
Example 11 with IDToken


the class AccessTokenTest method testClientScope.

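/**
 * Verifies that realm-role scope mappings and protocol mappers attached to a client scope
 * show up in issued tokens only while that scope is a default scope of the requesting client.
 *
 * <p>Two realm roles are created and assigned to {@code test-user@localhost}; a client scope
 * carrying a hardcoded {@code hard} claim mapper is attached to {@code test-app}, whose full
 * scope is switched off so that only explicit scope mappings decide which roles reach the
 * token. Tokens are then requested after each change to the mappings and the
 * {@code realm_access} roles and the {@code hard} claim are checked in both the access token
 * and the ID token.
 *
 * <p>Every RESTEasy client and response is closed on all paths, and the roles, the user's
 * role mappings, the client scope and the client's full-scope flag are restored in a
 * {@code finally} block so a failing assertion does not leak state into later tests.
 *
 * @throws Exception if a token request or an admin call fails
 */
@Test
public void testClientScope() throws Exception {
    RealmResource realm = adminClient.realm("test");

    // two realm roles, assigned directly to the test user
    RoleRepresentation realmRole = createRealmRoleAndFetch(realm, "realm-test-role");
    RoleRepresentation realmRole2 = createRealmRoleAndFetch(realm, "realm-test-role2");
    List<UserRepresentation> users = realm.users().search("test-user@localhost", -1, -1);
    assertEquals(1, users.size());
    UserRepresentation user = users.get(0);
    List<RoleRepresentation> addRoles = new LinkedList<>();
    addRoles.add(realmRole);
    addRoles.add(realmRole2);
    realm.users().get(user.getId()).roles().realmLevel().add(addRoles);

    // a client scope with a hardcoded "hard" claim mapper
    ClientScopeRepresentation rep = new ClientScopeRepresentation();
    rep.setName("scope");
    rep.setProtocol("openid-connect");
    Response response = realm.clientScopes().create(rep);
    URI scopeUri;
    String clientScopeId;
    try {
        assertEquals(201, response.getStatus());
        scopeUri = response.getLocation();
        clientScopeId = ApiUtil.getCreatedId(response);
    } finally {
        response.close();
    }
    ClientScopeResource clientScopeResource = adminClient.proxy(ClientScopeResource.class, scopeUri);
    ProtocolMapperModel hard = HardcodedClaim.create("hard", "hard", "coded", "String", true, true);
    ProtocolMapperRepresentation mapper = ModelToRepresentation.toRepresentation(hard);
    response = clientScopeResource.getProtocolMappers().createMapper(mapper);
    try {
        assertEquals(201, response.getStatus());
    } finally {
        response.close();
    }

    // attach the scope to test-app and disable full scope so only explicit mappings count
    ClientRepresentation clientRep = ApiUtil.findClientByClientId(realm, "test-app").toRepresentation();
    Boolean fullScopeBefore = clientRep.isFullScopeAllowed();
    realm.clients().get(clientRep.getId()).addDefaultClientScope(clientScopeId);
    clientRep.setFullScopeAllowed(false);
    realm.clients().get(clientRep.getId()).update(clientRep);

    List<RoleRepresentation> addRole1 = new LinkedList<>();
    addRole1.add(realmRole);
    List<RoleRepresentation> addRole2 = new LinkedList<>();
    addRole2.add(realmRole2);
    try {
        try {
            // scope attached but without role mappings: claim present, neither role granted
            org.keycloak.representations.AccessTokenResponse tokenResponse = requestGrantTokens();
            IDToken idToken = getIdToken(tokenResponse);
            assertEquals("coded", idToken.getOtherClaims().get("hard"));
            AccessToken accessToken = getAccessToken(tokenResponse);
            assertEquals("coded", accessToken.getOtherClaims().get("hard"));
            assertRealmRole(accessToken, realmRole, false);
            assertRealmRole(accessToken, realmRole2, false);

            // a role mapped on the client scope is added to the token
            clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
            accessToken = getAccessToken(requestGrantTokens());
            assertRealmRole(accessToken, realmRole, true);
            assertRealmRole(accessToken, realmRole2, false);

            // a client-level scope mapping combines with the client-scope mapping
            realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().add(addRole2);
            accessToken = getAccessToken(requestGrantTokens());
            assertRealmRole(accessToken, realmRole, true);
            assertRealmRole(accessToken, realmRole2, true);

            // removing both mappings drops both roles again
            clientScopeResource.getScopeMappings().realmLevel().remove(addRole1);
            realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().remove(addRole2);
            accessToken = getAccessToken(requestGrantTokens());
            assertRealmRole(accessToken, realmRole, false);
            assertRealmRole(accessToken, realmRole2, false);

            // scope detached from the client: roles mapped on it and its mapper no longer apply
            realm.clients().get(clientRep.getId()).removeDefaultClientScope(clientScopeId);
            clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
            clientScopeResource.getScopeMappings().realmLevel().add(addRole2);
            tokenResponse = requestGrantTokens();
            accessToken = getAccessToken(tokenResponse);
            assertRealmRole(accessToken, realmRole, false);
            assertRealmRole(accessToken, realmRole2, false);
            assertNull(accessToken.getOtherClaims().get("hard"));
            assertNull(getIdToken(tokenResponse).getOtherClaims().get("hard"));
        } finally {
            // undo roles, mappers and the full-scope change even if an assertion above failed
            realm.users().get(user.getId()).roles().realmLevel().remove(addRoles);
            realm.roles().get(realmRole.getName()).remove();
            realm.roles().get(realmRole2.getName()).remove();
            clientScopeResource.remove();
            ClientRepresentation current = realm.clients().get(clientRep.getId()).toRepresentation();
            current.setFullScopeAllowed(fullScopeBefore);
            realm.clients().get(clientRep.getId()).update(current);
        }
        // with the scope gone nothing of it must remain in fresh tokens
        org.keycloak.representations.AccessTokenResponse afterCleanup = requestGrantTokens();
        assertNull(getIdToken(afterCleanup).getOtherClaims().get("hard"));
        assertNull(getAccessToken(afterCleanup).getOtherClaims().get("hard"));
    } finally {
        events.clear();
    }
}

/**
 * Creates a realm role with the given name and returns its server-side representation
 * (which carries the generated id).
 *
 * @param realm realm to create the role in
 * @param name  role name
 * @return the role as stored on the server
 */
private static RoleRepresentation createRealmRoleAndFetch(RealmResource realm, String name) {
    RoleRepresentation role = new RoleRepresentation();
    role.setName(name);
    realm.roles().create(role);
    return realm.roles().get(name).toRepresentation();
}

/**
 * Runs the grant request built by {@link #executeGrantAccessTokenRequest} against the
 * {@code test} realm token endpoint, asserts HTTP 200 and returns the parsed token response.
 * The RESTEasy client and the HTTP response are closed on every path, including assertion
 * failure.
 *
 * @return the parsed token response
 * @throws Exception if the request cannot be executed
 */
private org.keycloak.representations.AccessTokenResponse requestGrantTokens() throws Exception {
    Client client = AdminClientUtil.createResteasyClient();
    try {
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget grantTarget = client.target(grantUri);
        Response response = executeGrantAccessTokenRequest(grantTarget);
        try {
            assertEquals(200, response.getStatus());
            return response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
        } finally {
            response.close();
        }
    } finally {
        client.close();
    }
}

/**
 * Asserts that the token carries a {@code realm_access} section and that the given realm
 * role is present in it ({@code expected == true}) or absent ({@code expected == false}).
 *
 * @param accessToken token under test
 * @param role        realm role, matched by name
 * @param expected    whether the role must be listed
 */
private static void assertRealmRole(AccessToken accessToken, RoleRepresentation role, boolean expected) {
    assertNotNull("realm_access missing from access token", accessToken.getRealmAccess());
    assertEquals("realm role " + role.getName() + " listed in realm_access", expected,
            accessToken.getRealmAccess().getRoles().contains(role.getName()));
}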

Example 12 with IDToken


the class OIDCProtocolMappersTest method testUserRoleToAttributeMappersWithMultiValuedRoles.

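/**
 * KEYCLOAK-4205: a realm-role mapper and a client-role mapper that both write into the nested
 * {@code roles-custom} claim must each yield a multivalued (list) entry in the ID token, and
 * the lists must hold the user's realm roles and {@code test-app} roles respectively.
 *
 * <p>The mappers are removed in a {@code finally} block so a failed assertion does not leave
 * them on {@code test-app} for later tests.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testUserRoleToAttributeMappersWithMultiValuedRoles() throws Exception {
    // Add a mapper for realm roles and one for test-app client roles; both nest under "roles-custom"
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        // Login user
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        // Verify the nested claim exists and holds one list per mapper
        Object rawClaim = idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(rawClaim, CoreMatchers.instanceOf(Map.class));
        @SuppressWarnings("unchecked")
        Map<String, Object> roleMappings = (Map<String, Object>) rawClaim;
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
        Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));
        @SuppressWarnings("unchecked")
        List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
        @SuppressWarnings("unchecked")
        List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
        // expected roles come from the direct assignments in the user definition of the test realm
        assertRoles(realmRoleMappings, "pref.user", "pref.offline_access");
        assertRoles(testAppMappings, "customer-user");
    } finally {
        // Revert
        deleteMappers(protocolMappers);
    }
}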

Example 13 with IDToken


the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScopedWithDifferentClient.

/**
 * Role mappers configured on {@code test-app-scope} that reference the roles of a different
 * client ({@code test-app}) still fill the nested {@code roles-custom} claim of the ID token
 * issued to {@code test-app-scope}; here each entry is a single string of role names.
 *
 * <p>The client attribute change and the added mappers are applied through updaters that are
 * closed by try-with-resources when the test ends.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testUserGroupRoleToAttributeMappersScopedWithDifferentClient() throws Exception {
    final String realmName = "test";
    final String clientId = "test-app-scope";
    final String diffClient = "test-app";
    final ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    final ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(diffClient, null, "Client roles mapper", "roles-custom.test-app", true, true);
    try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, realmName, clientId).setDirectAccessGrantsEnabled(true);
        ProtocolMappersUpdater mappersUpdater = new ProtocolMappersUpdater(clientUpdater.getResource().getProtocolMappers())) {
        mappersUpdater.add(realmMapper, clientMapper).update();
        // Login as the rich-roles user through the scoped client
        oauth.clientId(clientId);
        OAuthClient.AccessTokenResponse tokens = browserLogin("password", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(tokens.getIdToken());
        // The nested claim must carry exactly one entry per mapper
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        assertNotNull(roleMappings);
        assertThat(roleMappings.keySet(), containsInAnyOrder("realm", diffClient));
        String realmRoleMappings = (String) roleMappings.get("realm");
        assertRolesString(realmRoleMappings, "pref.admin", "pref.user", "pref.customer-user-premium");
        String otherClientMappings = (String) roleMappings.get(diffClient);
        assertRolesString(otherClientMappings, "customer-admin-composite-role", "customer-admin");
    }
}

Example 14 with IDToken


the class OIDCProtocolMappersTest method testGroupAttributeUserOneGroupMultivalueAggregate.

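/**
 * A user attribute mapper with aggregation enabled (last flag of {@code createClaimMapper})
 * merges the user's own multivalued {@code group-value} attribute with the same attribute of
 * the group the user belongs to, so the ID-token claim is a list of all four values.
 *
 * <p>The user attribute, group membership, group and mapper are reverted in a
 * {@code finally} block.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testGroupAttributeUserOneGroupMultivalueAggregate() throws Exception {
    // get the user and give it two values of its own
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    UserRepresentation user = userResource.toRepresentation();
    user.setAttributes(new HashMap<>());
    user.getAttributes().put("group-value", Arrays.asList("user-value1", "user-value2"));
    userResource.update(user);
    // create a group1 with two values; the create response is closed so the connection is released
    GroupRepresentation group1 = new GroupRepresentation();
    group1.setName("group1");
    group1.setAttributes(new HashMap<>());
    group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
    adminClient.realm("test").groups().add(group1).close();
    group1 = adminClient.realm("test").getGroupByPath("/group1");
    userResource.joinGroup(group1.getId());
    // create the attribute mapper with aggregation on
    ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, true)).close();
    try {
        // test it: the claim must be a list holding both user and group values
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertNotNull(idToken.getOtherClaims());
        Object claim = idToken.getOtherClaims().get("group-value");
        assertNotNull(claim);
        assertTrue(claim instanceof List);
        List<?> values = (List<?>) claim;
        assertEquals(4, values.size());
        assertTrue(values.contains("user-value1"));
        assertTrue(values.contains("user-value2"));
        assertTrue(values.contains("value1"));
        assertTrue(values.contains("value2"));
    } finally {
        // revert
        user.getAttributes().remove("group-value");
        userResource.update(user);
        userResource.leaveGroup(group1.getId());
        adminClient.realm("test").groups().group(group1.getId()).remove();
        deleteMappers(protocolMappers);
    }
}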

Example 15 with IDToken


the class OIDCProtocolMappersTest method testGroupAttributeOneGroupMultiValueNoAggregate.

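/**
 * A user attribute mapper with aggregation disabled (last flag of {@code createClaimMapper})
 * still picks up the multivalued {@code group-value} attribute of the group the user belongs
 * to, so the ID-token claim is a list of exactly the two group values.
 *
 * <p>The group membership, group and mapper are reverted in a {@code finally} block.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testGroupAttributeOneGroupMultiValueNoAggregate() throws Exception {
    // get the user
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    // create a group1 with two values; the create response is closed so the connection is released
    GroupRepresentation group1 = new GroupRepresentation();
    group1.setName("group1");
    group1.setAttributes(new HashMap<>());
    group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
    adminClient.realm("test").groups().add(group1).close();
    group1 = adminClient.realm("test").getGroupByPath("/group1");
    userResource.joinGroup(group1.getId());
    // create the attribute mapper with aggregation off
    ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, false)).close();
    try {
        // test it: the claim must be a list holding only the group's values
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertNotNull(idToken.getOtherClaims());
        Object claim = idToken.getOtherClaims().get("group-value");
        assertNotNull(claim);
        assertTrue(claim instanceof List);
        List<?> values = (List<?>) claim;
        assertEquals(2, values.size());
        assertTrue(values.contains("value1"));
        assertTrue(values.contains("value2"));
    } finally {
        // revert
        userResource.leaveGroup(group1.getId());
        adminClient.realm("test").groups().group(group1.getId()).remove();
        deleteMappers(protocolMappers);
    }
}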
