Example 11 with AuthorizationCodeParameters

use of org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters in project cxf by apache.

From the class OIDCFlowTest, method testAuthorizationCodeFlowWithPKCE (authorization code flow of a confidential OIDC client, with PKCE):

@org.junit.Test
public void testAuthorizationCodeFlowWithPKCE() throws Exception {
    String address = "https://localhost:" + port + "/services/";
    // Resource owner "alice" authenticates to the authorization endpoint
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", null);
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    // Get Authorization Code
    AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
    parameters.setConsumerId("consumer-id");
    parameters.setScope(OidcUtils.OPENID_SCOPE);
    parameters.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE);
    parameters.setPath("authorize/");
    // PKCE: the client keeps a random, base64url-encoded 32-byte code verifier and sends only
    // its SHA-256 digest (the code challenge) plus the challenge method with the authorization request
    String codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
    CodeVerifierTransformer transformer = new DigestCodeVerifier();
    parameters.setCodeChallenge(transformer.transformCodeVerifier(codeVerifier));
    parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
    String location = OAuth2TestUtils.getLocation(client, parameters);
    String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);
    // Now get the access token: the confidential client authenticates with its secret and
    // presents the original code verifier, which the server checks against the stored challenge
    client = WebClient.create(address, "consumer-id", "this-is-a-secret", null);
    ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier);
    assertNotNull(accessToken.getTokenKey());
    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
Also used: CodeVerifierTransformer (org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer), DigestCodeVerifier (org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier), ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken), AuthorizationCodeParameters (org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters), WebClient (org.apache.cxf.jaxrs.client.WebClient)

Example 12 with AuthorizationCodeParameters

use of org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters in project cxf by apache.

From the class PublicClientTest, method testPKCEDifferentVerifier (negative test: a public client redeems the code with a verifier that does not match the challenge, and the token endpoint must refuse it):

private void testPKCEDifferentVerifier(CodeVerifierTransformer transformer) {
    URL busFile = PublicClientTest.class.getResource("publicclient.xml");
    String address = "https://localhost:" + port + "/services/";
    // Resource owner "alice" authenticates to the authorization endpoint
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    // Get Authorization Code
    AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
    parameters.setConsumerId("consumer-id");
    // PKCE: bind the authorization code to a challenge derived from a fresh random verifier
    // (the transformer decides the challenge method, e.g. plain or digest)
    String codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
    parameters.setCodeChallenge(transformer.transformCodeVerifier(codeVerifier));
    parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
    parameters.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE);
    parameters.setPath("authorize/");
    String location = OAuth2TestUtils.getLocation(client, parameters);
    String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);
    // Now try to redeem the code at the token endpoint. This is a public client, so no client
    // secret is sent; the verifier is deliberately regenerated so it no longer matches the challenge
    client = WebClient.create(tokenServiceAddress, busFile.toString());
    codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
    try {
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier);
        fail("Failure expected on a different verifier");
    } catch (OAuthServiceException ex) {
        // The server must reject the exchange with a non-empty OAuth error
        assertFalse(ex.getError().getError().isEmpty());
    }
}
Also used: OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException), AuthorizationCodeParameters (org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters), WebClient (org.apache.cxf.jaxrs.client.WebClient), URL (java.net.URL)

Aggregations (number of examples using each type)

WebClient (org.apache.cxf.jaxrs.client.WebClient): 12
AuthorizationCodeParameters (org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters): 12
URL (java.net.URL): 6
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken): 6
JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders): 4
JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer): 4
JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims): 4
ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken): 4
JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer): 3
OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException): 3
ResponseProcessingException (javax.ws.rs.client.ResponseProcessingException): 2
CodeVerifierTransformer (org.apache.cxf.rs.security.oauth2.grants.code.CodeVerifierTransformer): 2
DigestCodeVerifier (org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier): 1
PlainCodeVerifier (org.apache.cxf.rs.security.oauth2.grants.code.PlainCodeVerifier): 1