use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class CIBATest method testTokenRequestAfterIntervalButNotYetAuthenticated.
@Test
public void testTokenRequestAfterIntervalButNotYetAuthenticated() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
final String bindingMessage = "BASTION";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
RealmRepresentation rep = backupCIBAPolicy();
Map<String, String> attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
attrMap.put(CibaConfig.CIBA_INTERVAL, String.valueOf(5));
rep.setAttributes(attrMap);
testRealm().update(rep);
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
// user Token Request but not yet user being authenticated
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
// user Token Request but not yet user being authenticated
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
// user Authentication Channel Request
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
// user Authentication Channel completed
EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String userId = loginEvent.getUserId();
setTimeOffset(5);
// user Token Request again
tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
// token introspection
String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
// token refresh
tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false);
// token introspection after token refresh
tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
// revoke by refresh token
EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false);
} finally {
revertCIBASettings(clientResource, clientRep);
restoreCIBAPolicy();
}
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class CIBATest method testTokenRevocation.
@Test
public void testTokenRevocation() throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
final String username = "nutzername-rot";
final String bindingMessage = "BASTION";
// prepare CIBA settings
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
clientRep = clientResource.toRepresentation();
prepareCIBASettings(clientResource, clientRep);
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
// user Authentication Channel Request
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
// user Authentication Channel completed
EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String userId = loginEvent.getUserId();
// user Token Request
OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
// token introspection
String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
// token refresh
tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, true);
// token introspection after token refresh
tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
// revoke by refresh token
EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, true);
} finally {
revertCIBASettings(clientResource, clientRep);
}
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class CIBATest method verifyBackchannelAuthenticationTokenRequest.
private void verifyBackchannelAuthenticationTokenRequest(OAuthClient.AccessTokenResponse tokenRes, String clientId, String username) {
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
EventRepresentation event = events.expectAuthReqIdToToken(null, null).clearDetails().user(AssertEvents.isUUID()).client(clientId).assertEvent();
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
assertThat(accessToken.getIssuedFor(), is(equalTo(clientId)));
RefreshToken refreshToken = oauth.parseRefreshToken(tokenRes.getRefreshToken());
assertThat(refreshToken.getIssuedFor(), is(equalTo(clientId)));
assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer())));
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
assertThat(idToken.getIssuedFor(), is(equalTo(clientId)));
assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor())));
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method successfulLoginAndLogoutWithPKCE.
private void successfulLoginAndLogoutWithPKCE(String clientId, String clientSecret, String userName, String userPassword) throws Exception {
oauth.clientId(clientId);
// 43
String codeVerifier = "1a345A7890123456r8901c3456789012b45K7890l23";
String codeChallenge = generateS256CodeChallenge(codeVerifier);
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
oauth.nonce("bjapewiziIE083d");
oauth.doLogin(userName, userPassword);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
oauth.codeVerifier(codeVerifier);
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
assertEquals(200, res.getStatusCode());
events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
AccessToken token = oauth.verifyToken(res.getAccessToken());
String userId = findUserByUsername(adminClient.realm(REALM_NAME), userName).getId();
assertEquals(userId, token.getSubject());
Assert.assertNotEquals(userName, token.getSubject());
assertEquals(sessionId, token.getSessionState());
assertEquals(clientId, token.getIssuedFor());
String refreshTokenString = res.getRefreshToken();
RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
assertEquals(sessionId, refreshToken.getSessionState());
assertEquals(clientId, refreshToken.getIssuedFor());
OAuthClient.AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(refreshTokenString, clientSecret);
assertEquals(200, refreshResponse.getStatusCode());
events.expectRefresh(refreshToken.getId(), sessionId).client(clientId).assertEvent();
AccessToken refreshedToken = oauth.verifyToken(refreshResponse.getAccessToken());
RefreshToken refreshedRefreshToken = oauth.parseRefreshToken(refreshResponse.getRefreshToken());
assertEquals(sessionId, refreshedToken.getSessionState());
assertEquals(sessionId, refreshedRefreshToken.getSessionState());
assertEquals(findUserByUsername(adminClient.realm(REALM_NAME), userName).getId(), refreshedToken.getSubject());
doIntrospectAccessToken(refreshResponse, userName, clientId, clientSecret);
doTokenRevoke(refreshResponse.getRefreshToken(), clientId, clientSecret, userId, false);
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class ClientPoliciesTest method successfulLogin.
private OAuthClient.AccessTokenResponse successfulLogin(String clientId, String clientSecret) {
oauth.clientId(clientId);
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
assertEquals(200, res.getStatusCode());
events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
return res;
}
Aggregations