use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testExtendedClientPolicyInterfacesForBackchannelTokenRequest.
@Test
public void testExtendedClientPolicyInterfacesForBackchannelTokenRequest() throws Exception {
String clientId = generateSuffixedName("confidential-app");
String clientSecret = "app-secret";
createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
clientRep.setStandardFlowEnabled(Boolean.TRUE);
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
clientRep.setPublicClient(Boolean.FALSE);
clientRep.setBearerOnly(Boolean.FALSE);
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
clientRep.setAttributes(attributes);
});
final String bindingMessage = "BASTION";
Map<String, String> additionalParameters = new HashMap<>();
additionalParameters.put("user_device", "mobile");
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, TEST_USER_NAME, bindingMessage, null, null, additionalParameters);
assertThat(response.getStatusCode(), is(equalTo(200)));
Assert.assertNotNull(response.getAuthReqId());
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
TestAuthenticationChannelRequest authenticationChannelReq = oidcClientEndpointsResource.getAuthenticationChannel(bindingMessage);
int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), SUCCEED);
assertThat(statusCode, is(equalTo(200)));
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
updateProfiles(json);
// register role policy
String roleName = "sample-client-role-alpha";
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(roleName))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
// Add role to the client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId);
clientResource.roles().create(RoleBuilder.create().name(roleName).build());
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(clientId, clientSecret, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
assertThat(tokenRes.getErrorDescription(), is("Exception thrown intentionally"));
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest.
private void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(boolean useRequestUri, String requestedSigAlg, String sigAlg, int statusCode, String error, String errorDescription, String clientId, String clientSecret) throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
final String bindingMessage = "BASTION";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), clientId);
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
AuthorizationEndpointRequestObject sharedAuthenticationRequest = createValidSharedAuthenticationRequest();
sharedAuthenticationRequest.setLoginHint(username);
sharedAuthenticationRequest.setBindingMessage(bindingMessage);
registerSharedAuthenticationRequest(sharedAuthenticationRequest, clientId, requestedSigAlg, sigAlg, useRequestUri, clientSecret);
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, null, null, null);
Assert.assertThat(response.getStatusCode(), is(equalTo(statusCode)));
Assert.assertThat(response.getError(), is(error));
Assert.assertThat(response.getErrorDescription(), is(errorDescription));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class CIBATest method testOtherClientSendTokenRequest.
@Test
public void testOtherClientSendTokenRequest() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
assertThat(clientResource, notNullValue());
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "ldkq366");
// user Authentication Channel Request
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("ldkq366");
// user Authentication Channel completed
doAuthenticationChannelCallback(authenticationChannelReq);
// user Token Request
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method addTestRealms.
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation realm = loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
List<UserRepresentation> users = realm.getUsers();
LinkedList<CredentialRepresentation> credentials = new LinkedList<>();
CredentialRepresentation password = new CredentialRepresentation();
password.setType(CredentialRepresentation.PASSWORD);
password.setValue("password");
credentials.add(password);
UserRepresentation user = new UserRepresentation();
user.setEnabled(true);
user.setUsername("manage-clients");
user.setCredentials(credentials);
user.setClientRoles(Collections.singletonMap(Constants.REALM_MANAGEMENT_CLIENT_ID, Collections.singletonList(AdminRoles.MANAGE_CLIENTS)));
users.add(user);
user = new UserRepresentation();
user.setEnabled(true);
user.setUsername("create-clients");
user.setCredentials(credentials);
user.setClientRoles(Collections.singletonMap(Constants.REALM_MANAGEMENT_CLIENT_ID, Collections.singletonList(AdminRoles.CREATE_CLIENT)));
// defined in testrealm.json
user.setGroups(Arrays.asList("topGroup"));
users.add(user);
realm.setUsers(users);
List<ClientRepresentation> clients = realm.getClients();
ClientRepresentation app = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("test-device").secret("secret").attribute(OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED, "true").build();
clients.add(app);
ClientRepresentation appPublic = ClientBuilder.create().id(KeycloakModelUtils.generateId()).publicClient().clientId(DEVICE_APP_PUBLIC).attribute(OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED, "true").build();
clients.add(appPublic);
userId = KeycloakModelUtils.generateId();
UserRepresentation deviceUser = UserBuilder.create().id(userId).username("device-login").email("device-login@localhost").password("password").build();
users.add(deviceUser);
testRealms.add(realm);
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method testAdminClientAutoConfiguredClientAuthType.
@Test
public void testAdminClientAutoConfiguredClientAuthType() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), X509ClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Persha Polityka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
// Attempt to create client with set authenticator to ClientIdAndSecretAuthenticator. Should fail
try {
createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID);
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
}
// Attempt to create client without set authenticator. Default authenticator should be set
String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
});
assertEquals(X509ClientAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
// update profiles
json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
updateProfiles(json);
// It is allowed to update authenticator to one of allowed client authenticators. Default client authenticator is not explicitly set in this case
updateClientByAdmin(cId, (ClientRepresentation clientRep) -> {
clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
});
assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
}
Aggregations