Search in sources :

Example 96 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class CIBATest method testBackchannelAuthenticationFlow.

private void testBackchannelAuthenticationFlow(boolean isOfflineAccess, String bindingMessage) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        Map<String, String> additionalParameters = new HashMap<>();
        additionalParameters.put("user_device", "mobile");
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        if (isOfflineAccess)
            oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
        long startTime = Time.currentTime();
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null, additionalParameters);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
        AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
        assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
        if (isOfflineAccess)
            assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
        assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
        assertThat(authenticationChannelReq.getAdditionalParameters().get("user_device"), is(equalTo("mobile")));
        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);
        String sessionId = loginEvent.getSessionId();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String userId = loginEvent.getUserId();
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
        long currentTime = Time.currentTime();
        long authTime = idToken.getAuth_time().longValue();
        assertTrue(startTime - 5 <= authTime);
        assertTrue(authTime <= currentTime + 5);
        // token introspection
        String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, isOfflineAccess);
        // token introspection after token refresh
        tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // logout by refresh token
        EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, isOfflineAccess);
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}
Also used : HashMap(java.util.HashMap) OAuthClient(org.keycloak.testsuite.util.OAuthClient) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) AuthenticationChannelRequest(org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelRequest) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) IDToken(org.keycloak.representations.IDToken) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)

Example 97 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class CIBATest method testAccessThrottling.

@Test
public void testAccessThrottling() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        RealmRepresentation rep = backupCIBAPolicy();
        Map<String, String> attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
        attrMap.put(CibaConfig.CIBA_INTERVAL, String.valueOf(3));
        rep.setAttributes(attrMap);
        testRealm().update(rep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
        assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
        String sessionId = loginEvent.getSessionId();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String userId = loginEvent.getUserId();
        setTimeOffset(3);
        tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        // token introspection
        String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false);
        // token introspection after token refresh
        tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // revoke by refresh token
        EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false);
    } finally {
        revertCIBASettings(clientResource, clientRep);
        restoreCIBAPolicy();
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) Matchers.containsString(org.hamcrest.Matchers.containsString) AuthenticationRequestAcknowledgement(org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement) TestAuthenticationChannelRequest(org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 98 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class TokenIntrospectionTest method testIntrospectAccessToken.

@Test
public void testIntrospectAccessToken() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
    String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
    TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
    assertTrue(rep.isActive());
    assertEquals("test-user@localhost", rep.getUserName());
    assertEquals("test-app", rep.getClientId());
    assertEquals(loginEvent.getUserId(), rep.getSubject());
    // Assert expected scope
    AbstractOIDCScopeTest.assertScopes("openid email profile", rep.getScope());
}
Also used : TokenMetadataRepresentation(org.keycloak.representations.oidc.TokenMetadataRepresentation) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse) AbstractOIDCScopeTest(org.keycloak.testsuite.oidc.AbstractOIDCScopeTest) OIDCScopeTest(org.keycloak.testsuite.oidc.OIDCScopeTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 99 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class TokenIntrospectionTest method testIntrospectAccessTokenUserDisabled.

@Test
public void testIntrospectAccessTokenUserDisabled() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    UserRepresentation userRep = new UserRepresentation();
    try {
        userRep.setEnabled(false);
        adminClient.realm(oauth.getRealm()).users().get(loginEvent.getUserId()).update(userRep);
        String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());
        TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
        assertFalse(rep.isActive());
        assertNull(rep.getUserName());
        assertNull(rep.getClientId());
        assertNull(rep.getSubject());
    } finally {
        userRep.setEnabled(true);
        adminClient.realm(oauth.getRealm()).users().get(loginEvent.getUserId()).update(userRep);
    }
}
Also used : TokenMetadataRepresentation(org.keycloak.representations.oidc.TokenMetadataRepresentation) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) AbstractOIDCScopeTest(org.keycloak.testsuite.oidc.AbstractOIDCScopeTest) OIDCScopeTest(org.keycloak.testsuite.oidc.OIDCScopeTest) Test(org.junit.Test) AbstractTestRealmKeycloakTest(org.keycloak.testsuite.AbstractTestRealmKeycloakTest)

Example 100 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OIDCScopeTest method testOptionalScopesWithConsentRequired.

@Test
public void testOptionalScopesWithConsentRequired() throws Exception {
    // Remove "displayOnConsentScreen" from address
    ClientScopeResource addressScope = ApiUtil.findClientScopeByName(testRealm(), "address");
    ClientScopeRepresentation addressScopeRep = addressScope.toRepresentation();
    addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "false");
    addressScope.update(addressScopeRep);
    oauth.clientId("third-party");
    oauth.doLoginGrant("john", "password");
    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
    grantPage.accept();
    EventRepresentation loginEvent = events.expectLogin().user(userId).client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).assertEvent();
    Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
    IDToken idToken = tokens.idToken;
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);
    // Logout
    oauth.doLogout(tokens.refreshToken, "password");
    events.expectLogout(idToken.getSessionState()).client("third-party").user(userId).removeDetail(Details.REDIRECT_URI).assertEvent();
    // Login with optional scopes. Grant screen should have just "phone"
    oauth.scope("openid address phone");
    oauth.doLoginGrant("john", "password");
    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PHONE_CONSENT_TEXT);
    grantPage.accept();
    loginEvent = events.expectLogin().client("third-party").detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED).user(userId).assertEvent();
    tokens = sendTokenRequest(loginEvent, userId, "openid email profile address phone", "third-party");
    idToken = tokens.idToken;
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, true);
    assertPhone(idToken, true);
    // Revert
    addressScopeRep.getAttributes().put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, "true");
    addressScope.update(addressScopeRep);
}
Also used : ClientScopeResource(org.keycloak.admin.client.resource.ClientScopeResource) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) IDToken(org.keycloak.representations.IDToken) Test(org.junit.Test)

Aggregations

EventRepresentation (org.keycloak.representations.idm.EventRepresentation)164 Test (org.junit.Test)124 OAuthClient (org.keycloak.testsuite.util.OAuthClient)93 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)60 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)44 RefreshToken (org.keycloak.representations.RefreshToken)27 ClientResource (org.keycloak.admin.client.resource.ClientResource)26 AccessToken (org.keycloak.representations.AccessToken)26 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)25 IDToken (org.keycloak.representations.IDToken)23 Matchers.containsString (org.hamcrest.Matchers.containsString)15 AbstractAdminTest (org.keycloak.testsuite.admin.AbstractAdminTest)15 Response (javax.ws.rs.core.Response)13 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)13 AccessTokenResponse (org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse)12 IOException (java.io.IOException)11 RealmResource (org.keycloak.admin.client.resource.RealmResource)11 AssertEvents (org.keycloak.testsuite.AssertEvents)10 JWSInput (org.keycloak.jose.jws.JWSInput)9 TestAuthenticationChannelRequest (org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)9