// KEYCLOAK-6170
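@Test
public void testTwoRefreshTokensWithDifferentScopes() {
    // Two optional client scopes, each mapping exactly one realm role. With
    // fullScopeAllowed switched off on "test-app", the only way a realm role can
    // reach a token is through a client scope the client actually requested.
    String scope1Id = createScopeWithRealmRole("scope-role-1", "role-1");
    String scope2Id = createScopeWithRealmRole("scope-role-2", "role-2");

    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    testAppRep.setFullScopeAllowed(false);
    testApp.update(testAppRep);
    testApp.addOptionalClientScope(scope1Id);
    testApp.addOptionalClientScope(scope2Id);

    try {
        // First login requests scope-role-1 only; keep its refresh token.
        oauth.scope("scope-role-1");
        oauth.doLogin("john", "password");
        EventRepresentation loginEvent = events.expectLogin().user(userId).assertEvent();
        Tokens tokens1 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-1", "test-app");
        Assert.assertTrue(tokens1.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(tokens1.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Second login reuses the browser SSO session and requests scope-role-2 only.
        // No credentials are typed this time, so the login event carries no USERNAME detail.
        oauth.scope("scope-role-2");
        oauth.openLoginForm();
        loginEvent = events.expectLogin().user(userId).removeDetail(Details.USERNAME).client("test-app").assertEvent();
        Tokens tokens2 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-2", "test-app");
        Assert.assertFalse(tokens2.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(tokens2.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Property under test: each refresh token keeps the scope it was issued with.
        // Both tokens belong to the same user session, yet refreshing token 1 must not
        // surface role-2 and refreshing token 2 must not surface role-1.
        assertRefreshGrantsOnlyRole(tokens1.refreshToken, "role-1", "role-2");
        assertRefreshGrantsOnlyRole(tokens2.refreshToken, "role-2", "role-1");
    } finally {
        // Revert even when an assertion fails; otherwise later tests would run against a
        // client with full scope disabled and two stray optional scopes still attached.
        testAppRep.setFullScopeAllowed(true);
        testApp.update(testAppRep);
        testApp.removeOptionalClientScope(scope1Id);
        testApp.removeOptionalClientScope(scope2Id);
    }
}

/**
 * Creates an OIDC client scope named {@code scopeName}, registers it for cleanup,
 * maps the realm role {@code roleName} onto it and returns the new scope id.
 */
private String createScopeWithRealmRole(String scopeName, String roleName) {
    ClientScopeRepresentation scope = new ClientScopeRepresentation();
    scope.setName(scopeName);
    scope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = testRealm().clientScopes().create(scope);
    String scopeId;
    try {
        scopeId = ApiUtil.getCreatedId(response);
    } finally {
        // Close the JAX-RS response even if the id could not be read from it.
        response.close();
    }
    getCleanup().addClientScopeId(scopeId);
    RoleRepresentation role = testRealm().roles().get(roleName).toRepresentation();
    testRealm().clientScopes().get(scopeId).getScopeMappings().realmLevel().add(Arrays.asList(role));
    return scopeId;
}

/**
 * Refreshes {@code refreshToken} and asserts that the new access token contains
 * {@code expectedRole} and does not contain {@code forbiddenRole}.
 */
private void assertRefreshGrantsOnlyRole(String refreshToken, String expectedRole, String forbiddenRole) {
    OAuthClient.AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(refreshToken, "password");
    Assert.assertEquals(200, refreshResponse.getStatusCode());
    AccessToken refreshed = oauth.verifyToken(refreshResponse.getAccessToken());
    Assert.assertTrue(refreshed.getRealmAccess().isUserInRole(expectedRole));
    Assert.assertFalse(refreshed.getRealmAccess().isUserInRole(forbiddenRole));
}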
/**
 * Logs in, obtains an access token signed with {@code jwaAlgorithm} and checks that
 * introspecting it as another confidential client ("confidential-cli") reports it
 * active with the expected user, client, subject and scope. The client's signature
 * algorithm is always restored to RS256 afterwards so other tests see the default.
 */
private void testIntrospectAccessToken(String jwaAlgorithm) throws Exception {
    try {
        // Make "test-app" sign its access tokens with the algorithm under test.
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), jwaAlgorithm);

        oauth.doLogin("test-user@localhost", "password");
        EventRepresentation login = events.expectLogin().assertEvent();
        String authCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authCode, "password");
        String accessToken = tokenResponse.getAccessToken();

        // The JWS header must actually advertise the requested algorithm.
        String headerAlg = new JWSInput(accessToken).getHeader().getAlgorithm().name();
        assertEquals(jwaAlgorithm, headerAlg);

        // Introspect with a different client's credentials, the resource-server style lookup.
        String introspection = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessToken);
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspection, TokenMetadataRepresentation.class);

        assertTrue(metadata.isActive());
        assertEquals("test-user@localhost", metadata.getUserName());
        assertEquals("test-app", metadata.getClientId());
        // Subject is the user who logged in, taken from the login event.
        assertEquals(login.getUserId(), metadata.getSubject());
        // Default scope of "test-app": no extra client scopes were requested.
        OIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
    } finally {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), Algorithm.RS256);
    }
}
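@Test
public void testIntrospectRefreshToken() throws Exception {
    // Log in once and remember the session so the introspection result can be tied back to it.
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");

    // Introspect the refresh token as a different confidential client ("confidential-cli"),
    // i.e. the resource-server style lookup rather than the client the token was issued to.
    String tokenResponse = oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getRefreshToken());
    ObjectMapper objectMapper = new ObjectMapper();
    JsonNode jsonNode = objectMapper.readTree(tokenResponse);

    // Raw JSON: the token is active and bound to the issuing session and client.
    assertTrue(jsonNode.get("active").asBoolean());
    assertEquals(sessionId, jsonNode.get("session_state").asText());
    assertEquals("test-app", jsonNode.get("client_id").asText());
    // Standard JWT claims expected in the response; "nbf" is deliberately absent here.
    assertTrue(jsonNode.has("exp"));
    assertTrue(jsonNode.has("iat"));
    assertFalse(jsonNode.has("nbf"));
    assertTrue(jsonNode.has("sub"));
    assertTrue(jsonNode.has("aud"));
    assertTrue(jsonNode.has("iss"));
    assertTrue(jsonNode.has("jti"));
    assertTrue(jsonNode.has("typ"));
    // The subject must be the user who logged in, not the client doing the introspection.
    assertEquals(loginEvent.getUserId(), jsonNode.get("sub").asText());

    // Typed representation must agree with the raw JSON field by field.
    TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
    assertTrue(rep.isActive());
    assertEquals("test-app", rep.getClientId());
    assertEquals(loginEvent.getUserId(), rep.getSubject());
    assertEquals(jsonNode.get("session_state").asText(), rep.getSessionState());
    assertEquals(jsonNode.get("exp").asInt(), rep.getExpiration());
    assertEquals(jsonNode.get("iat").asInt(), rep.getIssuedAt());
    // Both sides are expected to be null: "nbf" is not in the JSON (asserted above) and the
    // representation carries no not-before value either.
    assertEquals(jsonNode.get("nbf"), rep.getNbf());
    assertEquals(jsonNode.get("iss").asText(), rep.getIssuer());
    assertEquals(jsonNode.get("jti").asText(), rep.getId());
    // JUnit argument order is (expected, actual); a refresh token introspects with typ "Refresh".
    assertEquals("Refresh", jsonNode.get("typ").asText());
}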
/**
 * A failed login for an unknown user must produce exactly one LOGIN_ERROR event
 * whose attributes identify the realm, the attempted username and the flow, but
 * which is attached to neither a user nor a session (there is none to attach to).
 */
@Test
public void eventAttributesTest() {
    badLogin();

    List<EventRepresentation> recorded = events();
    assertEquals(1, recorded.size());
    EventRepresentation loginError = recorded.get(0);

    // Envelope: timestamp, client address, type, realm.
    assertTrue(loginError.getTime() > 0);
    assertNotNull(loginError.getIpAddress());
    assertEquals("LOGIN_ERROR", loginError.getType());
    assertEquals(realmName(), loginError.getRealmId());

    // An unknown user cannot be resolved, so neither a user id nor a session is recorded.
    assertNull(loginError.getUserId());
    assertNull(loginError.getSessionId());
    assertEquals("user_not_found", loginError.getError());

    // Flow details: OIDC authorization-code flow, with the attempted username preserved
    // so operators can spot enumeration or brute-force attempts in the event log.
    Map<String, String> detail = loginError.getDetails();
    assertEquals("openid-connect", detail.get("auth_method"));
    assertEquals("code", detail.get("auth_type"));
    assertNotNull(detail.get("redirect_uri"));
    assertNotNull(detail.get("code_id"));
    assertEquals("bad", detail.get("username"));
}
// Authorization Code Flow
// Bind HoK Token
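@Test
public void accessTokenRequestWithClientCertificate() throws Exception {
    // Authorization-code login; the event gives us the session and code id that the
    // token endpoint response is later checked against.
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    // Exchange the code over mutual TLS using the default client key store, so the
    // server can bind the issued token to the presented client certificate.
    // The method already declares "throws Exception", so an IOException from the
    // HTTP client propagates with its original type and stack instead of being
    // re-wrapped in a RuntimeException.
    AccessTokenResponse response;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        response = oauth.doAccessTokenRequest(code, "password", client);
    }

    // Success pattern: ordinary token response checks, then the holder-of-key binding:
    // the token's certificate thumbprint must match the default client certificate.
    expectSuccessfulResponseFromTokenEndpoint(sessionId, codeId, response);
    verifyHoKTokenDefaultCertThumbPrint(response);
}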