
Example 56 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCScopeTest method testOptionalScopesWithConsentRequired.

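@Test
public void testOptionalScopesWithConsentRequired() throws Exception {
    // Turn off "displayOnConsentScreen" for the built-in "address" client scope.
    // What this test pins down is security-relevant: such a scope is NOT in the token while it is
    // not requested (first login), but once the client requests it explicitly the scope is granted and its
    // claims show up in the ID token even though the consent screen never listed "address" to the user.
    ClientScopeResource addressScope = ApiUtil.findClientScopeByName(testRealm(), "address");
    ClientScopeRepresentation addressScopeRep = addressScope.toRepresentation();
    addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "false");
    addressScope.update(addressScopeRep);
    try {
        // First login with the consent-required client and no scope parameter: the consent screen
        // lists profile/email/roles only, and neither address nor phone claims are issued.
        oauth.clientId("third-party");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
        grantPage.accept();
        EventRepresentation loginEvent = events.expectLogin().user(userId).client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
        Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
        IDToken idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, false);
        assertPhone(idToken, false);
        // Logout
        oauth.doLogout(tokens.refreshToken, "password");
        events.expectLogout(idToken.getSessionState()).client("third-party").user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();
        // Second login requesting the optional scopes. The consent screen shows just "phone" because
        // "address" is hidden from it, yet the resulting token carries both address and phone claims.
        oauth.scope("openid address phone");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PHONE_CONSENT_TEXT);
        grantPage.accept();
        loginEvent = events.expectLogin().client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).user(userId).assertEvent();
        tokens = sendTokenRequest(loginEvent, userId, "openid email profile address phone", "third-party");
        idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, true);
        assertPhone(idToken, true);
    } finally {
        // Revert in a finally block: a failing assertion above must not leak the modified
        // consent-screen setting of the shared "address" scope into the tests that run afterwards.
        addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "true");
        addressScope.update(addressScopeRep);
    }
}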

Example 57 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCScopeTest method testRemoveScopes.

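@Test
public void testRemoveScopes() throws Exception {
    // Reconfigure the "test-app" client: 'profile' moves from default to optional, 'email' is removed
    // from the client entirely (neither default nor optional).
    String profileScopeId = ApiUtil.findClientScopeByName(testRealm(), "profile").toRepresentation().getId();
    String emailScopeId = ApiUtil.findClientScopeByName(testRealm(), "email").toRepresentation().getId();
    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    testApp.removeDefaultClientScope(profileScopeId);
    testApp.removeDefaultClientScope(emailScopeId);
    testApp.addOptionalClientScope(profileScopeId);
    try {
        // Login without a scope parameter: the token must contain none of the profile/email/address/phone
        // claims, i.e. removing a scope from the client really stops its claims from being issued.
        oauth.doLogin("john", "password");
        EventRepresentation loginEvent = events.expectLogin().user(userId).assertEvent();
        Tokens tokens = sendTokenRequest(loginEvent, userId, "openid", "test-app");
        IDToken idToken = tokens.idToken;
        assertProfile(idToken, false);
        assertEmail(idToken, false);
        assertAddress(idToken, false);
        assertPhone(idToken, false);
        // Logout
        oauth.doLogout(tokens.refreshToken, "password");
        events.expectLogout(idToken.getSessionState()).client("test-app").user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();
        // Login requesting the now-optional 'profile' scope: only profile claims appear; email stays absent.
        oauth.scope("openid profile");
        oauth.doLogin("john", "password");
        loginEvent = events.expectLogin().user(userId).assertEvent();
        tokens = sendTokenRequest(loginEvent, userId, "openid profile", "test-app");
        idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, false);
        assertAddress(idToken, false);
        assertPhone(idToken, false);
    } finally {
        // Restore the client's default scopes even if an assertion failed, so the reconfigured
        // "test-app" client does not leak into subsequent tests in this class.
        testApp.removeOptionalClientScope(profileScopeId);
        testApp.addDefaultClientScope(profileScopeId);
        testApp.addDefaultClientScope(emailScopeId);
    }
}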

Example 58 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCScopeTest method testBuiltinOptionalScopes.

@Test
public void testBuiltinOptionalScopes() throws Exception {
    final String username = "john";
    final String password = "password";
    final String clientId = "test-app";

    // Login without a scope parameter: only the default scopes (profile, email) contribute claims.
    // The optional built-ins (address, phone, microprofile-jwt) must not leak into either token.
    oauth.doLogin(username, password);
    EventRepresentation firstLogin = events.expectLogin().user(userId).assertEvent();
    Tokens firstTokens = sendTokenRequest(firstLogin, userId, "openid email profile", clientId);
    IDToken firstIdToken = firstTokens.idToken;
    assertProfile(firstIdToken, true);
    assertEmail(firstIdToken, true);
    assertAddress(firstIdToken, false);
    assertPhone(firstIdToken, false);
    // microprofile claims are checked on both the ID token and the access token
    assertMicroprofile(firstIdToken, false);
    assertMicroprofile(firstTokens.accessToken, false);

    // End the session before the second login
    oauth.doLogout(firstTokens.refreshToken, password);
    events.expectLogout(firstIdToken.getSessionState()).client(clientId).user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();

    // Login again, explicitly requesting the optional scopes: now every claim set is present.
    oauth.scope("openid address phone microprofile-jwt");
    oauth.doLogin(username, password);
    EventRepresentation secondLogin = events.expectLogin().user(userId).assertEvent();
    Tokens secondTokens = sendTokenRequest(secondLogin, userId, "openid email profile address phone microprofile-jwt", clientId);
    IDToken secondIdToken = secondTokens.idToken;
    assertProfile(secondIdToken, true);
    assertEmail(secondIdToken, true);
    assertAddress(secondIdToken, true);
    assertPhone(secondIdToken, true);
    assertMicroprofile(secondIdToken, true);
    assertMicroprofile(secondTokens.accessToken, true);
}

Example 59 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCScopeTest method testRefreshTokenWithConsentRequired.

@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void testRefreshTokenWithConsentRequired() {
    final String clientId = "third-party";
    final String password = "password";

    // Login against the consent-required client and accept the consent screen
    oauth.clientId(clientId);
    oauth.doLoginGrant("john", password);
    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
    grantPage.accept();
    EventRepresentation loginEvent = events.expectLogin().user(userId).client(clientId).detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
    Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", clientId);
    IDToken idToken = tokens.idToken;
    RefreshToken initialRefreshToken = oauth.parseRefreshToken(tokens.refreshToken);
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);

    // While consent is in place, the refresh token is usable and yields an ID token with the same claim sets
    OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(tokens.refreshToken, password);
    Assert.assertEquals(200, refreshed.getStatusCode());
    idToken = oauth.verifyIDToken(refreshed.getIdToken());
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);
    events.expectRefresh(initialRefreshToken.getId(), idToken.getSessionState()).user(userId).client(clientId).assertEvent();

    // The user revokes the grant for the client via the account console's applications page
    accountAppsPage.open();
    events.clear();
    accountAppsPage.revokeGrant(clientId);
    events.expect(EventType.REVOKE_GRANT).client("account").user(userId).detail(Details.REVOKED_CLIENT, clientId).assertEvent();

    // Security check: revoked consent must invalidate the outstanding refresh token (400 / invalid_token)
    refreshed = oauth.doRefreshTokenRequest(refreshed.getRefreshToken(), password);
    Assert.assertEquals(400, refreshed.getStatusCode());
    events.expectRefresh(initialRefreshToken.getId(), idToken.getSessionState()).client(clientId).user(userId).removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).removeDetail(Details.UPDATED_REFRESH_TOKEN_ID).error("invalid_token").assertEvent();
}

Example 60 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class AbstractOIDCResponseTypeTest method nonceAndSessionStateMatches.

@Test
public void nonceAndSessionStateMatches() {
    // The nonce sent in the authorization request must be echoed back in every issued ID token;
    // this is the client's replay/injection protection, so a mismatch here would be a real defect.
    final String requestNonce = "abcdef123456";
    EventRepresentation loginEvent = loginUser(requestNonce);

    OAuthClient.AuthorizationEndpointResponse authzResponse = new OAuthClient.AuthorizationEndpointResponse(oauth, isFragment());
    String expectedSessionState = authzResponse.getSessionState();
    Assert.assertNotNull(expectedSessionState);

    // Each ID token obtained for this response type must carry the request nonce and the
    // session_state returned on the authorization response.
    List<IDToken> idTokens = testAuthzResponseAndRetrieveIDTokens(authzResponse, loginEvent);
    idTokens.forEach(token -> {
        Assert.assertEquals(requestNonce, token.getNonce());
        Assert.assertEquals(expectedSessionState, token.getSessionState());
    });
}
