use of io.jans.as.model.common.ResponseType in project jans by JanssenProject.
the class TokenEndpointAuthMethodRestrictionHttpTest method tokenEndpointAuthMethodPrivateKeyJwtSigningAlgRS384Fail4.
@Parameters({ "redirectUris", "redirectUri", "userId", "userSecret", "clientJwksUri", "ES384_keyId", "dnName", "keyStoreFile", "keyStoreSecret", "sectorIdentifierUri" })
@Test
public void tokenEndpointAuthMethodPrivateKeyJwtSigningAlgRS384Fail4(final String redirectUris, final String redirectUri, final String userId, final String userSecret, final String clientJwksUri, final String keyId, final String dnName, final String keyStoreFile, final String keyStoreSecret, final String sectorIdentifierUri) throws Exception {
showTitle("tokenEndpointAuthMethodPrivateKeyJwtSigningAlgRS384Fail4");
// 1. Register client
RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app", StringUtils.spaceSeparatedToList(redirectUris));
registerRequest.setTokenEndpointAuthMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
registerRequest.setTokenEndpointAuthSigningAlg(SignatureAlgorithm.RS384);
registerRequest.setJwksUri(clientJwksUri);
registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
RegisterClient registerClient = new RegisterClient(registrationEndpoint);
registerClient.setRequest(registerRequest);
RegisterResponse registerResponse = registerClient.exec();
showClient(registerClient);
assertRegisterResponseOk(registerResponse, 201, true);
String clientId = registerResponse.getClientId();
String registrationAccessToken = registerResponse.getRegistrationAccessToken();
String registrationClientUri = registerResponse.getRegistrationClientUri();
// 2. Client read
RegisterRequest readClientRequest = new RegisterRequest(registrationAccessToken);
RegisterClient readClient = new RegisterClient(registrationClientUri);
readClient.setRequest(readClientRequest);
RegisterResponse readClientResponse = readClient.exec();
showClient(readClient);
assertRegisterResponseOk(readClientResponse, 200, false);
assertTrue(readClientResponse.getClaims().containsKey(TOKEN_ENDPOINT_AUTH_METHOD.toString()));
assertEquals(readClientResponse.getClaims().get(TOKEN_ENDPOINT_AUTH_METHOD.toString()), AuthenticationMethod.PRIVATE_KEY_JWT.toString());
assertTrue(readClientResponse.getClaims().containsKey(TOKEN_ENDPOINT_AUTH_SIGNING_ALG.toString()));
assertEquals(readClientResponse.getClaims().get(TOKEN_ENDPOINT_AUTH_SIGNING_ALG.toString()), SignatureAlgorithm.RS384.toString());
assertRegisterResponseClaimsNotNull(readClientResponse, RESPONSE_TYPES, REDIRECT_URIS.APPLICATION_TYPE, CLIENT_NAME, ID_TOKEN_SIGNED_RESPONSE_ALG, SCOPE);
// 3. Request authorization
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);
List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, null);
authorizationRequest.setState(state);
AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
assertAuthorizationResponse(authorizationResponse, true);
assertNull(authorizationResponse.getIdToken(), "The id token is not null");
String authorizationCode = authorizationResponse.getCode();
// 4. Get Access Token
AuthCryptoProvider cryptoProvider = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
tokenRequest.setAuthenticationMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
tokenRequest.setAlgorithm(SignatureAlgorithm.ES384);
tokenRequest.setCryptoProvider(cryptoProvider);
tokenRequest.setKeyId(keyId);
tokenRequest.setAudience(tokenEndpoint);
tokenRequest.setCode(authorizationCode);
tokenRequest.setRedirectUri(redirectUri);
tokenRequest.setAuthUsername(clientId);
TokenClient tokenClient = new TokenClient(tokenEndpoint);
tokenClient.setRequest(tokenRequest);
TokenResponse tokenResponse = tokenClient.exec();
showClient(tokenClient);
assertEquals(tokenResponse.getStatus(), 401, "Unexpected response code: " + tokenResponse.getStatus());
assertNotNull(tokenResponse.getErrorType(), "The error type is null");
assertNotNull(tokenResponse.getErrorDescription(), "The error description is null");
}
use of io.jans.as.model.common.ResponseType in project jans by JanssenProject.
the class PkceHttpTest method tokenWithPkceCheck.
@Parameters({ "redirectUris", "userId", "userSecret", "redirectUri", "sectorIdentifierUri" })
@Test
public void tokenWithPkceCheck(final String redirectUris, final String userId, final String userSecret, final String redirectUri, final String sectorIdentifierUri) throws Exception {
showTitle("tokenWithPkceCheck");
// 1. Register client
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app", StringUtils.spaceSeparatedToList(redirectUris));
registerRequest.setTokenEndpointAuthMethod(AuthenticationMethod.CLIENT_SECRET_POST);
registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
registerRequest.setResponseTypes(responseTypes);
RegisterClient registerClient = new RegisterClient(registrationEndpoint);
registerClient.setRequest(registerRequest);
RegisterResponse registerResponse = registerClient.exec();
showClient(registerClient);
assertRegisterResponseOk(registerResponse, 201, true);
// 3. Request authorization
List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
String nonce = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, registerResponse.getClientId(), scopes, redirectUri, nonce);
authorizationRequest.setState(state);
CodeVerifier verifier = authorizationRequest.generateAndSetCodeChallengeWithMethod();
AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
assertNotNull(authorizationResponse.getLocation(), "The location is null");
assertNotNull(authorizationResponse.getCode(), "The authorization code is null");
assertNotNull(authorizationResponse.getIdToken(), "The ID Token is null");
assertNotNull(authorizationResponse.getState(), "The state is null");
assertNotNull(authorizationResponse.getScope(), "The scope is null");
String authorizationCode = authorizationResponse.getCode();
String idToken = authorizationResponse.getIdToken();
// 4. Validate id_token
Jwt jwt = Jwt.parse(idToken);
assertJwtStandarClaimsNotNull(jwt, false);
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.CODE_HASH));
RSAPublicKey publicKey = JwkClient.getRSAPublicKey(jwksUri, jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID));
RSASigner rsaSigner = new RSASigner(SignatureAlgorithm.RS256, publicKey);
assertTrue(rsaSigner.validate(jwt));
// 5. Get Access Token
TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
tokenRequest.setCode(authorizationCode);
tokenRequest.setRedirectUri(redirectUri);
tokenRequest.setAuthUsername(registerResponse.getClientId());
tokenRequest.setAuthPassword(registerResponse.getClientSecret());
tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_POST);
tokenRequest.setCodeVerifier(verifier.getCodeVerifier());
TokenClient tokenClient = new TokenClient(tokenEndpoint);
tokenClient.setRequest(tokenRequest);
TokenResponse tokenResponse = tokenClient.exec();
showClient(tokenClient);
assertTokenResponseOk(tokenResponse, true);
}
use of io.jans.as.model.common.ResponseType in project jans by JanssenProject.
the class TokenBindingHttpTest method tokenBindingWithImplicitFlow.
@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri" })
@Test
public void tokenBindingWithImplicitFlow(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri) throws Exception {
showTitle("tokenBindingWithImplicitFlow");
List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);
List<GrantType> grantTypes = Arrays.asList(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS);
// 1. Register client
RegisterResponse registerResponse = registerClientInternal(redirectUri, responseTypes, grantTypes, sectorIdentifierUri);
String clientId = registerResponse.getClientId();
// 2. Request authorization
AuthorizationResponse authorizationResponse = requestAuthorization(userId, userSecret, redirectUri, responseTypes, clientId);
Jwt jwt = Jwt.parse(authorizationResponse.getIdToken());
Assert.assertEquals(EXPECTED_ID_HASH, jwt.getClaims().getClaimAsJSON(JwtClaimName.CNF).optString(JwtClaimName.TOKEN_BINDING_HASH));
}
use of io.jans.as.model.common.ResponseType in project jans by JanssenProject.
the class AuthorizationResponseModeJwtResponseTypeCodeSignedEncryptedHttpTest method ensureRequestObjectWithoutRedirectUriFails.
@Parameters({ "redirectUri", "redirectUris", "clientJwksUri", "RSA_OAEP_keyId", "PS256_keyId", "dnName", "keyStoreFile", "keyStoreSecret", "sectorIdentifierUri" })
// Enable FAPI to run this test!
@Test(enabled = false)
public void ensureRequestObjectWithoutRedirectUriFails(final String redirectUri, final String redirectUris, final String clientJwksUri, final String encryptionKeyId, final String signingKeyId, final String dnName, final String keyStoreFile, final String keyStoreSecret, final String sectorIdentifierUri) throws Exception {
showTitle("ensureRequestObjectWithoutRedirectUriFails");
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);
// 1. Dynamic Client Registration
RegisterResponse registerResponse = registerClient(redirectUris, responseTypes, sectorIdentifierUri, clientJwksUri, SignatureAlgorithm.PS256, KeyEncryptionAlgorithm.RSA_OAEP, BlockEncryptionAlgorithm.A256GCM);
String clientId = registerResponse.getClientId();
// 2. Request authorization
List<String> scope = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
String nonce = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scope, redirectUri, null);
AuthCryptoProvider cryptoProvider1 = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
JwtAuthorizationRequest jwsAuthorizationRequest = new JwtAuthorizationRequest(authorizationRequest, SignatureAlgorithm.PS256, cryptoProvider1);
jwsAuthorizationRequest.setKeyId(signingKeyId);
jwsAuthorizationRequest.setRedirectUri(null);
jwsAuthorizationRequest.setResponseMode(ResponseMode.JWT);
jwsAuthorizationRequest.setState(state);
// FAPI: nonce param is required
jwsAuthorizationRequest.setNonce(nonce);
// FAPI: require the request object to contain an exp claim that has a lifetime of no longer than 60 minutes after the nbf claim
jwsAuthorizationRequest.setNbf((int) Instant.now().getEpochSecond());
// FAPI: require the request object to contain an exp claim that has a lifetime of no longer than 60 minutes after the nbf claim
jwsAuthorizationRequest.setExp(jwsAuthorizationRequest.getNbf() + 3600);
Jwt authJws = Jwt.parse(jwsAuthorizationRequest.getEncodedJwt());
JwkClient jwkClient = new JwkClient(jwksUri);
JwkResponse jwkResponse = jwkClient.exec();
String serverKeyId = jwkResponse.getKeyId(Algorithm.RSA_OAEP);
assertNotNull(serverKeyId);
JSONObject jwks = JwtUtil.getJSONWebKeys(jwksUri);
AuthCryptoProvider cryptoProvider2 = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
privateKey = cryptoProvider2.getPrivateKey(encryptionKeyId);
JwtAuthorizationRequest jweAuthorizationRequest = new JwtAuthorizationRequest(authorizationRequest, KeyEncryptionAlgorithm.RSA_OAEP, BlockEncryptionAlgorithm.A256GCM, cryptoProvider2);
jweAuthorizationRequest.setKeyId(serverKeyId);
jweAuthorizationRequest.setNestedPayload(authJws);
String authJwe = jweAuthorizationRequest.getEncodedJwt(jwks);
authorizationRequest.setRequest(authJwe);
AuthorizeClient authorizeClient = new AuthorizeClient(authorizationEndpoint);
authorizeClient.setRequest(authorizationRequest);
AuthorizationResponse authorizationResponse = authorizeClient.exec();
showClient(authorizeClient);
assertNotNull(authorizationResponse.getResponse());
Jwe response = Jwe.parse(authorizationResponse.getResponse(), privateKey, null);
assertJweResponse(response);
assertTrue(Arrays.asList("invalid_request", "invalid_request_object").contains(response.getClaims().getClaimAsString("error")));
// Clear private key to do not affect to other tests
privateKey = null;
}
use of io.jans.as.model.common.ResponseType in project jans by JanssenProject.
the class AuthorizationResponseModeJwtResponseTypeCodeSignedEncryptedHttpTest method ensureRequestObjectWithoutScopeFails.
@Parameters({ "redirectUri", "redirectUris", "clientJwksUri", "RSA_OAEP_keyId", "PS256_keyId", "dnName", "keyStoreFile", "keyStoreSecret", "sectorIdentifierUri" })
// Enable FAPI to run this test!
@Test(enabled = false)
public void ensureRequestObjectWithoutScopeFails(final String redirectUri, final String redirectUris, final String clientJwksUri, final String encryptionKeyId, final String signingKeyId, final String dnName, final String keyStoreFile, final String keyStoreSecret, final String sectorIdentifierUri) throws Exception {
showTitle("ensureRequestObjectWithoutScopeFails");
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);
// 1. Dynamic Client Registration
RegisterResponse registerResponse = registerClient(redirectUris, responseTypes, sectorIdentifierUri, clientJwksUri, SignatureAlgorithm.PS256, KeyEncryptionAlgorithm.RSA_OAEP, BlockEncryptionAlgorithm.A256GCM);
String clientId = registerResponse.getClientId();
// 2. Request authorization
List<String> scope = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
String nonce = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scope, redirectUri, null);
AuthCryptoProvider cryptoProvider1 = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
JwtAuthorizationRequest jwsAuthorizationRequest = new JwtAuthorizationRequest(authorizationRequest, SignatureAlgorithm.PS256, cryptoProvider1);
jwsAuthorizationRequest.setKeyId(signingKeyId);
jwsAuthorizationRequest.setRedirectUri(redirectUri);
jwsAuthorizationRequest.setResponseMode(ResponseMode.JWT);
jwsAuthorizationRequest.setState(state);
// FAPI: nonce param is required
jwsAuthorizationRequest.setNonce(nonce);
// FAPI: scope param is required
jwsAuthorizationRequest.setScopes(null);
// FAPI: require the request object to contain an exp claim that has a lifetime of no longer than 60 minutes after the nbf claim
jwsAuthorizationRequest.setNbf((int) Instant.now().getEpochSecond());
// FAPI: require the request object to contain an exp claim that has a lifetime of no longer than 60 minutes after the nbf claim
jwsAuthorizationRequest.setExp(jwsAuthorizationRequest.getNbf() + 3600);
Jwt authJws = Jwt.parse(jwsAuthorizationRequest.getEncodedJwt());
JwkClient jwkClient = new JwkClient(jwksUri);
JwkResponse jwkResponse = jwkClient.exec();
String serverKeyId = jwkResponse.getKeyId(Algorithm.RSA_OAEP);
assertNotNull(serverKeyId);
JSONObject jwks = JwtUtil.getJSONWebKeys(jwksUri);
AuthCryptoProvider cryptoProvider2 = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
privateKey = cryptoProvider2.getPrivateKey(encryptionKeyId);
JwtAuthorizationRequest jweAuthorizationRequest = new JwtAuthorizationRequest(authorizationRequest, KeyEncryptionAlgorithm.RSA_OAEP, BlockEncryptionAlgorithm.A256GCM, cryptoProvider2);
jweAuthorizationRequest.setKeyId(serverKeyId);
jweAuthorizationRequest.setNestedPayload(authJws);
String authJwe = jweAuthorizationRequest.getEncodedJwt(jwks);
authorizationRequest.setRequest(authJwe);
AuthorizeClient authorizeClient = new AuthorizeClient(authorizationEndpoint);
authorizeClient.setRequest(authorizationRequest);
AuthorizationResponse authorizationResponse = authorizeClient.exec();
showClient(authorizeClient);
assertNotNull(authorizationResponse.getResponse());
Jwe response = Jwe.parse(authorizationResponse.getResponse(), privateKey, null);
assertJweResponse(response);
assertTrue(Arrays.asList("invalid_request", "invalid_request_object", "invalid_request_uri", "access_denied").contains(response.getClaims().getClaimAsString("error")));
// Clear private key to do not affect to other tests
privateKey = null;
}
Aggregations