use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.
the class BackchannelLogoutTest method createProviderRealmUser.
/**
 * Provisions the test user in the identity-provider realm before every test.
 *
 * The user is created enabled, with a verified e-mail, through the admin client and then gets the
 * configured password set as a non-temporary credential so a login does not trigger a password-update
 * required action. The generated user id is stored in {@code userIdProviderRealm} for later cleanup.
 */
@Before
public void createProviderRealmUser() {
    log.debug("creating user for realm " + nbc.providerRealmName());
    final RealmResource providerRealm = adminClient.realm(nbc.providerRealmName());

    final UserRepresentation user = new UserRepresentation();
    user.setEnabled(true);
    user.setEmailVerified(true);
    user.setUsername(nbc.getUserLogin());
    user.setEmail(nbc.getUserEmail());

    userIdProviderRealm = createUserWithAdminClient(providerRealm, user);
    // temporary=false: the password must be usable directly, without an UPDATE_PASSWORD action
    resetUserPassword(providerRealm.users().get(userIdProviderRealm), nbc.getUserPassword(), false);
}
use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.
the class OIDCProtocolMappersTest method testUserRolesMovedFromAccessTokenProperties.
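// Test to update protocolMappers to not have roles on the default position (realm_access and resource_access properties)
/**
 * Moves the builtin realm-roles and client-roles mappers of the "roles" client scope to the claim
 * {@code custom.roles}, logs in, and checks that the access token no longer carries
 * {@code realm_access}/{@code resource_access} (neither as parsed fields nor as raw JSON) while all
 * expected roles, including a temporary hardcoded one, appear under {@code custom.roles}.
 * Every change to the shared "test" realm is reverted in {@code finally} blocks.
 *
 * @throws Exception on any failure while talking to the server
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRolesMovedFromAccessTokenProperties() throws Exception {
    RealmResource realm = adminClient.realm("test");
    ClientScopeResource rolesScope = ApiUtil.findClientScopeByName(realm, OIDCLoginProtocolFactory.ROLES_SCOPE);

    // Locate the builtin realm-roles and client-roles mappers of the roles scope
    ProtocolMapperRepresentation realmRolesMapper = null;
    ProtocolMapperRepresentation clientRolesMapper = null;
    for (ProtocolMapperRepresentation rep : rolesScope.getProtocolMappers().getMappers()) {
        if (OIDCLoginProtocolFactory.REALM_ROLES.equals(rep.getName())) {
            realmRolesMapper = rep;
        } else if (OIDCLoginProtocolFactory.CLIENT_ROLES.equals(rep.getName())) {
            clientRolesMapper = rep;
        }
    }
    // Fail with a readable message instead of a NullPointerException if the builtin mappers are missing
    Assert.assertNotNull("Builtin realm roles mapper not found in roles scope", realmRolesMapper);
    Assert.assertNotNull("Builtin client roles mapper not found in roles scope", clientRolesMapper);

    // Update builtin protocolMappers to put roles to different position (claim "custom.roles") for both realm and client roles.
    // The original claim names are kept so the revert below restores the realm exactly as found.
    String realmRolesTokenClaimOrig = realmRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
    String clientRolesTokenClaimOrig = clientRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
    realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
    rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
    clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
    rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);

    // Create some hardcoded role mapper; the response is closed even when reading the created id fails
    String hardcodedMapperId;
    Response resp = rolesScope.getProtocolMappers().createMapper(createHardcodedRole("hard-realm", "hardcoded"));
    try {
        hardcodedMapperId = ApiUtil.getCreatedId(resp);
    } finally {
        resp.close();
    }

    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());

        // Assert roles are not on their original positions
        Assert.assertNull(accessToken.getRealmAccess());
        Assert.assertTrue(accessToken.getResourceAccess().isEmpty());

        // KEYCLOAK-8481 Assert that accessToken JSON doesn't have "realm_access" or "resource_access" fields in it
        String accessTokenJson = new String(new JWSInput(response.getAccessToken()).getContent(), StandardCharsets.UTF_8);
        Assert.assertFalse(accessTokenJson.contains("realm_access"));
        Assert.assertFalse(accessTokenJson.contains("resource_access"));

        // Assert both realm and client roles on the new position. Hardcoded role should be here as well.
        // "custom.roles" is a nested claim, so it is read as the "roles" entry of the "custom" map.
        Map<String, Object> cst1 = (Map<String, Object>) accessToken.getOtherClaims().get("custom");
        List<String> roles = (List<String>) cst1.get("roles");
        Assert.assertNames(roles, "offline_access", "user", "customer-user", "hardcoded", AccountRoles.VIEW_PROFILE, AccountRoles.MANAGE_ACCOUNT, AccountRoles.MANAGE_ACCOUNT_LINKS);

        // Assert audience
        Assert.assertNames(Arrays.asList(accessToken.getAudience()), "account");
    } finally {
        // Revert: the builtin mappers are restored even if deleting the hardcoded mapper fails,
        // otherwise later tests in the shared realm would see roles under "custom.roles"
        try {
            rolesScope.getProtocolMappers().delete(hardcodedMapperId);
        } finally {
            realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, realmRolesTokenClaimOrig);
            rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
            clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, clientRolesTokenClaimOrig);
            rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);
        }
    }
}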
use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.
the class AccessTokenTest method testClientSessionMaxLifespan.
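/**
 * Checks that the access token lifetime returned on refresh is capped by the client session max
 * lifespan, first configured on the realm and then overridden (shorter) on the client itself.
 *
 * Both the realm setting and the client attribute are restored afterwards, each in its own
 * {@code finally} step so a failure restoring one does not leave the other modified.
 *
 * @throws Exception on any failure while talking to the server
 */
@Test
public void testClientSessionMaxLifespan() throws Exception {
    ClientResource client = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation clientRepresentation = client.toRepresentation();
    RealmResource realm = adminClient.realm("test");
    RealmRepresentation rep = realm.toRepresentation();
    int accessTokenLifespan = rep.getAccessTokenLifespan();
    Integer originalClientSessionMaxLifespan = rep.getClientSessionMaxLifespan();
    // Remember any pre-existing client-level override (normally absent) so the client is left exactly as found
    String originalClientAttribute = clientRepresentation.getAttributes().get(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN);
    try {
        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
        assertEquals(200, response.getStatusCode());
        // No cap configured yet: the token lives for the plain access token lifespan
        assertExpiration(response.getExpiresIn(), accessTokenLifespan);

        // Realm-level cap shorter than the access token lifespan
        rep.setClientSessionMaxLifespan(accessTokenLifespan - 100);
        realm.update(rep);
        String refreshToken = response.getRefreshToken();
        response = oauth.doRefreshTokenRequest(refreshToken, "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getExpiresIn(), accessTokenLifespan - 100);

        // Client-level cap shorter still; it takes precedence over the realm value
        clientRepresentation.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, Integer.toString(accessTokenLifespan - 200));
        client.update(clientRepresentation);
        refreshToken = response.getRefreshToken();
        response = oauth.doRefreshTokenRequest(refreshToken, "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getExpiresIn(), accessTokenLifespan - 200);
    } finally {
        try {
            rep.setClientSessionMaxLifespan(originalClientSessionMaxLifespan);
            realm.update(rep);
        } finally {
            clientRepresentation.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, originalClientAttribute);
            client.update(clientRepresentation);
        }
    }
}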
use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.
the class RefreshTokenTest method testClientSessionIdleTimeout.
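/**
 * Checks that the refresh token lifetime returned on refresh is capped by the client session idle
 * timeout, first configured on the realm and then overridden (shorter) on the client itself.
 *
 * Both the realm setting and the client attribute are restored afterwards, each in its own
 * {@code finally} step so a failure restoring one does not leave the other modified.
 *
 * @throws Exception on any failure while talking to the server
 */
@Test
public void testClientSessionIdleTimeout() throws Exception {
    ClientResource client = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation clientRepresentation = client.toRepresentation();
    RealmResource realm = adminClient.realm("test");
    RealmRepresentation rep = realm.toRepresentation();
    int ssoSessionIdleTimeout = rep.getSsoSessionIdleTimeout();
    Integer originalClientSessionIdleTimeout = rep.getClientSessionIdleTimeout();
    // Remember any pre-existing client-level override (normally absent) so the client is left exactly as found
    String originalClientAttribute = clientRepresentation.getAttributes().get(CLIENT_SESSION_IDLE_TIMEOUT);
    try {
        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
        assertEquals(200, response.getStatusCode());
        // No client-level idle timeout yet: the refresh token follows the SSO session idle timeout
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionIdleTimeout);

        // Realm-level client session idle timeout shorter than the SSO idle timeout
        rep.setClientSessionIdleTimeout(ssoSessionIdleTimeout - 100);
        realm.update(rep);
        String refreshToken = response.getRefreshToken();
        response = oauth.doRefreshTokenRequest(refreshToken, "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionIdleTimeout - 100);

        // Client-level idle timeout shorter still; it takes precedence over the realm value
        clientRepresentation.getAttributes().put(CLIENT_SESSION_IDLE_TIMEOUT, Integer.toString(ssoSessionIdleTimeout - 200));
        client.update(clientRepresentation);
        refreshToken = response.getRefreshToken();
        response = oauth.doRefreshTokenRequest(refreshToken, "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionIdleTimeout - 200);
    } finally {
        try {
            rep.setClientSessionIdleTimeout(originalClientSessionIdleTimeout);
            realm.update(rep);
        } finally {
            clientRepresentation.getAttributes().put(CLIENT_SESSION_IDLE_TIMEOUT, originalClientAttribute);
            client.update(clientRepresentation);
        }
    }
}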
use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.
the class RefreshTokenTest method testCheckSsl.
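/**
 * Verifies that a refresh over plain HTTP is rejected with 403 once the realm requires SSL for all
 * requests, and accepted again after the requirement is relaxed back to external requests only.
 *
 * The SSL-required switch is reverted in a {@code finally} block: if the 403 assertion failed while
 * the realm demanded TLS, every later HTTP-based test in the suite would otherwise be rejected as well.
 * Every {@link Response} is closed even when an assertion on it fails. The SSL part of the test only
 * runs when the auth server itself is not already behind SSL.
 *
 * @throws Exception on any failure while talking to the server
 */
@Test
public void testCheckSsl() throws Exception {
    Client client = AdminClientUtil.createResteasyClient();
    try {
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget grantTarget = client.target(grantUri);
        builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI uri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget refreshTarget = client.target(uri);

        // Obtain an initial refresh token via the password grant, then rotate it once through a normal refresh
        String refreshToken = readRefreshTokenAndClose(executeGrantAccessTokenRequest(grantTarget));
        refreshToken = readRefreshTokenAndClose(executeRefreshToken(refreshTarget, refreshToken));

        if (!AUTH_SERVER_SSL_REQUIRED) {
            // test checkSsl
            RealmResource realmResource = adminClient.realm("test");
            RealmManager.realm(realmResource).sslRequired(SslRequired.ALL.toString());
            try {
                Response response = executeRefreshToken(refreshTarget, refreshToken);
                try {
                    // Plain HTTP refresh must be refused while SSL is required for all requests
                    assertEquals(403, response.getStatus());
                } finally {
                    response.close();
                }
            } finally {
                RealmManager.realm(realmResource).sslRequired(SslRequired.EXTERNAL.toString());
            }
        }

        // The refresh token rejected above was not consumed, so it is still valid now
        refreshToken = readRefreshTokenAndClose(executeRefreshToken(refreshTarget, refreshToken));
    } finally {
        client.close();
        resetTimeOffset();
        events.clear();
    }
}

/**
 * Asserts that a token endpoint response has status 200 and returns the refresh token it carries.
 * The response is always closed, including when the status assertion fails.
 *
 * @param response token endpoint response to consume
 * @return the refresh token from the response body
 */
private static String readRefreshTokenAndClose(Response response) {
    try {
        assertEquals(200, response.getStatus());
        org.keycloak.representations.AccessTokenResponse tokenResponse = response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
        return tokenResponse.getRefreshToken();
    } finally {
        response.close();
    }
}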