Search in sources :

Example 36 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientPoliciesTest method testConditionWithoutNoConfiguration.

@Test
public void testConditionWithoutNoConfiguration() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Die Erste Politik").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientAccessTypeCondition", "Die Erste Politik", Boolean.TRUE).addCondition(ClientAccessTypeConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceGroupsCondition", "Die Zweite Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceGroupsConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceRolesCondition", "Die Dritte Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceRolesConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateContextCondition", "Die Vierte Politik", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        clientRep.setBearerOnly(Boolean.FALSE);
        clientRep.setPublicClient(Boolean.FALSE);
    });
    successfulLoginAndLogout(clientId, clientSecret);
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 37 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientPoliciesTest method testFullScopeDisabledExecutor.

@Test
public void testFullScopeDisabledExecutor() throws Exception {
    // register profiles - client autoConfigured to disable fullScopeAllowed
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Client will be auto-configured to disable fullScopeAllowed
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setFullScopeAllowed(Boolean.TRUE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Client cannot be updated to disable fullScopeAllowed
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setFullScopeAllowed(Boolean.TRUE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false)).toRepresentation()).toString();
    updateProfiles(json);
    // Not possible to register client with fullScopeAllowed due the validation
    try {
        createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    // Not possible to update existing client to fullScopeAllowed due the validation
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    } catch (ClientPolicyException cpe) {
        fail();
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 38 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureResponseTypeExecutorAllowTokenResponseType.

@Test
public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(null, Boolean.TRUE)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // update profiles
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.TRUE, null)).toRepresentation()).toString();
    updateProfiles(json);
    String cId = null;
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    try {
        cId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
            clientRep.setSecret(clientSecret);
            clientRep.setStandardFlowEnabled(Boolean.TRUE);
            clientRep.setImplicitFlowEnabled(Boolean.TRUE);
            clientRep.setPublicClient(Boolean.FALSE);
        });
    } catch (ClientPolicyException e) {
        fail();
    }
    ClientRepresentation cRep = getClientByAdmin(cId);
    assertEquals(Boolean.TRUE.toString(), cRep.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE));
    adminClient.realm(REALM_NAME).clients().get(cId).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("invalid response_type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
    oauth.nonce("LIVieviDie028f");
    oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
    IDToken idToken = oauth.verifyIDToken(new OAuthClient.AuthorizationEndpointResponse(oauth).getIdToken());
    // confirm ID token as detached signature does not include authenticated user's claims
    Assert.assertNull(idToken.getEmailVerified());
    Assert.assertNull(idToken.getName());
    Assert.assertNull(idToken.getPreferredUsername());
    Assert.assertNull(idToken.getGivenName());
    Assert.assertNull(idToken.getFamilyName());
    Assert.assertNull(idToken.getEmail());
    assertEquals("LIVieviDie028f", idToken.getNonce());
    // confirm an access token not returned
    Assert.assertNull(new OAuthClient.AuthorizationEndpointResponse(oauth).getAccessToken());
    OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
    assertEquals(200, res.getStatusCode());
    events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
    oauth.doLogout(res.getRefreshToken(), clientSecret);
    events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) IDToken(org.keycloak.representations.IDToken) Test(org.junit.Test)

Example 39 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientRegistrationPoliciesTest method testProtocolMappersUpdate.

@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testProtocolMappersUpdate() throws Exception {
    setTrustedHost("localhost");
    // Check I can add client with allowed protocolMappers
    ProtocolMapperRepresentation protocolMapper = new ProtocolMapperRepresentation();
    protocolMapper.setName("Full name");
    protocolMapper.setProtocolMapper(FullNameMapper.PROVIDER_ID);
    protocolMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    ClientRepresentation clientRep = createRep("test-app");
    clientRep.setProtocolMappers(Collections.singletonList(protocolMapper));
    ClientRepresentation registeredClient = reg.create(clientRep);
    reg.auth(Auth.token(registeredClient));
    // Add some disallowed protocolMapper
    registeredClient.getProtocolMappers().add(createHardcodedMapperRep());
    // Check I can't update client because of protocolMapper
    assertFail(ClientRegOp.UPDATE, registeredClient, 403, "ProtocolMapper type not allowed");
    // Remove "bad" protocolMapper
    registeredClient.getProtocolMappers().removeIf((ProtocolMapperRepresentation mapper) -> {
        return mapper.getProtocolMapper().equals(HardcodedRole.PROVIDER_ID);
    });
    // Check I can update client now
    reg.update(registeredClient);
    // Revert client
    ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
}
Also used : ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 40 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientRegistrationTester method main.

public static void main(String[] args) throws ClientRegistrationException {
    ClientRepresentation rep = createRep1();
    ClientRegistration reg = ClientRegistration.create().url("http://localhost:8081/auth", "test").build();
    try {
        ClientRepresentation createdRep = reg.create(rep);
        System.out.println("Created client: " + createdRep.getClientId());
    } catch (ClientRegistrationException ex) {
        HttpErrorException httpEx = (HttpErrorException) ex.getCause();
        System.err.println("HttpException when registering client. Status=" + httpEx.getStatusLine().getStatusCode() + ", Details=" + httpEx.getErrorResponse());
    }
}
Also used : ClientRegistration(org.keycloak.client.registration.ClientRegistration) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) HttpErrorException(org.keycloak.client.registration.HttpErrorException) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Aggregations

ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)576 Test (org.junit.Test)359 ClientResource (org.keycloak.admin.client.resource.ClientResource)189 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)139 OAuthClient (org.keycloak.testsuite.util.OAuthClient)101 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)61 Response (javax.ws.rs.core.Response)59 Matchers.containsString (org.hamcrest.Matchers.containsString)58 RealmResource (org.keycloak.admin.client.resource.RealmResource)58 RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)58 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)53 RoleRepresentation (org.keycloak.representations.idm.RoleRepresentation)43 AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)41 ClientsResource (org.keycloak.admin.client.resource.ClientsResource)38 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)38 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)37 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)37 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)37 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)37 HashMap (java.util.HashMap)33