Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
The class ClientRegistrationPoliciesTest, method testClientScopesPolicyWithPermittedScope.
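@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientScopesPolicyWithPermittedScope() throws Exception {
    setTrustedHost("localhost");

    // Add some clientScope through Admin REST. try-with-resources closes the Response even if reading
    // the created id fails (the original closed it only on the happy path).
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("foo");
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    String clientScopeId;
    try (Response response = realmResource().clientScopes().create(clientScope)) {
        clientScopeId = ApiUtil.getCreatedId(response);
    }

    ComponentRepresentation clientScopesPolicyRep = null;
    java.util.List<String> previousAllowedScopes = null;
    boolean clientRegistered = false;
    try {
        // I can't register new client with this scope
        ClientRepresentation clientRep = createRep("test-app");
        clientRep.setDefaultClientScopes(Collections.singletonList("foo"));
        assertFail(ClientRegOp.CREATE, clientRep, 403, "Not permitted to use specified clientScope");

        // Update the policy to allow the "foo" scope. Remember the previous allow-list so the policy
        // can be restored exactly: a permissive policy must not leak into the tests that follow.
        clientScopesPolicyRep = findPolicyByProviderAndAuth(ClientScopesClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAnon());
        previousAllowedScopes = clientScopesPolicyRep.getConfig().get(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES);
        clientScopesPolicyRep.getConfig().putSingle(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES, "foo");
        realmResource().components().component(clientScopesPolicyRep.getId()).update(clientScopesPolicyRep);

        // Check that I can register client now
        ClientRepresentation registeredClient = reg.create(clientRep);
        clientRegistered = true;
        Assert.assertNotNull(registeredClient.getRegistrationAccessToken());
    } finally {
        // Revert in all cases, also when an assertion above failed: policy allow-list, registered client, client scope.
        if (clientScopesPolicyRep != null) {
            if (previousAllowedScopes == null) {
                clientScopesPolicyRep.getConfig().remove(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES);
            } else {
                clientScopesPolicyRep.getConfig().put(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES, previousAllowedScopes);
            }
            realmResource().components().component(clientScopesPolicyRep.getId()).update(clientScopesPolicyRep);
        }
        if (clientRegistered) {
            ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
        }
        realmResource().clientScopes().get(clientScopeId).remove();
    }
}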
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
The class ConsentsTest, method testRetrieveConsentsForUserWithClientsWithGrantedOfflineAccess.
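/**
 * KEYCLOAK-18954
 *
 * Makes {@code offline_access} a default scope of the provider realm's {@code account} client, grants consent
 * for it through the account console login, obtains an offline token via direct grant and checks that the
 * user's consents list contains the "Offline Token" entry.
 *
 * NOTE(review): the account theme and the account client settings changed here are not reverted by this
 * method — confirm that the suite re-imports the provider realm between tests.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testRetrieveConsentsForUserWithClientsWithGrantedOfflineAccess() throws Exception {
    RealmResource providerRealm = adminClient.realm(providerRealmName());
    RealmRepresentation providerRealmRep = providerRealm.toRepresentation();
    providerRealmRep.setAccountTheme("keycloak");
    providerRealm.update(providerRealmRep);

    // Fail with a message instead of an IndexOutOfBoundsException when the built-in client is missing.
    List<ClientRepresentation> accountClients = providerRealm.clients().findByClientId("account");
    assertFalse("Built-in 'account' client not found in provider realm", accountClients.isEmpty());
    ClientRepresentation providerAccountRep = accountClients.get(0);

    // add offline_scope to default account-console client scope
    ClientScopeRepresentation offlineAccessScope = providerRealm.getDefaultOptionalClientScopes().stream()
            .filter(csr -> OAuth2Constants.OFFLINE_ACCESS.equals(csr.getName()))
            .findFirst()
            .orElseThrow(() -> new AssertionError("offline_access is not a default optional client scope of the provider realm"));
    providerRealm.clients().get(providerAccountRep.getId()).removeOptionalClientScope(offlineAccessScope.getId());
    providerRealm.clients().get(providerAccountRep.getId()).addDefaultClientScope(offlineAccessScope.getId());

    // enable consent required to explicitly grant offline access
    providerAccountRep.setConsentRequired(true);
    // for offline token retrieval
    providerAccountRep.setDirectAccessGrantsEnabled(true);
    providerRealm.clients().get(providerAccountRep.getId()).update(providerAccountRep);

    List<UserRepresentation> searchResult = providerRealm.users().search(getUserLogin());
    assertFalse("User " + getUserLogin() + " not found in provider realm", searchResult.isEmpty());
    UserRepresentation user = searchResult.get(0);

    driver.navigate().to(getAccountUrl(providerRealmName()));
    waitForPage("Sign in to provider");
    log.debug("Logging in");
    accountLoginPage.login(getUserLogin(), getUserPassword());
    waitForPage("grant access");
    log.debug("Grant consent for offline_access");
    Assert.assertTrue(consentPage.isCurrent());
    consentPage.confirm();
    waitForPage("keycloak account console");

    // disable consent required again to enable direct grant token retrieval.
    providerAccountRep.setConsentRequired(false);
    providerRealm.clients().get(providerAccountRep.getId()).update(providerAccountRep);

    log.debug("Obtain offline_token");
    OAuthClient.AccessTokenResponse response = oauth.realm(providerRealmRep.getRealm())
            .clientId(providerAccountRep.getClientId())
            .scope(OAuth2Constants.SCOPE_OPENID + " " + OAuth2Constants.SCOPE_PROFILE + " " + OAuth2Constants.OFFLINE_ACCESS)
            .doGrantAccessTokenRequest(null, getUserLogin(), getUserPassword());
    assertNotNull(response.getRefreshToken());

    log.debug("Check for Offline Token in consents");
    List<Map<String, Object>> consents = providerRealm.users().get(user.getId()).getConsents();
    assertFalse("Consents should not be empty", consents.isEmpty());
    assertTrue(consents.toString().contains("Offline Token"));
}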
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
The class TokenIntrospectionTest, method afterAbstractKeycloakTestRealmImport.
@Override
protected void afterAbstractKeycloakTestRealmImport() {
    // After the realm import, rewrite every "username" protocol mapper found in any client scope so that
    // it maps the username attribute to the "preferred_username12" claim, then push the change back.
    ClientScopesResource scopes = testRealm().clientScopes();
    List<ClientScopeRepresentation> allScopes = scopes.findAll();
    for (ClientScopeRepresentation scope : allScopes) {
        List<ProtocolMapperRepresentation> mappers = scope.getProtocolMappers();
        if (mappers == null) {
            continue;
        }
        for (ProtocolMapperRepresentation mapper : mappers) {
            if (!"username".equals(mapper.getName())) {
                continue;
            }
            Map<String, String> mapperConfig = mapper.getConfig();
            mapperConfig.put("user.attribute", "username");
            mapperConfig.put("claim.name", "preferred_username12");
            scopes.get(scope.getId()).getProtocolMappers().update(mapper.getId(), mapper);
        }
    }
}
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
The class OIDCScopeTest, method testOptionalScopesWithConsentRequired.
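@Test
public void testOptionalScopesWithConsentRequired() throws Exception {
    // Remove "displayOnConsentScreen" from address. Map.put returns the previous value, which is kept so
    // the revert below restores the attribute exactly (including "absent") instead of forcing "true".
    ClientScopeResource addressScope = ApiUtil.findClientScopeByName(testRealm(), "address");
    ClientScopeRepresentation addressScopeRep = addressScope.toRepresentation();
    String previousDisplayOnConsent = addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "false");
    addressScope.update(addressScopeRep);

    try {
        oauth.clientId("third-party");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
        grantPage.accept();

        EventRepresentation loginEvent = events.expectLogin().user(userId).client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
        Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
        IDToken idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, false);
        assertPhone(idToken, false);

        // Logout
        oauth.doLogout(tokens.refreshToken, "password");
        events.expectLogout(idToken.getSessionState()).client("third-party").user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();

        // Login with optional scopes. Grant screen should have just "phone"
        oauth.scope("openid address phone");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PHONE_CONSENT_TEXT);
        grantPage.accept();

        loginEvent = events.expectLogin().client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).user(userId).assertEvent();
        tokens = sendTokenRequest(loginEvent, userId, "openid email profile address phone", "third-party");
        idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, true);
        assertPhone(idToken, true);
    } finally {
        // Revert even when an assertion above failed, so later tests see the original consent screen.
        if (previousDisplayOnConsent == null) {
            addressScopeRep.getAttributes().remove(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN);
        } else {
            addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, previousDisplayOnConsent);
        }
        addressScope.update(addressScopeRep);
    }
}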
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
The class OIDCScopeTest, method testClientScopesPermissions.
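// Test that clientScope is NOT applied in case that user is not member of any role scoped to the clientScope (including composite roles)
@Test
public void testClientScopesPermissions() {
    // Add 2 client scopes. Each with scope to 1 realm role. Responses are auto-closed; ids go to the cleanup.
    ClientScopeRepresentation clientScope1 = new ClientScopeRepresentation();
    clientScope1.setName("scope-role-1");
    clientScope1.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    String scope1Id;
    try (Response response = testRealm().clientScopes().create(clientScope1)) {
        scope1Id = ApiUtil.getCreatedId(response);
    }
    getCleanup().addClientScopeId(scope1Id);

    ClientScopeRepresentation clientScopeParent = new ClientScopeRepresentation();
    clientScopeParent.setName("scope-role-parent");
    clientScopeParent.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    String scopeParentId;
    try (Response response = testRealm().clientScopes().create(clientScopeParent)) {
        scopeParentId = ApiUtil.getCreatedId(response);
    }
    getCleanup().addClientScopeId(scopeParentId);

    RoleRepresentation role1 = testRealm().roles().get("role-1").toRepresentation();
    testRealm().clientScopes().get(scope1Id).getScopeMappings().realmLevel().add(Arrays.asList(role1));
    RoleRepresentation roleParent = testRealm().roles().get("role-parent").toRepresentation();
    testRealm().clientScopes().get(scopeParentId).getScopeMappings().realmLevel().add(Arrays.asList(roleParent));

    // Add client scopes to our client
    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    // NOTE(review): this update sends the representation back unmodified; kept in case a side effect is relied upon.
    ClientRepresentation testAppRep = testApp.toRepresentation();
    testApp.update(testAppRep);
    testApp.addDefaultClientScope(scope1Id);
    testApp.addDefaultClientScope(scopeParentId);

    try {
        // role-1-user will have clientScope "scope-role-1" and also "scope-role-parent" due the composite role
        testLoginAndClientScopesPermissions("role-1-user", "scope-role-1 scope-role-parent", "role-1");
        // role-2-user won't have any of the "scope-role-1" or "scope-role-parent" applied as he is not member of "role-1" nor "role-parent"
        testLoginAndClientScopesPermissions("role-2-user", "", "role-2");
        // role-parent-user will have clientScope "scope-role-1" (due the composite role) and also "scope-role-parent"
        testLoginAndClientScopesPermissions("role-parent-user", "scope-role-1 scope-role-parent", "role-1", "role-parent");
        // group-role-1-user will have clientScope "scope-role-1" and also "scope-role-parent" due the composite role and due the fact that he is member of group
        testLoginAndClientScopesPermissions("group-role-1-user", "scope-role-1 scope-role-parent", "role-1");
    } finally {
        // Revert even when an assertion failed. The scopes were added as *default* scopes above, so they are
        // removed from the default list (the original called removeOptionalClientScope here).
        testApp.removeDefaultClientScope(scope1Id);
        testApp.removeDefaultClientScope(scopeParentId);
    }
}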