Use of org.keycloak.representations.idm.EventRepresentation in project keycloak (by keycloak).
From class CIBATest, method testBackchannelAuthenticationFlow.
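/**
 * Drives one complete CIBA flow end to end: backchannel authentication request,
 * authentication-channel request and callback, token request, introspection,
 * refresh, introspection again, and finally logout by refresh token.
 *
 * @param isOfflineAccess whether the {@code offline_access} scope is requested; when set it
 *                        must also be visible on the authentication-channel request and is
 *                        passed through to the refresh and logout helpers
 * @param bindingMessage  binding message sent with the backchannel request and expected
 *                        unchanged on the authentication channel
 * @throws Exception propagated from the helper calls
 */
private void testBackchannelAuthenticationFlow(boolean isOfflineAccess, String bindingMessage) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        Map<String, String> additionalParameters = new HashMap<>();
        additionalParameters.put("user_device", "mobile");

        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);

        if (isOfflineAccess) {
            oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
        }

        // taken before the request so that auth_time can be bounded from below
        long startTime = Time.currentTime();

        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null, additionalParameters);

        // user Authentication Channel Request: binding message, requested scope and the
        // additional parameters must all survive the round trip to the authentication channel
        TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
        AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
        assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
        if (isOfflineAccess) {
            assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
        }
        assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
        assertThat(authenticationChannelReq.getAdditionalParameters().get("user_device"), is(equalTo("mobile")));

        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);
        String sessionId = loginEvent.getSessionId();
        String userId = loginEvent.getUserId();

        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());

        // auth_time must fall inside the window of this test run, with a 5 second tolerance
        long currentTime = Time.currentTime();
        long authTime = idToken.getAuth_time().longValue();
        assertTrue(startTime - 5 <= authTime);
        assertTrue(authTime <= currentTime + 5);

        // token introspection (the helper carries its own assertions; its result is not needed here)
        doIntrospectAccessTokenWithClientCredential(tokenRes, username);

        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, isOfflineAccess);

        // token introspection after token refresh
        doIntrospectAccessTokenWithClientCredential(tokenRes, username);

        // logout by refresh token
        doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, isOfflineAccess);
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}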
Use of org.keycloak.representations.idm.EventRepresentation in project keycloak (by keycloak).
From class CIBATest, method testAccessThrottling.
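/**
 * Verifies that polling the token endpoint faster than the configured CIBA interval is
 * throttled: the first premature poll reports {@code authorization_pending}, further
 * premature polls report {@code slow_down}, and the request succeeds once the interval
 * has elapsed and the authentication channel has completed.
 *
 * @throws Exception propagated from the helper calls
 */
@Test
public void testAccessThrottling() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";

        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);

        // shorten the polling interval so the test does not have to wait long for a legal poll
        RealmRepresentation rep = backupCIBAPolicy();
        Map<String, String> attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
        attrMap.put(CibaConfig.CIBA_INTERVAL, String.valueOf(3));
        rep.setAttributes(attrMap);
        testRealm().update(rep);

        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);

        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
        assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));

        // first poll: the user has not completed the authentication channel yet
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));

        // second poll, still within the configured interval: the client is told to slow down
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));

        // third poll, again within the interval: still slow_down
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));

        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
        String sessionId = loginEvent.getSessionId();
        String userId = loginEvent.getUserId();

        // move past the interval, then the poll is accepted
        // NOTE(review): the time offset is not reset in the finally block below;
        // presumably an @After hook in the test base class does that — confirm
        setTimeOffset(3);
        tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());

        // token introspection (the helper carries its own assertions; its result is not needed here)
        doIntrospectAccessTokenWithClientCredential(tokenRes, username);

        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false);

        // token introspection after token refresh
        doIntrospectAccessTokenWithClientCredential(tokenRes, username);

        // revoke by refresh token
        doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false);
    } finally {
        revertCIBASettings(clientResource, clientRep);
        restoreCIBAPolicy();
    }
}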
Use of org.keycloak.representations.idm.EventRepresentation in project keycloak (by keycloak).
From class TokenIntrospectionTest, method testIntrospectAccessToken.
/**
 * Introspects a freshly issued access token using a confidential client's credentials
 * and checks the reported metadata (active flag, username, client id, subject, scope)
 * against the login that produced the token.
 *
 * @throws Exception propagated from the OAuth helpers and JSON parsing
 */
@Test
public void testIntrospectAccessToken() throws Exception {
    final String user = "test-user@localhost";

    oauth.doLogin(user, "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation login = events.expectLogin().assertEvent();
    AccessTokenResponse tokens = oauth.doAccessTokenRequest(authorizationCode, "password");

    // introspection is performed by a different (confidential) client than the one that obtained the token
    String introspection = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokens.getAccessToken());
    TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspection, TokenMetadataRepresentation.class);

    assertTrue(metadata.isActive());
    assertEquals(user, metadata.getUserName());
    assertEquals("test-app", metadata.getClientId());
    assertEquals(login.getUserId(), metadata.getSubject());

    // Assert expected scope
    AbstractOIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
}
Use of org.keycloak.representations.idm.EventRepresentation in project keycloak (by keycloak).
From class TokenIntrospectionTest, method testIntrospectAccessTokenUserDisabled.
/**
 * Disables the user after an access token has been issued and checks that introspection
 * then reports the token as inactive without disclosing username, client id or subject.
 * The user is re-enabled in a finally block so later tests are not affected.
 *
 * @throws Exception propagated from the OAuth helpers and JSON parsing
 */
@Test
public void testIntrospectAccessTokenUserDisabled() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    AccessTokenResponse tokens = oauth.doAccessTokenRequest(authorizationCode, "password");
    EventRepresentation login = events.expectLogin().assertEvent();
    String realmName = oauth.getRealm();
    String userId = login.getUserId();

    UserRepresentation enabledToggle = new UserRepresentation();
    try {
        // disable the account only after the token exists
        enabledToggle.setEnabled(false);
        adminClient.realm(realmName).users().get(userId).update(enabledToggle);

        String introspection = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokens.getAccessToken());
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspection, TokenMetadataRepresentation.class);

        // an inactive token must not leak any further metadata
        assertFalse(metadata.isActive());
        assertNull(metadata.getUserName());
        assertNull(metadata.getClientId());
        assertNull(metadata.getSubject());
    } finally {
        enabledToggle.setEnabled(true);
        adminClient.realm(realmName).users().get(userId).update(enabledToggle);
    }
}
Use of org.keycloak.representations.idm.EventRepresentation in project keycloak (by keycloak).
From class OIDCScopeTest, method testOptionalScopesWithConsentRequired.
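/**
 * Checks consent handling for optional scopes on a third-party client: with the
 * {@code address} scope hidden from the consent screen, a default login only asks for
 * profile, email and roles, and a second login requesting {@code address} and {@code phone}
 * only asks for phone while the tokens still carry both scopes. The change to the
 * {@code address} scope is reverted in a finally block so a failing assertion does not
 * leave the shared realm modified for later tests.
 *
 * @throws Exception propagated from the OAuth and admin helpers
 */
@Test
public void testOptionalScopesWithConsentRequired() throws Exception {
    // Remove "displayOnConsentScreen" from address
    ClientScopeResource addressScope = ApiUtil.findClientScopeByName(testRealm(), "address");
    ClientScopeRepresentation addressScopeRep = addressScope.toRepresentation();
    addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "false");
    addressScope.update(addressScopeRep);

    try {
        oauth.clientId("third-party");
        oauth.doLoginGrant("john", "password");

        // address is not shown on the consent screen, so only profile, email and roles are listed
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
        grantPage.accept();

        EventRepresentation loginEvent = events.expectLogin().user(userId).client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
        Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
        IDToken idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, false);
        assertPhone(idToken, false);

        // Logout
        oauth.doLogout(tokens.refreshToken, "password");
        events.expectLogout(idToken.getSessionState()).client("third-party").user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();

        // Login with optional scopes. Grant screen should have just "phone"
        oauth.scope("openid address phone");
        oauth.doLoginGrant("john", "password");
        grantPage.assertCurrent();
        grantPage.assertGrants(OAuthGrantPage.PHONE_CONSENT_TEXT);
        grantPage.accept();

        loginEvent = events.expectLogin().client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).user(userId).assertEvent();
        tokens = sendTokenRequest(loginEvent, userId, "openid email profile address phone", "third-party");
        idToken = tokens.idToken;
        assertProfile(idToken, true);
        assertEmail(idToken, true);
        assertAddress(idToken, true);
        assertPhone(idToken, true);
    } finally {
        // Revert, even if an assertion above failed
        addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "true");
        addressScope.update(addressScopeRep);
    }
}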