use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScopedClientNotSet.
@Test
public void testUserGroupRoleToAttributeMappersScopedClientNotSet() throws Exception {
String clientId = "test-app-scope";
ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(null, null, "Client roles mapper", "roles-custom.test-app-scope", true, true);
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
// Login user
ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
oauth.clientId(clientId);
OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
// Verify attribute is filled
Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
String realmRoleMappings = (String) roleMappings.get("realm");
String testAppScopeMappings = (String) roleMappings.get(clientId);
assertRolesString(realmRoleMappings, // from direct assignment to /roleRichGroup/level2group
"pref.admin", // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
"pref.user", "pref.customer-user-premium");
assertRolesString(testAppScopeMappings, // from direct assignment to roleRichUser, present as scope allows it
"test-app-allowed-by-scope", // from direct assignment to /roleRichGroup/level2group, present as scope allows it
"test-app-disallowed-by-scope");
// Revert
deleteMappers(protocolMappers);
}
use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testUserRoleToAttributeMappers.
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRoleToAttributeMappers() throws Exception {
// Add mapper for realm roles
ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true);
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
// Login user
OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
// Verify attribute is filled
Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
String realmRoleMappings = (String) roleMappings.get("realm");
String testAppMappings = (String) roleMappings.get("test-app");
assertRolesString(realmRoleMappings, // from direct assignment in user definition
"pref.user", // from direct assignment in user definition
"pref.offline_access");
assertRolesString(testAppMappings, // from direct assignment in user definition
"customer-user");
// Revert
deleteMappers(protocolMappers);
}
use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScoped.
@Test
public void testUserGroupRoleToAttributeMappersScoped() throws Exception {
String clientId = "test-app-scope";
ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom.test-app-scope", true, true);
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
// Login user
ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
oauth.clientId(clientId);
OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
// Verify attribute is filled
Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
String realmRoleMappings = (String) roleMappings.get("realm");
String testAppScopeMappings = (String) roleMappings.get(clientId);
assertRolesString(realmRoleMappings, // from direct assignment to /roleRichGroup/level2group
"pref.admin", // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
"pref.user", "pref.customer-user-premium");
assertRolesString(testAppScopeMappings, // from direct assignment to roleRichUser, present as scope allows it
"test-app-allowed-by-scope", "test-app-disallowed-by-scope");
// Revert
deleteMappers(protocolMappers);
}
use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testGroupAttributeTwoGroupMultiValueNoAggregate.
@Test
public void testGroupAttributeTwoGroupMultiValueNoAggregate() throws Exception {
// get the user
UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
// create two groups with two values (one is the same value)
GroupRepresentation group1 = new GroupRepresentation();
group1.setName("group1");
group1.setAttributes(new HashMap<>());
group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
adminClient.realm("test").groups().add(group1);
group1 = adminClient.realm("test").getGroupByPath("/group1");
userResource.joinGroup(group1.getId());
GroupRepresentation group2 = new GroupRepresentation();
group2.setName("group2");
group2.setAttributes(new HashMap<>());
group2.getAttributes().put("group-value", Arrays.asList("value2", "value3"));
adminClient.realm("test").groups().add(group2);
group2 = adminClient.realm("test").getGroupByPath("/group2");
userResource.joinGroup(group2.getId());
// create the attribute mapper
ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, false)).close();
try {
// test it
OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
assertNotNull(idToken.getOtherClaims());
assertNotNull(idToken.getOtherClaims().get("group-value"));
assertTrue(idToken.getOtherClaims().get("group-value") instanceof List);
assertEquals(2, ((List) idToken.getOtherClaims().get("group-value")).size());
assertTrue((((List) idToken.getOtherClaims().get("group-value")).contains("value1") && ((List) idToken.getOtherClaims().get("group-value")).contains("value2")) || (((List) idToken.getOtherClaims().get("group-value")).contains("value2") && ((List) idToken.getOtherClaims().get("group-value")).contains("value3")));
} finally {
// revert
userResource.leaveGroup(group1.getId());
adminClient.realm("test").groups().group(group1.getId()).remove();
userResource.leaveGroup(group2.getId());
adminClient.realm("test").groups().group(group2.getId()).remove();
deleteMappers(protocolMappers);
}
}
use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testUserRoleToAttributeMappersWithFullScopeDisabled.
/**
* KEYCLOAK-5259
* @throws Exception
*/
@Test
public void testUserRoleToAttributeMappersWithFullScopeDisabled() throws Exception {
// Add mapper for realm roles
ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);
ClientResource client = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app");
// Disable full-scope-allowed
ClientRepresentation rep = client.toRepresentation();
rep.setFullScopeAllowed(false);
client.update(rep);
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
// Login user
OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
// Verify attribute is filled
Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));
List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
assertRoles(realmRoleMappings, // from direct assignment in user definition
"pref.user");
assertRoles(testAppMappings, // from direct assignment in user definition
"customer-user");
// Revert
deleteMappers(protocolMappers);
rep = client.toRepresentation();
rep.setFullScopeAllowed(true);
client.update(rep);
}
Aggregations