Example 66 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class UserInfoTest method testSuccessSignedResponse.

@Test
public void testSuccessSignedResponse() throws Exception {
    // Require signed userInfo responses for the client: Keycloak then returns the claims
    // as a JWS (Content-Type application/jwt) instead of a plain JSON object.
    ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
    ClientRepresentation clientRep = clientResource.toRepresentation();
    OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(Algorithm.RS256);
    clientResource.update(clientRep);
    // test signed response
    Client client = AdminClientUtil.createResteasyClient();
    try {
        AccessTokenResponse accessTokenResponse = executeGrantAccessTokenRequest(client);
        Response response = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, accessTokenResponse.getToken());
        // The USER_INFO_REQUEST event records that a signature was required and which algorithm signed it.
        events.expect(EventType.USER_INFO_REQUEST)
                .session(Matchers.notNullValue(String.class))
                .detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN)
                .detail(Details.USERNAME, "test-user@localhost")
                .detail(Details.SIGNATURE_REQUIRED, "true")
                .detail(Details.SIGNATURE_ALGORITHM, Algorithm.RS256.toString())
                .assertEvent();
        // Check signature and content. The test reads the realm's active signing key through the admin API;
        // a real relying party takes the key from the realm's JWKS endpoint and selects it by the "kid"
        // in the JWS header.
        PublicKey publicKey = PemUtils.decodePublicKey(ApiUtil.findActiveSigningKey(adminClient.realm("test")).getPublicKey());
        Assert.assertEquals(200, response.getStatus());
        // assertEquals(expected, actual): the original had the arguments reversed, which only garbles the failure message
        Assert.assertEquals(MediaType.APPLICATION_JWT, response.getHeaderString(HttpHeaders.CONTENT_TYPE));
        String signedResponse = response.readEntity(String.class);
        response.close();
        JWSInput jwsInput = new JWSInput(signedResponse);
        // Verify the RS256 signature before trusting any claim in the payload.
        Assert.assertTrue(RSAProvider.verify(jwsInput, publicKey));
        UserInfo userInfo = JsonSerialization.readValue(jwsInput.getContent(), UserInfo.class);
        Assert.assertNotNull(userInfo);
        Assert.assertNotNull(userInfo.getSubject());
        Assert.assertEquals("test-user@localhost", userInfo.getEmail());
        Assert.assertEquals("test-user@localhost", userInfo.getPreferredUsername());
        // A signed userInfo response also carries iss and aud (OIDC Core 5.3.2), so the relying party
        // can bind the claims to the issuer and to its own client_id.
        Assert.assertTrue(userInfo.hasAudience("test-app"));
        String expectedIssuer = Urls.realmIssuer(new URI(AUTH_SERVER_ROOT), "test");
        Assert.assertEquals(expectedIssuer, userInfo.getIssuer());
    } finally {
        client.close();
    }
    // Revert signed userInfo request so later tests get plain JSON responses again
    OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(null);
    clientResource.update(clientRep);
}
Also used : AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) PublicKey(java.security.PublicKey) ClientResource(org.keycloak.admin.client.resource.ClientResource) UserInfo(org.keycloak.representations.UserInfo) JWSInput(org.keycloak.jose.jws.JWSInput) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) URI(java.net.URI) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)
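The test above checks only the signature and a handful of claims from the server side. What a relying party has to do with an application/jwt userinfo body is a little more than that: pin the expected algorithm before trusting the header, select the key by kid, verify the signature, and only then compare iss, aud and sub (the sub must equal the one in the ID Token). The following is an added example written for this page, not code from the Keycloak test suite; it uses Keycloak's JOSE and representation classes, and the issuer URL, kid, subject and the `Expectations` holder type are constructed for the demonstration. A locally generated RSA key stands in for the realm's active signing key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;

import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.UserInfo;
import org.keycloak.util.JsonSerialization;

/** Relying-party verification of a signed UserInfo response. Example code, not Keycloak's own RP logic. */
public class SignedUserInfoVerifier {

    /** What the RP already knows before it reads the response (hypothetical holder type). */
    public static final class Expectations {
        final PublicKey key;      // key fetched from the issuer's JWKS for this kid
        final String kid;         // kid the RP selected from the JWKS
        final String issuer;      // realm issuer URL from discovery
        final String clientId;    // this RP's client_id
        final String idTokenSub;  // sub of the ID Token issued together with the access token

        public Expectations(PublicKey key, String kid, String issuer, String clientId, String idTokenSub) {
            this.key = key; this.kid = kid; this.issuer = issuer; this.clientId = clientId; this.idTokenSub = idTokenSub;
        }
    }

    public static UserInfo verify(String compactJws, Expectations exp) throws Exception {
        JWSInput jws = new JWSInput(compactJws); // throws JWSInputException on malformed input

        // 1. Pin the algorithm. The token's own header must not choose the verifier, otherwise
        //    "none" or an HMAC alg keyed with the public key would get through.
        if (jws.getHeader().getAlgorithm() != Algorithm.RS256) {
            throw new SecurityException("unexpected alg: " + jws.getHeader().getAlgorithm());
        }
        // 2. Key selection by kid, against the key cached from the JWKS.
        if (!exp.kid.equals(jws.getHeader().getKeyId())) {
            throw new SecurityException("unknown kid: " + jws.getHeader().getKeyId());
        }
        // 3. Signature check before any claim is read.
        if (!RSAProvider.verify(jws, exp.key)) {
            throw new SecurityException("signature verification failed");
        }
        UserInfo info = JsonSerialization.readValue(jws.getContent(), UserInfo.class);
        // 4. Claim checks from OIDC Core 5.3.2 / 5.3.4: iss, aud, and sub equal to the ID Token's sub.
        if (!exp.issuer.equals(info.getIssuer())) {
            throw new SecurityException("issuer mismatch: " + info.getIssuer());
        }
        if (!info.hasAudience(exp.clientId)) {
            throw new SecurityException("audience does not contain " + exp.clientId);
        }
        if (!exp.idTokenSub.equals(info.getSubject())) {
            throw new SecurityException("sub does not match the ID Token");
        }
        return info;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fresh local RSA key plays the realm's active signing key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String issuer = "https://idp.example.test/realms/test";   // assumed issuer URL
        String sub = "f1e2d3c4-0000-4000-8000-000000000001";      // constructed subject id

        UserInfo claims = new UserInfo();
        claims.setSubject(sub);
        claims.setIssuer(issuer);
        claims.audience("test-app");
        claims.setEmail("test-user@localhost");
        claims.setPreferredUsername("test-user@localhost");
        String jwt = new JWSBuilder().kid("key-1").type("JWT").jsonContent(claims).rsa256(kp.getPrivate());

        Expectations exp = new Expectations(kp.getPublic(), "key-1", issuer, "test-app", sub);
        System.out.println("valid response accepted, email=" + verify(jwt, exp).getEmail());

        // Tampered payload under the original signature: rewrite the claims, keep header and signature.
        String[] parts = jwt.split("\\.");
        String forgedPayload = Base64.getUrlEncoder().withoutPadding().encodeToString(
                new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8)
                        .replace("test-user@localhost", "admin@localhost").getBytes(StandardCharsets.UTF_8));
        expectRejected(parts[0] + "." + forgedPayload + "." + parts[2], exp, "tampered payload");

        // Unsigned token (alg=none) is rejected at step 1, before any key is consulted.
        expectRejected(new JWSBuilder().type("JWT").jsonContent(claims).none(), exp, "alg=none");
    }

    static void expectRejected(String jws, Expectations exp, String label) throws Exception {
        try {
            verify(jws, exp);
            throw new AssertionError(label + " was accepted");
        } catch (SecurityException e) {
            System.out.println(label + " rejected: " + e.getMessage());
        }
    }
}
```

The order of the checks is the point: algorithm and key are fixed by what the RP already knows, the signature is verified on the raw JWS, and the payload is parsed only after that. Comparing sub with the ID Token closes the gap where a valid signed userinfo body for a different user would otherwise be accepted.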

Example 67 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ArtifactBindingTest method testImportClientMultipleServicesWithDefault.

@Test
public void testImportClientMultipleServicesWithDefault() {
    // SP metadata with several ArtifactResolutionService entries, one of them flagged isDefault="true"
    Document doc = IOUtil.loadXML(ArtifactBindingTest.class.getResourceAsStream("/saml/sp-metadata-artifact-multiple-default.xml"));
    ClientRepresentation clientRep = adminClient.realm(REALM_NAME).convertClientDescription(IOUtil.documentToString(doc));
    // The default entry (soap-9) wins over the lower-indexed ones
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE), is("https://test.keycloak.com/auth/login/epd/callback/soap-9"));
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE), Matchers.startsWith("https://test.keycloak.com/auth/login/epd/callback/http-artifact"));
}
Also used : Document(org.w3c.dom.Document) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 68 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ArtifactBindingTest method testImportClientArtifactResolutionSingleServices.

/**
 ********************** IMPORT CLIENT TESTS ***********************
 */
@Test
public void testImportClientArtifactResolutionSingleServices() {
    // SP metadata with exactly one ArtifactResolutionService and one HTTP-Artifact AssertionConsumerService
    Document doc = IOUtil.loadXML(ArtifactBindingTest.class.getResourceAsStream("/saml/sp-metadata-artifact-simple.xml"));
    // The importer maps the metadata endpoints onto the client's SAML attributes
    ClientRepresentation clientRep = adminClient.realm(REALM_NAME).convertClientDescription(IOUtil.documentToString(doc));
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE), is("https://test.keycloak.com/auth/login/epd/callback/soap"));
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE), is("https://test.keycloak.com/auth/login/epd/callback/http-artifact"));
}
Also used : Document(org.w3c.dom.Document) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 69 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ArtifactBindingTest method testImportClientMultipleServices.

@Test
public void testImportClientMultipleServices() {
    // Several ArtifactResolutionService entries, none flagged as default
    Document doc = IOUtil.loadXML(ArtifactBindingTest.class.getResourceAsStream("/saml/sp-metadata-artifact-multiple.xml"));
    ClientRepresentation clientRep = adminClient.realm(REALM_NAME).convertClientDescription(IOUtil.documentToString(doc));
    // Without a default, the first entry (soap-1) is selected
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE), is("https://test.keycloak.com/auth/login/epd/callback/soap-1"));
    assertThat(clientRep.getAttributes().get(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE), Matchers.startsWith("https://test.keycloak.com/auth/login/epd/callback/http-artifact"));
}
Also used : Document(org.w3c.dom.Document) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)
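Examples 67 to 69 exercise the endpoint selection that an IdP performs when it imports SP metadata: which ArtifactResolutionService to call back and which AssertionConsumerService accepts the HTTP-Artifact binding. The block below is an added example for this page, not Keycloak's convertClientDescription; it parses a constructed metadata document with a DOM parser that has DTDs and external entities disabled (SP metadata is attacker-supplied XML, so XXE is the first thing to rule out), applies the selection rule "isDefault wins, otherwise the lowest index" (an assumption about common SAML practice, not a claim about Keycloak's exact rule), and refuses non-TLS Locations. The entity ID and URLs are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Extracts the artifact-binding endpoints from SP metadata. Example code, not Keycloak's importer. */
public class SpMetadataArtifactEndpoints {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";
    static final String HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact";

    /** DOM parser with DOCTYPE, external entities and XInclude disabled. */
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(String metadataXml) throws Exception {
        return hardenedParser().parse(new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)));
    }

    /** ArtifactResolutionService the IdP will call back over SOAP. */
    public static String artifactResolutionServiceUrl(Document doc) {
        return location(pick(doc.getElementsByTagNameNS(MD_NS, "ArtifactResolutionService"), SOAP));
    }

    /** AssertionConsumerService that accepts the HTTP-Artifact binding. */
    public static String artifactAssertionConsumerUrl(Document doc) {
        return location(pick(doc.getElementsByTagNameNS(MD_NS, "AssertionConsumerService"), HTTP_ARTIFACT));
    }

    // Selection rule (assumed, see lead-in): among endpoints of the wanted binding, one flagged
    // isDefault="true" is taken immediately; otherwise the one with the lowest index.
    static Element pick(NodeList endpoints, String binding) {
        Element best = null;
        int bestIndex = Integer.MAX_VALUE;
        for (int i = 0; i < endpoints.getLength(); i++) {
            Element e = (Element) endpoints.item(i);
            if (!binding.equals(e.getAttribute("Binding"))) continue;
            if ("true".equals(e.getAttribute("isDefault"))) return e;
            String index = e.getAttribute("index");
            int idx = index.isEmpty() ? Integer.MAX_VALUE : Integer.parseInt(index);
            if (idx < bestIndex) { best = e; bestIndex = idx; }
        }
        return best;
    }

    // Only https Locations are accepted: the artifact and the assertion travel over this channel,
    // and a plain-http URL in imported metadata would silently downgrade it.
    static String location(Element endpoint) {
        if (endpoint == null) return null;
        String loc = endpoint.getAttribute("Location");
        if (!loc.startsWith("https://")) throw new IllegalArgumentException("refusing non-TLS endpoint: " + loc);
        return loc;
    }

    // Constructed sample metadata: two ARS entries where the default is not the first, and two ACS entries
    // where only the non-default one uses the HTTP-Artifact binding.
    static final String SAMPLE = String.join("\n",
        "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" entityID=\"https://sp.example.test/saml\">",
        "  <md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">",
        "    <md:ArtifactResolutionService Binding=\"" + SOAP + "\" Location=\"https://sp.example.test/saml/soap-1\" index=\"1\"/>",
        "    <md:ArtifactResolutionService Binding=\"" + SOAP + "\" Location=\"https://sp.example.test/saml/soap-9\" index=\"9\" isDefault=\"true\"/>",
        "    <md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://sp.example.test/saml/post\" index=\"0\" isDefault=\"true\"/>",
        "    <md:AssertionConsumerService Binding=\"" + HTTP_ARTIFACT + "\" Location=\"https://sp.example.test/saml/http-artifact\" index=\"1\"/>",
        "  </md:SPSSODescriptor>",
        "</md:EntityDescriptor>");

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);
        System.out.println("ArtifactResolutionService: " + artifactResolutionServiceUrl(doc));
        System.out.println("AssertionConsumerService (HTTP-Artifact): " + artifactAssertionConsumerUrl(doc));
        // A DOCTYPE in the metadata (the usual XXE vector) is rejected before any entity is resolved.
        try {
            parse("<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>" + SAMPLE);
            throw new AssertionError("DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

On the sample document the default ArtifactResolutionService (index 9) is chosen over the lower-indexed one, which is the same shape as the soap-9 versus soap-1 expectations in the tests above, and the HTTP-POST consumer is skipped even though it is the SP's default because the binding does not match.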

Example 70 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ArtifactBindingTest method testSessionStateDuringArtifactBindingLogoutWithOneClient.

// Won't work with openshift, because openshift wouldn't see ArtifactResolutionService
@AuthServerContainerExclude(AuthServerContainerExclude.AuthServer.REMOTE)
@Test
public void testSessionStateDuringArtifactBindingLogoutWithOneClient() {
    ClientRepresentation salesRep = adminClient.realm(REALM_NAME).clients().findByClientId(SAML_CLIENT_ID_SALES_POST).get(0);
    final String clientId = salesRep.getId();
    // Switch the client to the artifact binding with front-channel logout for this test only;
    // the registered cleanup restores the original client attributes afterwards.
    getCleanup().addCleanup(ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
            .setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true")
            .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "http://url")
            .setFrontchannelLogout(true)
            .update());
    AtomicReference<String> userSessionId = new AtomicReference<>();
    SAMLDocumentHolder response = new SamlClientBuilder()
            // 1. SP-initiated login over the POST binding
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
            .login().user(bburkeUser).build()
            // 2. Resolve the login artifact. Before the ArtifactResolve call the user session must be
            //    LOGGED_IN and have a client session for this client; its id is stored for the later checks.
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
                .setBeforeStepChecks(new SessionStateChecker(testingClient.server())
                    .storeUserSessionId(userSessionId)
                    .expectedState(UserSessionModel.State.LOGGED_IN)
                    .expectedClientSession(clientId)
                    .consumeUserSession(userSessionModel -> assertThat(userSessionModel, notNullValue()))
                    .consumeClientSession(clientId, userSessionModel -> assertThat(userSessionModel, notNullValue())))
                .build()
            // 3. SP-initiated logout over the POST binding
            .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, POST).build()
            // 4. Resolve the logout artifact. While the artifact is outstanding the user session is
            //    LOGGED_OUT_UNCONFIRMED with the single client session in LOGGING_OUT; once the
            //    ArtifactResponse has been delivered the user session must be gone.
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
                .setBeforeStepChecks(new SessionStateChecker(testingClient.server())
                    .expectedUserSession(userSessionId)
                    .expectedState(UserSessionModel.State.LOGGED_OUT_UNCONFIRMED)
                    .expectedNumberOfClientSessions(1)
                    .expectedAction(clientId, CommonClientSessionModel.Action.LOGGING_OUT))
                .setAfterStepChecks(new SessionStateChecker(testingClient.server())
                    .consumeUserSession(userSessionModel -> assertThat(userSessionModel, nullValue()))
                    .setUserSessionProvider(session -> userSessionId.get()))
                .build()
            .doNotFollowRedirects()
            .executeAndTransform(this::getArtifactResponse);
    // The resolved message is an ArtifactResponse wrapping a plain LogoutResponse (a StatusResponseType),
    // not an authentication Response, and with this configuration the outer envelope is unsigned.
    assertThat(response.getSamlObject(), instanceOf(ArtifactResponseType.class));
    ArtifactResponseType artifactResponse = (ArtifactResponseType) response.getSamlObject();
    assertThat(artifactResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(artifactResponse.getSignature(), nullValue());
    assertThat(artifactResponse.getAny(), not(instanceOf(ResponseType.class)));
    assertThat(artifactResponse.getAny(), not(instanceOf(ArtifactResponseType.class)));
    assertThat(artifactResponse.getAny(), not(instanceOf(NameIDMappingResponseType.class)));
    assertThat(artifactResponse.getAny(), instanceOf(StatusResponseType.class));
    StatusResponseType samlResponse = (StatusResponseType) artifactResponse.getAny();
    assertThat(samlResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
Also used : SamlProtocolUtils(org.keycloak.protocol.saml.SamlProtocolUtils) AssertionUtil(org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil) ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater) Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC) URISyntaxException(java.net.URISyntaxException) Matchers.not(org.hamcrest.Matchers.not) ARTIFACT_RESPONSE(org.keycloak.testsuite.util.SamlClient.Binding.ARTIFACT_RESPONSE) POST(org.keycloak.testsuite.util.SamlClient.Binding.POST) SAML2LogoutResponseBuilder(org.keycloak.saml.SAML2LogoutResponseBuilder) Matchers.isSamlLogoutRequest(org.keycloak.testsuite.util.Matchers.isSamlLogoutRequest) HandleArtifactStepBuilder(org.keycloak.testsuite.util.saml.HandleArtifactStepBuilder) EntityUtils(org.apache.http.util.EntityUtils) InfinispanTestTimeServiceRule(org.keycloak.testsuite.util.InfinispanTestTimeServiceRule) SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) Matcher(java.util.regex.Matcher) ByteArrayInputStream(java.io.ByteArrayInputStream) Document(org.w3c.dom.Document) NameIDMappingResponseType(org.keycloak.dom.saml.v2.protocol.NameIDMappingResponseType) Matchers.nullValue(org.hamcrest.Matchers.nullValue) SamlClient(org.keycloak.testsuite.util.SamlClient) SamlUtils(org.keycloak.testsuite.util.SamlUtils) URI(java.net.URI) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Awaitility.await(org.awaitility.Awaitility.await) Matchers.isSamlResponse(org.keycloak.testsuite.util.Matchers.isSamlResponse) Matchers.notNullValue(org.hamcrest.Matchers.notNullValue) ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType) SamlProtocol(org.keycloak.protocol.saml.SamlProtocol) RealmAttributeUpdater(org.keycloak.testsuite.updaters.RealmAttributeUpdater) IOUtil(org.keycloak.testsuite.utils.io.IOUtil) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Matchers.instanceOf(org.hamcrest.Matchers.instanceOf) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) Base64(java.util.Base64) Response(javax.ws.rs.core.Response) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Matchers.equalTo(org.hamcrest.Matchers.equalTo) Matchers.isSamlStatusResponse(org.keycloak.testsuite.util.Matchers.isSamlStatusResponse) SamlMessageReceiver(org.keycloak.testsuite.util.saml.SamlMessageReceiver) Matchers.is(org.hamcrest.Matchers.is) Pattern(java.util.regex.Pattern) Matchers.containsString(org.hamcrest.Matchers.containsString) SamlUtils.getSPInstallationDescriptor(org.keycloak.testsuite.util.SamlUtils.getSPInstallationDescriptor) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SAMLParser(org.keycloak.saml.processing.core.parsers.saml.SAMLParser) DOMSource(javax.xml.transform.dom.DOMSource) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) MessageDigest(java.security.MessageDigest) GeneralConstants(org.keycloak.saml.common.constants.GeneralConstants) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) SamlConfigAttributes(org.keycloak.protocol.saml.SamlConfigAttributes) Matchers.bodyHC(org.keycloak.testsuite.util.Matchers.bodyHC) AtomicReference(java.util.concurrent.atomic.AtomicReference) ArtifactBindingUtils(org.keycloak.protocol.saml.util.ArtifactBindingUtils) REDIRECT(org.keycloak.testsuite.util.SamlClient.Binding.REDIRECT) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) CommonClientSessionModel(org.keycloak.sessions.CommonClientSessionModel) Soap(org.keycloak.protocol.saml.profile.util.Soap) Charsets(com.google.common.base.Charsets) SPSSODescriptorType(org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Matchers(org.hamcrest.Matchers) Test(org.junit.Test) IOException(java.io.IOException) UserSessionModel(org.keycloak.models.UserSessionModel) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) TimeUnit(java.util.concurrent.TimeUnit) Rule(org.junit.Rule) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) SessionStateChecker(org.keycloak.testsuite.util.saml.SessionStateChecker) LogoutRequestType(org.keycloak.dom.saml.v2.protocol.LogoutRequestType) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) AtomicReference(java.util.concurrent.atomic.AtomicReference) ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Matchers.containsString(org.hamcrest.Matchers.containsString) SessionStateChecker(org.keycloak.testsuite.util.saml.SessionStateChecker) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Aggregations

ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)576 Test (org.junit.Test)359 ClientResource (org.keycloak.admin.client.resource.ClientResource)189 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)139 OAuthClient (org.keycloak.testsuite.util.OAuthClient)101 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)61 Response (javax.ws.rs.core.Response)59 Matchers.containsString (org.hamcrest.Matchers.containsString)58 RealmResource (org.keycloak.admin.client.resource.RealmResource)58 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)58 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)53 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)43 AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)41 ClientsResource (org.keycloak.admin.client.resource.ClientsResource)38 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)38 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)37 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)37 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)37 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)37 HashMap (java.util.HashMap)33