Example 6 with AuthorizationCodeParameters
use of org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters in project cxf by apache.
the class OIDCNegativeTest method testJWTRequestNonmatchingResponseType.
@org.junit.Test
public void testJWTRequestNonmatchingResponseType() throws Exception {
URL busFile = OIDCNegativeTest.class.getResource("client.xml");
String address = "https://localhost:" + PORT + "/unsignedjwtservices/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
// Save the Cookie for the second request...
WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
JwtClaims claims = new JwtClaims();
claims.setIssuer("consumer-id");
claims.setIssuedAt(Instant.now().getEpochSecond());
claims.setAudiences(Collections.singletonList("https://localhost:" + PORT + "/unsignedjwtservices/"));
claims.setProperty("response_type", "token");
JwsHeaders headers = new JwsHeaders();
headers.setAlgorithm("none");
JwtToken token = new JwtToken(headers, claims);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token);
String request = jws.getSignedEncodedJws();
AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
parameters.setConsumerId("consumer-id");
parameters.setScope("openid");
parameters.setResponseType("code");
parameters.setPath("authorize/");
parameters.setRequest(request);
// Get Authorization Code
try {
OAuth2TestUtils.getLocation(client, parameters);
fail("Failure expected on a non-matching response_type");
} catch (ResponseProcessingException ex) {
// expected
}
}
Also used :
JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)
JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims)
AuthorizationCodeParameters(org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters)
ResponseProcessingException(javax.ws.rs.client.ResponseProcessingException)
WebClient(org.apache.cxf.jaxrs.client.WebClient)
URL(java.net.URL)
Example 7 with AuthorizationCodeParameters
use of org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters in project cxf by apache.
the class OIDCFlowTest method testHybridCodeIdToken.
@org.junit.Test
public void testHybridCodeIdToken() throws Exception {
URL busFile = OIDCFlowTest.class.getResource("client.xml");
String address = "https://localhost:" + PORT + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
WebClient.getConfig(client).getHttpConduit().getClient().setReceiveTimeout(100000000);
// Save the Cookie for the second request...
WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
// Get location
AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
parameters.setConsumerId("consumer-id");
parameters.setScope("openid");
parameters.setNonce("123456789");
parameters.setResponseType("code id_token");
parameters.setPath("authorize-hybrid/");
String location = OAuth2TestUtils.getLocation(client, parameters);
assertNotNull(location);
// Check code
String code = OAuth2TestUtils.getSubstring(location, "code");
assertNotNull(code);
// Check id_token
String idToken = OAuth2TestUtils.getSubstring(location, "id_token");
assertNotNull(idToken);
validateIdToken(idToken, "123456789");
// check the code hash is returned from the implicit authorization endpoint
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
JwtToken jwt = jwtConsumer.getJwtToken();
Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM));
// Now get the access token
client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "consumer-id", "this-is-a-secret", busFile.toString());
// Save the Cookie for the second request...
WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
assertNotNull(accessToken.getTokenKey());
assertTrue(accessToken.getApprovedScope().contains("openid"));
// Check id_token from the token endpoint
idToken = accessToken.getParameters().get("id_token");
assertNotNull(idToken);
validateIdToken(idToken, null);
// check the code hash is returned from the token endpoint
jwtConsumer = new JwsJwtCompactConsumer(idToken);
jwt = jwtConsumer.getJwtToken();
Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM));
}
Also used :
JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)
AuthorizationCodeParameters(org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
WebClient(org.apache.cxf.jaxrs.client.WebClient)
URL(java.net.URL)
Aggregations
URL (java.net.URL)7
WebClient (org.apache.cxf.jaxrs.client.WebClient)7
AuthorizationCodeParameters (org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters)7
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)6
JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders)4
JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)4
JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)4
JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)3
ResponseProcessingException (javax.ws.rs.client.ResponseProcessingException)2
ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)2
