Examples with AuthenticationRequestAcknowledgement org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement used on opensource projects

Search in sources :

Example 1 with AuthenticationRequestAcknowledgement

use of org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement in project keycloak by keycloak.

the class CIBATest method testBadBindingMessage.

// Corresponds to the test fapi-ciba-id1-ensure-authorization-request-with-potentially-bad-binding-message from the FAPI CIBA conformance testsuite
@Test
public void testBadBindingMessage() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-schwarz";
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        // Binding message with non plain-text characters
        String bindingMessage = "1234 \uD83D\uDC4D\uD83C\uDFFF 品川 Lor";
        AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
        assertThat(response.getStatusCode(), is(equalTo(400)));
        assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
        // Long binding message
        bindingMessage = "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud.";
        response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
        assertThat(response.getStatusCode(), is(equalTo(400)));
        assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
        // Empty binding message
        bindingMessage = "";
        response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
        assertThat(response.getStatusCode(), is(equalTo(400)));
        assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
        // Valid binding message
        bindingMessage = "Lorem_ipsum";
        response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
        assertThat(response.getStatusCode(), is(equalTo(200)));
        assertThat(response.getError(), is(nullValue()));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 2 with AuthenticationRequestAcknowledgement

use of org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement in project keycloak by keycloak.

the class CIBATest method testAttackerClientUseAuthReqIdInCallbackEndpoint.

// This tests that client should *not* be allowed to do whole CIBA flow by himself without any interaction from the user
@Test
public void testAttackerClientUseAuthReqIdInCallbackEndpoint() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        // client sends Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
        // This request should not ever pass. Client should not be allowed to send the successfull "approve" request to the BackchannelAuthenticationCallbackEndpoint
        // with using the "authReqId" as a bearer token
        int statusCode = oauth.doAuthenticationChannelCallback(response.getAuthReqId(), SUCCEED);
        assertThat(statusCode, is(equalTo(403)));
        // client sends TokenRequest - This should not pass and should return 400
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING)));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 3 with AuthenticationRequestAcknowledgement

use of org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement in project keycloak by keycloak.

the class CIBATest method testDuplicatedTokenRequestWithSameAuthReqId.

@Test
public void testDuplicatedTokenRequestWithSameAuthReqId() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-gelb";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "kciwje86");
        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("kciwje86");
        // user Authentication Channel completed
        doAuthenticationChannelCallback(authenticationChannelReq);
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
        IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
        assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
        AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
        // duplicate user Token Request
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) ClientResource(org.keycloak.admin.client.resource.ClientResource) IDToken(org.keycloak.representations.IDToken) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 4 with AuthenticationRequestAcknowledgement

use of org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement in project keycloak by keycloak.

the class CIBATest method testCibaGrantDeactivated.

@Test
public void testCibaGrantDeactivated() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        // prepare CIBA settings with ciba grant deactivated
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
        attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, null);
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.RS256);
        clientRep.setAttributes(attributes);
        clientResource.update(clientRep);
        // clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        Assert.assertNull(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED));
        Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is(Algorithm.RS256));
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "gilwekDe3", "acr2");
        assertThat(response.getStatusCode(), is(equalTo(401)));
        assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT));
        assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
        // activate ciba grant
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        attributes = clientRep.getAttributes();
        attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.ES256);
        clientRep.setAttributes(attributes);
        clientResource.update(clientRep);
        clientRep = clientResource.toRepresentation();
        Assert.assertThat(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED), is(Boolean.TRUE.toString()));
        Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is(Algorithm.ES256));
        // user Backchannel Authentication Request
        response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "Fkb4T3s");
        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("Fkb4T3s");
        // user Authentication Channel completed
        doAuthenticationChannelCallback(authenticationChannelReq);
        // deactivate ciba grant
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        attributes = clientRep.getAttributes();
        attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.FALSE.toString());
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, "none");
        clientRep.setAttributes(attributes);
        clientResource.update(clientRep);
        clientRep = clientResource.toRepresentation();
        Assert.assertThat(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED), is(Boolean.FALSE.toString()));
        Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is("none"));
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
        assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 5 with AuthenticationRequestAcknowledgement

use of org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement in project keycloak by keycloak.

the class CIBATest method testLoginHintTokenRequiredButNotSend.

@Test
public void testLoginHintTokenRequiredButNotSend() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-schwarz";
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        RealmRepresentation rep = backupCIBAPolicy();
        Map<String, String> attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
        attrMap.put(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT, CibaGrantType.LOGIN_HINT_TOKEN);
        rep.setAttributes(attrMap);
        testRealm().update(rep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, null, null);
        assertThat(response.getStatusCode(), is(equalTo(400)));
        assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
    } finally {
        revertCIBASettings(clientResource, clientRep);
        restoreCIBAPolicy();
    }
}
Also used : RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Aggregations

AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)46 Matchers.containsString (org.hamcrest.Matchers.containsString)42 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)41 ClientResource (org.keycloak.admin.client.resource.ClientResource)39 Test (org.junit.Test)37 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)37 OAuthClient (org.keycloak.testsuite.util.OAuthClient)27 TestAuthenticationChannelRequest (org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)26 AuthenticationChannelRequest (org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelRequest)9 EventRepresentation (org.keycloak.representations.idm.EventRepresentation)9 AuthorizationEndpointRequestObject (org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject)8 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)8 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)8 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)8 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)8 HashMap (java.util.HashMap)7 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)6 IDToken (org.keycloak.representations.IDToken)5 IOException (java.io.IOException)4 CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)4
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial