use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
From the class DemoServletsAdapterTest, method testClientNotAuthenticatedInClientSecretJwtBySharedSecretOutOfSync.
@Test
public void testClientNotAuthenticatedInClientSecretJwtBySharedSecretOutOfSync() {
    // JWS Client Assertion in client_secret_jwt
    // http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
    //
    // Rotate the secret stored on the server side only. The adapter keeps signing its
    // client assertion with the old shared secret, so the token endpoint must refuse it
    // with invalid_client_credentials.
    final String clientId = "client-secret-jwt-secure-portal";
    final String expectedError = "invalid_client_credentials";

    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), clientId);
    ClientRepresentation updatedClient = clientResource.toRepresentation();
    updatedClient.setSecret("passwordChanged");
    clientResource.update(updatedClient);

    // NOTE(review): the rotated secret is not restored inside this method; presumably
    // the realm is reset between tests — confirm before relying on it elsewhere.
    expectResultOfClientNotAuthenticatedInClientSecretJwt(clientId, expectedError);
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
From the class AbstractServletPolicyEnforcerTest, method getClientResource.
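/**
 * Resolves the admin {@link ClientResource} for the client with the given {@code clientId}
 * in {@code REALM_NAME}.
 *
 * @param clientId the OAuth client id (not the internal UUID) to look up
 * @return the resource for the first client matching {@code clientId}
 * @throws IllegalStateException if no client with that id exists in the realm; the
 *     original {@code get(0)} surfaced this as a bare IndexOutOfBoundsException
 */
private ClientResource getClientResource(String clientId) {
    ClientsResource clients = this.realmsResouce().realm(REALM_NAME).clients();
    // findByClientId returns a list; a missing client must fail with a message naming it
    // rather than an index error from an empty list.
    ClientRepresentation resourceServer = clients.findByClientId(clientId).stream()
            .findFirst()
            .orElseThrow(() -> new IllegalStateException(
                    "No client with clientId '" + clientId + "' found in realm " + REALM_NAME));
    return clients.get(resourceServer.getId());
}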
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
From the class AbstractClientRegistrationTest, method createClient.
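/**
 * Registers {@code client} through the client-registration endpoint using the
 * manage-clients credential, then clears that credential from the shared
 * registration client.
 *
 * @param client the representation to register
 * @return the representation returned by the registration service
 * @throws ClientRegistrationException if the registration request fails
 */
public ClientRepresentation createClient(ClientRepresentation client) throws ClientRegistrationException {
    authManageClients();
    try {
        return reg.create(client);
    } finally {
        // Clear the credential even when create() throws; otherwise a failed registration
        // leaves the shared `reg` client still authenticated with manage-clients rights
        // for whatever test runs next.
        reg.auth(null);
    }
}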
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
From the class CIBATest, method testBadBindingMessage.
// Corresponds to the test fapi-ciba-id1-ensure-authorization-request-with-potentially-bad-binding-message from the FAPI CIBA conformance testsuite
@Test
public void testBadBindingMessage() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-schwarz";
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);

        // Every one of these must be refused with invalid_binding_message, in this order:
        // non plain-text characters, an over-long message, and an empty message.
        final String[] rejectedBindingMessages = {
            "1234 \uD83D\uDC4D\uD83C\uDFFF 品川 Lor",
            "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud.",
            ""
        };
        for (String bindingMessage : rejectedBindingMessages) {
            AuthenticationRequestAcknowledgement rejected = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null);
            assertThat(rejected.getStatusCode(), is(equalTo(400)));
            assertThat(rejected.getError(), is(OAuthErrorException.INVALID_BINDING_MESSAGE));
        }

        // A short plain-text binding message is accepted.
        AuthenticationRequestAcknowledgement accepted = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "Lorem_ipsum", null);
        assertThat(accepted.getStatusCode(), is(equalTo(200)));
        assertThat(accepted.getError(), is(nullValue()));
    } finally {
        // Always restore the client's CIBA configuration, even after an assertion failure.
        revertCIBASettings(clientResource, clientRep);
    }
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
From the class CIBATest, method testAttackerClientUseAuthReqIdInCallbackEndpoint.
// This tests that a client must *not* be able to complete the whole CIBA flow on its own, without any interaction from the user
@Test
public void testAttackerClientUseAuthReqIdInCallbackEndpoint() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";

        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);

        // Start the flow as the client normally would and keep the auth_req_id it receives.
        final String authReqId = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage).getAuthReqId();

        // The auth_req_id is not a credential for the callback endpoint: a client presenting it
        // as a bearer token to "approve" its own request must be refused with 403.
        final int callbackStatus = oauth.doAuthenticationChannelCallback(authReqId, SUCCEED);
        assertThat(callbackStatus, is(equalTo(403)));

        // Since no approval was recorded, polling the token endpoint must still report
        // authorization_pending (400) rather than issue tokens.
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, authReqId);
        assertThat(tokenResponse.getStatusCode(), is(equalTo(400)));
        assertThat(tokenResponse.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING)));
    } finally {
        // Always restore the client's CIBA configuration, even after an assertion failure.
        revertCIBASettings(clientResource, clientRep);
    }
}