
Example 61 with RefreshToken

use of org.keycloak.representations.RefreshToken in project keycloak by keycloak.

the class HoKTest method refreshTokenRequestByRefreshTokenWithoutClientCertificate.

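/**
 * A certificate-bound (holder-of-key) refresh token must not be redeemable over a
 * TLS connection that presents no client certificate.
 *
 * <p>The test first obtains a token pair through the normal login / code exchange and
 * checks that the pair looks healthy, then replays the refresh token from a client that
 * has no key store and expects the token endpoint to answer {@code 401 unauthorized_client}.
 *
 * @throws Exception on any I/O or parsing failure; the method is a JUnit test, so a checked
 *     exception is reported as an error rather than wrapped in a {@link RuntimeException}
 */
@Test
public void refreshTokenRequestByRefreshTokenWithoutClientCertificate() throws Exception {
    // Arrange: log in and exchange the code for a certificate-bound token pair.
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    verifyHoKTokenDefaultCertThumbPrint(tokenResponse);

    // Sanity-check the issued tokens before attempting to misuse the refresh token.
    AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
    String refreshTokenString = tokenResponse.getRefreshToken();
    // Check for null before parsing so a missing refresh token fails with a clear assertion, not an NPE.
    Assert.assertNotNull(refreshTokenString);
    RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
    assertEquals("Bearer", tokenResponse.getTokenType());
    // Expected lifetimes: access token within 200-350 s, refresh token about 1800 s (+/- allowed clock skew).
    Assert.assertThat(token.getExpiration() - getCurrentTime(), allOf(greaterThanOrEqualTo(200), lessThanOrEqualTo(350)));
    int refreshTokenLifetime = refreshToken.getExpiration() - getCurrentTime();
    Assert.assertThat(refreshTokenLifetime, allOf(greaterThanOrEqualTo(1799 - RefreshTokenTest.ALLOWED_CLOCK_SKEW), lessThanOrEqualTo(1800 + RefreshTokenTest.ALLOWED_CLOCK_SKEW)));
    assertEquals(sessionId, refreshToken.getSessionState());

    // Act: replay the refresh token from a client that presents no certificate at all.
    setTimeOffset(2);
    AccessTokenResponse response;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) {
        response = oauth.doRefreshTokenRequest(refreshTokenString, "password", client);
    }

    // Assert: the server must refuse a cert-bound refresh token when the binding cannot be verified.
    assertEquals(401, response.getStatusCode());
    assertEquals(OAuthErrorException.UNAUTHORIZED_CLIENT, response.getError());
    assertEquals("Client certificate missing, or its thumbprint and one in the refresh token did NOT match", response.getErrorDescription());
}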
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) RefreshToken(org.keycloak.representations.RefreshToken) AccessToken(org.keycloak.representations.AccessToken) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) IOException(java.io.IOException) AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse) RefreshTokenTest(org.keycloak.testsuite.oauth.RefreshTokenTest) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 62 with RefreshToken

use of org.keycloak.representations.RefreshToken in project keycloak by keycloak.

the class HoKTest method verifyHoKTokenCertThumbPrint.

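/**
 * Asserts that the access token (and optionally the refresh token) in {@code response}
 * carries a certificate-confirmation claim whose thumbprint equals {@code certThumbPrint}.
 *
 * <p>A token that is not certificate-bound at all (no {@code cnf} claim) fails with an
 * explicit assertion instead of a {@link NullPointerException}, which makes a missing
 * binding distinguishable from a wrong one in the test report.
 *
 * @param response token response whose tokens are inspected
 * @param certThumbPrint thumbprint the tokens are expected to be bound to
 * @param checkRefreshToken whether the refresh token must be bound as well
 */
private void verifyHoKTokenCertThumbPrint(AccessTokenResponse response, String certThumbPrint, boolean checkRefreshToken) {
    AccessToken at = readTokenPayload(response.getAccessToken(), AccessToken.class);
    Assert.assertNotNull("access token is not certificate-bound (no cnf claim)", at.getCertConf());
    assertThumbprintEquals(certThumbPrint, at.getCertConf().getCertThumbprint());
    if (checkRefreshToken) {
        RefreshToken rt = readTokenPayload(response.getRefreshToken(), RefreshToken.class);
        Assert.assertNotNull("refresh token is not certificate-bound (no cnf claim)", rt.getCertConf());
        assertThumbprintEquals(certThumbPrint, rt.getCertConf().getCertThumbprint());
    }
}

/**
 * Parses the JSON payload of a compact JWS without verifying its signature; this is a
 * test helper that only inspects claims, so signature verification is out of scope here.
 *
 * @param encoded compact-serialised JWS
 * @param type class to deserialise the payload into
 * @return the deserialised payload
 * @throws AssertionError if the input cannot be parsed; the cause is preserved
 */
private static <T> T readTokenPayload(String encoded, Class<T> type) {
    try {
        return new JWSInput(encoded).readJsonContent(type);
    } catch (JWSInputException e) {
        throw new AssertionError("could not parse token as " + type.getSimpleName() + ": " + e, e);
    }
}

/**
 * Compares two thumbprints with a length-independent timing-safe comparison.
 * The bytes are taken as UTF-8 explicitly rather than via the platform default charset.
 *
 * @param expected thumbprint the token is expected to be bound to
 * @param actual thumbprint found in the token's cnf claim
 */
private static void assertThumbprintEquals(String expected, String actual) {
    byte[] expectedBytes = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] actualBytes = actual.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    assertTrue("certificate thumbprint in token does not match the expected thumbprint",
            MessageDigest.isEqual(expectedBytes, actualBytes));
}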
Also used : RefreshToken(org.keycloak.representations.RefreshToken) AccessToken(org.keycloak.representations.AccessToken) JWSInputException(org.keycloak.jose.jws.JWSInputException) JWSInput(org.keycloak.jose.jws.JWSInput)

Example 63 with RefreshToken

use of org.keycloak.representations.RefreshToken in project keycloak by keycloak.

the class HoKTest method testIntrospectHoKAccessToken.

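/**
 * Introspection of a certificate-bound access token must report the same certificate
 * thumbprint that is embedded in the access token, in the refresh token and in the
 * client certificate the tokens were issued to, so that a resource server can enforce
 * the binding on its own connection.
 *
 * @throws Exception on any I/O or parsing failure; the method is a JUnit test, so a checked
 *     exception is reported as an error rather than wrapped in a {@link RuntimeException}
 */
@Test
public void testIntrospectHoKAccessToken() throws Exception {
    // Client side: log in and exchange the code over mutual TLS with the default client certificate.
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    AccessTokenResponse accessTokenResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, "password", client);
    }

    // Resource-server side: introspect the access token over a connection without any client certificate.
    String introspectionResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) {
        introspectionResponse = oauth.introspectTokenWithClientCredential("confidential-cli", "secret1", "access_token", accessTokenResponse.getAccessToken(), client);
    }
    TokenMetadataRepresentation rep = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class);

    // Collect the thumbprint from every place it should appear; fail clearly if any token lacks the cnf claim.
    AccessToken at = new JWSInput(accessTokenResponse.getAccessToken()).readJsonContent(AccessToken.class);
    RefreshToken rt = new JWSInput(accessTokenResponse.getRefreshToken()).readJsonContent(RefreshToken.class);
    Assert.assertNotNull("access token is not certificate-bound (no cnf claim)", at.getCertConf());
    Assert.assertNotNull("refresh token is not certificate-bound (no cnf claim)", rt.getCertConf());
    Assert.assertNotNull("introspection response carries no cnf claim", rep.getCertConf());
    String certThumbprintFromAccessToken = at.getCertConf().getCertThumbprint();
    String certThumbprintFromRefreshToken = rt.getCertConf().getCertThumbprint();
    String certThumbprintFromTokenIntrospection = rep.getCertConf().getCertThumbprint();
    String certThumbprintFromBoundClientCertificate = MutualTLSUtils.getThumbprintFromDefaultClientCert();

    assertTrue(rep.isActive());
    assertEquals("test-user@localhost", rep.getUserName());
    assertEquals("test-app", rep.getClientId());
    assertEquals(loginEvent.getUserId(), rep.getSubject());
    // All four thumbprints must agree; the chain of equalities pins them to the real client certificate.
    assertEquals(certThumbprintFromTokenIntrospection, certThumbprintFromBoundClientCertificate);
    assertEquals(certThumbprintFromBoundClientCertificate, certThumbprintFromAccessToken);
    assertEquals(certThumbprintFromAccessToken, certThumbprintFromRefreshToken);
}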
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) TokenMetadataRepresentation(org.keycloak.representations.oidc.TokenMetadataRepresentation) RefreshToken(org.keycloak.representations.RefreshToken) AccessToken(org.keycloak.representations.AccessToken) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) IOException(java.io.IOException) JWSInput(org.keycloak.jose.jws.JWSInput) AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse) RefreshTokenTest(org.keycloak.testsuite.oauth.RefreshTokenTest) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 64 with RefreshToken

use of org.keycloak.representations.RefreshToken in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method checkTokenRefresh.

/**
 * Enforces holder-of-key binding on a refresh-token grant: the refresh token presented in
 * the request must be bound to the client certificate on the current connection.
 *
 * <p>A token that cannot be decoded as a {@link RefreshToken} is deliberately ignored by
 * this executor (presumably rejected elsewhere in the token endpoint; not visible here).
 *
 * @param context the token-refresh request context; its form parameters are read
 * @param request the current HTTP request, used to obtain the client certificate
 * @throws ClientPolicyException with {@code invalid_grant} / 400 when the token is not
 *     bound to the presented certificate
 */
private void checkTokenRefresh(TokenRefreshContext context, HttpRequest request) throws ClientPolicyException {
    String encodedRefreshToken = context.getParams().getFirst(OAuth2Constants.REFRESH_TOKEN);
    RefreshToken presentedToken = session.tokens().decode(encodedRefreshToken, RefreshToken.class);
    if (presentedToken != null) {
        // Only a decodable refresh token is checked; the undecodable case is not this executor's concern.
        boolean boundToConnectionCert = MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(presentedToken, request, session);
        if (!boundToConnectionCert) {
            throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.BAD_REQUEST);
        }
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 65 with RefreshToken

use of org.keycloak.representations.RefreshToken in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method checkTokenRevoke.

/**
 * Enforces holder-of-key binding on a token-revocation request: the {@code token} form
 * parameter, when it decodes as a {@link RefreshToken}, must be bound to the client
 * certificate on the current connection.
 *
 * <p>NOTE(review): a revocation request may also carry an access token; what
 * {@code decode(..., RefreshToken.class)} returns for one is not visible here -- confirm.
 *
 * @param context the token-revocation request context; its form parameters are read
 * @param request the current HTTP request, used to obtain the client certificate
 * @throws ClientPolicyException with {@code not_allowed} / 401 when the token is not
 *     bound to the presented certificate
 */
private void checkTokenRevoke(TokenRevokeContext context, HttpRequest request) throws ClientPolicyException {
    String encodedToken = context.getParams().getFirst("token");
    RefreshToken presentedToken = session.tokens().decode(encodedToken, RefreshToken.class);
    if (presentedToken == null) {
        // Not decodable as a refresh token: out of scope for this executor.
        return;
    }
    if (MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(presentedToken, request, session)) {
        return;
    }
    throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)
