
Example 51 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OIDCScopeTest method testTwoRefreshTokensWithDifferentScopes.

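// KEYCLOAK-6170
/**
 * Verifies that two refresh tokens issued within the same SSO session, each requested with a
 * different optional client scope, remain scope-isolated: refreshing either one must yield only
 * the realm role granted through the scope it was originally issued with, never the union.
 *
 * <p>Two fresh client scopes are created and mapped to {@code role-1} / {@code role-2}, and
 * {@code test-app} is switched to {@code fullScopeAllowed=false} so that role membership in the
 * tokens is decided purely by the requested scope. The client configuration is reverted in a
 * {@code finally} block so that a failing assertion cannot leave {@code test-app} restricted for
 * the tests that run afterwards.
 */
@Test
public void testTwoRefreshTokensWithDifferentScopes() {
    // Add 2 client scopes. Each with scope to 1 realm role
    String scope1Id = createClientScopeWithRealmRole("scope-role-1", "role-1");
    String scope2Id = createClientScopeWithRealmRole("scope-role-2", "role-2");

    // Add client scopes to our client. Disable fullScopeAllowed
    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    testAppRep.setFullScopeAllowed(false);
    testApp.update(testAppRep);
    testApp.addOptionalClientScope(scope1Id);
    testApp.addOptionalClientScope(scope2Id);

    try {
        // Login with scope-role-1. Save refresh token
        oauth.scope("scope-role-1");
        oauth.doLogin("john", "password");
        EventRepresentation loginEvent = events.expectLogin().user(userId).assertEvent();
        Tokens tokens1 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-1", "test-app");
        Assert.assertTrue(tokens1.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(tokens1.accessToken.getRealmAccess().isUserInRole("role-2"));

        // SSO login with scope-role-2. Save refresh token
        oauth.scope("scope-role-2");
        oauth.openLoginForm();
        loginEvent = events.expectLogin().user(userId).removeDetail(Details.USERNAME).client("test-app").assertEvent();
        Tokens tokens2 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-2", "test-app");
        Assert.assertFalse(tokens2.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(tokens2.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Ensure I can refresh refreshToken1. Just role1 is present
        assertRefreshGrantsOnlyRole(tokens1.refreshToken, "role-1", "role-2");
        // Ensure I can refresh refreshToken2. Just role2 is present
        assertRefreshGrantsOnlyRole(tokens2.refreshToken, "role-2", "role-1");
    } finally {
        // Revert, even when an assertion above fails, so later tests see the default client config
        testAppRep.setFullScopeAllowed(true);
        testApp.update(testAppRep);
        testApp.removeOptionalClientScope(scope1Id);
        testApp.removeOptionalClientScope(scope2Id);
    }
}

/**
 * Creates an OIDC client scope named {@code scopeName}, registers it for cleanup and maps the
 * realm role {@code roleName} onto it at realm level.
 *
 * @param scopeName name of the client scope to create
 * @param roleName  name of an existing realm role to add to the scope's realm-level mappings
 * @return the id of the created client scope
 */
private String createClientScopeWithRealmRole(String scopeName, String roleName) {
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName(scopeName);
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = testRealm().clientScopes().create(clientScope);
    String scopeId;
    try {
        scopeId = ApiUtil.getCreatedId(response);
    } finally {
        // The JAX-RS response holds a connection until closed
        response.close();
    }
    getCleanup().addClientScopeId(scopeId);
    RoleRepresentation role = testRealm().roles().get(roleName).toRepresentation();
    testRealm().clientScopes().get(scopeId).getScopeMappings().realmLevel().add(Arrays.asList(role));
    return scopeId;
}

/**
 * Exchanges {@code refreshToken} with the token endpoint and asserts that the new access token
 * carries {@code expectedRole} but not {@code absentRole} in its realm access.
 *
 * @param refreshToken refresh token to present to the token endpoint
 * @param expectedRole realm role that must be present in the refreshed access token
 * @param absentRole   realm role that must not be present in the refreshed access token
 */
private void assertRefreshGrantsOnlyRole(String refreshToken, String expectedRole, String absentRole) {
    OAuthClient.AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(refreshToken, "password");
    Assert.assertEquals(200, refreshResponse.getStatusCode());
    AccessToken accessToken = oauth.verifyToken(refreshResponse.getAccessToken());
    Assert.assertTrue(accessToken.getRealmAccess().isUserInRole(expectedRole));
    Assert.assertFalse(accessToken.getRealmAccess().isUserInRole(absentRole));
}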

Example 52 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class TokenIntrospectionTest method testIntrospectAccessToken.

/**
 * Logs in, obtains an access token signed with {@code jwaAlgorithm} and checks that introspection
 * performed by the confidential client reports the token as active with the expected username,
 * client id, subject and scope. The signature provider of {@code test-app} is restored to RS256
 * in {@code finally} regardless of the outcome, so other tests are not affected.
 *
 * @param jwaAlgorithm JWS algorithm name to configure on {@code test-app} for the duration of this check
 * @throws Exception if the login, token request or introspection round trip fails
 */
private void testIntrospectAccessToken(String jwaAlgorithm) throws Exception {
    try {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), jwaAlgorithm);

        oauth.doLogin("test-user@localhost", "password");
        String authCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        EventRepresentation loginEvent = events.expectLogin().assertEvent();

        AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authCode, "password");
        // The token must actually be signed with the algorithm we just configured
        String signedWith = new JWSInput(tokenResponse.getAccessToken()).getHeader().getAlgorithm().name();
        assertEquals(jwaAlgorithm, signedWith);

        String introspectionJson = oauth.introspectAccessTokenWithClientCredential(
                "confidential-cli", "secret1", tokenResponse.getAccessToken());
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectionJson, TokenMetadataRepresentation.class);
        assertTrue(metadata.isActive());
        assertEquals("test-user@localhost", metadata.getUserName());
        assertEquals("test-app", metadata.getClientId());
        assertEquals(loginEvent.getUserId(), metadata.getSubject());
        // Assert expected scope
        OIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
    } finally {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), Algorithm.RS256);
    }
}

Example 53 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class TokenIntrospectionTest method testIntrospectRefreshToken.

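/**
 * Introspects a refresh token through the confidential client and checks both the raw JSON
 * response and its {@link TokenMetadataRepresentation} deserialisation: the token is active,
 * belongs to {@code test-app} and the login session, carries the standard JWT claims
 * ({@code exp}, {@code iat}, {@code sub}, {@code aud}, {@code iss}, {@code jti}, {@code typ}) and
 * has no {@code nbf}.
 *
 * @throws Exception if the login, token request or JSON parsing fails
 */
@Test
public void testIntrospectRefreshToken() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
    String tokenResponse = oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getRefreshToken());

    ObjectMapper objectMapper = new ObjectMapper();
    JsonNode jsonNode = objectMapper.readTree(tokenResponse);
    assertTrue(jsonNode.get("active").asBoolean());
    assertEquals(sessionId, jsonNode.get("session_state").asText());
    assertEquals("test-app", jsonNode.get("client_id").asText());
    assertTrue(jsonNode.has("exp"));
    assertTrue(jsonNode.has("iat"));
    assertFalse(jsonNode.has("nbf"));
    assertTrue(jsonNode.has("sub"));
    assertTrue(jsonNode.has("aud"));
    assertTrue(jsonNode.has("iss"));
    assertTrue(jsonNode.has("jti"));
    assertTrue(jsonNode.has("typ"));

    // The typed representation must agree with the raw JSON claim by claim
    TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
    assertTrue(rep.isActive());
    assertEquals("test-app", rep.getClientId());
    assertEquals(jsonNode.get("session_state").asText(), rep.getSessionState());
    assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
    assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
    // "nbf" was asserted absent above, so jsonNode.get("nbf") is null and this only passes if the
    // representation reports no not-before value either
    assertEquals(jsonNode.get("nbf"), rep.getNbf());
    assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());
    assertEquals(jsonNode.get("jti").asText(), rep.getId());
    // expected value first, so a mismatch is reported the right way round
    assertEquals("Refresh", jsonNode.get("typ").asText());
}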

Example 54 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class LoginEventsTest method eventAttributesTest.

/**
 * Checks the attributes recorded for a failed login: exactly one {@code LOGIN_ERROR} event with
 * error {@code user_not_found}, a positive timestamp, a client IP, the test realm, no user or
 * session id, and auth details that include the attempted username.
 */
@Test
public void eventAttributesTest() {
    badLogin();

    List<EventRepresentation> recorded = events();
    assertEquals(1, recorded.size());
    EventRepresentation loginError = recorded.get(0);

    assertTrue(loginError.getTime() > 0);
    assertNotNull(loginError.getIpAddress());
    assertEquals("LOGIN_ERROR", loginError.getType());
    assertEquals(realmName(), loginError.getRealmId());
    // no user for bad login
    assertNull(loginError.getUserId());
    // no session for bad login
    assertNull(loginError.getSessionId());
    assertEquals("user_not_found", loginError.getError());

    Map<String, String> eventDetails = loginError.getDetails();
    assertEquals("openid-connect", eventDetails.get("auth_method"));
    assertEquals("code", eventDetails.get("auth_type"));
    assertNotNull(eventDetails.get("redirect_uri"));
    assertNotNull(eventDetails.get("code_id"));
    assertEquals("bad", eventDetails.get("username"));
}

Example 55 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class HoKTest method accessTokenRequestWithClientCertificate.

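// Authorization Code Flow
// Bind HoK Token
/**
 * Runs the authorization code flow with a mutual-TLS HTTP client and checks that the token
 * endpoint succeeds and binds the issued token to the default client certificate thumbprint
 * (holder-of-key).
 *
 * <p>The method already declares {@code throws Exception}, so exceptions from building or closing
 * the mTLS client are propagated as-is instead of being wrapped in a {@code RuntimeException},
 * which keeps the original exception type visible in the test report.
 *
 * @throws Exception if the login, mTLS client setup or token request fails
 */
@Test
public void accessTokenRequestWithClientCertificate() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    AccessTokenResponse response;
    // try-with-resources closes the mTLS client after the token request
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        response = oauth.doAccessTokenRequest(code, "password", client);
    }

    // Success Pattern
    expectSuccessfulResponseFromTokenEndpoint(sessionId, codeId, response);
    verifyHoKTokenDefaultCertThumbPrint(response);
}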
