use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method testConditionWithoutNoConfiguration.
@Test
public void testConditionWithoutNoConfiguration() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Die Erste Politik").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientAccessTypeCondition", "Die Erste Politik", Boolean.TRUE).addCondition(ClientAccessTypeConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceGroupsCondition", "Die Zweite Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceGroupsConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceRolesCondition", "Die Dritte Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceRolesConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateContextCondition", "Die Vierte Politik", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secret";
createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
clientRep.setBearerOnly(Boolean.FALSE);
clientRep.setPublicClient(Boolean.FALSE);
});
successfulLoginAndLogout(clientId, clientSecret);
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method testFullScopeDisabledExecutor.
@Test
public void testFullScopeDisabledExecutor() throws Exception {
// register profiles - client autoConfigured to disable fullScopeAllowed
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true)).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
// Client will be auto-configured to disable fullScopeAllowed
String clientId = generateSuffixedName("aaa-app");
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setImplicitFlowEnabled(Boolean.FALSE);
clientRep.setFullScopeAllowed(Boolean.TRUE);
});
ClientRepresentation clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
// Client cannot be updated to disable fullScopeAllowed
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setFullScopeAllowed(Boolean.TRUE);
});
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
// Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false)).toRepresentation()).toString();
updateProfiles(json);
// Not possible to register client with fullScopeAllowed due the validation
try {
createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
clientRep2.setFullScopeAllowed(Boolean.TRUE);
});
fail();
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
}
// Not possible to update existing client to fullScopeAllowed due the validation
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setFullScopeAllowed(Boolean.TRUE);
});
fail();
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
}
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
try {
updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
cRep.setImplicitFlowEnabled(Boolean.TRUE);
});
clientRep = getClientByAdmin(cid);
assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
} catch (ClientPolicyException cpe) {
fail();
}
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method testSecureResponseTypeExecutorAllowTokenResponseType.
@Test
public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(null, Boolean.TRUE)).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
// create by Admin REST API
try {
createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
clientRep.setSecret("secret");
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
}
// update profiles
json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.TRUE, null)).toRepresentation()).toString();
updateProfiles(json);
String cId = null;
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secret";
try {
cId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
clientRep.setStandardFlowEnabled(Boolean.TRUE);
clientRep.setImplicitFlowEnabled(Boolean.TRUE);
clientRep.setPublicClient(Boolean.FALSE);
});
} catch (ClientPolicyException e) {
fail();
}
ClientRepresentation cRep = getClientByAdmin(cId);
assertEquals(Boolean.TRUE.toString(), cRep.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE));
adminClient.realm(REALM_NAME).clients().get(cId).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
oauth.clientId(clientId);
oauth.openLoginForm();
assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("invalid response_type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
oauth.nonce("LIVieviDie028f");
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
IDToken idToken = oauth.verifyIDToken(new OAuthClient.AuthorizationEndpointResponse(oauth).getIdToken());
// confirm ID token as detached signature does not include authenticated user's claims
Assert.assertNull(idToken.getEmailVerified());
Assert.assertNull(idToken.getName());
Assert.assertNull(idToken.getPreferredUsername());
Assert.assertNull(idToken.getGivenName());
Assert.assertNull(idToken.getFamilyName());
Assert.assertNull(idToken.getEmail());
assertEquals("LIVieviDie028f", idToken.getNonce());
// confirm an access token not returned
Assert.assertNull(new OAuthClient.AuthorizationEndpointResponse(oauth).getAccessToken());
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
assertEquals(200, res.getStatusCode());
events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
oauth.doLogout(res.getRefreshToken(), clientSecret);
events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testProtocolMappersUpdate.
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testProtocolMappersUpdate() throws Exception {
setTrustedHost("localhost");
// Check I can add client with allowed protocolMappers
ProtocolMapperRepresentation protocolMapper = new ProtocolMapperRepresentation();
protocolMapper.setName("Full name");
protocolMapper.setProtocolMapper(FullNameMapper.PROVIDER_ID);
protocolMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
ClientRepresentation clientRep = createRep("test-app");
clientRep.setProtocolMappers(Collections.singletonList(protocolMapper));
ClientRepresentation registeredClient = reg.create(clientRep);
reg.auth(Auth.token(registeredClient));
// Add some disallowed protocolMapper
registeredClient.getProtocolMappers().add(createHardcodedMapperRep());
// Check I can't update client because of protocolMapper
assertFail(ClientRegOp.UPDATE, registeredClient, 403, "ProtocolMapper type not allowed");
// Remove "bad" protocolMapper
registeredClient.getProtocolMappers().removeIf((ProtocolMapperRepresentation mapper) -> {
return mapper.getProtocolMapper().equals(HardcodedRole.PROVIDER_ID);
});
// Check I can update client now
reg.update(registeredClient);
// Revert client
ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientRegistrationTester method main.
public static void main(String[] args) throws ClientRegistrationException {
ClientRepresentation rep = createRep1();
ClientRegistration reg = ClientRegistration.create().url("http://localhost:8081/auth", "test").build();
try {
ClientRepresentation createdRep = reg.create(rep);
System.out.println("Created client: " + createdRep.getClientId());
} catch (ClientRegistrationException ex) {
HttpErrorException httpEx = (HttpErrorException) ex.getCause();
System.err.println("HttpException when registering client. Status=" + httpEx.getStatusLine().getStatusCode() + ", Details=" + httpEx.getErrorResponse());
}
}
Aggregations