use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
the class AccessTokenTest method testClientScope.
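@Test
public void testClientScope() throws Exception {
    RealmResource realm = adminClient.realm("test");

    // Two fresh realm roles. The test user gets both; whether they show up in
    // the issued token depends solely on scope mappings, because "full scope
    // allowed" is switched off on the client below.
    RoleRepresentation realmRole = new RoleRepresentation();
    realmRole.setName("realm-test-role");
    realm.roles().create(realmRole);
    realmRole = realm.roles().get("realm-test-role").toRepresentation();

    RoleRepresentation realmRole2 = new RoleRepresentation();
    realmRole2.setName("realm-test-role2");
    realm.roles().create(realmRole2);
    realmRole2 = realm.roles().get("realm-test-role2").toRepresentation();

    List<UserRepresentation> users = realm.users().search("test-user@localhost", -1, -1);
    assertEquals(1, users.size());
    UserRepresentation user = users.get(0);
    List<RoleRepresentation> addRoles = new LinkedList<>();
    addRoles.add(realmRole);
    addRoles.add(realmRole2);
    realm.users().get(user.getId()).roles().realmLevel().add(addRoles);

    // Client scope "scope" with a hardcoded-claim mapper that emits "hard" = "coded".
    // Responses are closed via try-with-resources so a failing assertion does not
    // leak the underlying connection.
    ClientScopeRepresentation rep = new ClientScopeRepresentation();
    rep.setName("scope");
    rep.setProtocol("openid-connect");
    URI scopeUri;
    String clientScopeId;
    try (Response response = realm.clientScopes().create(rep)) {
        assertEquals(201, response.getStatus());
        scopeUri = response.getLocation();
        clientScopeId = ApiUtil.getCreatedId(response);
    }
    ClientScopeResource clientScopeResource = adminClient.proxy(ClientScopeResource.class, scopeUri);

    ProtocolMapperModel hard = HardcodedClaim.create("hard", "hard", "coded", "String", true, true);
    ProtocolMapperRepresentation mapper = ModelToRepresentation.toRepresentation(hard);
    try (Response response = clientScopeResource.getProtocolMappers().createMapper(mapper)) {
        assertEquals(201, response.getStatus());
    }

    // Attach the scope to test-app as a default scope and disable "full scope
    // allowed", so roles reach the token only through explicit scope mappings.
    // NOTE(review): fullScopeAllowed is not restored at the end of this test;
    // presumably the realm is reset between tests — confirm in the class setup.
    ClientRepresentation clientRep = ApiUtil.findClientByClientId(realm, "test-app").toRepresentation();
    realm.clients().get(clientRep.getId()).addDefaultClientScope(clientScopeId);
    clientRep.setFullScopeAllowed(false);
    realm.clients().get(clientRep.getId()).update(clientRep);

    {
        // No scope mappings yet: the mapper claim is present, neither role is.
        org.keycloak.representations.AccessTokenResponse tokenResponse = grantTestRealmAccessToken();
        IDToken idToken = getIdToken(tokenResponse);
        assertEquals("coded", idToken.getOtherClaims().get("hard"));
        AccessToken accessToken = getAccessToken(tokenResponse);
        assertEquals("coded", accessToken.getOtherClaims().get("hard"));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
    }

    // Map realmRole onto the client scope: only that role may appear.
    List<RoleRepresentation> addRole1 = new LinkedList<>();
    addRole1.add(realmRole);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
    {
        AccessToken accessToken = getAccessToken(grantTestRealmAccessToken());
        assertNotNull(accessToken.getRealmAccess());
        assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
    }

    // Additionally map realmRole2 directly on the client: both roles combine.
    List<RoleRepresentation> addRole2 = new LinkedList<>();
    addRole2.add(realmRole2);
    realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().add(addRole2);
    {
        AccessToken accessToken = getAccessToken(grantTestRealmAccessToken());
        assertNotNull(accessToken.getRealmAccess());
        assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
        assertTrue(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
    }

    // Remove both mappings: neither role may remain in the token.
    clientScopeResource.getScopeMappings().realmLevel().remove(addRole1);
    realm.clients().get(clientRep.getId()).getScopeMappings().realmLevel().remove(addRole2);
    {
        AccessToken accessToken = getAccessToken(grantTestRealmAccessToken());
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
    }

    // Detach the client scope from the client, then put both mappings back on
    // the scope: with the scope no longer applied, neither the roles nor the
    // mapper claim may leak into the tokens.
    realm.clients().get(clientRep.getId()).removeDefaultClientScope(clientScopeId);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole1);
    clientScopeResource.getScopeMappings().realmLevel().add(addRole2);
    {
        org.keycloak.representations.AccessTokenResponse tokenResponse = grantTestRealmAccessToken();
        AccessToken accessToken = getAccessToken(tokenResponse);
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole.getName()));
        Assert.assertFalse(accessToken.getRealmAccess().getRoles().contains(realmRole2.getName()));
        assertNull(accessToken.getOtherClaims().get("hard"));
        IDToken idToken = getIdToken(tokenResponse);
        assertNull(idToken.getOtherClaims().get("hard"));
    }

    // Tear down the roles and the client scope, then confirm the mapper claim is gone.
    realm.users().get(user.getId()).roles().realmLevel().remove(addRoles);
    realm.roles().get(realmRole.getName()).remove();
    realm.roles().get(realmRole2.getName()).remove();
    clientScopeResource.remove();
    {
        org.keycloak.representations.AccessTokenResponse tokenResponse = grantTestRealmAccessToken();
        IDToken idToken = getIdToken(tokenResponse);
        assertNull(idToken.getOtherClaims().get("hard"));
        AccessToken accessToken = getAccessToken(tokenResponse);
        assertNull(accessToken.getOtherClaims().get("hard"));
    }
    events.clear();
}

/**
 * Sends one token grant request to the "test" realm token endpoint and returns the parsed
 * token response. Asserts HTTP 200. The REST client and the response are always closed,
 * also when the status assertion fails.
 *
 * @return the token endpoint response body
 * @throws Exception whatever {@code executeGrantAccessTokenRequest} propagates
 */
private org.keycloak.representations.AccessTokenResponse grantTestRealmAccessToken() throws Exception {
    Client client = AdminClientUtil.createResteasyClient();
    try {
        UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
        URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
        WebTarget grantTarget = client.target(grantUri);
        try (Response response = executeGrantAccessTokenRequest(grantTarget)) {
            assertEquals(200, response.getStatus());
            return response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
        }
    } finally {
        client.close();
    }
}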
use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
the class OIDCProtocolMappersTest method executeTokenMappersOnDynamicScopes.
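@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void executeTokenMappersOnDynamicScopes() {
    ClientResource clientResource = findClientResourceByClientId(adminClient.realm("test"), "test-app");

    // Dynamic scope attributes: a plain HashMap replaces the double-brace
    // initializer, which created an anonymous HashMap subclass holding a
    // reference to this test instance.
    HashMap<String, String> attributes = new HashMap<>();
    attributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    attributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "dyn-scope-with-mapper:*");

    ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
    scopeRep.setName("dyn-scope-with-mapper");
    scopeRep.setProtocol("openid-connect");
    scopeRep.setAttributes(attributes);

    // Hardcoded-claim mapper on the scope: emits "hardcoded-foo" = "hardcoded-bar".
    ProtocolMapperRepresentation protocolMapperRepresentation = createHardcodedClaim("dynamic-scope-hardcoded-mapper", "hardcoded-foo", "hardcoded-bar", "String", true, true);
    scopeRep.setProtocolMappers(Collections.singletonList(protocolMapperRepresentation));

    try (Response resp = adminClient.realm("test").clientScopes().create(scopeRep)) {
        assertEquals(201, resp.getStatus());
        String clientScopeId = ApiUtil.getCreatedId(resp);
        getCleanup().addClientScopeId(clientScopeId);
        clientResource.addOptionalClientScope(clientScopeId);
    }

    // Request the dynamic scope with a concrete value; the mapper on the matched
    // scope must run for both the ID token and the access token.
    oauth.scope("openid dyn-scope-with-mapper:value");
    OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    AccessToken accessToken = oauth.verifyToken(response.getAccessToken());

    assertHardcodedFooClaim(idToken);
    assertHardcodedFooClaim(accessToken);
}

/**
 * Asserts that the token carries the claim "hardcoded-foo" with the String value
 * "hardcoded-bar" produced by the dynamic scope's mapper.
 *
 * @param token ID token or access token (AccessToken extends IDToken)
 */
private static void assertHardcodedFooClaim(IDToken token) {
    assertNotNull(token.getOtherClaims());
    Object claim = token.getOtherClaims().get("hardcoded-foo");
    assertNotNull(claim);
    assertTrue(claim instanceof String);
    assertEquals("hardcoded-bar", claim);
}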
use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
the class ResourceOwnerPasswordCredentialsGrantTest method grantAccessTokenWithDynamicScope.
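@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void grantAccessTokenWithDynamicScope() throws Exception {
    // Dynamic scope attributes: a plain HashMap replaces the double-brace
    // initializer (anonymous HashMap subclass capturing the test instance).
    HashMap<String, String> attributes = new HashMap<>();
    attributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    attributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "dynamic-scope:*");

    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("dynamic-scope");
    clientScope.setAttributes(attributes);
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);

    RealmResource realmResource = adminClient.realm("test");
    try (Response response = realmResource.clientScopes().create(clientScope)) {
        String scopeId = ApiUtil.getCreatedId(response);
        getCleanup().addClientScopeId(scopeId);
        ClientResource resourceOwnerPublicClient = ApiUtil.findClientByClientId(realmResource, "resource-owner-public");
        // NOTE(review): the representation is written back unchanged; kept as-is,
        // but it looks like a leftover — confirm whether the update is needed.
        ClientRepresentation testAppRep = resourceOwnerPublicClient.toRepresentation();
        resourceOwnerPublicClient.update(testAppRep);
        resourceOwnerPublicClient.addOptionalClientScope(scopeId);
    }

    oauth.scope("dynamic-scope:123");
    oauth.clientId("resource-owner-public");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "direct-login", "password");

    // Check the status first: on an error response the scope is not populated and the
    // contains() check would fail with a NullPointerException instead of a clear assertion.
    assertEquals(200, response.getStatusCode());
    assertTrue(response.getScope().contains("dynamic-scope:123"));

    AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
    RefreshToken refreshToken = oauth.parseRefreshToken(response.getRefreshToken());
    events.expectLogin()
            .client("resource-owner-public")
            .user(userId)
            .session(accessToken.getSessionState())
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.TOKEN_ID, accessToken.getId())
            .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
            .detail(Details.USERNAME, "direct-login")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .assertEvent();
    // The granted dynamic scope value must also be reflected inside the signed token.
    assertTrue(accessToken.getScope().contains("dynamic-scope:123"));
}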
use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
the class OAuthGrantTest method oauthGrantOrderedClientScopes.
// KEYCLOAK-7470
@Test
public void oauthGrantOrderedClientScopes() throws Exception {
    // GUI order email=1, profile=2: email is listed before profile.
    RealmResource appRealm = adminClient.realm(REALM_NAME);
    ClientScopeResource emailScope = ApiUtil.findClientScopeByName(appRealm, "email");
    applyGuiOrder(emailScope, "1");
    ClientScopeResource profileScope = ApiUtil.findClientScopeByName(appRealm, "profile");
    applyGuiOrder(profileScope, "2");

    // Consent screen follows the GUI order.
    oauth.clientId(THIRD_PARTY_APP);
    oauth.doLoginGrant("test-user@localhost", "password");
    grantPage.assertCurrent();
    assertDisplayedOrder(grantPage.getDisplayedGrants(), "Email address", "User profile");
    grantPage.accept();

    // Account management lists the granted scopes in the same order.
    accountAppsPage.open();
    assertDisplayedOrder(grantedScopesOfThirdPartyApp(), "Email address", "User profile");

    // Bump email to 3: profile now precedes email.
    applyGuiOrder(emailScope, "3");
    accountAppsPage.open();
    assertDisplayedOrder(grantedScopesOfThirdPartyApp(), "User profile", "Email address");

    // After revoking the grant, the consent screen reflects the new order too.
    accountAppsPage.revokeGrant(THIRD_PARTY_APP);
    oauth.openLoginForm();
    grantPage.assertCurrent();
    assertDisplayedOrder(grantPage.getDisplayedGrants(), "User profile", "Email address");
}

/** Sets the GUI order attribute on the given client scope and persists it. */
private static void applyGuiOrder(ClientScopeResource scope, String order) {
    ClientScopeRepresentation scopeRep = scope.toRepresentation();
    scopeRep.getAttributes().put(ClientScopeModel.GUI_ORDER, order);
    scope.update(scopeRep);
}

/** Scopes currently granted to the third-party app, as shown on the account applications page. */
private List<String> grantedScopesOfThirdPartyApp() {
    return accountAppsPage.getApplications().get(THIRD_PARTY_APP).getClientScopesGranted();
}

/** Asserts the first two displayed entries, in order. */
private static void assertDisplayedOrder(List<String> displayed, String first, String second) {
    Assert.assertEquals(first, displayed.get(0));
    Assert.assertEquals(second, displayed.get(1));
}
use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
the class OAuthScopeInTokenResponseTest method specifyMultipleExistingScopesTest.
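@Test
public void specifyMultipleExistingScopesTest() throws Exception {
    // Create client scope "user" and attach it to test-app as an optional scope.
    // The create response is closed via try-with-resources (the original never closed it).
    ClientScopeRepresentation userScope = new ClientScopeRepresentation();
    userScope.setName("user");
    userScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    String userScopeId;
    try (Response response = realmsResouce().realm("test").clientScopes().create(userScope)) {
        userScopeId = ApiUtil.getCreatedId(response);
    }
    getCleanup().addClientScopeId(userScopeId);
    ApiUtil.findClientResourceByClientId(realmsResouce().realm("test"), "test-app").addOptionalClientScope(userScopeId);

    String loginUser = "john-doh@localhost";
    String loginPassword = "password";
    String clientSecret = "password";
    try {
        // Login without requesting "user": the optional scope must not be granted.
        String requestedScope = "address phone";
        String expectedScope = "openid profile email address phone";
        oauth.scope(requestedScope);
        oauth.doLogin(loginUser, loginPassword);
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        expectSuccessfulResponseFromTokenEndpoint(code, expectedScope, clientSecret);

        // Login requesting "user": it is granted alongside the other scopes.
        requestedScope = "user address phone";
        expectedScope = "openid profile email user address phone";
        oauth.scope(requestedScope);
        oauth.doLogin(loginUser, loginPassword);
        code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        expectSuccessfulResponseFromTokenEndpoint(code, expectedScope, clientSecret);
    } finally {
        // Detach the optional scope even when an assertion fails, so test-app is
        // left unchanged for the tests that follow.
        ApiUtil.findClientResourceByClientId(realmsResouce().realm("test"), "test-app").removeOptionalClientScope(userScopeId);
    }
}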