
Example 71 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersNotScopedOtherApp.

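@Test
public void testUserGroupRoleToAttributeMappersNotScopedOtherApp() throws Exception {
    // Realm-role and client-role mappers are attached to "test-app-authz" and the user logs in
    // against that client. Realm roles must land under the "roles-custom" claim; the client-role
    // entry must be absent because no client role is defined for test-app-authz.
    String clientId = "test-app-authz";
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom." + clientId, true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    // Login user
    // NOTE(review): direct access grants are switched on for the client here and are not switched
    // off again by this test.
    ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
    oauth.clientId(clientId);
    String oldRedirectUri = oauth.getRedirectUri();
    oauth.redirectUri(UriUtils.getOrigin(oldRedirectUri) + "/test-app-authz");
    try {
        OAuthClient.AccessTokenResponse response = browserLogin("secret", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        // Verify attribute is filled
        @SuppressWarnings("unchecked") // the mappers above write this claim as a map of role-set name -> joined role string
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        // Fail with a readable message instead of an NPE on keySet() when the claim is absent
        assertNotNull("roles-custom claim missing from ID token", roleMappings);
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm"));
        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppAuthzMappings = (String) roleMappings.get(clientId);
        assertRolesString(realmRoleMappings,
                "pref.admin",                 // from direct assignment to /roleRichGroup/level2group
                "pref.user",                  // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.customer-user-premium", // from client role customer-admin-composite-role - realm role for test-app
                "pref.realm-composite-role",  // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.sample-realm-role");    // from realm role realm-composite-role
        // There is no client role defined for test-app-authz
        assertNull(testAppAuthzMappings);
    } finally {
        // Revert the redirect_uri and the mappers even when an assertion above fails, so that
        // later tests in this class start from the shared client configuration.
        oauth.redirectUri(oldRedirectUri);
        deleteMappers(protocolMappers);
    }
}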

Example 72 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testRolesAndAllowedOriginsRemovedFromAccessToken.

@Test
public void testRolesAndAllowedOriginsRemovedFromAccessToken() throws Exception {
    // With the "roles" and "web-origins" default scopes detached from "test-app", the access
    // token must carry neither role claims nor allowed origins, and must not list the client
    // as an audience; the ID token keeps "test-app" as audience regardless.
    RealmResource testRealm = adminClient.realm("test");
    String webOriginsScopeId = ApiUtil.findClientScopeByName(testRealm, OIDCLoginProtocolFactory.WEB_ORIGINS_SCOPE).toRepresentation().getId();
    String rolesScopeId = ApiUtil.findClientScopeByName(testRealm, OIDCLoginProtocolFactory.ROLES_SCOPE).toRepresentation().getId();
    // Remove 'roles' and 'web-origins' scope from the client
    ClientResource testAppClient = ApiUtil.findClientByClientId(testRealm, "test-app");
    testAppClient.removeDefaultClientScope(webOriginsScopeId);
    testAppClient.removeDefaultClientScope(rolesScopeId);
    try {
        OAuthClient.AccessTokenResponse tokenResponse = browserLogin("password", "test-user@localhost", "password");
        AccessToken at = oauth.verifyToken(tokenResponse.getAccessToken());
        // Neither web origins nor roles may be present in the access token
        Assert.assertNull(at.getAllowedOrigins());
        Assert.assertNull(at.getRealmAccess());
        Assert.assertTrue(at.getResourceAccess().isEmpty());
        // The client is only "issuedFor", not part of the audience
        Assert.assertEquals("test-app", at.getIssuedFor());
        Assert.assertFalse(at.hasAudience("test-app"));
        // The ID token still lists "test-app" as an audience
        IDToken it = oauth.verifyIDToken(tokenResponse.getIdToken());
        Assert.assertEquals("test-app", it.getIssuedFor());
        Assert.assertTrue(it.hasAudience("test-app"));
    } finally {
        // Revert: re-attach both default scopes so later tests see the stock client
        testAppClient.addDefaultClientScope(webOriginsScopeId);
        testAppClient.addDefaultClientScope(rolesScopeId);
    }
}

Example 73 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testRoleMapperWithRoleInheritedFromMoreGroups.

// KEYCLOAK-8148 -- Test the scenario where:
// -- user is member of 2 groups
// -- both groups have same role "customer-user" assigned
// -- User login. Role will appear just once in the token (not twice)
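@Test
public void testRoleMapperWithRoleInheritedFromMoreGroups() throws Exception {
    // The user ends up in two groups that both carry "customer-user"; the client-role mapper
    // must emit that role only once in the "roles-custom" claim.
    // Create client-mapper
    String clientId = "test-app";
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(clientMapper));
    // Add user 'level2GroupUser' to the group 'level2Group2'
    GroupRepresentation level2Group2 = adminClient.realm("test").getGroupByPath("/topGroup/level2group2");
    UserResource level2GroupUser = ApiUtil.findUserByUsernameId(adminClient.realm("test"), "level2GroupUser");
    level2GroupUser.joinGroup(level2Group2.getId());
    try {
        oauth.clientId(clientId);
        OAuthClient.AccessTokenResponse response = browserLogin("password", "level2GroupUser", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        // Verify attribute is filled AND it is filled only once
        @SuppressWarnings("unchecked") // the mapper above writes this claim as a map of client id -> joined role string
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        // Fail with a readable message instead of an NPE on keySet() when the claim is absent
        assertNotNull("roles-custom claim missing from ID token", roleMappings);
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder(clientId));
        String testAppScopeMappings = (String) roleMappings.get(clientId);
        assertRolesString(testAppScopeMappings,
                "customer-user"); // from assignment to level2group or level2group2. It is filled just once
    } finally {
        // Revert the group membership and the mapper even when an assertion fails, so the
        // extra membership does not leak into later tests that log in as this user.
        level2GroupUser.leaveGroup(level2Group2.getId());
        deleteMappers(protocolMappers);
    }
}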

Example 74 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testTokenPropertiesMapping.

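@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testTokenPropertiesMapping() throws Exception {
    // Claims that are real properties of the token classes ("sub", "aud", "website", "iat")
    // are mapped from user attributes / hardcoded values; "iat" must keep the server-issued
    // value, and the hardcoded ID-token claims must also show up in the UserInfo response.
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    UserRepresentation user = userResource.toRepresentation();
    user.singleAttribute("userid", "123456789");
    user.getAttributes().put("useraud", Arrays.asList("test-app", "other"));
    userResource.update(user);
    // create a user attr mapping for some claims that exist as properties in the tokens
    ClientResource app = findClientResourceByClientId(adminClient.realm("test"), "test-app");
    app.getProtocolMappers().createMapper(createClaimMapper("userid-as-sub", "userid", "sub", "String", true, true, false)).close();
    app.getProtocolMappers().createMapper(createClaimMapper("useraud", "useraud", "aud", "String", true, true, true)).close();
    app.getProtocolMappers().createMapper(createHardcodedClaim("website-hardcoded", "website", "http://localhost", "String", true, true)).close();
    app.getProtocolMappers().createMapper(createHardcodedClaim("iat-hardcoded", "iat", "123", "long", true, false)).close();
    try {
        // login
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        // assert mappers work as expected
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertEquals(user.firstAttribute("userid"), idToken.getSubject());
        assertEquals("http://localhost", idToken.getWebsite());
        assertNotNull(idToken.getAudience());
        assertThat(Arrays.asList(idToken.getAudience()), hasItems("test-app", "other"));
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        assertEquals(user.firstAttribute("userid"), accessToken.getSubject());
        assertEquals("http://localhost", accessToken.getWebsite());
        assertNotNull(accessToken.getAudience());
        assertThat(Arrays.asList(accessToken.getAudience()), hasItems("test-app", "other"));
        // iat should not be modified: the hardcoded "123" must not override the issue time
        assertNotEquals(123L, accessToken.getIat().longValue());
        // assert that tokens are also OK in the UserInfo response (hardcoded mappers in IDToken are in UserInfo)
        Client client = AdminClientUtil.createResteasyClient();
        try {
            Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, response.getAccessToken());
            try {
                UserInfo userInfo = userInfoResponse.readEntity(UserInfo.class);
                assertEquals(user.firstAttribute("userid"), userInfo.getSubject());
                assertEquals(user.getEmail(), userInfo.getEmail());
                assertEquals(user.getUsername(), userInfo.getPreferredUsername());
                assertEquals(user.getLastName(), userInfo.getFamilyName());
                assertEquals(user.getFirstName(), userInfo.getGivenName());
                assertEquals("http://localhost", userInfo.getWebsite());
                // NOTE(review): these two lines re-check the access token, not the UserInfo
                // payload; confirm whether an audience assertion on userInfo was intended.
                assertNotNull(accessToken.getAudience());
                assertThat(Arrays.asList(accessToken.getAudience()), hasItems("test-app", "other"));
            } finally {
                // Release the response (and its connection) even if readEntity or an assertion fails
                userInfoResponse.close();
            }
        } finally {
            client.close();
        }
    } finally {
        // Always log out and remove the mappers, so a failed assertion does not leave the
        // shared "test-app" client with the sub/aud/website/iat mappers for later tests.
        // logout
        oauth.openLogout();
        // undo mappers
        app = findClientByClientId(adminClient.realm("test"), "test-app");
        ClientRepresentation clientRepresentation = app.toRepresentation();
        for (ProtocolMapperRepresentation model : clientRepresentation.getProtocolMappers()) {
            if (Arrays.asList("userid-as-sub", "useraud", "website-hardcoded", "iat-hardcoded").contains(model.getName())) {
                app.getProtocolMappers().delete(model.getId());
            }
        }
        events.clear();
    }
}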

Example 75 with IDToken

use of org.keycloak.representations.IDToken in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScopedClientNotSet.

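@Test
public void testUserGroupRoleToAttributeMappersScopedClientNotSet() throws Exception {
    // The client-role mapper is created without a client id, so it is scoped by the logged-in
    // client ("test-app-scope"): both realm roles and the client's scope-allowed roles must
    // appear under the "roles-custom" claim.
    String clientId = "test-app-scope";
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(null, null, "Client roles mapper", "roles-custom.test-app-scope", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        // Login user
        // NOTE(review): direct access grants are switched on for the client here and are not
        // switched off again by this test.
        ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
        oauth.clientId(clientId);
        OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        // Verify attribute is filled
        @SuppressWarnings("unchecked") // the mappers above write this claim as a map of role-set name -> joined role string
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        // Fail with a readable message instead of an NPE on keySet() when the claim is absent
        assertNotNull("roles-custom claim missing from ID token", roleMappings);
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppScopeMappings = (String) roleMappings.get(clientId);
        assertRolesString(realmRoleMappings,
                "pref.admin",                 // from direct assignment to /roleRichGroup/level2group
                "pref.user",                  // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.customer-user-premium");
        assertRolesString(testAppScopeMappings,
                "test-app-allowed-by-scope",     // from direct assignment to roleRichUser, present as scope allows it
                "test-app-disallowed-by-scope"); // from direct assignment to /roleRichGroup/level2group, present as scope allows it
    } finally {
        // Revert the mappers even when an assertion fails, so later tests start from the
        // shared client configuration.
        deleteMappers(protocolMappers);
    }
}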
