Use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.
From class OIDCClientRegistrationTest, method testClientWithoutRefreshToken:
@Test
public void testClientWithoutRefreshToken() throws Exception {
    // Register an OIDC client that requests only the authorization_code grant,
    // deliberately leaving refresh_token out of grant_types.
    OIDCClientRepresentation requested = createRep();
    requested.setGrantTypes(Arrays.asList(OAuth2Constants.AUTHORIZATION_CODE));
    OIDCClientRepresentation registered = reg.oidc().create(requested);

    // The stored Keycloak client must reflect that choice: with refresh_token absent
    // from grant_types, the advanced-config "use refresh tokens" flag is expected off,
    // so the server will not hand this client long-lived refresh tokens.
    ClientRepresentation stored = getClient(registered.getClientId());
    OIDCAdvancedConfigWrapper advanced = OIDCAdvancedConfigWrapper.fromClientRepresentation(stored);
    Assert.assertFalse(advanced.isUseRefreshToken());
}
Use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.
From class DefaultTokenManager, method initLogoutToken:
/**
 * Builds the OIDC back-channel logout token sent to {@code client} when the user's session ends.
 *
 * The token always carries a fresh {@code jti}, {@code iat}, the issuer recorded on the client
 * session, the client id as audience, the {@code sub} of the user and the back-channel logout
 * event claim. Two claims depend on the client's advanced OIDC configuration: {@code sid} is
 * only emitted when the client requires a session id in logout tokens, and the
 * "revoke offline tokens" event is only added when that option is enabled for the client.
 *
 * @param client        the relying party that will receive the logout token
 * @param user          the user whose session is being terminated
 * @param clientSession the client session holding the issuer note and the parent user session
 * @return the unsigned logout token; signing is done elsewhere
 */
public LogoutToken initLogoutToken(ClientModel client, UserModel user, AuthenticatedClientSessionModel clientSession) {
    OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(client);

    LogoutToken logoutToken = new LogoutToken();
    // Unique jti so relying parties can detect replayed logout tokens.
    logoutToken.id(KeycloakModelUtils.generateId());
    logoutToken.issuedNow();
    // Issuer is taken from the client session note so it matches the issuer the RP saw at login.
    logoutToken.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
    logoutToken.setSubject(user.getId());
    logoutToken.addAudience(client.getClientId());
    logoutToken.putEvents(TokenUtil.TOKEN_BACKCHANNEL_LOGOUT_EVENT, JsonSerialization.createObjectNode());

    // sid is optional per client; when required, it is the id of the parent user session.
    boolean sidRequired = clientConfig.isBackchannelLogoutSessionRequired();
    if (sidRequired) {
        logoutToken.setSid(clientSession.getUserSession().getId());
    }

    // Signal to the RP that offline tokens tied to this session should be revoked as well.
    boolean revokeOffline = clientConfig.getBackchannelLogoutRevokeOfflineTokens();
    if (revokeOffline) {
        logoutToken.putEvents(TokenUtil.TOKEN_BACKCHANNEL_LOGOUT_EVENT_REVOKE_OFFLINE_TOKENS, true);
    }

    return logoutToken;
}
Use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.
From class OIDCPublicKeyRotationAdapterTest, method testClientWithJwksUri:
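/**
 * Verifies that the client's JWKS URL setting is actually honoured during login.
 *
 * First the client is pointed at a non-existent JWKS URL: the browser login must not
 * reach the protected content, because the server cannot obtain the client keys and the
 * code-to-token exchange fails. Then the client is switched to the adapter's real JWKS
 * endpoint and the same login must succeed, proving the keys were downloaded from the URL.
 *
 * Fix: the negative check previously asserted only that both names were not present
 * together, which would still pass if one of them leaked onto the page. Each name is now
 * asserted individually so a partially rendered protected page fails the test.
 */
@Test
public void testClientWithJwksUri() throws Exception {
    // Point the client at a JWKS URL that does not serve keys
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), "secure-portal");
    ClientRepresentation client = clientResource.toRepresentation();
    OIDCAdvancedConfigWrapper wrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    wrapper.setUseJwksUrl(true);
    wrapper.setJwksUrl(securePortal + "/bad-jwks-url");
    clientResource.update(client);

    // Login should fail at the code-to-token step: we land back on the portal,
    // but none of the protected content may be visible
    securePortal.navigateTo();
    assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
    testRealmLoginPage.form().login("bburke@redhat.com", "password");
    String pageSource = driver.getPageSource();
    assertCurrentUrlStartsWith(securePortal);
    assertFalse(pageSource.contains("Bill Burke"));
    assertFalse(pageSource.contains("Stian Thorgersen"));

    // Point the client at the adapter's real JWKS endpoint
    client = clientResource.toRepresentation();
    wrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    wrapper.setUseJwksUrl(true);
    wrapper.setJwksUrl(securePortal + "/" + AdapterConstants.K_JWKS);
    clientResource.update(client);

    // Login to secure-portal should be fine now. Client keys downloaded from JWKS URI
    securePortal.navigateTo();
    assertCurrentUrlEquals(securePortal);
    pageSource = driver.getPageSource();
    assertTrue(pageSource.contains("Bill Burke") && pageSource.contains("Stian Thorgersen"));

    // Logout so the following tests start without a session
    String logoutUri = OIDCLoginProtocolService.logoutUrl(authServerPage.createUriBuilder()).queryParam(OAuth2Constants.REDIRECT_URI, securePortal.toString()).build("demo").toString();
    driver.navigate().to(logoutUri);
}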
Use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.
From class FAPI1Test, method testFAPIAdvancedClientRegistration:
/**
 * Checks how the FAPI "advanced" client policy constrains admin-side client registration.
 *
 * Registrations using the client-id-and-secret authenticator, the JWT-with-client-secret
 * authenticator, or a private-key-JWT client with a plain http redirect URI are expected to be
 * rejected with {@code invalid_client_metadata}. Private-key JWT and X.509 authenticators are
 * accepted, a client registered without an authenticator defaults to private-key JWT, and the
 * accepted client ends up with consent required, mTLS holder-of-key tokens, PS256 for both the
 * ID token and request objects, and full-scope disabled.
 */
@Test
public void testFAPIAdvancedClientRegistration() throws Exception {
    // Apply the FAPI "advanced" client policy to all clients in the realm.
    setupPolicyFAPIAdvancedForAllClient();

    // Shared-secret authenticator must be rejected.
    try {
        createClientByAdmin("invalid", (ClientRepresentation rep) -> {
            rep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException rejected) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, rejected.getMessage());
    }

    // JWT signed with the client secret must be rejected as well.
    try {
        createClientByAdmin("invalid", (ClientRepresentation rep) -> {
            rep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException rejected) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, rejected.getMessage());
    }

    // Private-key JWT is fine, but a non-TLS redirect URI is not.
    try {
        createClientByAdmin("invalid", (ClientRepresentation rep) -> {
            rep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            rep.setRedirectUris(Collections.singletonList("http://foo"));
        });
        fail();
    } catch (ClientPolicyException rejected) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, rejected.getMessage());
    }

    // Private-key JWT authenticator: accepted and kept as configured.
    String createdId = createClientByAdmin("client-jwt", (ClientRepresentation rep) -> {
        rep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
    });
    ClientRepresentation registered = getClientByAdmin(createdId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // X.509 authenticator: accepted and kept as configured.
    createdId = createClientByAdmin("client-x509", (ClientRepresentation rep) -> {
        rep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID);
    });
    registered = getClientByAdmin(createdId);
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // No authenticator given: the policy picks private-key JWT rather than the secret-based default.
    createdId = createClientByAdmin("client-jwt-2", (ClientRepresentation rep) -> {
    });
    registered = getClientByAdmin(createdId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // Remaining hardening applied by the policy: consent on, mTLS holder-of-key tokens on,
    // PS256 for ID tokens and request objects, full scope off.
    Assert.assertTrue(registered.isConsentRequired());
    OIDCAdvancedConfigWrapper advanced = OIDCAdvancedConfigWrapper.fromClientRepresentation(registered);
    Assert.assertTrue(advanced.isUseMtlsHokToken());
    Assert.assertEquals(Algorithm.PS256, advanced.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, advanced.getRequestObjectSignatureAlg().toString());
    Assert.assertFalse(registered.isFullScopeAllowed());
}
Use of org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper in project keycloak by keycloak.
From class OIDCClientRegistrationTest, method testClientWithoutGrantTypes:
@Test
public void testClientWithoutGrantTypes() throws Exception {
    // Register a client without specifying grant_types at all.
    OIDCClientRepresentation registered = create();

    // The registration response must fall back to exactly authorization_code + refresh_token.
    List<String> expectedGrants = Arrays.asList(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN);
    assertTrue(CollectionUtil.collectionEquals(expectedGrants, registered.getGrantTypes()));

    // And the stored Keycloak client must have refresh tokens enabled to match that default.
    ClientRepresentation stored = getClient(registered.getClientId());
    OIDCAdvancedConfigWrapper advanced = OIDCAdvancedConfigWrapper.fromClientRepresentation(stored);
    Assert.assertTrue(advanced.isUseRefreshToken());
}