Example 66 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class AuthzClientCredentialsTest method testNoRefreshToken.

@Test
public void testNoRefreshToken() throws Exception {
    ClientsResource clients = getAdminClient().realm("authz-test-no-rt").clients();
    AuthzClient authzClient = getAuthzClient("default-session-keycloak-no-rt.json");
    org.keycloak.authorization.client.resource.AuthorizationResource authorization = authzClient.authorization();
    AuthorizationResponse response = authorization.authorize();
    AccessToken accessToken = toAccessToken(response.getToken());
    assertEquals(1, accessToken.getAuthorization().getPermissions().size());
    assertEquals("Default Resource", accessToken.getAuthorization().getPermissions().iterator().next().getResourceName());
    ProtectionResource protection = authzClient.protection();
    assertEquals(1, protection.resource().findAll().length);
    try {
        // force token expiration on the client side
        Time.setOffset(1000);
        // should refresh tokens by doing client credentials again
        assertEquals(1, protection.resource().findAll().length);
    } finally {
        Time.setOffset(0);
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 67 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class AuthzClientCredentialsTest method testSingleSessionPerUser.

@Test
public void testSingleSessionPerUser() throws Exception {
    ClientsResource clients = getAdminClient().realm("authz-test-session").clients();
    ClientRepresentation clientRepresentation = clients.findByClientId("resource-server-test").get(0);
    List<UserSessionRepresentation> userSessions = clients.get(clientRepresentation.getId()).getUserSessions(-1, -1);
    assertEquals(0, userSessions.size());
    AuthzClient authzClient = getAuthzClient("default-session-keycloak.json");
    org.keycloak.authorization.client.resource.AuthorizationResource authorization = authzClient.authorization("marta", "password");
    AuthorizationResponse response = authorization.authorize();
    AccessToken accessToken = toAccessToken(response.getToken());
    String sessionState = accessToken.getSessionState();
    assertEquals(1, accessToken.getAuthorization().getPermissions().size());
    assertEquals("Default Resource", accessToken.getAuthorization().getPermissions().iterator().next().getResourceName());
    userSessions = clients.get(clientRepresentation.getId()).getUserSessions(null, null);
    assertEquals(1, userSessions.size());
    for (int i = 0; i < 3; i++) {
        response = authorization.authorize();
        accessToken = toAccessToken(response.getToken());
        assertEquals(sessionState, accessToken.getSessionState());
        Thread.sleep(1000);
    }
    userSessions = clients.get(clientRepresentation.getId()).getUserSessions(null, null);
    assertEquals(1, userSessions.size());
}
Also used : UserSessionRepresentation(org.keycloak.representations.idm.UserSessionRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) ClientsResource(org.keycloak.admin.client.resource.ClientsResource) Test(org.junit.Test)

Example 68 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class AuthzClientCredentialsTest method testSuccessfulAuthorizationRequest.

@Test
public void testSuccessfulAuthorizationRequest() throws Exception {
    AuthzClient authzClient = getAuthzClient("keycloak-with-jwt-authentication.json");
    ProtectionResource protection = authzClient.protection();
    PermissionRequest request = new PermissionRequest("Default Resource");
    PermissionResponse ticketResponse = protection.permission().create(request);
    String ticket = ticketResponse.getTicket();
    AuthorizationResponse authorizationResponse = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    String rpt = authorizationResponse.getToken();
    assertNotNull(rpt);
    AccessToken accessToken = new JWSInput(rpt).readJsonContent(AccessToken.class);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    List<Permission> permissions = new ArrayList<>(authorization.getPermissions());
    assertFalse(permissions.isEmpty());
    assertEquals("Default Resource", permissions.get(0).getResourceName());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) ArrayList(java.util.ArrayList) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) JWSInput(org.keycloak.jose.jws.JWSInput) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) Test(org.junit.Test)

Example 69 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project keycloak by keycloak.

the class ClientScopePolicyTest method testWithoutExpectedClientScope.

@Test
public void testWithoutExpectedClientScope() {
    // Access Resource A with client scope baz.
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("marta", "password", "baz").authorize(new AuthorizationRequest(ticket));
        fail("Should fail.");
    } catch (AuthorizationDeniedException ignore) {
        // Expected: the authorization request for Resource A must be denied.
    }
    // Access Resource B with client scope foo.
    request = new PermissionRequest("Resource B");
    ticket = authzClient.protection().permission().create(request).getTicket();
    try {
        authzClient.authorization("marta", "password", "foo").authorize(new AuthorizationRequest(ticket));
        fail("Should fail.");
    } catch (AuthorizationDeniedException ignore) {
        // Expected: the authorization request for Resource B must be denied.
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Test(org.junit.Test)

Example 70 with AuthzClient

use of org.keycloak.authorization.client.AuthzClient in project alfresco-repository by Alfresco.

the class AuthenticatorAuthzClientFactoryBean method getObject.

@Override
public AuthzClient getObject() throws Exception {
    // Return null when the client is disabled, for instance when Keycloak is configured for 'bearer only' authentication or Direct Access Grants are disabled.
    if (!enabled) {
        return null;
    }
    // Build default http client using the keycloak client builder.
    int conTimeout = identityServiceConfig.getClientConnectionTimeout();
    int socTimeout = identityServiceConfig.getClientSocketTimeout();
    HttpClient client = new HttpClientBuilder().establishConnectionTimeout(conTimeout, TimeUnit.MILLISECONDS).socketTimeout(socTimeout, TimeUnit.MILLISECONDS).build(this.identityServiceConfig);
    // Add secret to credentials if needed.
    // AuthzClient configuration needs credentials with a secret even if the client in Keycloak is configured as public.
    Map<String, Object> credentials = identityServiceConfig.getCredentials();
    if (credentials == null || !credentials.containsKey("secret")) {
        credentials = credentials == null ? new HashMap<>() : new HashMap<>(credentials);
        credentials.put("secret", "");
    }
    // Create default AuthzClient for authenticating users against keycloak
    String authServerUrl = identityServiceConfig.getAuthServerUrl();
    String realm = identityServiceConfig.getRealm();
    String resource = identityServiceConfig.getResource();
    Configuration authzConfig = new Configuration(authServerUrl, realm, resource, credentials, client);
    AuthzClient authzClient = AuthzClient.create(authzConfig);
    if (logger.isDebugEnabled()) {
        logger.debug(" Created Keycloak AuthzClient");
        logger.debug(" Keycloak AuthzClient server URL: " + authzClient.getConfiguration().getAuthServerUrl());
        logger.debug(" Keycloak AuthzClient realm: " + authzClient.getConfiguration().getRealm());
        logger.debug(" Keycloak AuthzClient resource: " + authzClient.getConfiguration().getResource());
    }
    return authzClient;
}
Also used : AuthzClient(org.keycloak.authorization.client.AuthzClient) Configuration(org.keycloak.authorization.client.Configuration) HashMap(java.util.HashMap) HttpClient(org.apache.http.client.HttpClient) HttpClientBuilder(org.keycloak.adapters.HttpClientBuilder)
