Search in sources :

Example 26 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class RefreshTokenTest method refreshTokenClientDisabled.

@Test
public void refreshTokenClientDisabled() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
    String refreshTokenString = response.getRefreshToken();
    RefreshToken refreshToken = oauth.parseRefreshToken(refreshTokenString);
    events.expectCodeToToken(codeId, sessionId).assertEvent();
    try {
        ClientManager.realm(adminClient.realm("test")).clientId(oauth.getClientId()).enabled(false);
        setTimeOffset(2);
        response = oauth.doRefreshTokenRequest(refreshTokenString, "password");
        assertEquals(400, response.getStatusCode());
        assertEquals("unauthorized_client", response.getError());
        events.expectRefresh(refreshToken.getId(), sessionId).user((String) null).session((String) null).clearDetails().error(Errors.CLIENT_DISABLED).assertEvent();
    } finally {
        ClientManager.realm(adminClient.realm("test")).clientId(oauth.getClientId()).enabled(true);
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) OAuthClient(org.keycloak.testsuite.util.OAuthClient) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 27 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OfflineTokenTest method browserOfflineTokenLogoutFollowedByLoginSameSession.

@Test
public void browserOfflineTokenLogoutFollowedByLoginSameSession() throws Exception {
    oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    oauth.clientId("offline-client");
    oauth.redirectUri(offlineClientAppUri);
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
    final String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
    oauth.verifyToken(tokenResponse.getAccessToken());
    String offlineTokenString = tokenResponse.getRefreshToken();
    RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
    events.expectCodeToToken(codeId, sessionId).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
    assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
    assertEquals(0, offlineToken.getExpiration());
    String offlineUserSessionId = testingClient.server().fetch((KeycloakSession session) -> session.sessions().getOfflineUserSession(session.realms().getRealmByName("test"), offlineToken.getSessionState()).getId(), String.class);
    // logout offline session
    try (CloseableHttpResponse logoutResponse = oauth.doLogout(offlineTokenString, "secret1")) {
        assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
    }
    events.expectLogout(offlineUserSessionId).client("offline-client").removeDetail(Details.REDIRECT_URI).assertEvent();
    // Need to login again now
    oauth.doLogin("test-user@localhost", "password");
    String code2 = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse2 = oauth.doAccessTokenRequest(code2, "secret1");
    assertEquals(200, tokenResponse2.getStatusCode());
    oauth.verifyToken(tokenResponse2.getAccessToken());
    String offlineTokenString2 = tokenResponse2.getRefreshToken();
    RefreshToken offlineToken2 = oauth.parseRefreshToken(offlineTokenString2);
    loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
    codeId = loginEvent.getDetails().get(Details.CODE_ID);
    events.expectCodeToToken(codeId, offlineToken2.getSessionState()).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
    assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken2.getType());
    assertEquals(0, offlineToken2.getExpiration());
    // Assert session changed
    assertNotEquals(offlineToken.getSessionState(), offlineToken2.getSessionState());
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) OAuthClient(org.keycloak.testsuite.util.OAuthClient) KeycloakSession(org.keycloak.models.KeycloakSession) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 28 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OfflineTokenTest method testOfflineSessionExpiration.

private void testOfflineSessionExpiration(int idleTime, int maxLifespan, int offset) {
    int[] prev = null;
    try {
        prev = changeOfflineSessionSettings(true, maxLifespan, idleTime);
        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
        oauth.clientId("offline-client");
        oauth.redirectUri(offlineClientAppUri);
        oauth.doLogin("test-user@localhost", "password");
        EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
        final String sessionId = loginEvent.getSessionId();
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
        String offlineTokenString = tokenResponse.getRefreshToken();
        RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
        assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
        tokenResponse = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
        AccessToken refreshedToken = oauth.verifyToken(tokenResponse.getAccessToken());
        offlineTokenString = tokenResponse.getRefreshToken();
        offlineToken = oauth.parseRefreshToken(offlineTokenString);
        Assert.assertEquals(200, tokenResponse.getStatusCode());
        // wait to expire
        setTimeOffset(offset);
        tokenResponse = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
        Assert.assertEquals(400, tokenResponse.getStatusCode());
        assertEquals("invalid_grant", tokenResponse.getError());
        // Assert userSession expired
        testingClient.testing().removeExpired("test");
        try {
            testingClient.testing().removeUserSession("test", sessionId);
        } catch (NotFoundException nfe) {
        // Ignore
        }
        setTimeOffset(0);
    } finally {
        changeOfflineSessionSettings(false, prev[0], prev[1]);
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) NotFoundException(javax.ws.rs.NotFoundException)

Example 29 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OfflineTokenTest method offlineTokenBrowserFlow.

@Test
public void offlineTokenBrowserFlow() throws Exception {
    oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    oauth.clientId("offline-client");
    oauth.redirectUri(offlineClientAppUri);
    oauth.doLogin("test-user@localhost", "password");
    EventRepresentation loginEvent = events.expectLogin().client("offline-client").detail(Details.REDIRECT_URI, offlineClientAppUri).assertEvent();
    final String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret1");
    AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
    String offlineTokenString = tokenResponse.getRefreshToken();
    RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
    events.expectCodeToToken(codeId, sessionId).client("offline-client").detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
    assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType());
    assertEquals(0, offlineToken.getExpiration());
    assertTrue(tokenResponse.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
    String newRefreshTokenString = testRefreshWithOfflineToken(token, offlineToken, offlineTokenString, sessionId, userId);
    // Change offset to very big value to ensure offline session expires
    setTimeOffset(3000000);
    OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(newRefreshTokenString, "secret1");
    RefreshToken newRefreshToken = oauth.parseRefreshToken(newRefreshTokenString);
    Assert.assertEquals(400, response.getStatusCode());
    assertEquals("invalid_grant", response.getError());
    events.expectRefresh(offlineToken.getId(), newRefreshToken.getSessionState()).client("offline-client").error(Errors.INVALID_TOKEN).user(userId).clearDetails().assertEvent();
    setTimeOffset(0);
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 30 with EventRepresentation

use of org.keycloak.representations.idm.EventRepresentation in project keycloak by keycloak.

the class OfflineTokenTest method testRefreshWithOfflineToken.

private String testRefreshWithOfflineToken(AccessToken oldToken, RefreshToken offlineToken, String offlineTokenString, final String sessionId, String userId) {
    // Change offset to big value to ensure userSession expired
    setTimeOffset(99999);
    assertFalse(oldToken.isActive());
    assertTrue(offlineToken.isActive());
    // Assert userSession expired
    testingClient.testing().removeExpired("test");
    try {
        testingClient.testing().removeUserSession("test", sessionId);
    } catch (NotFoundException nfe) {
    // Ignore
    }
    OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(offlineTokenString, "secret1");
    AccessToken refreshedToken = oauth.verifyToken(response.getAccessToken());
    Assert.assertEquals(200, response.getStatusCode());
    // Assert new refreshToken in the response
    String newRefreshToken = response.getRefreshToken();
    Assert.assertNotNull(newRefreshToken);
    Assert.assertNotEquals(oldToken.getId(), refreshedToken.getId());
    // Assert scope parameter contains "offline_access"
    assertTrue(response.getScope().contains(OAuth2Constants.OFFLINE_ACCESS));
    Assert.assertEquals(userId, refreshedToken.getSubject());
    assertTrue(refreshedToken.getRealmAccess().isUserInRole("user"));
    assertTrue(refreshedToken.getRealmAccess().isUserInRole(Constants.OFFLINE_ACCESS_ROLE));
    Assert.assertEquals(1, refreshedToken.getResourceAccess("test-app").getRoles().size());
    assertTrue(refreshedToken.getResourceAccess("test-app").isUserInRole("customer-user"));
    EventRepresentation refreshEvent = events.expectRefresh(offlineToken.getId(), sessionId).client("offline-client").user(userId).removeDetail(Details.UPDATED_REFRESH_TOKEN_ID).detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE).assertEvent();
    Assert.assertNotEquals(oldToken.getId(), refreshEvent.getDetails().get(Details.TOKEN_ID));
    setTimeOffset(0);
    return newRefreshToken;
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) NotFoundException(javax.ws.rs.NotFoundException)

Aggregations

EventRepresentation (org.keycloak.representations.idm.EventRepresentation)164 Test (org.junit.Test)124 OAuthClient (org.keycloak.testsuite.util.OAuthClient)93 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)60 AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)44 RefreshToken (org.keycloak.representations.RefreshToken)27 ClientResource (org.keycloak.admin.client.resource.ClientResource)26 AccessToken (org.keycloak.representations.AccessToken)26 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)25 IDToken (org.keycloak.representations.IDToken)23 Matchers.containsString (org.hamcrest.Matchers.containsString)15 AbstractAdminTest (org.keycloak.testsuite.admin.AbstractAdminTest)15 Response (javax.ws.rs.core.Response)13 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)13 AccessTokenResponse (org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse)12 IOException (java.io.IOException)11 RealmResource (org.keycloak.admin.client.resource.RealmResource)11 AssertEvents (org.keycloak.testsuite.AssertEvents)10 JWSInput (org.keycloak.jose.jws.JWSInput)9 TestAuthenticationChannelRequest (org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)9