Search in sources :

Example 31 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class CIBATest method testExtendedClientPolicyInterfacesForBackchannelTokenRequest.

@Test
public void testExtendedClientPolicyInterfacesForBackchannelTokenRequest() throws Exception {
    String clientId = generateSuffixedName("confidential-app");
    String clientSecret = "app-secret";
    createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        clientRep.setStandardFlowEnabled(Boolean.TRUE);
        clientRep.setImplicitFlowEnabled(Boolean.TRUE);
        clientRep.setPublicClient(Boolean.FALSE);
        clientRep.setBearerOnly(Boolean.FALSE);
        Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
        attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
        clientRep.setAttributes(attributes);
    });
    final String bindingMessage = "BASTION";
    Map<String, String> additionalParameters = new HashMap<>();
    additionalParameters.put("user_device", "mobile");
    // user Backchannel Authentication Request
    AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, TEST_USER_NAME, bindingMessage, null, null, additionalParameters);
    assertThat(response.getStatusCode(), is(equalTo(200)));
    Assert.assertNotNull(response.getAuthReqId());
    TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
    TestAuthenticationChannelRequest authenticationChannelReq = oidcClientEndpointsResource.getAuthenticationChannel(bindingMessage);
    int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), SUCCEED);
    assertThat(statusCode, is(equalTo(200)));
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register role policy
    String roleName = "sample-client-role-alpha";
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(roleName))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Add role to the client
    ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId);
    clientResource.roles().create(RoleBuilder.create().name(roleName).build());
    OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(clientId, clientSecret, response.getAuthReqId());
    assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
    assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
    assertThat(tokenRes.getErrorDescription(), is("Exception thrown intentionally"));
}
Also used : TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource) HashMap(java.util.HashMap) OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientResource(org.keycloak.admin.client.resource.ClientResource) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) Test(org.junit.Test)

Example 32 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class CIBATest method testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest.

private void testBackchannelAuthenticationFlowWithInvalidSignedAuthenticationRequest(boolean useRequestUri, String requestedSigAlg, String sigAlg, int statusCode, String error, String errorDescription, String clientId, String clientSecret) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), clientId);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        AuthorizationEndpointRequestObject sharedAuthenticationRequest = createValidSharedAuthenticationRequest();
        sharedAuthenticationRequest.setLoginHint(username);
        sharedAuthenticationRequest.setBindingMessage(bindingMessage);
        registerSharedAuthenticationRequest(sharedAuthenticationRequest, clientId, requestedSigAlg, sigAlg, useRequestUri, clientSecret);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, null, null, null);
        Assert.assertThat(response.getStatusCode(), is(equalTo(statusCode)));
        Assert.assertThat(response.getError(), is(error));
        Assert.assertThat(response.getErrorDescription(), is(errorDescription));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : AuthorizationEndpointRequestObject(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Example 33 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class CIBATest method testOtherClientSendTokenRequest.

@Test
public void testOtherClientSendTokenRequest() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "ldkq366");
        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("ldkq366");
        // user Authentication Channel completed
        doAuthenticationChannelCallback(authenticationChannelReq);
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 34 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientPoliciesTest method addTestRealms.

@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
    RealmRepresentation realm = loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class);
    List<UserRepresentation> users = realm.getUsers();
    LinkedList<CredentialRepresentation> credentials = new LinkedList<>();
    CredentialRepresentation password = new CredentialRepresentation();
    password.setType(CredentialRepresentation.PASSWORD);
    password.setValue("password");
    credentials.add(password);
    UserRepresentation user = new UserRepresentation();
    user.setEnabled(true);
    user.setUsername("manage-clients");
    user.setCredentials(credentials);
    user.setClientRoles(Collections.singletonMap(Constants.REALM_MANAGEMENT_CLIENT_ID, Collections.singletonList(AdminRoles.MANAGE_CLIENTS)));
    users.add(user);
    user = new UserRepresentation();
    user.setEnabled(true);
    user.setUsername("create-clients");
    user.setCredentials(credentials);
    user.setClientRoles(Collections.singletonMap(Constants.REALM_MANAGEMENT_CLIENT_ID, Collections.singletonList(AdminRoles.CREATE_CLIENT)));
    // defined in testrealm.json
    user.setGroups(Arrays.asList("topGroup"));
    users.add(user);
    realm.setUsers(users);
    List<ClientRepresentation> clients = realm.getClients();
    ClientRepresentation app = ClientBuilder.create().id(KeycloakModelUtils.generateId()).clientId("test-device").secret("secret").attribute(OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED, "true").build();
    clients.add(app);
    ClientRepresentation appPublic = ClientBuilder.create().id(KeycloakModelUtils.generateId()).publicClient().clientId(DEVICE_APP_PUBLIC).attribute(OAuth2DeviceConfig.OAUTH2_DEVICE_AUTHORIZATION_GRANT_ENABLED, "true").build();
    clients.add(appPublic);
    userId = KeycloakModelUtils.generateId();
    UserRepresentation deviceUser = UserBuilder.create().id(userId).username("device-login").email("device-login@localhost").password("password").build();
    users.add(deviceUser);
    testRealms.add(realm);
}
Also used : CredentialRepresentation(org.keycloak.representations.idm.CredentialRepresentation) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) LinkedList(java.util.LinkedList) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Example 35 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientPoliciesTest method testAdminClientAutoConfiguredClientAuthType.

@Test
public void testAdminClientAutoConfiguredClientAuthType() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), X509ClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Persha Polityka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Attempt to create client with set authenticator to ClientIdAndSecretAuthenticator. Should fail
    try {
        createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // Attempt to create client without set authenticator. Default authenticator should be set
    String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
    });
    assertEquals(X509ClientAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
    // update profiles
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
    updateProfiles(json);
    // It is allowed to update authenticator to one of allowed client authenticators. Default client authenticator is not explicitly set in this case
    updateClientByAdmin(cId, (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
    });
    assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Aggregations

ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)576 Test (org.junit.Test)359 ClientResource (org.keycloak.admin.client.resource.ClientResource)189 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)139 OAuthClient (org.keycloak.testsuite.util.OAuthClient)101 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)61 Response (javax.ws.rs.core.Response)59 Matchers.containsString (org.hamcrest.Matchers.containsString)58 RealmResource (org.keycloak.admin.client.resource.RealmResource)58 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)58 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)53 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)43 AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)41 ClientsResource (org.keycloak.admin.client.resource.ClientsResource)38 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)38 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)37 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)37 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)37 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)37 HashMap (java.util.HashMap)33