
Example 56 with JWSInput

use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.

the class HoKTest method verifyHoKTokenCertThumbPrint.

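/**
 * Asserts that the tokens in {@code response} are bound to the client certificate with thumbprint
 * {@code certThumbPrint} (the {@code cnf} claim of certificate-bound tokens, RFC 8705).
 *
 * @param response          token endpoint response holding the access token and, optionally, the refresh token
 * @param certThumbPrint    thumbprint the {@code cnf} claim is expected to carry
 * @param checkRefreshToken whether the refresh token must carry the same binding as well
 */
private void verifyHoKTokenCertThumbPrint(AccessTokenResponse response, String certThumbPrint, boolean checkRefreshToken) {
    AccessToken at = parseTokenOrFail(response.getAccessToken(), AccessToken.class);
    // A token without a cnf claim must fail as an assertion, not as a NullPointerException
    Assert.assertNotNull("access token has no cnf claim", at.getCertConf());
    assertCertThumbprint(certThumbPrint, at.getCertConf().getCertThumbprint());
    if (checkRefreshToken) {
        RefreshToken rt = parseTokenOrFail(response.getRefreshToken(), RefreshToken.class);
        Assert.assertNotNull("refresh token has no cnf claim", rt.getCertConf());
        assertCertThumbprint(certThumbPrint, rt.getCertConf().getCertThumbprint());
    }
}

/**
 * Parses {@code jwt} into {@code type}, turning a malformed JWS into a test failure (as the former
 * per-call try/catch did) while keeping the original exception as the cause.
 */
private static <T> T parseTokenOrFail(String jwt, Class<T> type) {
    try {
        return new JWSInput(jwt).readJsonContent(type);
    } catch (JWSInputException e) {
        throw new AssertionError("cannot parse token: " + e, e);
    }
}

/**
 * Compares the expected and actual thumbprints. A plain equality assertion is sufficient in a test and,
 * unlike {@code assertTrue(MessageDigest.isEqual(...))}, reports both values on failure and avoids
 * {@code String.getBytes()} with the platform default charset.
 */
private static void assertCertThumbprint(String expected, String actual) {
    assertEquals("token cnf thumbprint does not match the client certificate", expected, actual);
}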

Example 57 with JWSInput

use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.

the class HoKTest method testIntrospectHoKAccessToken.

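/**
 * Introspects a certificate-bound (holder-of-key) access token and checks that every party agrees on the
 * binding: the {@code cnf} thumbprint returned by the introspection endpoint must equal the one carried in
 * the access token, in the refresh token, and the thumbprint of the client certificate that was presented
 * on the mutual-TLS token request.
 *
 * @throws Exception on any I/O or parsing failure; the test framework reports it as an error
 */
@Test
public void testIntrospectHoKAccessToken() throws Exception {
    // Mimic the client: log in and exchange the code over mutual TLS (default key store holds the client cert)
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    // The method declares `throws Exception`, so an IOException may propagate as-is instead of being
    // wrapped in a RuntimeException that hides its original type.
    AccessTokenResponse accessTokenResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, "password", client);
    }
    // Mimic the resource server: introspect with client credentials over a connection presenting no client cert
    String introspectionJson;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) {
        introspectionJson = oauth.introspectTokenWithClientCredential("confidential-cli", "secret1", "access_token", accessTokenResponse.getAccessToken(), client);
    }
    TokenMetadataRepresentation introspection = JsonSerialization.readValue(introspectionJson, TokenMetadataRepresentation.class);
    AccessToken accessToken = new JWSInput(accessTokenResponse.getAccessToken()).readJsonContent(AccessToken.class);
    RefreshToken refreshToken = new JWSInput(accessTokenResponse.getRefreshToken()).readJsonContent(RefreshToken.class);

    // A missing cnf claim should fail as an assertion, not as a NullPointerException
    Assert.assertNotNull("access token has no cnf claim", accessToken.getCertConf());
    Assert.assertNotNull("refresh token has no cnf claim", refreshToken.getCertConf());
    Assert.assertNotNull("introspection response has no cnf claim", introspection.getCertConf());
    String thumbprintFromAccessToken = accessToken.getCertConf().getCertThumbprint();
    String thumbprintFromRefreshToken = refreshToken.getCertConf().getCertThumbprint();
    String thumbprintFromIntrospection = introspection.getCertConf().getCertThumbprint();
    String thumbprintFromClientCert = MutualTLSUtils.getThumbprintFromDefaultClientCert();

    assertTrue(introspection.isActive());
    assertEquals("test-user@localhost", introspection.getUserName());
    assertEquals("test-app", introspection.getClientId());
    assertEquals(loginEvent.getUserId(), introspection.getSubject());
    // All four thumbprints must agree; the presented client certificate is the reference value
    assertEquals(thumbprintFromClientCert, thumbprintFromIntrospection);
    assertEquals(thumbprintFromClientCert, thumbprintFromAccessToken);
    assertEquals(thumbprintFromAccessToken, thumbprintFromRefreshToken);
}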

Example 58 with JWSInput

use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.

the class LogoutTest method testFrontChannelLogout.

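/**
 * Front-channel logout triggered through the end-session endpoint with an {@code id_token_hint}: the test
 * app must receive a logout token whose issuer and {@code sid} match the ID token, and the confirmation
 * page must list the client by its display name.
 *
 * The client is reconfigured for the test and restored in {@code finally} — including its display name, so
 * a failure does not leak the modified configuration into later tests.
 *
 * @throws Exception on any I/O or parsing failure; the test framework reports it as an error
 */
@Test
public void testFrontChannelLogout() throws Exception {
    ClientsResource clients = adminClient.realm(oauth.getRealm()).clients();
    ClientRepresentation rep = clients.findByClientId(oauth.getClientId()).get(0);
    // Remember the original display name so it can be put back; the other settings are reset to fixed values
    String originalName = rep.getName();
    rep.setName("My Testing App");
    rep.setFrontchannelLogout(true);
    rep.getAttributes().put(OIDCConfigAttributes.FRONT_CHANNEL_LOGOUT_URI, oauth.APP_ROOT + "/admin/frontchannelLogout");
    clients.get(rep.getId()).update(rep);
    try {
        oauth.clientSessionState("client-session");
        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
        String idTokenString = tokenResponse.getIdToken();
        String logoutUrl = oauth.getLogoutUrl().idTokenHint(idTokenString).build();
        driver.navigate().to(logoutUrl);
        // The test app records the logout token delivered to its front-channel logout URI
        LogoutToken logoutToken = testingClient.testApp().getFrontChannelLogoutToken();
        Assert.assertNotNull("no front-channel logout token received by the test app", logoutToken);
        IDToken idToken = new JWSInput(idTokenString).readJsonContent(IDToken.class);
        Assert.assertEquals(idToken.getIssuer(), logoutToken.getIssuer());
        Assert.assertEquals(idToken.getSessionId(), logoutToken.getSid());
        // assertEquals instead of assertTrue(equals): reports the actual title and does not NPE on a null title
        Assert.assertEquals("Logging out", driver.getTitle());
        String pageSource = driver.getPageSource();
        assertTrue("logout confirmation text missing", pageSource.contains("You are logging out from following apps"));
        assertTrue("client display name missing from logout page", pageSource.contains("My Testing App"));
    } finally {
        rep.setName(originalName);
        rep.setFrontchannelLogout(false);
        rep.getAttributes().put(OIDCConfigAttributes.FRONT_CHANNEL_LOGOUT_URI, "");
        clients.get(rep.getId()).update(rep);
    }
}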

Example 59 with JWSInput

use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.

the class LogoutTest method testFrontChannelLogoutWithPostLogoutRedirectUri.

/**
 * Front-channel logout with a {@code post_logout_redirect_uri}: after navigating to the end-session URL the
 * test app must have received a logout token whose issuer and {@code sid} match the ID token used as hint.
 *
 * NOTE(review): the browser's final location (the post-logout redirect) is not asserted here — only the
 * logout token delivered to the test app is checked.
 *
 * @throws Exception on any I/O or parsing failure; the test framework reports it as an error
 */
@Test
public void testFrontChannelLogoutWithPostLogoutRedirectUri() throws Exception {
    String frontChannelLogoutUri = oauth.APP_ROOT + "/admin/frontchannelLogout";
    ClientsResource clientsResource = adminClient.realm(oauth.getRealm()).clients();
    ClientRepresentation clientRep = clientsResource.findByClientId(oauth.getClientId()).get(0);
    // Enable front-channel logout on the client for the duration of the test
    clientRep.setFrontchannelLogout(true);
    clientRep.getAttributes().put(OIDCConfigAttributes.FRONT_CHANNEL_LOGOUT_URI, frontChannelLogoutUri);
    clientsResource.get(clientRep.getId()).update(clientRep);
    try {
        oauth.clientSessionState("client-session");
        oauth.doLogin("test-user@localhost", "password");
        OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), "password");
        String idTokenHint = tokens.getIdToken();
        driver.navigate().to(oauth.getLogoutUrl().idTokenHint(idTokenHint).postLogoutRedirectUri(oauth.APP_AUTH_ROOT).build());
        // The test app records the logout token delivered to its front-channel logout URI
        LogoutToken received = testingClient.testApp().getFrontChannelLogoutToken();
        Assert.assertNotNull(received);
        IDToken hinted = new JWSInput(idTokenHint).readJsonContent(IDToken.class);
        Assert.assertEquals(received.getIssuer(), hinted.getIssuer());
        Assert.assertEquals(received.getSid(), hinted.getSessionId());
    } finally {
        // Revert the client configuration regardless of outcome
        clientRep.setFrontchannelLogout(false);
        clientRep.getAttributes().put(OIDCConfigAttributes.FRONT_CHANNEL_LOGOUT_URI, "");
        clientsResource.get(clientRep.getId()).update(clientRep);
    }
}

Example 60 with JWSInput

use of org.keycloak.jose.jws.JWSInput in project keycloak by keycloak.

the class SecureSigningAlgorithmForSignedJwtExecutor method executeOnEvent.

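/**
 * Enforces the secure-signing-algorithm policy on the {@code client_assertion} a client sends when it
 * authenticates with a signed JWT. For the token, revocation, introspection and logout endpoints the
 * assertion (if present, or if the policy requires one) must parse as a JWS whose header algorithm passes
 * {@code verifySecureSigningAlgorithm}; other events are ignored.
 *
 * @param context event context; only the events listed in the switch are handled
 * @throws ClientPolicyException when an assertion is required but missing, cannot be parsed as a JWS,
 *         carries no algorithm, or is signed with an algorithm the executor does not accept
 */
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    switch (context.getEvent()) {
        case TOKEN_REQUEST:
        case SERVICE_ACCOUNT_TOKEN_REQUEST:
        case TOKEN_REFRESH:
        case TOKEN_REVOKE:
        case TOKEN_INTROSPECT:
        case LOGOUT_REQUEST:
            // Unset configuration means the assertion is optional
            boolean requireClientAssertion = Optional.ofNullable(configuration.isRequireClientAssertion()).orElse(Boolean.FALSE);
            HttpRequest req = session.getContext().getContextObject(HttpRequest.class);
            String clientAssertion = req.getDecodedFormParameters().getFirst(OAuth2Constants.CLIENT_ASSERTION);
            if (ObjectUtil.isBlank(clientAssertion)) {
                // Reject a required-but-missing assertion up front instead of handing a blank value to the parser
                if (requireClientAssertion) {
                    throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "client assertion required.");
                }
                break;
            }
            verifySecureSigningAlgorithm(signingAlgorithmOf(clientAssertion));
            break;
        default:
            return;
    }
}

/**
 * Parses {@code clientAssertion} as a JWS and returns the name of the algorithm declared in its header.
 *
 * @throws ClientPolicyException if the value is not a parsable JWS or its header declares no algorithm
 */
private static String signingAlgorithmOf(String clientAssertion) throws ClientPolicyException {
    JWSInput jws;
    try {
        jws = new JWSInput(clientAssertion);
    } catch (JWSInputException e) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
    }
    // Guard the header/alg dereference so a malformed header yields a policy error, not a NullPointerException
    if (jws.getHeader() == null || jws.getHeader().getAlgorithm() == null) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "not allowed input format.");
    }
    return jws.getHeader().getAlgorithm().name();
}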
