Add a unit test around WithClientClaims (#5216)

* Add a unit test around WithClientClaims

* Test with extra claim

* 1

* 2

Author: bgavrilMS

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ClientCredentialWithCertTest.cs

@@ -22,6 +22,7 @@
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using static Microsoft.Identity.Client.Internal.JsonWebToken;
 using Microsoft.Identity.Client.RP;
+using Microsoft.Identity.Client.Http;
 
 namespace Microsoft.Identity.Test.Unit
 {
@@ -68,6 +69,7 @@ private static MockHttpMessageHandler CreateTokenResponseHttpHandlerWithX5CValid
                     var handler = new JwtSecurityTokenHandler();
                     var jsonToken = handler.ReadJwtToken(encodedJwt);
                     var x5c = jsonToken.Header.FirstOrDefault(header => header.Key == "x5c");
+
                     if (expectedX5C != null)
                     {
                         Assert.AreEqual("x5c", x5c.Key, "x5c should be present");
@@ -220,6 +222,118 @@ public async Task TestX5C(
             }
         }
 
+        [TestMethod]
+        public async Task ClientAssertionHasExpiration()
+        {
+            using (var harness = CreateTestHarness())
+            {
+                harness.HttpManager.AddInstanceDiscoveryMockHandler();
+                var certificate = CertHelper.GetOrCreateTestCert();
+                var exportedCertificate = Convert.ToBase64String(certificate.Export(X509ContentType.Cert));
+
+                IDictionary<string, string> extraAssertionContent = new Dictionary<string, string>
+                {
+                    { "foo", "bar" },
+                    
+                };
+
+                var cca = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithAuthority("https://login.microsoftonline.com/tid")    
+                    .WithHttpManager(harness.HttpManager)                    
+                    .WithClientClaims(certificate, extraAssertionContent, mergeWithDefaultClaims: true, sendX5C: true) // x5c can also be enabled on the request
+                    .Build();
+
+                // Checks the client assertion for x5c and for expiration
+                var handler = harness.HttpManager.AddTokenResponse(TokenResponseType.Valid_ClientCredentials);
+                handler.AdditionalRequestValidation = (r) => ValidateClientAssertion(r, exportedCertificate, validateStandardClaims: true);
+
+                AuthenticationResult result = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithSendX5C(true) // x5c can also be enabled here on the request
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                Assert.IsNotNull(result.AccessToken);
+            }
+        }
+
+        [TestMethod]
+        public async Task ClientAssertionWithClaimOverride()
+        {
+            using (var harness = CreateTestHarness())
+            {
+                harness.HttpManager.AddInstanceDiscoveryMockHandler();
+                var certificate = CertHelper.GetOrCreateTestCert();
+                var exportedCertificate = Convert.ToBase64String(certificate.Export(X509ContentType.Cert));
+
+                IDictionary<string, string> extraAssertionContent = new Dictionary<string, string>
+                {
+                    { "foo", "bar" },
+                    { "iss", "issuer_override" }
+                };
+
+                var cca = ConfidentialClientApplicationBuilder
+                    .Create(TestConstants.ClientId)
+                    .WithAuthority("https://login.microsoftonline.com/tid")
+                    .WithHttpManager(harness.HttpManager)
+                    .WithClientClaims(certificate, extraAssertionContent, mergeWithDefaultClaims: true, sendX5C: false)
+                    .Build();
+
+                // Checks the client assertion for x5c and for expiration
+                var handler = harness.HttpManager.AddTokenResponse(TokenResponseType.Valid_ClientCredentials);
+                JwtSecurityToken assertion = null;
+                handler.AdditionalRequestValidation = (r) => assertion = ValidateClientAssertion(r, exportedCertificate, validateStandardClaims: false);
+
+                AuthenticationResult result = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                    .WithSendX5C(true)
+                    .ExecuteAsync()
+                    .ConfigureAwait(false);
+
+                Assert.IsNotNull(result.AccessToken);
+                assertion.Claims.Single(c => c.Type == "iss").Value.Equals("issuer_override");
+            }
+        }
+
+        private JwtSecurityToken ValidateClientAssertion(HttpRequestMessage request, string expectedX5cValue, bool validateStandardClaims )
+        {
+            var requestContent = request.Content.ReadAsStringAsync().GetAwaiter().GetResult();
+            var formsData = CoreHelpers.ParseKeyValueList(requestContent, '&', true, null);
+
+            // Check presence of client_assertion in request
+            Assert.IsTrue(formsData.TryGetValue("client_assertion", out string encodedJwt), "Missing client_assertion from request");
+
+            // Check presence and value of x5c cert claim.
+            var handler = new JwtSecurityTokenHandler();
+            JwtSecurityToken assertionJwt = handler.ReadJwtToken(encodedJwt);
+            if (validateStandardClaims)
+            {
+                Assert.AreEqual("https://login.microsoftonline.com/tid/oauth2/v2.0/token", assertionJwt.Claims.Single(c => c.Type == "aud").Value);
+                Assert.AreEqual(TestConstants.ClientId, assertionJwt.Claims.Single(c => c.Type == "iss").Value);
+                Assert.AreEqual(TestConstants.ClientId, assertionJwt.Claims.Single(c => c.Type == "sub").Value);
+            }
+
+            // Assert extra claims
+            Assert.AreEqual("bar", assertionJwt.Claims.Single(c => c.Type == "foo").Value);
+
+            // Assert exp and nbf claims 
+            long exp = long.Parse(assertionJwt.Claims.Single(c => c.Type == "exp").Value);
+
+            DateTimeOffset actualExpDate = DateTimeOffset.FromUnixTimeSeconds(exp);
+            DateTimeOffset expectedExpDate = DateTimeOffset.Now + TimeSpan.FromSeconds(JsonWebToken.JwtToAadLifetimeInSeconds);
+            CoreAssert.IsWithinRange(expectedExpDate, actualExpDate, TimeSpan.FromSeconds(5));
+
+            long nbf = long.Parse(assertionJwt.Claims.Single(c => c.Type == "nbf").Value);
+            DateTimeOffset actualNbfDate = DateTimeOffset.FromUnixTimeSeconds(nbf);
+            CoreAssert.IsWithinRange(DateTimeOffset.Now, actualNbfDate, TimeSpan.FromSeconds(5));
+
+            var x5c = assertionJwt.Header.FirstOrDefault(header => header.Key == "x5c");
+
+            Assert.AreEqual("x5c", x5c.Key, "x5c should be present");
+            Assert.AreEqual(x5c.Value.ToString(), expectedX5cValue);
+
+            return assertionJwt;
+        }
+
         [TestMethod]
         [Description("Test for client assertion with X509 public certificate using sendCertificate")]
         public async Task JsonWebTokenWithX509PublicCertSendCertificateTestAsync()
@@ -694,8 +808,8 @@ public async Task RopcCcaSendsX5CAsync(bool sendX5C)
 
                 harness.HttpManager.AddMockHandler(
                     CreateTokenResponseHttpHandlerWithX5CValidation(
-                        clientCredentialFlow: false, 
-                        expectedX5C: sendX5C ? exportedCertificate: null));
+                        clientCredentialFlow: false,
+                        expectedX5C: sendX5C ? exportedCertificate : null));
 
                 var result = await (app as IByUsernameAndPassword)
                     .AcquireTokenByUsernamePassword(
@@ -900,7 +1014,7 @@ public void EnsureNullCertDoesNotSetSerialNumberTestAsync()
                                               .WithExperimentalFeatures()
                                               .BuildConcrete();
                 });
-                
+
                 Assert.IsTrue(exception.Message.Contains("Value cannot be null"));
             }
         }