use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class AbstractClientRegistrationTest method createClient.
public ClientRepresentation createClient(ClientRepresentation client) throws ClientRegistrationException {
authManageClients();
ClientRepresentation response = reg.create(client);
reg.auth(null);
return response;
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testBadBindingMessage.
// Corresponds to the test fapi-ciba-id1-ensure-authorization-request-with-potentially-bad-binding-message from the FAPI CIBA conformance testsuite
@Test
public void testBadBindingMessage() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-schwarz";
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
// Binding message with non plain-text characters
String bindingMessage = "1234 \uD83D\uDC4D\uD83C\uDFFF 品川 Lor";
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
assertThat(response.getStatusCode(), is(equalTo(400)));
assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
// Long binding message
bindingMessage = "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud.";
response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
assertThat(response.getStatusCode(), is(equalTo(400)));
assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
// Empty binding message
bindingMessage = "";
response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
assertThat(response.getStatusCode(), is(equalTo(400)));
assertThat(response.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
// Valid binding message
bindingMessage = "Lorem_ipsum";
response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
assertThat(response.getStatusCode(), is(equalTo(200)));
assertThat(response.getError(), is(nullValue()));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testAttackerClientUseAuthReqIdInCallbackEndpoint.
// This tests that client should *not* be allowed to do whole CIBA flow by himself without any interaction from the user
@Test
public void testAttackerClientUseAuthReqIdInCallbackEndpoint() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
final String bindingMessage = "BASTION";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
// client sends Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
// This request should not ever pass. Client should not be allowed to send the successfull "approve" request to the BackchannelAuthenticationCallbackEndpoint
// with using the "authReqId" as a bearer token
int statusCode = oauth.doAuthenticationChannelCallback(response.getAuthReqId(), SUCCEED);
assertThat(statusCode, is(equalTo(403)));
// client sends TokenRequest - This should not pass and should return 400
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING)));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testDuplicatedTokenRequestWithSameAuthReqId.
@Test
public void testDuplicatedTokenRequestWithSameAuthReqId() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-gelb";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
assertThat(clientResource, notNullValue());
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "kciwje86");
// user Authentication Channel Request
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("kciwje86");
// user Authentication Channel completed
doAuthenticationChannelCallback(authenticationChannelReq);
// user Token Request
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
// duplicate user Token Request
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testCibaGrantDeactivated.
@Test
public void testCibaGrantDeactivated() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
// prepare CIBA settings with ciba grant deactivated
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
assertThat(clientResource, notNullValue());
clientRep = clientResource.toRepresentation();
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, null);
attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.RS256);
clientRep.setAttributes(attributes);
clientResource.update(clientRep);
// clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
clientRep = clientResource.toRepresentation();
Assert.assertNull(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED));
Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is(Algorithm.RS256));
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "gilwekDe3", "acr2");
assertThat(response.getStatusCode(), is(equalTo(401)));
assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT));
assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
// activate ciba grant
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
assertThat(clientResource, notNullValue());
clientRep = clientResource.toRepresentation();
attributes = clientRep.getAttributes();
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.ES256);
clientRep.setAttributes(attributes);
clientResource.update(clientRep);
clientRep = clientResource.toRepresentation();
Assert.assertThat(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED), is(Boolean.TRUE.toString()));
Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is(Algorithm.ES256));
// user Backchannel Authentication Request
response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "Fkb4T3s");
// user Authentication Channel Request
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("Fkb4T3s");
// user Authentication Channel completed
doAuthenticationChannelCallback(authenticationChannelReq);
// deactivate ciba grant
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
assertThat(clientResource, notNullValue());
clientRep = clientResource.toRepresentation();
attributes = clientRep.getAttributes();
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.FALSE.toString());
attributes.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, "none");
clientRep.setAttributes(attributes);
clientResource.update(clientRep);
clientRep = clientResource.toRepresentation();
Assert.assertThat(clientRep.getAttributes().get(CibaConfig.OIDC_CIBA_GRANT_ENABLED), is(Boolean.FALSE.toString()));
Assert.assertThat(clientRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG), is("none"));
// user Token Request
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
Aggregations