use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class RefreshTokenTest method refreshTokenClientDisabled.
@Test
public void refreshTokenClientDisabled() throws Exception {
oauth.doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().assertEvent();
String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
String refreshTokenString = response.getRefreshToken();
RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
events.expectCodeToToken(codeId, sessionId).assertEvent();
try {
ClientManager.realm(adminClient.realm("test")).clientId(oauth.getClientId()).enabled(false);
setTimeOffset(2);
response = oauth.doRefreshTokenRequest(refreshTokenString, "password");
assertEquals(400, response.getStatusCode());
assertEquals("unauthorized_client", response.getError());
events.expectRefresh(refreshToken.getId(), sessionId).user((String) null).session((String) null).clearDetails().error(Errors.CLIENT_DISABLED).assertEvent();
} finally {
ClientManager.realm(adminClient.realm("test")).clientId(oauth.getClientId()).enabled(true);
}
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class OfflineTokenTest method browserOfflineTokenLogoutFollowedByLoginSameSession.
@Test
public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Exception {
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
oauth.clientId("offline-client");
oauth.redirectUri(offlineClientAppUri);
oauth.doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
final String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
oauth.verifyToken(tokenResponse.getAccessToken());
String offlineTokenString = tokenResponse.getRefreshToken();
RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
events.expectCodeToToken(codeId, sessionId).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) -> session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class);
// logout offline session
try (CloseableHttpResponse logoutResponse = oauth.doLogout(offlineTokenString, "secret1")) {
assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
}
events.expectLogout(offlineUserSessionId).client("offline-client").removeDetail(Details.REDIRECT_URI).assertEvent();
// Need to login again now
oauth.doLogin("test-user@localhost", "password");
String code2 = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse2 = oauth.doAccessTokenRequest(code2, "secret1");
assertEquals(200, tokenResponse2.getStatusCode());
oauth.verifyToken(tokenResponse2.getAccessToken());
String offlineTokenString2 = tokenResponse2.getRefreshToken();
RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2);
loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
codeId = loginEvent.getDetails().get(Details.CODE_ID);
events.expectCodeToToken(codeId, offlineToken2.getSessionState()).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
assertEquals(0, offlineToken2.getExpiration());
// Assert session changed
assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState());
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class OfflineTokenTest method testOfflineSessionExpiration.
private void testOfflineSessionExpiration(int idleTime, int maxLifespan, int offset) {
int[] prev = null;
try {
prev = changeOfflineSessionSettings(true, maxLifespan, idleTime);
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
oauth.clientId("offline-client");
oauth.redirectUri(offlineClientAppUri);
oauth.doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
final String sessionId = loginEvent.getSessionId();
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
String offlineTokenString = tokenResponse.getRefreshToken();
RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
tokenResponse = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
AccessToken refreshedToken = oauth.verifyToken(tokenResponse.getAccessToken());
offlineTokenString = tokenResponse.getRefreshToken();
offlineToken = oauth.parseRefreshToken(offlineTokenString);
Assert.assertEquals(200, tokenResponse.getStatusCode());
// wait to expire
setTimeOffset(offset);
tokenResponse = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
Assert.assertEquals(400, tokenResponse.getStatusCode());
assertEquals("invalid_grant", tokenResponse.getError());
// Assert userSession expired
testingClient.testing().removeExpired("test");
try {
testingClient.testing().removeUserSession("test", sessionId);
} catch (NotFoundException nfe) {
// Ignore
}
setTimeOffset(0);
} finally {
changeOfflineSessionSettings(false, prev[0], prev[1]);
}
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class OfflineTokenTest method offlineTokenBrowserFlow.
@Test
public void offlineTokenBrowserFlow() throws Exception {
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
oauth.clientId("offline-client");
oauth.redirectUri(offlineClientAppUri);
oauth.doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
final String sessionId = loginEvent.getSessionId();
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
String offlineTokenString = tokenResponse.getRefreshToken();
RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
events.expectCodeToToken(codeId, sessionId).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
assertEquals(0, offlineToken.getExpiration());
assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
String newRefreshTokenString = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, sessionId, userId);
// Change offset to very big value to ensure offline session expires
setTimeOffset(3000000);
OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(newRefreshTokenString, "secret1");
RefreshToken newRefreshToken = oauth.parseRefreshToken(newRefreshTokenString);
Assert.assertEquals(400, response.getStatusCode());
assertEquals("invalid_grant", response.getError());
events.expectRefresh(offlineToken.getId(), newRefreshToken.getSessionState()).client("offline-client").error(Errors.INVALID_TOKEN).user(userId).clearDetails().assertEvent();
setTimeOffset(0);
}
use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.
the class OfflineTokenTest method testRefreshWithOfflineToken.
private String testRefreshWithOfflineToken(AccessToken oldToken, RefreshToken offlineToken, String offlineTokenString, final String sessionId, String userId) {
// Change offset to big value to ensure userSession expired
setTimeOffset(99999);
assertFalse(oldToken.isActive());
assertTrue(offlineToken.isActive());
// Assert userSession expired
testingClient.testing().removeExpired("test");
try {
testingClient.testing().removeUserSession("test", sessionId);
} catch (NotFoundException nfe) {
// Ignore
}
OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
AccessToken refreshedToken = oauth.verifyToken(response.getAccessToken());
Assert.assertEquals(200, response.getStatusCode());
// Assert new refreshToken in the response
String newRefreshToken = response.getRefreshToken();
Assert.assertNotNull(newRefreshToken);
Assert.assertNotEquals(oldToken.getId(), refreshedToken.getId());
// Assert scope parameter contains "offline_access"
assertTrue(response.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
Assert.assertEquals(userId, refreshedToken.getSubject());
assertTrue(refreshedToken.getRealmAccess().isUserInRole("user"));
assertTrue(refreshedToken.getRealmAccess().isUserInRole(Constants.OFFLINE_ACCESS_ROLE));
Assert.assertEquals(1, refreshedToken.getResourceAccess("test-app").getRoles().size());
assertTrue(refreshedToken.getResourceAccess("test-app").isUserInRole("customer-user"));
EventRepresentation refreshEvent = events.expectRefresh(offlineToken.getId(), sessionId).client("offline-client").user(userId).removeDetail(Details.UPDATED_REFRESH_TOKEN_ID).detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
Assert.assertNotEquals(oldToken.getId(), refreshEvent.getDetails().get(Details.TOKEN_ID));
setTimeOffset(0);
return newRefreshToken;
}
Aggregations