Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
Class AudienceTest, method beforeTest.
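/**
 * Ensures the client scope {@code audience-scope} exists and is attached as an optional scope
 * to the {@code test-app} client before every test method. Already-existing scopes are reused,
 * so the setup is idempotent across test methods.
 */
@Before
public void beforeTest() {
    // Check if already exists
    ClientScopeResource clientScopeRes = ApiUtil.findClientScopeByName(testRealm(), "audience-scope");
    if (clientScopeRes != null) {
        return;
    }
    // Create client scope 'audience-scope' and add as optional scope to the 'test-app' client
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("audience-scope");
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    String clientScopeId;
    // try-with-resources: the create() response is released even when reading the created id throws,
    // instead of only on the success path as with an explicit close()
    try (Response resp = testRealm().clientScopes().create(clientScope)) {
        clientScopeId = ApiUtil.getCreatedId(resp);
    }
    ClientResource client = ApiUtil.findClientByClientId(testRealm(), "test-app");
    client.addOptionalClientScope(clientScopeId);
}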
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
Class OfflineTokenTest, method offlineTokenDisabledForClient.
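/**
 * Verifies that a client which does not have the {@code offline_access} scope available is refused an
 * offline token: the authorization request must fail with an "Invalid scopes" error rather than
 * silently issuing a token with broader privileges than the client was granted.
 *
 * @throws Exception propagated from the test harness
 */
@Test
public void offlineTokenDisabledForClient() throws Exception {
    // Remove offline-access scope from client
    ClientScopeRepresentation offlineScope = adminClient.realm("test").clientScopes().findAll().stream()
            .filter(clientScope -> OAuth2Constants.OFFLINE_ACCESS.equals(clientScope.getName()))
            .findFirst()
            // Fail with a descriptive message instead of an unchecked Optional.get()
            .orElseThrow(() -> new IllegalStateException(
                    "Client scope '" + OAuth2Constants.OFFLINE_ACCESS + "' not found in realm 'test'"));
    ClientManager.realm(adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(false).removeClientScope(offlineScope.getId(), false);
    try {
        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
        oauth.clientId("offline-client");
        oauth.redirectUri(offlineClientAppUri);
        oauth.openLoginForm();
        // The server must reject the request instead of issuing an offline token the client may not obtain
        assertTrue(driver.getCurrentUrl().contains("error_description=Invalid+scopes"));
    } finally {
        // Revert changes in a finally block so the shared 'offline-client' configuration is restored
        // for subsequent tests even when the assertion above fails
        ClientManager.realm(adminClient.realm("test")).clientId("offline-client").fullScopeAllowed(true).addClientScope(offlineScope.getId(), false);
    }
}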
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
Class OAuthGrantTest, method oauthGrantDynamicScopeParamRequired.
/**
 * Checks consent handling for a dynamic client scope requested with a parameter
 * ({@code foo-dynamic-scope:withparam}): the consent screen shows the parameterised scope, a second
 * login after logout shows exactly that one scope again, and the grant can be revoked from the
 * account console.
 */
@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void oauthGrantDynamicScopeParamRequired() {
    RealmResource appRealm = adminClient.realm(REALM_NAME);
    ClientResource thirdPartyClient = findClientByClientId(appRealm, THIRD_PARTY_APP);

    // Create a dynamic client scope matching names of the form "foo-dynamic-scope:<param>"
    Map<String, String> dynamicAttributes = new HashMap<>();
    dynamicAttributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    dynamicAttributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "foo-dynamic-scope:*");
    ClientScopeRepresentation dynamicScope = new ClientScopeRepresentation();
    dynamicScope.setName("foo-dynamic-scope");
    dynamicScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    dynamicScope.setAttributes(dynamicAttributes);
    Response createResponse = appRealm.clientScopes().create(dynamicScope);
    String dynamicScopeId = ApiUtil.getCreatedId(createResponse);
    createResponse.close();
    getCleanup().addClientScopeId(dynamicScopeId);

    // Attach the scope to the client as optional, so it only appears on consent when requested
    thirdPartyClient.addOptionalClientScope(dynamicScopeId);

    // First login with the parameterised scope: the consent screen lists it including the parameter
    oauth.clientId(THIRD_PARTY_APP);
    oauth.scope("foo-dynamic-scope:withparam");
    oauth.doLogin("test-user@localhost", "password");
    grantPage.assertCurrent();
    List<String> firstGrants = grantPage.getDisplayedGrants();
    Assert.assertTrue(firstGrants.contains("foo-dynamic-scope: withparam"));
    grantPage.accept();
    EventRepresentation loginEvent = events.expectLogin()
            .client(THIRD_PARTY_APP)
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();
    String authCode = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
    // Exchange the code only so the code-to-token event is produced; the token itself is not inspected
    oauth.doAccessTokenRequest(authCode, "password");
    events.expectCodeToToken(loginEvent.getDetails().get(Details.CODE_ID), loginEvent.getSessionId())
            .client(THIRD_PARTY_APP)
            .assertEvent();
    oauth.openLogout();
    events.expectLogout(loginEvent.getSessionId()).assertEvent();

    // Second login: the dynamic scope, and only the dynamic scope, is asked for again
    oauth.scope("foo-dynamic-scope:withparam");
    oauth.doLogin("test-user@localhost", "password");
    grantPage.assertCurrent();
    List<String> secondGrants = grantPage.getDisplayedGrants();
    Assert.assertEquals(1, secondGrants.size());
    Assert.assertTrue(secondGrants.contains("foo-dynamic-scope: withparam"));
    grantPage.accept();
    events.expectLogin()
            .client(THIRD_PARTY_APP)
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();

    // Revoke the grant through the account console and check the audit event
    accountAppsPage.open();
    accountAppsPage.revokeGrant(THIRD_PARTY_APP);
    events.expect(EventType.REVOKE_GRANT)
            .client("account")
            .detail(Details.REVOKED_CLIENT, THIRD_PARTY_APP)
            .assertEvent();

    // Cleanup: reset the requested scope and detach the optional scope from the client
    oauth.scope(null);
    thirdPartyClient.removeOptionalClientScope(dynamicScopeId);
}
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
Class OAuthGrantTest, method oauthGrantScopeParamRequired.
/**
 * Checks that an optional client scope is only shown on the consent screen when the {@code scope}
 * request parameter asks for it: a login without the parameter must not list {@code foo-scope},
 * a login with it must, and the resulting grant can be revoked from the account console.
 *
 * @throws Exception propagated from the test harness
 */
@Test
public void oauthGrantScopeParamRequired() throws Exception {
    RealmResource appRealm = adminClient.realm(REALM_NAME);
    ClientResource thirdPartyClient = findClientByClientId(appRealm, THIRD_PARTY_APP);

    // Create the client scope under test
    ClientScopeRepresentation fooScope = new ClientScopeRepresentation();
    fooScope.setName("foo-scope");
    fooScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response createResponse = appRealm.clientScopes().create(fooScope);
    String fooScopeId = ApiUtil.getCreatedId(createResponse);
    createResponse.close();
    getCleanup().addClientScopeId(fooScopeId);

    // Optional scopes are consented only on explicit request
    thirdPartyClient.addOptionalClientScope(fooScopeId);

    // Without the scope parameter the consent screen must not mention the scope
    oauth.clientId(THIRD_PARTY_APP);
    oauth.doLoginGrant("test-user@localhost", "password");
    grantPage.assertCurrent();
    List<String> grantsWithoutParam = grantPage.getDisplayedGrants();
    Assert.assertFalse(grantsWithoutParam.contains("foo-scope"));
    grantPage.cancel();
    events.expectLogin()
            .client(THIRD_PARTY_APP)
            .error("rejected_by_user")
            .removeDetail(Details.CONSENT)
            .session(Matchers.nullValue(String.class))
            .assertEvent();

    // With the scope parameter the scope is listed and the grant is recorded
    oauth.scope("foo-scope");
    oauth.doLoginGrant("test-user@localhost", "password");
    grantPage.assertCurrent();
    List<String> grantsWithParam = grantPage.getDisplayedGrants();
    Assert.assertTrue(grantsWithParam.contains("foo-scope"));
    grantPage.accept();
    events.expectLogin()
            .client(THIRD_PARTY_APP)
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();

    // Revoke the grant through the account console and check the audit event
    accountAppsPage.open();
    accountAppsPage.revokeGrant(THIRD_PARTY_APP);
    events.expect(EventType.REVOKE_GRANT)
            .client("account")
            .detail(Details.REVOKED_CLIENT, THIRD_PARTY_APP)
            .assertEvent();

    // Cleanup: reset the requested scope and detach the optional scope from the client
    oauth.scope(null);
    thirdPartyClient.removeOptionalClientScope(fooScopeId);
}
Use of org.keycloak.representations.idm.ClientScopeRepresentation in project keycloak by keycloak.
Class OAuthGrantTest, method oauthGrantClientScopeMappers.
// KEYCLOAK-4326
/**
 * Checks consent for a default client scope that carries a protocol mapper: the scope appears on the
 * consent screen next to the built-in ones, the granted scope is visible in the account console and in
 * the user's consents via the admin API, a repeated login reuses the persisted consent, and the grant
 * can be revoked.
 *
 * @throws Exception propagated from the test harness
 */
@Test
public void oauthGrantClientScopeMappers() throws Exception {
    // Create a client scope carrying an address protocol mapper
    RealmResource appRealm = adminClient.realm(REALM_NAME);
    ClientScopeRepresentation addrScope = new ClientScopeRepresentation();
    addrScope.setName("foo-addr");
    addrScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response createScopeResponse = appRealm.clientScopes().create(addrScope);
    String addrScopeId = ApiUtil.getCreatedId(createScopeResponse);
    createScopeResponse.close();
    ProtocolMapperRepresentation addressMapper = ProtocolMapperUtil.createAddressMapper(true, true, true);
    Response createMapperResponse = appRealm.clientScopes().get(addrScopeId).getProtocolMappers().createMapper(addressMapper);
    createMapperResponse.close();

    // Attach the scope to the client as a default scope and register it for cleanup
    ClientResource thirdPartyClient = findClientByClientId(appRealm, THIRD_PARTY_APP);
    thirdPartyClient.addDefaultClientScope(addrScopeId);
    getCleanup().addClientScopeId(addrScopeId);

    // Login: the consent screen lists the built-in scopes plus the new one
    oauth.clientId(THIRD_PARTY_APP);
    oauth.doLoginGrant("test-user@localhost", "password");
    grantPage.assertCurrent();
    grantPage.assertGrants(
            OAuthGrantPage.EMAIL_CONSENT_TEXT,
            OAuthGrantPage.PROFILE_CONSENT_TEXT,
            OAuthGrantPage.ROLES_CONSENT_TEXT,
            "foo-addr");
    grantPage.accept();
    events.expectLogin()
            .client(THIRD_PARTY_APP)
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();

    // The user's application screen shows the granted scope
    accountAppsPage.open();
    Assert.assertTrue(accountAppsPage.isCurrent());
    Map<String, AccountApplicationsPage.AppEntry> applications = accountAppsPage.getApplications();
    Assert.assertTrue(applications.containsKey("third-party"));
    Assert.assertTrue(applications.get("third-party").getClientScopesGranted().contains("foo-addr"));

    // Through the admin API the user has exactly one consent
    UserResource testUser = ApiUtil.findUserByUsernameId(appRealm, "test-user@localhost");
    List<Map<String, Object>> consents = testUser.getConsents();
    Assert.assertEquals(1, consents.size());

    // A second login is completed without a new consent prompt, using the persisted consent
    oauth.openLoginForm();
    appPage.assertCurrent();
    events.expectLogin()
            .detail(Details.AUTH_METHOD, OIDCLoginProtocol.LOGIN_PROTOCOL)
            .detail(Details.CONSENT, Details.CONSENT_VALUE_PERSISTED_CONSENT)
            .removeDetail(Details.USERNAME)
            .client(THIRD_PARTY_APP)
            .assertEvent();

    // Revoke the grant through the account console and check the audit event
    accountAppsPage.open();
    accountAppsPage.revokeGrant(THIRD_PARTY_APP);
    events.expect(EventType.REVOKE_GRANT)
            .client("account")
            .detail(Details.REVOKED_CLIENT, THIRD_PARTY_APP)
            .assertEvent();

    // Cleanup: detach the default scope from the client
    thirdPartyClient.removeDefaultClientScope(addrScopeId);
}