Use of org.keycloak.representations.IDToken in project keycloak by keycloak.
Class AccessTokenTest, method testClientScope.
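/**
 * Verifies how realm roles reach the access token when the client "test-app" has
 * full scope switched off: only roles mapped on a default client scope or on the
 * client itself may appear, and a hardcoded claim carried by the client scope
 * must vanish as soon as the scope is no longer a default scope of the client.
 *
 * @throws Exception if any admin call or token request fails
 */
@Test
public void testClientScope() throws Exception {
    RealmResource realm = adminClient.realm("test");

    // Two realm roles granted directly to the test user; the rest of the test
    // controls whether they reach the token via scope mappings.
    RoleRepresentation realmRole = new RoleRepresentation();
    realmRole.setName("realm-test-role");
    realm.roles().create(realmRole);
    realmRole = realm.roles().get("realm-test-role").toRepresentation();

    RoleRepresentation realmRole2 = new RoleRepresentation();
    realmRole2.setName("realm-test-role2");
    realm.roles().create(realmRole2);
    realmRole2 = realm.roles().get("realm-test-role2").toRepresentation();

    List<UserRepresentation> users = realm.users().search("test-user@localhost", -1, -1);
    assertEquals(1, users.size());
    UserRepresentation user = users.get(0);

    List<RoleRepresentation> addRoles = new LinkedList<>();
    addRoles.add(realmRole);
    addRoles.add(realmRole2);
    realm.users().get(user.getId()).roles().realmLevel().add(addRoles);

    // Client scope with a hardcoded claim "hard" = "coded"; the claim shows
    // whether the scope was applied to the token at all.
    ClientScopeRepresentation rep = new ClientScopeRepresentation();
    rep.setName("scope");
    rep.setProtocol("openid-connect");
    Response response = realm.clientScopes().create(rep);
    URI scopeUri;
    String clientScopeId;
    try {
        assertEquals(201, response.getStatus());
        scopeUri = response.getLocation();
        clientScopeId = ApiUtil.getCreatedId(response);
    } finally {
        response.close();
    }
    ClientScopeResource clientScopeResource = adminClient.proxy(ClientScopeResource.class, scopeUri);

    ProtocolMapperModel hard = HardcodedClaim.create("hard", "hard", "coded", "String", true, true);
    ProtocolMapperRepresentation mapper = ModelToRepresentation.toRepresentation(hard);
    response = clientScopeResource.getProtocolMappers().createMapper(mapper);
    try {
        assertEquals(201, response.getStatus());
    } finally {
        response.close();
    }

    // Make the scope a default scope of test-app and switch off full scope, so
    // role claims can only come from scope mappings. The previous full-scope
    // value is kept so it can be restored at the end.
    ClientRepresentation clientRep = ApiUtil.findClientByClientId(realm, "test-app").toRepresentation();
    Boolean originalFullScopeAllowed = clientRep.isFullScopeAllowed();
    realm.clients().get(clientRep.getId()).addDefaultClientScope(clientScopeId);
    clientRep.setFullScopeAllowed(false);
    realm.clients().get(clientRep.getId()).update(clientRep);

    // No scope mappings yet: the hardcoded claim is present, neither role is.
    org.keycloak.representations.AccessTokenResponse tokenResponse = obtainGrantTokenResponse();
    IDToken idToken = getIdToken(tokenResponse);
    assertEquals("coded", idToken.getOtherClaims().get("hard"));
    AccessToken accessToken = getAccessToken(tokenResponse);
    assertEquals("coded", accessToken.getOtherClaims().get("hard"));
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));

    // Mapping realmRole on the client scope lets exactly that role through.
    List<RoleRepresentation> addRole1 = new LinkedList<>();
    addRole1.add(realmRole);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
    accessToken = getAccessToken(obtainGrantTokenResponse());
    assertNotNull(accessToken.getRealmAccess());
    assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));

    // A mapping on the client itself combines with the client-scope mapping.
    List<RoleRepresentation> addRole2 = new LinkedList<>();
    addRole2.add(realmRole2);
    realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().add(addRole2);
    accessToken = getAccessToken(obtainGrantTokenResponse());
    assertNotNull(accessToken.getRealmAccess());
    assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
    assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));

    // Removing both mappings takes both roles out of the token again.
    clientScopeResource.getScopeMappings().realmLevel().remove(addRole1);
    realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().remove(addRole2);
    accessToken = getAccessToken(obtainGrantTokenResponse());
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));

    // Detach the client scope from the client, then map both roles on the scope:
    // neither the roles nor the hardcoded claim may reach either token.
    realm.clients().get(clientRep.getId()).removeDefaultClientScope(clientScopeId);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole2);
    tokenResponse = obtainGrantTokenResponse();
    accessToken = getAccessToken(tokenResponse);
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
    Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
    assertNull(accessToken.getOtherClaims().get("hard"));
    idToken = getIdToken(tokenResponse);
    assertNull(idToken.getOtherClaims().get("hard"));

    // Undo: drop the test roles and the client scope, restore the full-scope flag
    // so later tests see test-app as it was.
    realm.users().get(user.getId()).roles().realmLevel().remove(addRoles);
    realm.roles().get(realmRole.getName()).remove();
    realm.roles().get(realmRole2.getName()).remove();
    clientScopeResource.remove();
    clientRep.setFullScopeAllowed(originalFullScopeAllowed);
    realm.clients().get(clientRep.getId()).update(clientRep);

    // After the scope is gone the hardcoded claim must not survive in any token.
    tokenResponse = obtainGrantTokenResponse();
    idToken = getIdToken(tokenResponse);
    assertNull(idToken.getOtherClaims().get("hard"));
    accessToken = getAccessToken(tokenResponse);
    assertNull(accessToken.getOtherClaims().get("hard"));

    events.clear();
}

/**
 * Requests a token from the "test" realm token endpoint via
 * {@code executeGrantAccessTokenRequest}, asserts HTTP 200 and reads the body.
 * The JAX-RS client and the response are closed even when the assertion or the
 * read fails, so a failing test does not leak connections.
 *
 * @return the parsed token response
 * @throws Exception if the request fails
 */
private org.keycloak.representations.AccessTokenResponse obtainGrantTokenResponse() throws Exception {
    Client client = AdminClientUtil.createResteasyClient();
    try {
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget grantTarget = client.target(grantUri);
        Response response = executeGrantAccessTokenRequest(grantTarget);
        try {
            assertEquals(200, response.getStatus());
            return response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
        } finally {
            response.close();
        }
    } finally {
        client.close();
    }
}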
Use of org.keycloak.representations.IDToken in project keycloak by keycloak.
Class OIDCProtocolMappersTest, method testUserRoleToAttributeMappersWithMultiValuedRoles.
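/**
 * KEYCLOAK-4205: realm-role and client-role mappers writing into the nested
 * {@code roles-custom} claim must produce lists (multivalued), not a single
 * joined string, and each list must hold the user's prefixed roles.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
@SuppressWarnings("unchecked") // the claim arrives as an untyped JSON map holding JSON lists
public void testUserRoleToAttributeMappersWithMultiValuedRoles() throws Exception {
    // Realm roles go to roles-custom.realm with prefix "pref.", client roles of
    // test-app go to roles-custom.test-app. The third trailing flag is what
    // distinguishes these calls from the two-flag variant used where a String
    // claim is expected (see the scoped-client test in this class).
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        assertNotNull(roleMappings);
        assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
        assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));

        List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
        List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
        // Expected roles of test-user@localhost in the imported test realm, with the prefix applied.
        assertRoles(realmRoleMappings, "pref.user", "pref.offline_access");
        assertRoles(testAppMappings, "customer-user");
    } finally {
        // Revert even when an assertion fails, so later tests see test-app without these mappers.
        deleteMappers(protocolMappers);
    }
}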
Use of org.keycloak.representations.IDToken in project keycloak by keycloak.
Class OIDCProtocolMappersTest, method testUserGroupRoleToAttributeMappersScopedWithDifferentClient.
/**
 * Role mappers configured on client "test-app-scope" that reference the roles
 * of a different client ("test-app") still fill the {@code roles-custom} claim
 * for the rich.roles user, here in the single-valued String form.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
@SuppressWarnings("unchecked") // roles-custom is read back as an untyped JSON map
public void testUserGroupRoleToAttributeMappersScopedWithDifferentClient() throws Exception {
    final String clientId = "test-app-scope";
    final String diffClient = "test-app";
    final String realmName = "test";
    final ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    final ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(diffClient, null, "Client roles mapper", "roles-custom.test-app", true, true);

    // Both updaters roll their changes back on close.
    try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, realmName, clientId).setDirectAccessGrantsEnabled(true);
         ProtocolMappersUpdater mapperUpdater = new ProtocolMappersUpdater(clientUpdater.getResource().getProtocolMappers())) {
        mapperUpdater.add(realmMapper, clientMapper).update();

        // NOTE(review): oauth.clientId is switched here and not switched back;
        // presumably a @Before hook resets it — confirm.
        oauth.clientId(clientId);
        final OAuthClient.AccessTokenResponse tokenResponse = browserLogin("password", "rich.roles@redhat.com", "password");
        final IDToken idToken = oauth.verifyIDToken(tokenResponse.getIdToken());

        final Map<String, Object> customRoles = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        assertNotNull(customRoles);
        assertThat(customRoles.keySet(), containsInAnyOrder("realm", diffClient));

        final String realmRoles = (String) customRoles.get("realm");
        final String otherClientRoles = (String) customRoles.get(diffClient);
        assertRolesString(realmRoles, "pref.admin", "pref.user", "pref.customer-user-premium");
        assertRolesString(otherClientRoles, "customer-admin-composite-role", "customer-admin");
    }
}
Use of org.keycloak.representations.IDToken in project keycloak by keycloak.
Class OIDCProtocolMappersTest, method testGroupAttributeUserOneGroupMultivalueAggregate.
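/**
 * A user attribute and a group attribute sharing the name "group-value", mapped
 * with aggregation enabled, arrive in the ID token as one list holding all four
 * values (two from the user, two from the group).
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testGroupAttributeUserOneGroupMultivalueAggregate() throws Exception {
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    UserRepresentation user = userResource.toRepresentation();
    // Replaces whatever attributes the user had; the revert below only removes this key.
    user.setAttributes(new HashMap<>());
    user.getAttributes().put("group-value", Arrays.asList("user-value1", "user-value2"));
    userResource.update(user);

    // group1 carries two values under the same attribute name.
    GroupRepresentation group1 = new GroupRepresentation();
    group1.setName("group1");
    group1.setAttributes(new HashMap<>());
    group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
    // add() returns a Response; close it like the mapper creation below does.
    adminClient.realm("test").groups().add(group1).close();
    group1 = adminClient.realm("test").getGroupByPath("/group1");
    userResource.joinGroup(group1.getId());

    // Last flag = aggregate attribute values (compare the NoAggregate test, which passes false).
    ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, true)).close();
    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertNotNull(idToken.getOtherClaims());

        Object claim = idToken.getOtherClaims().get("group-value");
        assertNotNull(claim);
        assertTrue(claim instanceof List);
        List<?> groupValues = (List<?>) claim;
        assertEquals(4, groupValues.size());
        assertTrue(groupValues.contains("user-value1"));
        assertTrue(groupValues.contains("user-value2"));
        assertTrue(groupValues.contains("value1"));
        assertTrue(groupValues.contains("value2"));
    } finally {
        // Revert user attribute, group membership, the group and the mapper.
        user.getAttributes().remove("group-value");
        userResource.update(user);
        userResource.leaveGroup(group1.getId());
        adminClient.realm("test").groups().group(group1.getId()).remove();
        deleteMappers(protocolMappers);
    }
}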
Use of org.keycloak.representations.IDToken in project keycloak by keycloak.
Class OIDCProtocolMappersTest, method testGroupAttributeOneGroupMultiValueNoAggregate.
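/**
 * A multivalued group attribute mapped without aggregation arrives in the ID
 * token as a list holding exactly the group's two values.
 *
 * @throws Exception if login or an admin call fails
 */
@Test
public void testGroupAttributeOneGroupMultiValueNoAggregate() throws Exception {
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");

    // group1 carries two values under "group-value".
    GroupRepresentation group1 = new GroupRepresentation();
    group1.setName("group1");
    group1.setAttributes(new HashMap<>());
    group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
    // add() returns a Response; close it like the mapper creation below does.
    adminClient.realm("test").groups().add(group1).close();
    group1 = adminClient.realm("test").getGroupByPath("/group1");
    userResource.joinGroup(group1.getId());

    // Last flag = aggregate attribute values; false here (compare the Aggregate test).
    ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, false)).close();
    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertNotNull(idToken.getOtherClaims());

        Object claim = idToken.getOtherClaims().get("group-value");
        assertNotNull(claim);
        assertTrue(claim instanceof List);
        List<?> groupValues = (List<?>) claim;
        assertEquals(2, groupValues.size());
        assertTrue(groupValues.contains("value1"));
        assertTrue(groupValues.contains("value2"));
    } finally {
        // Revert group membership, the group and the mapper.
        userResource.leaveGroup(group1.getId());
        adminClient.realm("test").groups().group(group1.getId()).remove();
        deleteMappers(protocolMappers);
    }
}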