
Example 1 with ClientRegistrationException

use of org.keycloak.client.registration.ClientRegistrationException in project keycloak by keycloak.

the class CIBATest method testSecureCibaAuthenticationRequestSigningAlgorithmEnforceExecutor.

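/**
 * Exercises {@code SecureCibaAuthenticationRequestSigningAlgorithmExecutor} through both the
 * Admin REST API and dynamic client registration. With no algorithm configured on the executor
 * the client's CIBA backchannel request signing algorithm defaults to PS256 and disallowed values
 * ("none", RS*) are rejected; once the executor is configured with ES256, that value is enforced
 * for clients that do not set one themselves.
 *
 * @throws Exception on unexpected harness failures (expected policy rejections are caught and asserted)
 */
@Test
public void testSecureCibaAuthenticationRequestSigningAlgorithmEnforceExecutor() throws Exception {
    // register profiles - executor with no explicit algorithm, so the executor's own default applies
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies - apply the profile for every updater context (admin user, initial and registration access token)
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API - fail: "none" is rejected
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, "none");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create by Admin REST API - success
    String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
    });
    ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // create by Admin REST API - success, PS256 enforced when the client sets no algorithm
    String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
    });
    ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update by Admin REST API - fail: RS512 is rejected and the stored value must stay ES256
    try {
        updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS512);
        });
        // reaching this line means the policy silently accepted the update
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REQUEST, cpe.getError());
    }
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.PS384);
    });
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update profiles, ES256 enforced
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update by Admin REST API - success: removing the attribute makes the enforced ES256 apply
    updateClientByAdmin(cAppAdmin2Id, (ClientRepresentation client2Rep) -> {
        client2Rep.getAttributes().remove(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG);
    });
    cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update profiles with RS512, fall back to PS256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.RS512)).toRepresentation()).toString();
    updateProfiles(json);
    // create by Admin REST API - fail: RS384 is rejected (this path goes through the admin API, not dynamic registration)
    try {
        createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS384);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create dynamically - success
    String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
        clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.ES256);
    });
    events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(org.hamcrest.Matchers.isEmptyOrNullString()).assertEvent();
    // update dynamically - fail: RS256 is rejected
    try {
        updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.RS256);
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    assertEquals(org.keycloak.crypto.Algorithm.ES256, getClientDynamically(cAppDynamicClientId).getBackchannelAuthenticationRequestSigningAlg());
    // update dynamically - success
    updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
        clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.ES384);
    });
    assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getBackchannelAuthenticationRequestSigningAlg());
    // create dynamically - success, PS256 enforced for a client that sets no algorithm
    restartAuthenticatedClientRegistrationSetting();
    String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
    });
    OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getBackchannelAuthenticationRequestSigningAlg());
    // update profiles, enforce ES256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update dynamically - success, ES256 enforced when the algorithm is cleared
    updateClientDynamically(cAppDynamicClient2Id, (OIDCClientRepresentation client2Rep) -> {
        client2Rep.setBackchannelAuthenticationRequestSigningAlg(null);
    });
    cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getBackchannelAuthenticationRequestSigningAlg());
}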

Example 2 with ClientRegistrationException

use of org.keycloak.client.registration.ClientRegistrationException in project keycloak by keycloak.

the class ClientPoliciesTest method testClientUpdateSourceRolesCondition.

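/**
 * Verifies {@code ClientUpdaterSourceRolesCondition}: the profile (which restricts the client
 * authenticator to {@code JWTClientSecretAuthenticator}) is applied only when the registering
 * user holds the {@code realm-management.create-client} role, so dynamic registration by that
 * user is rejected while registration by a manage-clients user goes through.
 *
 * @throws Exception on unexpected harness failures
 */
@Test
public void testClientUpdateSourceRolesCondition() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Il Primo Profilo").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientSecretAuthenticator.PROVIDER_ID), null)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies - condition keyed on the updater's realm-management.create-client role
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Prima Politica", Boolean.TRUE).addCondition(ClientUpdaterSourceRolesConditionFactory.PROVIDER_ID, createClientUpdateSourceRolesConditionConfig(Arrays.asList(Constants.REALM_MANAGEMENT_CLIENT_ID + "." + AdminRoles.CREATE_CLIENT))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // switch credentials outside the try so an authentication problem is not mistaken for the expected policy rejection
    authCreateClients();
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    authManageClients();
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
        });
    } catch (Exception e) {
        // keep the cause in the failure message instead of discarding it
        fail("registration by the manage-clients user should not be affected by the policy: " + e);
    }
}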

Example 3 with ClientRegistrationException

use of org.keycloak.client.registration.ClientRegistrationException in project keycloak by keycloak.

the class ClientRegistrationTester method main.

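/**
 * Registers a sample client (see {@code createRep1()}) against a Keycloak server and prints the
 * outcome. The server base URL may be passed as the first argument; it defaults to
 * {@code http://localhost:8081/auth}. The realm is always {@code test}.
 *
 * @param args optional; {@code args[0]} overrides the auth server base URL
 * @throws ClientRegistrationException when registration fails for a reason that carries no HTTP
 *         error details (e.g. the server is unreachable); HTTP errors are reported on stderr instead
 */
public static void main(String[] args) throws ClientRegistrationException {
    String serverUrl = args.length > 0 ? args[0] : "http://localhost:8081/auth";
    ClientRepresentation rep = createRep1();
    ClientRegistration reg = ClientRegistration.create().url(serverUrl, "test").build();
    try {
        ClientRepresentation createdRep = reg.create(rep);
        System.out.println("Created client: " + createdRep.getClientId());
    } catch (ClientRegistrationException ex) {
        Throwable cause = ex.getCause();
        // the cause is only an HttpErrorException when the server answered; a blind cast would
        // turn a connection failure into a ClassCastException / NullPointerException
        if (cause instanceof HttpErrorException) {
            HttpErrorException httpEx = (HttpErrorException) cause;
            System.err.println("HttpException when registering client. Status=" + httpEx.getStatusLine().getStatusCode() + ", Details=" + httpEx.getErrorResponse());
        } else {
            throw ex;
        }
    }
}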

Example 4 with ClientRegistrationException

use of org.keycloak.client.registration.ClientRegistrationException in project keycloak by keycloak.

the class ClientPoliciesTest method testClientUpdateSourceGroupsCondition.

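/**
 * Verifies {@code ClientUpdaterSourceGroupsCondition}: the profile (which restricts the client
 * authenticator to {@code JWTClientAuthenticator}) is applied only when the registering user is a
 * member of {@code topGroup}, so dynamic registration by the create-clients user is rejected
 * while registration by the manage-clients user goes through.
 *
 * @throws Exception on unexpected harness failures
 */
@Test
public void testClientUpdateSourceGroupsCondition() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID), null)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies - condition keyed on the updater's membership in "topGroup"
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceGroupsConditionFactory.PROVIDER_ID, createClientUpdateSourceGroupsConditionConfig(Arrays.asList("topGroup"))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // switch credentials outside the try so an authentication problem is not mistaken for the expected policy rejection
    authCreateClients();
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    authManageClients();
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
        });
    } catch (Exception e) {
        // keep the cause in the failure message instead of discarding it
        fail("registration by the manage-clients user should not be affected by the policy: " + e);
    }
}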

Example 5 with ClientRegistrationException

use of org.keycloak.client.registration.ClientRegistrationException in project keycloak by keycloak.

the class KeyRotationTest method testTokens.

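/**
 * Verifies key rotation end to end: tokens and the client registration access token issued under
 * key set #1 keep working after key set #2 is added (refresh re-signs with #2 and the registration
 * access token is re-issued), dropping key set #1 only breaks the artifacts still tied to it, and
 * dropping key set #2 invalidates the remaining access and refresh tokens.
 *
 * @throws Exception on unexpected harness failures
 */
@Test
public void testTokens() throws Exception {
    // Create keys #1
    Map<String, String> keys1 = createKeys1();
    // Get token with keys #1
    oauth.doLogin("test-user@localhost", "password");
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get("code"), "password");
    assertEquals(200, response.getStatusCode());
    assertTokenKid(keys1.get(Algorithm.RS256), response.getAccessToken());
    assertTokenKid(keys1.get(Algorithm.HS256), response.getRefreshToken());
    // Create client with keys #1
    ClientInitialAccessCreatePresentation initialToken = new ClientInitialAccessCreatePresentation();
    initialToken.setCount(100);
    initialToken.setExpiration(0);
    ClientInitialAccessPresentation accessRep = adminClient.realm("test").clientInitialAccess().create(initialToken);
    String initialAccessToken = accessRep.getToken();
    ClientRegistration reg = ClientRegistration.create().url(suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "test").build();
    reg.auth(Auth.token(initialAccessToken));
    ClientRepresentation clientRep = reg.create(ClientBuilder.create().clientId("test").build());
    // Userinfo with keys #1
    assertUserInfo(response.getAccessToken(), 200);
    // Token introspection with keys #1
    assertTokenIntrospection(response.getAccessToken(), true);
    // Get client with keys #1 - registration access token should not have changed
    ClientRepresentation clientRep2 = reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
    assertEquals(clientRep.getRegistrationAccessToken(), clientRep2.getRegistrationAccessToken());
    // Create keys #2
    Map<String, String> keys2 = createKeys2();
    assertNotEquals(keys1.get(Algorithm.RS256), keys2.get(Algorithm.RS256));
    // compare the same algorithm on both sides; comparing HS256 against HS512 is trivially unequal and proves nothing
    assertNotEquals(keys1.get(Algorithm.HS256), keys2.get(Algorithm.HS256));
    // Refresh token with keys #2
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
    assertEquals(200, response.getStatusCode());
    assertTokenKid(keys2.get(Algorithm.RS256), response.getAccessToken());
    assertTokenKid(keys2.get(Algorithm.HS256), response.getRefreshToken());
    // Userinfo with keys #2
    assertUserInfo(response.getAccessToken(), 200);
    // Token introspection with keys #2
    assertTokenIntrospection(response.getAccessToken(), true);
    // Get client with keys #2 - registration access token should be changed
    ClientRepresentation clientRep3 = reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
    assertNotEquals(clientRep.getRegistrationAccessToken(), clientRep3.getRegistrationAccessToken());
    // Drop key #1
    dropKeys1();
    // Refresh token with keys #1 dropped - should pass as refresh token should be signed with key #2
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
    assertEquals(200, response.getStatusCode());
    assertTokenKid(keys2.get(Algorithm.RS256), response.getAccessToken());
    assertTokenKid(keys2.get(Algorithm.HS256), response.getRefreshToken());
    // Userinfo with keys #1 dropped
    assertUserInfo(response.getAccessToken(), 200);
    // Token introspection with keys #1 dropped
    assertTokenIntrospection(response.getAccessToken(), true);
    // Get client with keys #1 - should fail
    try {
        reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
        fail("Expected to fail");
    } catch (ClientRegistrationException expected) {
        // the original registration access token was issued under key set #1, which no longer exists
    }
    // Get client with keys #2 - should succeed
    ClientRepresentation clientRep4 = reg.auth(Auth.token(clientRep3.getRegistrationAccessToken())).get("test");
    assertNotEquals(clientRep2.getRegistrationAccessToken(), clientRep4.getRegistrationAccessToken());
    // Drop key #2
    dropKeys2();
    // Userinfo with keys #2 dropped
    assertUserInfo(response.getAccessToken(), 401);
    // Token introspection with keys #2 dropped
    assertTokenIntrospection(response.getAccessToken(), false);
    // Refresh token with keys #2 dropped - should fail as refresh token is signed with key #2
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
    assertEquals(400, response.getStatusCode());
    assertEquals("Invalid refresh token", response.getErrorDescription());
}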
