
+
+            int startIndex = 0;
+            bool insideString = false;
+            string item;
+            for (int i = 0; i < input.Length; i++)
+            {
+                if (input[i] == delimiter && !insideString)
+                {
+                    item = input.Substring(startIndex, i - startIndex);
+                    if (!string.IsNullOrWhiteSpace(item.Trim()))
+                    {
+                        items.Add(item);
+                    }
+
+                    startIndex = i + 1;
+                }
+                else if (input[i] == '"')
+                {
+                    insideString = !insideString;
+                }
+            }
+
+            item = input.Substring(startIndex);
+            if (!string.IsNullOrWhiteSpace(item.Trim()))
+            {
+                items.Add(item);
             }
 
-            return Task.FromResult(ResponseMessage);
+            return items;
         }
     }
 }

tests/Microsoft.Identity.Web.Test/MsAuth10AtPopTests.cs

@@ -2,8 +2,12 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
+using Microsoft.Graph;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Web.Test.Common;
 using Microsoft.Identity.Web.Test.Common.Mocks;
@@ -17,14 +21,13 @@ public class MsAuth10AtPopTests
         public async Task MsAuth10AtPop_WithAtPop_ShouldPopulateBuilderWithProofOfPosessionKeyIdAndOnBeforeTokenRequestTestAsync()
         {
             // Arrange
-
             MockHttpClientFactory mockHttpClientFactory = new MockHttpClientFactory();
-            var tokenHandler = MockHttpCreator.CreateClientCredentialTokenHandler();
+            var httpTokenRequest = MockHttpCreator.CreateClientCredentialTokenHandler();
             mockHttpClientFactory.AddMockHandler(MockHttpCreator.CreateInstanceDiscoveryMockHandler());
-            mockHttpClientFactory.AddMockHandler(tokenHandler);
+            mockHttpClientFactory.AddMockHandler(httpTokenRequest);
 
             var certificateDescription = CertificateDescription.FromBase64Encoded(
-                TestConstants.CertificateX5cWithPrivateKey, 
+                TestConstants.CertificateX5cWithPrivateKey,
                 TestConstants.CertificateX5cWithPrivateKeyPassword);
             ICertificateLoader loader = new DefaultCertificateLoader();
             loader.LoadIfNeeded(certificateDescription);
@@ -37,18 +40,37 @@ public async Task MsAuth10AtPop_WithAtPop_ShouldPopulateBuilderWithProofOfPosess
                             .WithHttpClientFactory(mockHttpClientFactory)
                             .Build();
 
-            
+
             var popPublicKey = "pop_key";
             var jwkClaim = "jwk_claim";
-            var clientId = "client_id";
 
             // Act
             AuthenticationResult result = await app.AcquireTokenForClient(new[] { TestConstants.Scopes })
-                .WithAtPop(certificateDescription.Certificate, popPublicKey, jwkClaim, clientId, true)
+                .WithAtPop(certificateDescription.Certificate, popPublicKey, jwkClaim, TestConstants.ClientId, true)
                 .ExecuteAsync();
 
             // Assert
-            Assert.NotNull(result);
+            httpTokenRequest.ActualRequestPostData.TryGetValue("request", out string? request);
+            Assert.NotNull(request);
+            httpTokenRequest.ActualRequestPostData.TryGetValue("client_assertion", out string? clientAssertion);
+            Assert.Null(clientAssertion);
+
+            JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
+            JwtSecurityToken assertion = jwtSecurityTokenHandler.ReadJwtToken(request);
+
+            Assert.Equal("https://login.microsoftonline.com/common/oauth2/v2.0/token", assertion.Claims.Single(c => c.Type == "aud").Value);
+            Assert.Equal(TestConstants.ClientId, assertion.Claims.Single(c => c.Type == "iss").Value);
+            Assert.Equal(TestConstants.ClientId, assertion.Claims.Single(c => c.Type == "sub").Value);
+            Assert.NotEmpty(assertion.Claims.Single(c => c.Type == "jti").Value);
+            Assert.Equal(jwkClaim, assertion.Claims.Single(c => c.Type == "pop_jwk").Value);
+
+            assertion.Header.TryGetValue("x5c", out var x5cClaimValue);
+            Assert.NotNull(x5cClaimValue);
+            string actualX5c = (string)((List<object>)x5cClaimValue).Single();
+
+            string expectedX5C= Convert.ToBase64String(certificateDescription.Certificate.RawData);
+
+            Assert.Equal(expectedX5C, actualX5c);
         }
 
         [Fact]
@@ -62,11 +84,11 @@ public void MsAuth10AtPop_ThrowsWithNullPopKeyTest()
 
             // Act & Assert
             Assert.Throws<ArgumentNullException>(() => MsAuth10AtPop.WithAtPop(
-                app.AcquireTokenForClient(new[] { TestConstants.Scopes }), 
-                clientCertificate, 
+                app.AcquireTokenForClient(new[] { TestConstants.Scopes }),
+                clientCertificate,
                 string.Empty,
-                jwkClaim, 
-                clientId, 
+                jwkClaim,
+                clientId,
                 true));
         }