Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak): class RefreshTokenTest, method testUserSessionRefreshAndIdle.
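@Test
public void testUserSessionRefreshAndIdle() throws Exception {
    // Checks two session-lifetime controls: a successful refresh must bump the user
    // session's lastSessionRefresh, and once the SSO idle timeout has elapsed a refresh
    // request must be rejected (400, no tokens issued).
    oauth.doLogin("test-user@localhost", "password");

    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    events.poll();
    String refreshId = oauth.parseRefreshToken(tokenResponse.getRefreshToken()).getId();

    int last = lastSessionRefresh(sessionId);

    setTimeOffset(2);
    tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
    assertEquals(200, tokenResponse.getStatusCode());
    // Return values were unused; the calls are kept for their validation of the refreshed tokens.
    oauth.verifyToken(tokenResponse.getAccessToken());
    oauth.parseRefreshToken(tokenResponse.getRefreshToken());

    int next = lastSessionRefresh(sessionId);
    Assert.assertNotEquals(last, next);

    RealmResource realmResource = adminClient.realm("test");
    int lastAccessTokenLifespan = realmResource.toRepresentation().getAccessTokenLifespan();
    int originalIdle = realmResource.toRepresentation().getSsoSessionIdleTimeout();

    try {
        RealmManager.realm(realmResource).accessTokenLifespan(100000);
        setTimeOffset(4);
        tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
        next = lastSessionRefresh(sessionId);
        // lastSessionRefresh should be updated because the access token lifespan is higher than the SSO idle timeout
        Assert.assertThat(next, allOf(greaterThan(last), lessThan(last + 50)));

        RealmManager.realm(realmResource).ssoSessionIdleTimeout(1);
        events.clear();
        // Some additional time is needed due to the tolerance allowed by IDLE_TIMEOUT_WINDOW_SECONDS
        setTimeOffset(6 + SessionTimeoutHelper.IDLE_TIMEOUT_WINDOW_SECONDS);
        tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");

        // test idle timeout
        assertEquals(400, tokenResponse.getStatusCode());
        assertNull(tokenResponse.getAccessToken());
        assertNull(tokenResponse.getRefreshToken());
        // NOTE(review): this expectation is built but never checked (no assertEvent() call), so the
        // refresh-error event for the expired session is not actually verified. Before adding
        // .assertEvent(), confirm which user/session fields that error event carries.
        events.expectRefresh(refreshId, sessionId).error(Errors.INVALID_TOKEN);
    } finally {
        // Restore realm settings and the clock so later tests are not affected by this one.
        RealmManager.realm(realmResource).ssoSessionIdleTimeout(originalIdle).accessTokenLifespan(lastAccessTokenLifespan);
        events.clear();
        setTimeOffset(0);
    }
}

/** Reads lastSessionRefresh of the given user session in realm "test" through the testing endpoint (flag passed as false, as before). */
private int lastSessionRefresh(String sessionId) {
    return testingClient.testing().getLastSessionRefresh("test", sessionId, false);
}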
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak): class RefreshTokenTest, method testClientSessionMaxLifespan.
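@Test
public void testClientSessionMaxLifespan() throws Exception {
    // The refresh token's expiry must follow each progressively tighter limit:
    // realm SSO session max lifespan, then realm client-session max lifespan,
    // then the per-client CLIENT_SESSION_MAX_LIFESPAN attribute.
    RealmResource realm = adminClient.realm("test");
    ClientResource client = ApiUtil.findClientByClientId(realm, "test-app");
    ClientRepresentation clientRepresentation = client.toRepresentation();
    RealmRepresentation rep = realm.toRepresentation();

    Integer originalSsoSessionMaxLifespan = rep.getSsoSessionMaxLifespan();
    Integer originalClientSessionMaxLifespan = rep.getClientSessionMaxLifespan();
    // Chosen below the idle timeout so that the max lifespan, not the idle timeout, bounds the refresh token.
    int ssoSessionMaxLifespan = rep.getSsoSessionIdleTimeout() - 100;

    try {
        rep.setSsoSessionMaxLifespan(ssoSessionMaxLifespan);
        realm.update(rep);

        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionMaxLifespan);

        rep.setClientSessionMaxLifespan(ssoSessionMaxLifespan - 100);
        realm.update(rep);
        response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionMaxLifespan - 100);

        clientRepresentation.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, Integer.toString(ssoSessionMaxLifespan - 200));
        client.update(clientRepresentation);
        response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
        assertEquals(200, response.getStatusCode());
        assertExpiration(response.getRefreshExpiresIn(), ssoSessionMaxLifespan - 200);
    } finally {
        // Restore the realm and the client independently: if the realm update throws,
        // the client attribute must still be cleared so it does not leak into other tests.
        try {
            rep.setSsoSessionMaxLifespan(originalSsoSessionMaxLifespan);
            rep.setClientSessionMaxLifespan(originalClientSessionMaxLifespan);
            realm.update(rep);
        } finally {
            clientRepresentation.getAttributes().put(OIDCConfigAttributes.CLIENT_SESSION_MAX_LIFESPAN, null);
            client.update(clientRepresentation);
        }
    }
}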
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak): class ResourceOwnerPasswordCredentialsGrantTest, method grantAccessTokenWithDynamicScope.
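@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void grantAccessTokenWithDynamicScope() throws Exception {
    // Registers a dynamic client scope matching "dynamic-scope:*", attaches it as an optional
    // scope of the public client, then checks that a password grant requesting a concrete value
    // ("dynamic-scope:123") gets that value back in the response and in the access token.
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("dynamic-scope");
    // Plain map instead of an anonymous HashMap subclass: double-brace initialisation creates
    // an extra class that keeps a reference to the enclosing test instance.
    HashMap<String, String> attributes = new HashMap<>();
    attributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    attributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "dynamic-scope:*");
    clientScope.setAttributes(attributes);
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);

    RealmResource realmResource = adminClient.realm("test");
    try (Response response = realmResource.clientScopes().create(clientScope)) {
        String scopeId = ApiUtil.getCreatedId(response);
        getCleanup().addClientScopeId(scopeId);
        ClientResource resourceOwnerPublicClient = ApiUtil.findClientByClientId(realmResource, "resource-owner-public");
        ClientRepresentation testAppRep = resourceOwnerPublicClient.toRepresentation();
        // Round-trips the unchanged representation; kept from the original, looks like a no-op.
        resourceOwnerPublicClient.update(testAppRep);
        resourceOwnerPublicClient.addOptionalClientScope(scopeId);
    }

    oauth.scope("dynamic-scope:123");
    oauth.clientId("resource-owner-public");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "direct-login", "password");
    // Status is checked first so a failed grant reports the status code instead of an NPE on a missing scope.
    assertEquals(200, response.getStatusCode());
    assertTrue(response.getScope().contains("dynamic-scope:123"));

    AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
    RefreshToken refreshToken = oauth.parseRefreshToken(response.getRefreshToken());
    events.expectLogin()
        .client("resource-owner-public")
        .user(userId)
        .session(accessToken.getSessionState())
        .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
        .detail(Details.TOKEN_ID, accessToken.getId())
        .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
        .detail(Details.USERNAME, "direct-login")
        .removeDetail(Details.CODE_ID)
        .removeDetail(Details.REDIRECT_URI)
        .removeDetail(Details.CONSENT)
        .assertEvent();
    assertTrue(accessToken.getScope().contains("dynamic-scope:123"));
}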
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak): class ResourceOwnerPasswordCredentialsGrantTest, method grantAccessTokenVerifyEmail.
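@Test
public void grantAccessTokenVerifyEmail() throws Exception {
    // With "verify email" enabled on the realm, the password grant must be refused for a
    // user whose email is not verified, and the authentication session created for the
    // attempt must not be left behind.
    int authSessionsBefore = getAuthenticationSessionsCount();
    RealmResource realmResource = adminClient.realm("test");
    RealmManager.realm(realmResource).verifyEmail(true);
    try {
        oauth.clientId("resource-owner");
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "test-user@localhost", "password");
        assertEquals(400, response.getStatusCode());
        assertEquals("invalid_grant", response.getError());
        assertEquals("Account is not fully set up", response.getErrorDescription());
        events.expectLogin().client("resource-owner").session((String) null).clearDetails().error(Errors.RESOLVE_REQUIRED_ACTIONS).user((String) null).assertEvent();
    } finally {
        // Undo the realm change and the VERIFY_EMAIL required action the attempt is expected to
        // have put on the user, even when an assertion fails, so later tests start from the default state.
        RealmManager.realm(realmResource).verifyEmail(false);
        UserManager.realm(realmResource).username("test-user@localhost").removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL.toString());
    }
    // Check that the count of authSessions is the same as before authentication (the authentication session was removed)
    Assert.assertEquals(authSessionsBefore, getAuthenticationSessionsCount());
}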
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak): class ResourceOwnerPasswordCredentialsGrantTest, method grantAccessTokenExpiredPassword.
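@Test
public void grantAccessTokenExpiredPassword() throws Exception {
    // With the forceExpiredPasswordChange(1) policy and the clock moved 48h ahead, the
    // user's password counts as expired, so the password grant must be refused with an
    // "account not fully set up" error instead of issuing tokens.
    RealmResource realmResource = adminClient.realm("test");
    RealmManager.realm(realmResource).passwordPolicy("forceExpiredPasswordChange(1)");
    try {
        setTimeOffset(60 * 60 * 48);
        oauth.clientId("resource-owner");
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "test-user@localhost", "password");
        assertEquals(400, response.getStatusCode());
        assertEquals("invalid_grant", response.getError());
        assertEquals("Account is not fully set up", response.getErrorDescription());
        events.expectLogin().client("resource-owner").session((String) null).clearDetails().error(Errors.RESOLVE_REQUIRED_ACTIONS).user((String) null).assertEvent();
    } finally {
        // The clock is reset here rather than inside the try block so that a failed assertion
        // does not leave the 48h offset in place for the following tests.
        setTimeOffset(0);
        RealmManager.realm(realmResource).passwordPolicy("");
        UserManager.realm(realmResource).username("test-user@localhost").removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString());
    }
}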