
Example 16 with OIDCConfigurationRepresentation

Use of `org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation` in the keycloak project (keycloak/keycloak).

From class `OIDCWellKnownProviderTest`, method `testIssuerMatches`.

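/**
 * Verifies that the {@code iss} claim of an ID token issued by realm "test" is the same issuer the
 * realm advertises in its discovery document.
 * <p>
 * Relying parties validate {@code iss} against {@code issuer} from discovery; if the two drift apart,
 * every conforming client rejects the realm's tokens, and an issuer that does not correspond to the
 * location the metadata was fetched from is the precondition for issuer mix-up confusion. The discovery
 * document is fetched from {@code AUTH_SERVER_ROOT}, so the advertised issuer is additionally required
 * to be rooted there (OIDC Discovery 4.3: {@code issuer} must match the retrieval location).
 *
 * @throws Exception from the login / token-exchange helpers
 */
@Test
public void testIssuerMatches() throws Exception {
    // Log in and exchange the authorization code so we hold an ID token actually issued by the realm.
    OAuthClient.AuthorizationEndpointResponse authzResp = oauth.doLogin("test-user@localhost", "password");
    OAuthClient.AccessTokenResponse tokenResp = oauth.doAccessTokenRequest(authzResp.getCode(), "password");
    assertEquals(200, tokenResp.getStatusCode());
    IDToken idToken = oauth.verifyIDToken(tokenResp.getIdToken());

    Client client = AdminClientUtil.createResteasyClient();
    try {
        OIDCConfigurationRepresentation discovery = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
        String advertisedIssuer = discovery.getIssuer();

        // The metadata was retrieved from AUTH_SERVER_ROOT, so its issuer must be rooted at that base URL.
        Assert.assertNotNull("discovery document has no issuer", advertisedIssuer);
        Assert.assertTrue("issuer " + advertisedIssuer + " is not rooted at " + OAuthClient.AUTH_SERVER_ROOT,
                advertisedIssuer.startsWith(OAuthClient.AUTH_SERVER_ROOT));

        // The advertised issuer is the expected value; the token's "iss" is what is being checked.
        assertEquals(advertisedIssuer, idToken.getIssuer());
    } finally {
        client.close();
    }
}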

Example 17 with OIDCConfigurationRepresentation

Use of `org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation` in the keycloak project (keycloak/keycloak).

From class `OIDCWellKnownProviderTest`, method `testDiscovery`.

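/**
 * Pins the OIDC discovery document ({@code .well-known/openid-configuration}) of realm "test":
 * endpoint URLs, supported flows, signing/encryption algorithms, client-authentication methods and
 * the extension flags (PKCE, certificate-bound tokens, CIBA, PAR, back-/front-channel logout).
 * <p>
 * This asserts what the server currently advertises, not that every advertised value is desirable.
 * Values worth a reviewer's attention: {@code "none"} is listed for userinfo and request-object
 * signing, {@code RSA1_5} (PKCS#1 v1.5 key transport) is listed among the JWE key-management
 * algorithms, and the {@code plain} PKCE method is listed next to {@code S256}. Any hardening that
 * drops one of them must update this test.
 * <p>
 * {@code Assert.assertNames} is treated as order-insensitive here; the pre-existing assertions already
 * listed the same JWE algorithm set in different orders for different fields.
 */
@Test
public void testDiscovery() {
    Client client = AdminClientUtil.createResteasyClient();
    try {
        OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);

        // Lists shared by several metadata fields, defined once so the fields are asserted in step.
        String[] allSigningAlgs = {
                Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
                Algorithm.RS256, Algorithm.RS384, Algorithm.RS512,
                Algorithm.ES256, Algorithm.ES384, Algorithm.ES512,
                Algorithm.HS256, Algorithm.HS384, Algorithm.HS512 };
        // CIBA request signing advertises asymmetric algorithms only (no HMAC).
        String[] asymmetricSigningAlgs = {
                Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
                Algorithm.RS256, Algorithm.RS384, Algorithm.RS512,
                Algorithm.ES256, Algorithm.ES384, Algorithm.ES512 };
        String[] keyEncryptionAlgs = { JWEConstants.RSA1_5, JWEConstants.RSA_OAEP, JWEConstants.RSA_OAEP_256 };
        String[] contentEncryptionAlgs = {
                JWEConstants.A128CBC_HS256, JWEConstants.A128GCM,
                JWEConstants.A192CBC_HS384, JWEConstants.A192GCM,
                JWEConstants.A256CBC_HS512, JWEConstants.A256GCM };
        String[] clientAuthMethods = {
                "client_secret_basic", "client_secret_post", "private_key_jwt", "client_secret_jwt", "tls_client_auth" };

        // Endpoint URIs. Expected value first so a failure message reads expected/actual the right way round.
        // UriBuilder is mutable, so each helper call gets its own builder instance.
        assertEquals(OIDCLoginProtocolService.authUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build("test").toString(),
                oidcConfig.getAuthorizationEndpoint());
        assertEquals(oauth.getAccessTokenUrl(), oidcConfig.getTokenEndpoint());
        assertEquals(OIDCLoginProtocolService.userInfoUrl(UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)).build("test").toString(),
                oidcConfig.getUserinfoEndpoint());
        assertEquals(oauth.getCertsUrl("test"), oidcConfig.getJwksUri());
        String registrationUri = UriBuilder.fromUri(OAuthClient.AUTH_SERVER_ROOT)
                .path(RealmsResource.class)
                .path(RealmsResource.class, "getClientsService")
                .path(ClientRegistrationService.class, "provider")
                .build("test", OIDCClientRegistrationProviderFactory.ID)
                .toString();
        assertEquals(registrationUri, oidcConfig.getRegistrationEndpoint());

        // Flows: standard, implicit and hybrid response types; device and CIBA grants.
        assertContains(oidcConfig.getResponseTypesSupported(), OAuth2Constants.CODE, OIDCResponseType.ID_TOKEN,
                "id_token token", "code id_token", "code token", "code id_token token");
        assertContains(oidcConfig.getGrantTypesSupported(), OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.IMPLICIT,
                OAuth2Constants.DEVICE_CODE_GRANT_TYPE, OAuth2Constants.CIBA_GRANT_TYPE);
        assertContains(oidcConfig.getResponseModesSupported(), "query", "fragment", "form_post",
                "jwt", "query.jwt", "fragment.jwt", "form_post.jwt");
        Assert.assertNames(oidcConfig.getSubjectTypesSupported(), "pairwise", "public");

        // Signing algorithms. "none" is advertised for userinfo and request objects, i.e. unsigned is accepted there.
        Assert.assertNames(oidcConfig.getIdTokenSigningAlgValuesSupported(), allSigningAlgs);
        Assert.assertNames(oidcConfig.getUserInfoSigningAlgValuesSupported(), withNone(allSigningAlgs));
        Assert.assertNames(oidcConfig.getRequestObjectSigningAlgValuesSupported(), withNone(allSigningAlgs));
        Assert.assertNames(oidcConfig.getAuthorizationSigningAlgValuesSupported(), allSigningAlgs);

        // JWE key-management ("alg") and content-encryption ("enc") algorithms for request objects, ID tokens and JARM.
        Assert.assertNames(oidcConfig.getRequestObjectEncryptionAlgValuesSupported(), keyEncryptionAlgs);
        Assert.assertNames(oidcConfig.getRequestObjectEncryptionEncValuesSupported(), contentEncryptionAlgs);
        Assert.assertNames(oidcConfig.getIdTokenEncryptionAlgValuesSupported(), keyEncryptionAlgs);
        Assert.assertNames(oidcConfig.getIdTokenEncryptionEncValuesSupported(), contentEncryptionAlgs);
        Assert.assertNames(oidcConfig.getAuthorizationEncryptionAlgValuesSupported(), keyEncryptionAlgs);
        Assert.assertNames(oidcConfig.getAuthorizationEncryptionEncValuesSupported(), contentEncryptionAlgs);

        // Client authentication at the token endpoint.
        Assert.assertNames(oidcConfig.getTokenEndpointAuthMethodsSupported(), clientAuthMethods);
        Assert.assertNames(oidcConfig.getTokenEndpointAuthSigningAlgValuesSupported(), allSigningAlgs);
        // introspection_endpoint_auth_methods_supported is overridden in "oidc-well-known-config-override.json"
        // and covered by testDefaultProviderCustomizations, so only the signing algorithms are pinned here.
        Assert.assertNames(oidcConfig.getIntrospectionEndpointAuthSigningAlgValuesSupported(), allSigningAlgs);

        // Claims and scopes.
        assertContains(oidcConfig.getClaimsSupported(), IDToken.NAME, IDToken.EMAIL, IDToken.PREFERRED_USERNAME,
                IDToken.FAMILY_NAME, IDToken.ACR);
        Assert.assertNames(oidcConfig.getClaimTypesSupported(), "normal");
        Assert.assertTrue(oidcConfig.getClaimsParameterSupported());
        assertScopesSupportedMatchesWithRealm(oidcConfig);

        // request / request_uri: both accepted, and request_uri values must be pre-registered.
        Assert.assertTrue(oidcConfig.getRequestParameterSupported());
        Assert.assertTrue(oidcConfig.getRequestUriParameterSupported());
        Assert.assertTrue(oidcConfig.getRequireRequestUriRegistration());

        // KEYCLOAK-7451: PKCE metadata (OAuth Authorization Server Metadata). "plain" is still advertised next to S256.
        Assert.assertNames(oidcConfig.getCodeChallengeMethodsSupported(),
                OAuth2Constants.PKCE_METHOD_PLAIN, OAuth2Constants.PKCE_METHOD_S256);

        // KEYCLOAK-6771: certificate-bound access tokens, https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
        // The mTLS endpoint aliases are the regular endpoints, i.e. the server advertises no separate mTLS-only URLs.
        Assert.assertTrue(oidcConfig.getTlsClientCertificateBoundAccessTokens());
        MTLSEndpointAliases mtlsAliases = oidcConfig.getMtlsEndpointAliases();
        Assert.assertEquals(oidcConfig.getTokenEndpoint(), mtlsAliases.getTokenEndpoint());
        Assert.assertEquals(oidcConfig.getRevocationEndpoint(), mtlsAliases.getRevocationEndpoint());

        // CIBA and back-channel logout.
        assertEquals(oauth.getBackchannelAuthenticationUrl(), oidcConfig.getBackchannelAuthenticationEndpoint());
        Assert.assertNames(oidcConfig.getBackchannelTokenDeliveryModesSupported(), "poll", "ping");
        Assert.assertNames(oidcConfig.getBackchannelAuthenticationRequestSigningAlgValuesSupported(), asymmetricSigningAlgs);
        Assert.assertTrue(oidcConfig.getBackchannelLogoutSupported());
        Assert.assertTrue(oidcConfig.getBackchannelLogoutSessionSupported());

        // Token revocation and device authorization.
        assertEquals(oauth.getTokenRevocationUrl(), oidcConfig.getRevocationEndpoint());
        Assert.assertNames(oidcConfig.getRevocationEndpointAuthMethodsSupported(), clientAuthMethods);
        Assert.assertNames(oidcConfig.getRevocationEndpointAuthSigningAlgValuesSupported(), allSigningAlgs);
        assertEquals(oauth.getDeviceAuthorizationUrl(), oidcConfig.getDeviceAuthorizationEndpoint());

        // Pushed Authorization Requests: supported, but not required of clients by default.
        assertEquals(oauth.getParEndpointUrl(), oidcConfig.getPushedAuthorizationRequestEndpoint());
        assertEquals(Boolean.FALSE, oidcConfig.getRequirePushedAuthorizationRequests());

        // Front-channel logout.
        assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported());
        assertTrue(oidcConfig.getFrontChannelLogoutSupported());
    } finally {
        client.close();
    }
}

/**
 * Returns {@code "none"} followed by {@code algs}, for metadata fields that advertise unsigned objects
 * in addition to the signing algorithms.
 *
 * @param algs signing algorithm names to append after {@code "none"}
 * @return a new array; {@code algs} is not modified
 */
private static String[] withNone(String... algs) {
    String[] result = new String[algs.length + 1];
    result[0] = "none";
    System.arraycopy(algs, 0, result, 1, algs.length);
    return result;
}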

Example 18 with OIDCConfigurationRepresentation

Use of `org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation` in the keycloak project (keycloak/keycloak).

From class `OIDCWellKnownProviderTest`, method `testAcrValuesSupported`.

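/**
 * Checks how {@code acr_values_supported} in the discovery document is derived for realm "test":
 * <ol>
 *   <li>with no step-up flow and no ACR-to-LoA mapping, the default values "0" and "1";</li>
 *   <li>after a step-up flow is configured, the levels taken from that flow;</li>
 *   <li>with an ACR-to-LoA mapping on the realm, the mapping's names together with the flow levels,
 *       including mapped names whose level the flow does not define.</li>
 * </ol>
 * The realm attribute and the flow are reverted in {@code finally}: a leaked mapping or step-up flow
 * would change what later tests observe for {@code acr_values_supported} and for the browser flow,
 * so the revert must not depend on every assertion above it passing.
 *
 * @throws IOException if the ACR-to-LoA map cannot be serialised
 */
@Test
@AuthServerContainerExclude(REMOTE)
public void testAcrValuesSupported() throws IOException {
    Client client = AdminClientUtil.createResteasyClient();
    RealmResource testRealm = adminClient.realm("test");
    // Only revert the flow if it was actually created; revertFlows on a missing flow could mask the real failure.
    boolean stepUpFlowConfigured = false;
    try {
        // Defaults when neither an "acr-to-loa" mapping nor a step-up authentication flow is configured.
        OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
        Assert.assertNames(oidcConfig.getAcrValuesSupported(), "0", "1");

        // With a step-up flow the advertised values come from the flow's levels.
        LevelOfAssuranceFlowTest.configureStepUpFlow(testingClient);
        stepUpFlowConfigured = true;
        oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
        Assert.assertNames(oidcConfig.getAcrValuesSupported(), "0", "1", "2", "3");

        // An ACR-to-LoA mapping adds its names to the numeric levels taken from the flow.
        RealmRepresentation realmRep = testRealm.toRepresentation();
        Map<String, Integer> acrToLoa = new HashMap<>();
        acrToLoa.put("poor", 0);
        acrToLoa.put("silver", 1);
        acrToLoa.put("gold", 2);
        setAcrToLoaMap(testRealm, realmRep, acrToLoa);
        oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
        Assert.assertNames(oidcConfig.getAcrValuesSupported(), "poor", "silver", "gold", "0", "1", "2", "3");

        // Mapped names are advertised even when their level is not defined by the flow.
        acrToLoa = new HashMap<>();
        acrToLoa.put("poor", 0);
        acrToLoa.put("silver", 1);
        acrToLoa.put("gold", 2);
        acrToLoa.put("platinum", 3);
        acrToLoa.put("diamond", 4);
        setAcrToLoaMap(testRealm, realmRep, acrToLoa);
        oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
        Assert.assertNames(oidcConfig.getAcrValuesSupported(),
                "poor", "silver", "gold", "platinum", "diamond", "0", "1", "2", "3");
    } finally {
        try {
            // Revert realm attribute and flow even when an assertion above failed.
            RealmRepresentation current = testRealm.toRepresentation();
            if (current.getAttributes() != null && current.getAttributes().remove(Constants.ACR_LOA_MAP) != null) {
                testRealm.update(current);
            }
            if (stepUpFlowConfigured) {
                BrowserFlowTest.revertFlows(testRealm, "browser -  Level of Authentication FLow");
            }
        } finally {
            client.close();
        }
    }
}

/**
 * Stores {@code acrToLoa} as the realm's {@link Constants#ACR_LOA_MAP} attribute (JSON-serialised)
 * and pushes the representation to the server.
 *
 * @param realm    admin resource of the realm to update
 * @param realmRep representation to modify and send; its attribute map is updated in place
 * @param acrToLoa ACR name to level-of-authentication mapping to store
 * @throws IOException if the map cannot be serialised to JSON
 */
private static void setAcrToLoaMap(RealmResource realm, RealmRepresentation realmRep,
                                   Map<String, Integer> acrToLoa) throws IOException {
    String acrToLoaAttr = JsonSerialization.writeValueAsString(acrToLoa);
    realmRep.getAttributes().put(Constants.ACR_LOA_MAP, acrToLoaAttr);
    realm.update(realmRep);
}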
