
Example 31 with IDToken

Use of org.keycloak.representations.IDToken in the keycloak project (by keycloak).

From class AuthorizationTokenResponseModeTest, method authorizationRequestJWTResponseModeAccessTokenResponseType.

/**
 * Hybrid flow ({@code token id_token}) combined with {@code response_mode=jwt}: the
 * authorization response must arrive as a signed JWT in the URL fragment (fragment.jwt),
 * carry no code and no error, echo the state, and embed an id_token and an access_token
 * that both verify and carry the request nonce.
 *
 * NOTE(review): the test switches "test-app" to implicit flow and never switches it
 * back here — confirm a sibling test or an @After hook restores the client.
 */
@Test
public void authorizationRequestJWTResponseModeAccessTokenResponseType() throws Exception {
    final String state = "OpenIdConnect.AuthenticationProperties=2302984sdlk";
    final String nonce = "123456";

    // A response JWT for a hybrid response type requires the client to allow implicit flow.
    ClientManager.realm(adminClient.realm("test")).clientId("test-app").implicitFlow(true);

    // jwt response_mode with a hybrid response type must fall back to fragment.jwt.
    oauth.responseMode("jwt");
    oauth.responseType("token id_token");
    oauth.stateParamHardcoded(state);
    oauth.nonce(nonce);

    OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
    Assert.assertTrue(response.isRedirected());

    // The whole authorization response is a signed JWT; verify it before reading claims.
    AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
    Assert.assertEquals("test-app", responseToken.getAudience()[0]);
    Assert.assertNull(responseToken.getOtherClaims().get("code"));
    Assert.assertNull(responseToken.getOtherClaims().get("error"));
    Assert.assertEquals(state, responseToken.getOtherClaims().get("state"));

    // id_token: present, verifiable, and bound to this request through the nonce.
    Object idTokenClaim = responseToken.getOtherClaims().get("id_token");
    Assert.assertNotNull(idTokenClaim);
    IDToken idToken = oauth.verifyIDToken((String) idTokenClaim);
    Assert.assertEquals(nonce, idToken.getNonce());

    // access_token: same checks.
    Object accessTokenClaim = responseToken.getOtherClaims().get("access_token");
    Assert.assertNotNull(accessTokenClaim);
    AccessToken accessToken = oauth.verifyToken((String) accessTokenClaim);
    Assert.assertEquals(nonce, accessToken.getNonce());

    // fragment.jwt: nothing in the query string, everything in the fragment.
    URI currentUri = new URI(driver.getCurrentUrl());
    Assert.assertNull(currentUri.getRawQuery());
    Assert.assertNotNull(currentUri.getRawFragment());
}

Example 32 with IDToken

Use of org.keycloak.representations.IDToken in the keycloak project (by keycloak).

From class OIDCScopeTest, method testClientDisplayedOnConsentScreen.

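/**
 * A client with {@code display.on.consent.screen} enabled must be listed on the consent
 * screen with its configured consent text, and consenting must yield an ID token that
 * carries the profile and email claims but neither address nor phone claims.
 *
 * @throws Exception propagated from the login and token request helpers
 */
@Test
public void testClientDisplayedOnConsentScreen() throws Exception {
    // Add "displayOnConsentScreen" to client
    ClientResource thirdParty = ApiUtil.findClientByClientId(testRealm(), "third-party");
    ClientRepresentation thirdPartyRep = thirdParty.toRepresentation();
    thirdPartyRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "true");
    thirdPartyRep.getAttributes().put(ClientScopeModel.CONSENT_SCREEN_TEXT, "ThirdParty permissions");
    thirdParty.update(thirdPartyRep);
    // The client update is shared realm state: revert it in finally so that a failed
    // assertion does not leak the consent-screen setting into the tests that run next.
    try {
        // Login. Client should be displayed on consent screen
        oauth.clientId("third-party");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT, "ThirdParty permissions");
        grantPage.accept();
        EventRepresentation loginEvent = events.expectLogin().user(userId).client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
        Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
        IDToken idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, false);
        assertPhone(idToken, false);
    } finally {
        // Revert
        thirdPartyRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "false");
        thirdParty.update(thirdPartyRep);
    }
}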

Example 33 with IDToken

Use of org.keycloak.representations.IDToken in the keycloak project (by keycloak).

From class OIDCHybridResponseTypeCodeIDTokenAsDetachedSigTest, method testAuthzResponseAndRetrieveIDTokens.

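/**
 * Checks the authorization response of the hybrid {@code code id_token} flow when the
 * ID token is issued as a detached signature (FAPI style), then exchanges the code and
 * returns both ID tokens.
 *
 * @param authzResponse the parsed authorization endpoint response
 * @param loginEvent    the login event recorded for this authorization request
 * @return the ID token from the authorization response followed by the one from the token endpoint
 */
protected List<IDToken> testAuthzResponseAndRetrieveIDTokens(OAuthClient.AuthorizationEndpointResponse authzResponse, EventRepresentation loginEvent) {
    Assert.assertEquals(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, loginEvent.getDetails().get(Details.RESPONSE_TYPE));
    // IDToken from the authorization response; this response type issues no access token there
    Assert.assertNull(authzResponse.getAccessToken());
    String idTokenStr = authzResponse.getIdToken();
    IDToken idToken = oauth.verifyIDToken(idTokenStr);
    // confirm ID token as detached signature does not include authenticated user's claims
    Assert.assertNull(idToken.getEmailVerified());
    Assert.assertNull(idToken.getName());
    Assert.assertNull(idToken.getPreferredUsername());
    Assert.assertNull(idToken.getGivenName());
    Assert.assertNull(idToken.getFamilyName());
    Assert.assertNull(idToken.getEmail());
    // Validate "at_hash": no access token was issued alongside, so the hash must be absent
    Assert.assertNull(idToken.getAccessTokenHash());
    // Validate "c_hash": binds the ID token to the code it was issued with
    assertValidCodeHash(idToken.getCodeHash(), authzResponse.getCode());
    // Financial API - Part 2: Read and Write API Security Profile
    // http://openid.net/specs/openid-financial-api-part-2.html#authorization-server
    // Validate "s_hash": binds the ID token to the request's state
    Assert.assertNotNull(idToken.getStateHash());
    // JUnit's assertEquals takes (expected, actual); keeping that order makes a mismatch
    // report the computed hash as the expectation instead of the other way round.
    String expectedStateHash = HashUtils.oidcHash(getIdTokenSignatureAlgorithm(), authzResponse.getState());
    Assert.assertEquals(expectedStateHash, idToken.getStateHash());
    // Validate if token_type is null
    Assert.assertNull(authzResponse.getTokenType());
    // Validate if expires_in is null
    Assert.assertNull(authzResponse.getExpiresIn());
    // IDToken exchanged for the code
    IDToken idToken2 = sendTokenRequestAndGetIDToken(loginEvent);
    // confirm the ordinary ID token includes authenticated user's claims
    Assert.assertNotNull(idToken2.getEmailVerified());
    Assert.assertNotNull(idToken2.getName());
    Assert.assertNotNull(idToken2.getPreferredUsername());
    Assert.assertNotNull(idToken2.getGivenName());
    Assert.assertNotNull(idToken2.getFamilyName());
    Assert.assertNotNull(idToken2.getEmail());
    return Arrays.asList(idToken, idToken2);
}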

Example 34 with IDToken

Use of org.keycloak.representations.IDToken in the keycloak project (by keycloak).

From class OIDCHybridResponseTypeCodeIDTokenTest, method testAuthzResponseAndRetrieveIDTokens.

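/**
 * Checks the authorization response of the hybrid {@code code id_token} flow, then
 * exchanges the code at the token endpoint and returns both ID tokens.
 *
 * @param authzResponse the parsed authorization endpoint response
 * @param loginEvent    the login event recorded for this authorization request
 * @return the ID token from the authorization response followed by the one from the token endpoint
 */
protected List<IDToken> testAuthzResponseAndRetrieveIDTokens(OAuthClient.AuthorizationEndpointResponse authzResponse, EventRepresentation loginEvent) {
    Assert.assertEquals(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, loginEvent.getDetails().get(Details.RESPONSE_TYPE));
    // IDToken from the authorization response; this response type issues no access token there
    Assert.assertNull(authzResponse.getAccessToken());
    String idTokenStr = authzResponse.getIdToken();
    IDToken idToken = oauth.verifyIDToken(idTokenStr);
    // Validate "at_hash": no access token was issued alongside, so the hash must be absent
    Assert.assertNull(idToken.getAccessTokenHash());
    // Validate "c_hash": binds the ID token to the code it was issued with
    assertValidCodeHash(idToken.getCodeHash(), authzResponse.getCode());
    // Financial API - Part 2: Read and Write API Security Profile
    // http://openid.net/specs/openid-financial-api-part-2.html#authorization-server
    // Validate "s_hash": binds the ID token to the request's state
    Assert.assertNotNull(idToken.getStateHash());
    // JUnit's assertEquals takes (expected, actual); keeping that order makes a mismatch
    // report the computed hash as the expectation instead of the other way round.
    String expectedStateHash = HashUtils.oidcHash(getIdTokenSignatureAlgorithm(), authzResponse.getState());
    Assert.assertEquals(expectedStateHash, idToken.getStateHash());
    // Validate if token_type is null
    Assert.assertNull(authzResponse.getTokenType());
    // Validate if expires_in is null
    Assert.assertNull(authzResponse.getExpiresIn());
    // IDToken exchanged for the code
    IDToken idToken2 = sendTokenRequestAndGetIDToken(loginEvent);
    return Arrays.asList(idToken, idToken2);
}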

Example 35 with IDToken

Use of org.keycloak.representations.IDToken in the keycloak project (by keycloak).

From class KcOidcBrokerNonceParameterTest, method loginUser.

/**
 * Logs the broker test user in through the identity provider with a {@code nonce} set on
 * the consumer-side request, exchanges the returned code, and checks that the nonce is
 * echoed back in the ID token.
 */
@Override
protected void loginUser() {
    final String expectedNonce = "123456";
    updateExecutions(AbstractBrokerTest::disableUpdateProfileOnFirstLogin);
    oauth.realm(bc.consumerRealmName());
    oauth.clientId("consumer-client");
    oauth.nonce(expectedNonce);
    OAuthClient.AuthorizationEndpointResponse authzResponse =
            oauth.doLoginSocial(bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword());
    // Exchange the code, then confirm the nonce survived the brokered login.
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authzResponse.getCode(), null);
    IDToken idToken = toIdToken(tokenResponse.getIdToken());
    Assert.assertEquals(expectedNonce, idToken.getNonce());
}
