Search in sources :

Example 6 with TokenVerifier

use of org.keycloak.TokenVerifier in project keycloak by keycloak.

the class ClientTokenExchangeTest method testDirectImpersonation.

@Test
@UncaughtServerErrorExpected
public void testDirectImpersonation() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    Client httpClient = AdminClientUtil.createResteasyClient();
    WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
    System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
    // direct-exchanger can impersonate from token "user" to user "impersonated-user"
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-exchanger", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")));
        Assert.assertEquals(200, response.getStatus());
        AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
        response.close();
        String exchangedTokenString = accessTokenResponse.getToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("direct-exchanger", exchangedToken.getIssuedFor());
        Assert.assertNull(exchangedToken.getAudience());
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
        Assert.assertNull(exchangedToken.getRealmAccess());
    }
    // direct-legal can impersonate from token "user" to user "impersonated-user" and to "target" client
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-legal", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertEquals(200, response.getStatus());
        AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
        response.close();
        String exchangedTokenString = accessTokenResponse.getToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("direct-legal", exchangedToken.getIssuedFor());
        Assert.assertEquals("target", exchangedToken.getAudience()[0]);
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
        Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
    }
    // direct-public fails impersonation
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-public", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertEquals(403, response.getStatus());
        response.close();
    }
    // direct-no-secret fails impersonation
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-no-secret", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertTrue(response.getStatus() >= 400);
        response.close();
    }
}
Also used : AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) Form(javax.ws.rs.core.Form) AccessToken(org.keycloak.representations.AccessToken) TokenVerifier(org.keycloak.TokenVerifier) WebTarget(javax.ws.rs.client.WebTarget) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Aggregations

TokenVerifier (org.keycloak.TokenVerifier)6 Response (javax.ws.rs.core.Response)3 Test (org.junit.Test)3 VerificationException (org.keycloak.common.VerificationException)3 AccessToken (org.keycloak.representations.AccessToken)3 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)3 UncaughtServerErrorExpected (org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)3 OAuthClient (org.keycloak.testsuite.util.OAuthClient)3 Client (javax.ws.rs.client.Client)2 WebTarget (javax.ws.rs.client.WebTarget)2 Form (javax.ws.rs.core.Form)2 SignatureProvider (org.keycloak.crypto.SignatureProvider)2 SignatureVerifierContext (org.keycloak.crypto.SignatureVerifierContext)2 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)2 Map (java.util.Map)1 GET (javax.ws.rs.GET)1 POST (javax.ws.rs.POST)1 AdapterTokenVerifier (org.keycloak.adapters.rotation.AdapterTokenVerifier)1 ExplainedVerificationException (org.keycloak.authentication.ExplainedVerificationException)1 ActionTokenContext (org.keycloak.authentication.actiontoken.ActionTokenContext)1