
Example 1 with EndSessionResponse

use of org.gluu.oxauth.client.EndSessionResponse in project oxAuth by GluuFederation.

From class EndSessionRestWebServiceHttpTest, method requestEndSessionFail1 (negative test: an end_session request with no parameters at all must be rejected).

/**
 * Negative test: an end_session request carrying no id_token_hint, no
 * post_logout_redirect_uri and no state must be rejected.
 *
 * The server is expected to answer 400 with a non-empty error body that
 * includes both an error type and an error description, so that a client
 * cannot be silently logged out (or redirected) on a malformed request.
 */
@Test
public void requestEndSessionFail1() throws Exception {
    showTitle("requestEndSessionFail1");
    final EndSessionClient client = new EndSessionClient(endSessionEndpoint);
    // All three end_session inputs deliberately absent.
    final EndSessionResponse reply = client.execEndSession(null, null, null);
    showClient(client);
    assertEquals(reply.getStatus(), 400, "Unexpected response code. Entity: " + reply.getEntity());
    // A bare 400 is not enough: the error payload must be present and structured.
    assertNotNull(reply.getEntity(), "The entity is null");
    assertNotNull(reply.getErrorType(), "The error type is null");
    assertNotNull(reply.getErrorDescription(), "The error description is null");
}

Example 2 with EndSessionResponse

use of org.gluu.oxauth.client.EndSessionResponse in project oxAuth by GluuFederation.

From class EndSessionRestWebServiceHttpTest, method requestEndSession (RP-initiated logout identified by id_token_hint, followed by a replay of the same logout request that must be rejected).

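/**
 * End-to-end RP-initiated logout keyed on the id_token.
 *
 * Flow: register a client with post-logout and front-channel logout URIs,
 * obtain an implicit-flow authorization (token + id_token) for the resource
 * owner, end the session using the id_token as hint, and finally replay the
 * same end_session request to confirm that an already-terminated session
 * cannot be "logged out" a second time (the replay must be rejected rather
 * than treated as a live session).
 *
 * @param userId                resource owner login
 * @param userSecret            resource owner password
 * @param redirectUri           redirect_uri used in the authorization request
 * @param redirectUris          space-separated redirect URIs registered for the client
 * @param postLogoutRedirectUri post_logout_redirect_uri registered and then requested
 * @param logoutUri             front-channel logout URI registered for the client
 * @param sectorIdentifierUri   sector_identifier_uri registered for the client
 * @throws Exception on any client/transport failure
 */
@Parameters({ "userId", "userSecret", "redirectUri", "redirectUris", "postLogoutRedirectUri", "logoutUri", "sectorIdentifierUri" })
@Test
public void requestEndSession(final String userId, final String userSecret, final String redirectUri, final String redirectUris, final String postLogoutRedirectUri, final String logoutUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestEndSession by id_token");
    // 1. OpenID Connect Dynamic Registration. The post-logout and front-channel
    // logout URIs are registered up front: the server must only honour
    // post_logout_redirect_uri values that are bound to the client.
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
    registerRequest.setFrontChannelLogoutUris(Lists.newArrayList(logoutUri));
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse response = registerClient.exec();
    showClient(registerClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getClientId());
    assertNotNull(response.getClientSecret());
    assertNotNull(response.getRegistrationAccessToken());
    assertNotNull(response.getClientSecretExpiresAt());
    String clientId = response.getClientId();
    // 2. Request authorization (implicit flow: token + id_token).
    List<ResponseType> responseTypes = new ArrayList<ResponseType>();
    responseTypes.add(ResponseType.TOKEN);
    responseTypes.add(ResponseType.ID_TOKEN);
    List<String> scopes = new ArrayList<String>();
    scopes.add("openid");
    scopes.add("profile");
    scopes.add("address");
    scopes.add("email");
    // Fresh nonce and state per run; state is echoed back and checked below.
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The access token is null");
    assertEquals(authorizationResponse.getState(), state);
    assertNotNull(authorizationResponse.getTokenType(), "The token type is null");
    assertNotNull(authorizationResponse.getExpiresIn(), "The expires in value is null");
    // Fixed: the original message read "The scope must be null" for a not-null assertion.
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    assertNotNull(authorizationResponse.getSessionId(), "The session_id is null");
    assertNotNull(authorizationResponse.getSid(), "The sid is null");
    String idToken = authorizationResponse.getIdToken();
    // Without an id_token the logout below would silently degrade into a
    // sid-only logout and no longer test the id_token_hint path.
    assertNotNull(idToken, "The id_token is null");
    // 3. End session, identified by id_token_hint (plus sid).
    String endSessionId1 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest1 = new EndSessionRequest(idToken, postLogoutRedirectUri, endSessionId1);
    endSessionRequest1.setSid(authorizationResponse.getSid());
    EndSessionClient endSessionClient = new EndSessionClient(endSessionEndpoint);
    endSessionClient.setRequest(endSessionRequest1);
    EndSessionResponse endSessionResponse1 = endSessionClient.exec();
    showClient(endSessionClient);
    assertEquals(endSessionResponse1.getStatus(), 200, "Unexpected response code. Entity: " + endSessionResponse1.getEntity());
    assertNotNull(endSessionResponse1.getHtmlPage(), "The HTML page is null");
    // Coarse validation of the returned HTML: with front-channel logout URIs
    // registered the server renders a page instead of redirecting, and that
    // page must reference both the front-channel logout_uri and the
    // post_logout_redirect_uri. Presence only; it does not prove the
    // URIs were taken from the client registration rather than the request.
    assertTrue(endSessionResponse1.getHtmlPage().contains("<html>"), "The response body is not an HTML page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(logoutUri), "logout_uri is not present on html page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(postLogoutRedirectUri), "postLogoutRedirectUri is not present on html page");
    // The state is not asserted: for HTML-based (front-channel) logout the
    // server returns a page, not a redirect carrying state.
    // 4. Replay the logout against the already-ended session. The same
    // id_token/sid must now be refused; accepting it would mean the server
    // still resolves a grant/session that was just terminated.
    String endSessionId2 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest2 = new EndSessionRequest(idToken, postLogoutRedirectUri, endSessionId2);
    endSessionRequest2.setSid(authorizationResponse.getSid());
    EndSessionClient endSessionClient2 = new EndSessionClient(endSessionEndpoint);
    endSessionClient2.setRequest(endSessionRequest2);
    EndSessionResponse endSessionResponse2 = endSessionClient2.exec();
    showClient(endSessionClient2);
    assertStatusOrRedirect(endSessionResponse2.getStatus(), Status.BAD_REQUEST.getStatusCode());
    assertEquals(endSessionResponse2.getErrorType(), EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION);
}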

Example 3 with EndSessionResponse

use of org.gluu.oxauth.client.EndSessionResponse in project oxTrust by GluuFederation.

From class AuthenticationSessionService, method sessionDestroyed (oxTrust side: best-effort back-end call to the oxAuth end_session endpoint when the HTTP session ends).

/**
 * Best-effort logout at oxAuth when this (session-scoped) bean is destroyed.
 *
 * If the identity holds OAuth data with a session state, an end_session
 * request is sent with the stored id_token as hint, the configured logout
 * redirect URL, a random state and the session state as sid. Failures are
 * logged and never propagated: this runs during session teardown and must
 * not break it. Only the user uid is logged, never the token.
 *
 * NOTE(review): the HTTP call is made from the server, so the response is not
 * followed and the state value is never checked here. A status other than 302
 * is logged as an error; the oxAuth HTTP tests on this page receive a 200 HTML
 * page from end_session when front-channel logout URIs are registered, so
 * whether 302 is the right expectation looks configuration-dependent - confirm,
 * otherwise every successful logout is reported as an error.
 */
@PreDestroy
public void sessionDestroyed() {
    final OauthData data = identity.getOauthData();
    final boolean hasSession = (data != null) && !StringHelper.isEmpty(data.getSessionState());
    if (!hasSession) {
        // Nothing to log out: no OAuth data or no session state recorded.
        return;
    }
    final String uid = data.getUserUid();
    log.debug("Calling oxAuth logout method at the end of HTTP session. User: '{}'", uid);
    try {
        final String state = UUID.randomUUID().toString();
        final EndSessionRequest request = new EndSessionRequest(data.getIdToken(), appConfiguration.getLogoutRedirectUrl(), state);
        request.setSid(data.getSessionState());
        final String endpoint = openIdService.getOpenIdConfiguration().getEndSessionEndpoint();
        final EndSessionClient client = new EndSessionClient(endpoint);
        client.setRequest(request);
        final EndSessionResponse reply = client.exec();
        final boolean redirected = (reply != null) && (reply.getStatus() == 302);
        if (!redirected) {
            log.error("Invalid response code at oxAuth logout. User: '{}'", uid);
        }
    } catch (Exception ex) {
        // Deliberately swallowed after logging: session teardown must complete.
        log.error("Exception happened at oxAuth logout. User: '{}'", uid, ex);
    }
}

Example 4 with EndSessionResponse

use of org.gluu.oxauth.client.EndSessionResponse in project oxAuth by GluuFederation.

From class EndSessionRestWebServiceHttpTest, method requestEndSessionWithSessionId (RP-initiated logout identified by sid only, with no id_token_hint, followed by a replay that must be rejected).

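/**
 * End-to-end RP-initiated logout keyed on the session id (sid) only.
 *
 * Same flow as the id_token variant, but the end_session request carries no
 * id_token_hint and relies solely on sid to identify the session. The final
 * step replays the logout for the already-ended session and expects it to be
 * refused, so that a captured sid cannot be reused against a terminated
 * session as if it were live.
 *
 * @param userId                resource owner login
 * @param userSecret            resource owner password
 * @param redirectUri           redirect_uri used in the authorization request
 * @param redirectUris          space-separated redirect URIs registered for the client
 * @param postLogoutRedirectUri post_logout_redirect_uri registered and then requested
 * @param logoutUri             front-channel logout URI registered for the client
 * @param sectorIdentifierUri   sector_identifier_uri registered for the client
 * @throws Exception on any client/transport failure
 */
@Parameters({ "userId", "userSecret", "redirectUri", "redirectUris", "postLogoutRedirectUri", "logoutUri", "sectorIdentifierUri" })
@Test
public void requestEndSessionWithSessionId(final String userId, final String userSecret, final String redirectUri, final String redirectUris, final String postLogoutRedirectUri, final String logoutUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestEndSession by session_id");
    // 1. OpenID Connect Dynamic Registration, binding the post-logout and
    // front-channel logout URIs to the client.
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
    registerRequest.setFrontChannelLogoutUris(Lists.newArrayList(logoutUri));
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse response = registerClient.exec();
    showClient(registerClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getClientId());
    assertNotNull(response.getClientSecret());
    assertNotNull(response.getRegistrationAccessToken());
    assertNotNull(response.getClientSecretExpiresAt());
    String clientId = response.getClientId();
    // 2. Request authorization (implicit flow: token + id_token).
    List<ResponseType> responseTypes = new ArrayList<ResponseType>();
    responseTypes.add(ResponseType.TOKEN);
    responseTypes.add(ResponseType.ID_TOKEN);
    List<String> scopes = new ArrayList<String>();
    scopes.add("openid");
    scopes.add("profile");
    scopes.add("address");
    scopes.add("email");
    // Fresh nonce and state per run; state is echoed back and checked below.
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The access token is null");
    assertEquals(authorizationResponse.getState(), state);
    assertNotNull(authorizationResponse.getTokenType(), "The token type is null");
    assertNotNull(authorizationResponse.getExpiresIn(), "The expires in value is null");
    // Fixed: the original message read "The scope must be null" for a not-null assertion.
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    assertNotNull(authorizationResponse.getSessionId(), "The session_id is null");
    // This variant identifies the session by sid alone, so a missing sid would
    // turn step 3 into an unidentified logout and invalidate the test.
    assertNotNull(authorizationResponse.getSid(), "The sid is null");
    // 3. End session by sid only: id_token_hint is deliberately null.
    String endSessionId1 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest1 = new EndSessionRequest(null, postLogoutRedirectUri, endSessionId1);
    endSessionRequest1.setSid(authorizationResponse.getSid());
    EndSessionClient endSessionClient = new EndSessionClient(endSessionEndpoint);
    endSessionClient.setRequest(endSessionRequest1);
    EndSessionResponse endSessionResponse1 = endSessionClient.exec();
    showClient(endSessionClient);
    assertEquals(endSessionResponse1.getStatus(), 200, "Unexpected response code. Entity: " + endSessionResponse1.getEntity());
    assertNotNull(endSessionResponse1.getHtmlPage(), "The HTML page is null");
    // Coarse validation of the returned HTML: with front-channel logout URIs
    // registered the server renders a page instead of redirecting, and that
    // page must reference both the front-channel logout_uri and the
    // post_logout_redirect_uri. Presence only; it does not prove the
    // URIs were taken from the client registration rather than the request.
    assertTrue(endSessionResponse1.getHtmlPage().contains("<html>"), "The response body is not an HTML page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(logoutUri), "logout_uri is not present on html page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(postLogoutRedirectUri), "postLogoutRedirectUri is not present on html page");
    // The state is not asserted: for HTML-based (front-channel) logout the
    // server returns a page, not a redirect carrying state.
    // 4. Replay the logout against the already-ended session. The same sid
    // must now be refused; accepting it would mean the server still resolves
    // a session that was just terminated.
    String endSessionId2 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest2 = new EndSessionRequest(null, postLogoutRedirectUri, endSessionId2);
    endSessionRequest2.setSid(authorizationResponse.getSid());
    EndSessionClient endSessionClient2 = new EndSessionClient(endSessionEndpoint);
    endSessionClient2.setRequest(endSessionRequest2);
    EndSessionResponse endSessionResponse2 = endSessionClient2.exec();
    showClient(endSessionClient2);
    assertStatusOrRedirect(endSessionResponse2.getStatus(), Status.BAD_REQUEST.getStatusCode());
    assertEquals(endSessionResponse2.getErrorType(), EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION);
}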

Example 5 with EndSessionResponse

use of org.gluu.oxauth.client.EndSessionResponse in project oxAuth by GluuFederation.

From class EndSessionRestWebServiceHttpTest, method requestEndSessionFail2 (negative test: an end_session request whose id_token_hint is not a valid token must be rejected).

/**
 * Negative test: end_session with an id_token_hint that is not a valid token.
 *
 * The server must not end any session for an unverifiable hint and must
 * answer with a structured error (type and description present).
 *
 * NOTE(review): {@code assertStatusOrRedirect} also accepts a redirect, not
 * only a 400. With an id_token_hint the server cannot verify, it has no
 * client to bind {@code post_logout_redirect_uri} to, so a 302 to the
 * caller-supplied URI would be worth inspecting rather than accepted
 * blindly - confirm what the server actually returns here.
 *
 * @param postLogoutRedirectUri post_logout_redirect_uri sent along with the bogus hint
 * @throws Exception on any client/transport failure
 */
@Parameters({ "postLogoutRedirectUri" })
@Test
public void requestEndSessionFail2(final String postLogoutRedirectUri) throws Exception {
    showTitle("requestEndSessionFail2");
    final String requestState = UUID.randomUUID().toString();
    final EndSessionClient client = new EndSessionClient(endSessionEndpoint);
    // "INVALID_ACCESS_TOKEN" is a placeholder string, not a real (or signed) id_token.
    final EndSessionResponse reply = client.execEndSession("INVALID_ACCESS_TOKEN", postLogoutRedirectUri, requestState);
    showClient(client);
    assertStatusOrRedirect(reply.getStatus(), Status.BAD_REQUEST.getStatusCode());
    // The rejection must carry a structured error payload.
    assertNotNull(reply.getEntity(), "The entity is null");
    assertNotNull(reply.getErrorType(), "The error type is null");
    assertNotNull(reply.getErrorDescription(), "The error description is null");
}
