
Example 11 with IdentityProviderRepresentation

use of org.keycloak.representations.idm.IdentityProviderRepresentation in project keycloak by keycloak.

the class KcOIDCBrokerWithSignatureTest method testSignatureVerificationHardcodedPublicKeyWithKeyIdSetExplicitly.

@Test
public void testSignatureVerificationHardcodedPublicKeyWithKeyIdSetExplicitly() throws Exception {
    // Configure the OIDC identity provider to verify token signatures with a hard-coded PEM public key
    // (JWKS URL lookup disabled); the key is the provider realm's currently active signing key.
    IdentityProviderRepresentation idp = getIdentityProvider();
    OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(idp);
    oidcConfig.setValidateSignature(true);
    oidcConfig.setUseJwksUrl(false);
    KeysMetadataRepresentation.KeyMetadataRepresentation activeKey = ApiUtil.findActiveSigningKey(providerRealm());
    String publicKeyPem = activeKey.getPublicKey();
    oidcConfig.setPublicKeySignatureVerifier(publicKeyPem);
    // Derive the key id from the PEM the same way the server does; this is the kid expected to match
    String activeKeyId = KeyUtils.createKeyId(PemUtils.decodePublicKey(publicKeyPem));
    updateIdentityProvider(idp);

    // No explicit key id configured yet: login through the broker works
    logInAsUserInIDPForFirstTime();
    assertLoggedInAccountManagement();
    logoutFromRealm(getConsumerRoot(), bc.consumerRealmName());

    // A configured key id that does not match the signing key must make the broker login fail
    setVerifierKeyIdAndUpdate(oidcConfig, idp, "invalid-key-id");
    logInAsUserInIDP();
    assertErrorPage("Unexpected error when authenticating with identity provider");

    // The matching key id restores a working login
    setVerifierKeyIdAndUpdate(oidcConfig, idp, activeKeyId);
    logInAsUserInIDPWithReAuthenticate();
    assertLoggedInAccountManagement();
    logoutFromRealm(getConsumerRoot(), bc.consumerRealmName());

    // An empty key id is treated like "not configured": login succeeds again
    setVerifierKeyIdAndUpdate(oidcConfig, idp, "");
    loginAssertAccountPageAndLogout();

    // Same for an unset (null) key id
    setVerifierKeyIdAndUpdate(oidcConfig, idp, null);
    loginAssertAccountPageAndLogout();
}

/**
 * Sets the explicit signature-verifier key id on the OIDC config and pushes the provider update to the server.
 * The config wrapper is assumed to write through to {@code idp}, which is what the original test relied on
 * when it updated the representation after mutating the wrapper — confirm against OIDCIdentityProviderConfigRep.
 */
private void setVerifierKeyIdAndUpdate(OIDCIdentityProviderConfigRep oidcConfig, IdentityProviderRepresentation idp, String keyId) throws Exception {
    oidcConfig.setPublicKeySignatureVerifierKeyId(keyId);
    updateIdentityProvider(idp);
}

/** Logs in through the IDP, expects the account management page, then logs out of the consumer realm. */
private void loginAssertAccountPageAndLogout() throws Exception {
    logInAsUserInIDP();
    assertLoggedInAccountManagement();
    logoutFromRealm(getConsumerRoot(), bc.consumerRealmName());
}
Also used : KeysMetadataRepresentation(org.keycloak.representations.idm.KeysMetadataRepresentation) IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation) Test(org.junit.Test)

Example 12 with IdentityProviderRepresentation

use of org.keycloak.representations.idm.IdentityProviderRepresentation in project keycloak by keycloak.

the class KcOIDCBrokerWithSignatureTest method testPublicKeyCacheInvalidatedWhenProviderUpdated.

// Test that when I update the identityProvider, the record in the publicKey cache is cleared and it is no longer possible to authenticate with it
@Test
public void testPublicKeyCacheInvalidatedWhenProviderUpdated() throws Exception {
    // Point the OIDC identity provider at the provider realm's JWKS URL
    updateIdentityProviderWithJwksUrl();

    // A first login makes the broker fetch the provider's public key
    logInAsUserInIDPForFirstTime();
    assertLoggedInAccountManagement();
    logoutFromRealm(getConsumerRoot(), bc.consumerRealmName());

    // That key must now be present in the consumer realm's keys cache under the IDP model cache key
    IdentityProviderRepresentation idp = getIdentityProvider();
    String consumerRealmId = consumerRealm().toRepresentation().getId();
    String idpCacheKey = PublicKeyStorageUtils.getIdpModelCacheKey(consumerRealmId, idp.getInternalId());
    TestingCacheResource keysCache = testingClient.testing(bc.consumerRealmName()).cache(InfinispanConnectionProvider.KEYS_CACHE_NAME);
    Assert.assertTrue("public key should be cached after the first login", keysCache.contains(idpCacheKey));

    // Re-pointing the provider at an unreachable JWKS URL must evict the cached key ...
    OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(idp);
    oidcConfig.setJwksUrl("https://localhost:43214/non-existent");
    updateIdentityProvider(idp);
    Assert.assertFalse("public key must be evicted when the provider is updated", keysCache.contains(idpCacheKey));

    // ... so a stale key cannot keep validating tokens: the next login has to fetch a key and fails.
    // The time offset presumably moves past a minimum re-fetch interval — confirm against the public key storage.
    setTimeOffset(20);
    logInAsUserInIDP();
    assertErrorPage("Unexpected error when authenticating with identity provider");
}
Also used : TestingCacheResource(org.keycloak.testsuite.client.resources.TestingCacheResource) IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation) Test(org.junit.Test)

Example 13 with IdentityProviderRepresentation

use of org.keycloak.representations.idm.IdentityProviderRepresentation in project keycloak by keycloak.

the class AbstractUserAttributeMapperTest method addIdentityProviderToConsumerRealm.

/**
 * Registers the broker identity provider in the consumer realm and attaches this test's mappers to it.
 *
 * @param syncMode sync mode handed to {@code createIdentityProviderMappers} for every mapper it builds
 */
public void addIdentityProviderToConsumerRealm(IdentityProviderMapperSyncMode syncMode) {
    IdentityProviderRepresentation brokerIdp = setupIdentityProvider();
    String brokerAlias = brokerIdp.getAlias();
    IdentityProviderResource brokerIdpResource = realm.identityProviders().get(brokerAlias);
    // NOTE(review): each mapper is tagged with bc.getIDPAlias() while the resource was looked up by
    // brokerIdp.getAlias(); presumably both are the same alias — confirm.
    for (IdentityProviderMapperRepresentation mapperRep : createIdentityProviderMappers(syncMode)) {
        mapperRep.setIdentityProviderAlias(bc.getIDPAlias());
        // addMapper returns a JAX-RS Response; close it so the underlying connection is released
        brokerIdpResource.addMapper(mapperRep).close();
    }
}
Also used : IdentityProviderMapperRepresentation(org.keycloak.representations.idm.IdentityProviderMapperRepresentation) IdentityProviderResource(org.keycloak.admin.client.resource.IdentityProviderResource) IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation)

Example 14 with IdentityProviderRepresentation

use of org.keycloak.representations.idm.IdentityProviderRepresentation in project keycloak by keycloak.

the class AbstractUsernameTemplateMapperTest method loginAsUserTwiceWithMapper.

/**
 * Logs the provider-realm user in through the broker twice — once to create the consumer-realm user and
 * once after the mapped attribute changed — and checks which username the template mapper left behind.
 *
 * @param syncMode         sync mode of the username template mapper created in the IDP
 * @param userName         initial value of the mapped attribute
 * @param updatedUserName  value of the mapped attribute before the second login
 * @param updatingUserName whether the consumer-realm username is expected to follow the update
 */
private void loginAsUserTwiceWithMapper(IdentityProviderMapperSyncMode syncMode, String userName, String updatedUserName, boolean updatingUserName) {
    final IdentityProviderRepresentation brokerIdp = setupIdentityProvider();
    createMapperInIdp(brokerIdp, syncMode);
    // The setup maps ATTRIBUTE_TO_MAP_NAME to a claim whose value is always an array, hence the one-element list
    createUserInProviderRealm(ImmutableMap.<String, List<String>>of(ATTRIBUTE_TO_MAP_NAME, ImmutableList.of(userName)));

    logInAsUserInIDPForFirstTime();
    String firstMappedName = String.format(getMapperTemplate(), userName);
    findUser(bc.consumerRealmName(), firstMappedName, bc.getUserEmail());
    logoutFromRealm(getConsumerRoot(), bc.consumerRealmName());

    updateUser(updatedUserName);
    logInAsUserInIDP();
    String secondMappedName = String.format(getMapperTemplate(), updatedUserName);
    // Which username the consumer-realm user carries after the second login depends on the sync mode under test
    String expectedName = updatingUserName ? secondMappedName : firstMappedName;
    UserRepresentation consumerUser = findUser(bc.consumerRealmName(), expectedName, bc.getUserEmail());
    assertThat(consumerUser.getUsername(), is(expectedName));
}
Also used : IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation)

Example 15 with IdentityProviderRepresentation

use of org.keycloak.representations.idm.IdentityProviderRepresentation in project keycloak by keycloak.

the class BrokerTestTools method createKcOidcBroker.

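/**
 * Creates a Keycloak-to-Keycloak OIDC broker: an OIDC identity provider in {@code childRealm} that delegates
 * to {@code idpRealm}, plus the matching confidential client in {@code idpRealm}.
 * <p>
 * Both admin calls return a JAX-RS {@code Response}; they are closed here so the connection is released,
 * matching how the rest of the test suite handles admin-client responses.
 *
 * @param adminClient admin client with rights on both realms
 * @param childRealm  consumer realm that receives the identity provider; also used as client id and client secret
 * @param idpRealm    provider realm that receives the client; also embedded in the broker callback URLs
 * @param alias       alias under which the identity provider is created
 * @param linkOnly    value for the provider's linkOnly flag
 */
public static void createKcOidcBroker(Keycloak adminClient, String childRealm, String idpRealm, String alias, boolean linkOnly) {
    IdentityProviderRepresentation idp = createIdentityProvider(alias, IDP_OIDC_PROVIDER_ID);
    idp.setLinkOnly(linkOnly);
    idp.setStoreToken(true);

    // All provider-side endpoints live under the provider realm's openid-connect protocol path
    String providerOidcBase = getProviderRoot() + "/auth/realms/" + idpRealm + "/protocol/openid-connect/";
    Map<String, String> config = idp.getConfig();
    // Client id and secret are both the realm name so the provider-side client below agrees without extra parameters
    config.put("clientId", childRealm);
    config.put("clientSecret", childRealm);
    config.put("authorizationUrl", providerOidcBase + "auth");
    config.put("tokenUrl", providerOidcBase + "token");
    config.put("logoutUrl", providerOidcBase + "logout");
    config.put("userInfoUrl", providerOidcBase + "userinfo");
    config.put("backchannelSupported", "true");
    adminClient.realm(childRealm).identityProviders().create(idp).close();

    // NOTE(review): the callback URLs embed idpRealm as the broker alias segment, while the provider itself is
    // created under `alias`; they only line up when callers pass alias equal to idpRealm — confirm with callers.
    String brokerEndpoint = getConsumerRoot() + "/auth/realms/" + childRealm + "/broker/" + idpRealm + "/endpoint";
    ClientRepresentation client = new ClientRepresentation();
    client.setClientId(childRealm);
    client.setName(childRealm);
    client.setSecret(childRealm);
    client.setEnabled(true);
    client.setRedirectUris(Collections.singletonList(brokerEndpoint + "/*"));
    client.setAdminUrl(brokerEndpoint);
    adminClient.realm(idpRealm).clients().create(client).close();
}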
Also used : IdentityProviderRepresentation(org.keycloak.representations.idm.IdentityProviderRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)

Aggregations

IdentityProviderRepresentation (org.keycloak.representations.idm.IdentityProviderRepresentation)91 Test (org.junit.Test)45 IdentityProviderResource (org.keycloak.admin.client.resource.IdentityProviderResource)23 RealmResource (org.keycloak.admin.client.resource.RealmResource)22 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)17 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)16 Response (javax.ws.rs.core.Response)15 Matchers.containsString (org.hamcrest.Matchers.containsString)10 List (java.util.List)9 MultipartFormDataOutput (org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput)8 URL (java.net.URL)7 IdentityProviderMapperRepresentation (org.keycloak.representations.idm.IdentityProviderMapperRepresentation)7 OAuthClient (org.keycloak.testsuite.util.OAuthClient)7 IOException (java.io.IOException)6 URI (java.net.URI)6 Map (java.util.Map)6 Matchers.hasSize (org.hamcrest.Matchers.hasSize)6 Matchers.is (org.hamcrest.Matchers.is)6 SAMLIdentityProviderConfig (org.keycloak.broker.saml.SAMLIdentityProviderConfig)6 AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)6