
Example 21 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class RefreshTokenTest method testUserSessionRefreshAndIdle.

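@Test
public void testUserSessionRefreshAndIdle() throws Exception {
    // Browser login, then exchange the authorization code for tokens.
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    events.poll();
    String refreshId = oauth.parseRefreshToken(tokenResponse.getRefreshToken()).getId();
    int last = testingClient.testing().getLastSessionRefresh("test", sessionId, false);

    // A refresh two seconds later must move lastSessionRefresh on the user session.
    setTimeOffset(2);
    tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
    assertEquals(200, tokenResponse.getStatusCode());
    // Return values are not inspected; the calls are kept because they are expected to
    // fail the test on an unverifiable / unparseable token (confirm against OAuthClient).
    oauth.verifyToken(tokenResponse.getAccessToken());
    oauth.parseRefreshToken(tokenResponse.getRefreshToken());
    int next = testingClient.testing().getLastSessionRefresh("test", sessionId, false);
    Assert.assertNotEquals(last, next);

    // Snapshot the realm settings that are changed below so finally can restore them.
    RealmResource realmResource = adminClient.realm("test");
    int lastAccessTokenLifespan = realmResource.toRepresentation().getAccessTokenLifespan();
    int originalIdle = realmResource.toRepresentation().getSsoSessionIdleTimeout();
    try {
        // lastSessionRefresh should still be updated when the access token lifespan is
        // higher than the SSO idle timeout, and it should stay close to the previous value.
        RealmManager.realm(realmResource).accessTokenLifespan(100000);
        setTimeOffset(4);
        tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
        next = testingClient.testing().getLastSessionRefresh("test", sessionId, false);
        Assert.assertThat(next, allOf(greaterThan(last), lessThan(last + 50)));

        // Shrink the idle timeout to 1s and move the clock past it. The extra
        // IDLE_TIMEOUT_WINDOW_SECONDS accounts for the tolerance the server allows.
        RealmManager.realm(realmResource).ssoSessionIdleTimeout(1);
        events.clear();
        setTimeOffset(6 + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS);
        tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");

        // Idle timeout enforced: the refresh is rejected and no new tokens are issued.
        assertEquals(400, tokenResponse.getStatusCode());
        assertNull(tokenResponse.getAccessToken());
        assertNull(tokenResponse.getRefreshToken());
        // NOTE(review): this expectation is built but never checked (no assertEvent()),
        // unlike the login expectation above, so the error event is not actually verified.
        events.expectRefresh(refreshId, sessionId).error(Errors.INVALID_TOKEN);
    } finally {
        // Restore the realm timeouts and the clock so later tests start from a clean state.
        RealmManager.realm(realmResource).ssoSessionIdleTimeout(originalIdle).accessTokenLifespan(lastAccessTokenLifespan);
        events.clear();
        setTimeOffset(0);
    }
}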

Example 22 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class RefreshTokenTest method testClientSessionMaxLifespan.

@Test
public void testClientSessionMaxLifespan() throws Exception {
    RealmResource realm = adminClient.realm("test");
    ClientResource testApp = ApiUtil.findClientByClientId(realm, "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    RealmRepresentation realmRep = realm.toRepresentation();

    // Remember the values that are changed below so the finally block can put them back.
    Integer savedSsoSessionMax = realmRep.getSsoSessionMaxLifespan();
    Integer savedClientSessionMax = realmRep.getClientSessionMaxLifespan();
    // SSO max lifespan is set strictly below the idle timeout so it is the binding limit.
    int ssoSessionMax = realmRep.getSsoSessionIdleTimeout() - 100;
    int realmClientSessionMax = ssoSessionMax - 100;
    int clientOverrideMax = ssoSessionMax - 200;
    try {
        // 1) Only the realm SSO session max lifespan is configured: it bounds refresh_expires_in.
        realmRep.setSsoSessionMaxLifespan(ssoSessionMax);
        realm.update(realmRep);
        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, "password");
        assertEquals(200, tokens.getStatusCode());
        assertExpiration(tokens.getRefreshExpiresIn(), ssoSessionMax);

        // 2) A realm-level client session max lifespan below the SSO max wins.
        realmRep.setClientSessionMaxLifespan(realmClientSessionMax);
        realm.update(realmRep);
        tokens = refreshAndAssertExpiration(tokens.getRefreshToken(), realmClientSessionMax);

        // 3) A per-client attribute below the realm value wins again.
        testAppRep.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, Integer.toString(clientOverrideMax));
        testApp.update(testAppRep);
        refreshAndAssertExpiration(tokens.getRefreshToken(), clientOverrideMax);
    } finally {
        realmRep.setSsoSessionMaxLifespan(savedSsoSessionMax);
        realmRep.setClientSessionMaxLifespan(savedClientSessionMax);
        realm.update(realmRep);
        // Explicit null rather than remove(): the key presumably has to be present in the
        // update for the server to clear the attribute — confirm against the client update logic.
        testAppRep.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, null);
        testApp.update(testAppRep);
    }
}

/**
 * Refreshes with {@code refreshToken}, asserts a 200 response and the expected
 * refresh-token expiration, and returns the response for the next step.
 */
private OAuthClient.AccessTokenResponse refreshAndAssertExpiration(String refreshToken, int expectedRefreshExpiresIn) throws Exception {
    OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(refreshToken, "password");
    assertEquals(200, response.getStatusCode());
    assertExpiration(response.getRefreshExpiresIn(), expectedRefreshExpiresIn);
    return response;
}

Example 23 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class ResourceOwnerPasswordCredentialsGrantTest method grantAccessTokenWithDynamicScope.

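@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void grantAccessTokenWithDynamicScope() throws Exception {
    // Define a dynamic scope whose regexp matches "dynamic-scope:<anything>".
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("dynamic-scope");
    // Plain map instead of double-brace initialisation, which creates an anonymous
    // HashMap subclass holding a hidden reference to the enclosing test instance.
    HashMap<String, String> attributes = new HashMap<>();
    attributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    attributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "dynamic-scope:*");
    clientScope.setAttributes(attributes);
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);

    RealmResource realmResource = adminClient.realm("test");
    try (Response response = realmResource.clientScopes().create(clientScope)) {
        String scopeId = ApiUtil.getCreatedId(response);
        // Registered for cleanup so the scope does not leak into other tests.
        getCleanup().addClientScopeId(scopeId);
        ClientResource resourceOwnerPublicClient = ApiUtil.findClientByClientId(realmResource, "resource-owner-public");
        // NOTE(review): this writes the client back unchanged; kept in case the round-trip is relied on.
        ClientRepresentation testAppRep = resourceOwnerPublicClient.toRepresentation();
        resourceOwnerPublicClient.update(testAppRep);
        resourceOwnerPublicClient.addOptionalClientScope(scopeId);
    }

    // Request the dynamic scope through the password grant on the public client.
    oauth.scope("dynamic-scope:123");
    oauth.clientId("resource-owner-public");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "direct-login", "password");
    // Check the status first: on a failed grant getScope() may be null, which would otherwise
    // surface as a NullPointerException instead of a readable assertion failure.
    assertEquals(200, response.getStatusCode());
    assertTrue(response.getScope().contains("dynamic-scope:123"));

    AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
    RefreshToken refreshToken = oauth.parseRefreshToken(response.getRefreshToken());
    events.expectLogin()
            .client("resource-owner-public")
            .user(userId)
            .session(accessToken.getSessionState())
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.TOKEN_ID, accessToken.getId())
            .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
            .detail(Details.USERNAME, "direct-login")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .assertEvent();
    // The granted dynamic scope must also be carried inside the issued access token.
    assertTrue(accessToken.getScope().contains("dynamic-scope:123"));
}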

Example 24 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class ResourceOwnerPasswordCredentialsGrantTest method grantAccessTokenVerifyEmail.

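@Test
public void grantAccessTokenVerifyEmail() throws Exception {
    int authSessionsBefore = getAuthenticationSessionsCount();
    RealmResource realmResource = adminClient.realm("test");
    RealmManager.realm(realmResource).verifyEmail(true);
    try {
        oauth.clientId("resource-owner");
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "test-user@localhost", "password");
        // A pending required action blocks the direct grant: error response, no token issued.
        assertEquals(400, response.getStatusCode());
        assertEquals("invalid_grant", response.getError());
        assertEquals("Account is not fully set up", response.getErrorDescription());
        events.expectLogin().client("resource-owner").session((String) null).clearDetails().error(Errors.RESOLVE_REQUIRED_ACTIONS).user((String) null).assertEvent();
    } finally {
        // Restore the realm flag and drop the VERIFY_EMAIL required action the failed grant
        // presumably attached to the user, even when an assertion above failed — otherwise
        // later tests in this class would run against a polluted realm/user
        // (same try/finally shape as grantAccessTokenExpiredPassword).
        RealmManager.realm(realmResource).verifyEmail(false);
        UserManager.realm(realmResource).username("test-user@localhost").removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL.toString());
    }
    // The rejected grant must not leave an authentication session behind.
    Assert.assertEquals(authSessionsBefore, getAuthenticationSessionsCount());
}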

Example 25 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class ResourceOwnerPasswordCredentialsGrantTest method grantAccessTokenExpiredPassword.

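@Test
public void grantAccessTokenExpiredPassword() throws Exception {
    // 48 hours: comfortably past the 1-day forceExpiredPasswordChange policy set below.
    final int twoDaysInSeconds = 60 * 60 * 48;
    RealmResource realmResource = adminClient.realm("test");
    RealmManager.realm(realmResource).passwordPolicy("forceExpiredPasswordChange(1)");
    try {
        setTimeOffset(twoDaysInSeconds);
        oauth.clientId("resource-owner");
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "test-user@localhost", "password");
        // The expired password turns into a required action, which blocks the direct grant.
        assertEquals(400, response.getStatusCode());
        assertEquals("invalid_grant", response.getError());
        assertEquals("Account is not fully set up", response.getErrorDescription());
        setTimeOffset(0);
        events.expectLogin().client("resource-owner").session((String) null).clearDetails().error(Errors.RESOLVE_REQUIRED_ACTIONS).user((String) null).assertEvent();
    } finally {
        // Reset the clock here too: the reset inside try is skipped when an assertion fails,
        // and a leftover offset would silently affect every later test.
        setTimeOffset(0);
        RealmManager.realm(realmResource).passwordPolicy("");
        UserManager.realm(realmResource).username("test-user@localhost").removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
    }
}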
