
Example 6 with ProtocolMapperRepresentation

use of org.keycloak.representations.idm.ProtocolMapperRepresentation in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserRoleToAttributeMappersWithMultiValuedRoles.

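/**
 * KEYCLOAK-4205: with the realm-role and client-role mappers configured as multi-valued,
 * the "roles-custom" claim of the ID token carries one list per source ("realm" and
 * "test-app") rather than a single string.
 *
 * The mappers are created directly on the "test-app" client, so they are removed in a
 * {@code finally} block: a failed assertion must not leave them behind for the tests
 * that run afterwards against the same client.
 *
 * @throws Exception propagated from the login and token verification helpers
 */
@Test
public void testUserRoleToAttributeMappersWithMultiValuedRoles() throws Exception {
    // Add mapper for realm roles and for the client roles of "test-app"
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        // Login user
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        // Verify attribute is filled; fail with a clear message rather than an NPE if the claim is absent
        @SuppressWarnings("unchecked")
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertNotNull("roles-custom claim missing from ID token", roleMappings);
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
        Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));
        @SuppressWarnings("unchecked")
        List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
        @SuppressWarnings("unchecked")
        List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
        // Both realm roles come from the direct assignment in the user definition
        assertRoles(realmRoleMappings, "pref.user", "pref.offline_access");
        // Client role from the direct assignment in the user definition
        assertRoles(testAppMappings, "customer-user");
    } finally {
        // Revert, also when one of the assertions above failed
        deleteMappers(protocolMappers);
    }
}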

Example 7 with ProtocolMapperRepresentation

use of org.keycloak.representations.idm.ProtocolMapperRepresentation in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScopedWithDifferentClient.

/**
 * Role mappers that reference a client other than the one the user logs in to
 * ("test-app" mappers attached to "test-app-scope") still populate the "roles-custom"
 * claim, whose entries are read back here as strings.
 *
 * The client attribute change and the added mappers are managed by updaters that are
 * closed when the try block exits (presumably reverting them — see the updater classes).
 *
 * @throws Exception propagated from the login and token verification helpers
 */
@Test
public void testUserGroupRoleToAttributeMappersScopedWithDifferentClient() throws Exception {
    final String realmName = "test";
    final String loginClientId = "test-app-scope";
    final String otherClientId = "test-app";
    final ProtocolMapperRepresentation realmRolesMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    final ProtocolMapperRepresentation clientRolesMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(otherClientId, null, "Client roles mapper", "roles-custom.test-app", true, true);
    try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, realmName, loginClientId).setDirectAccessGrantsEnabled(true);
         ProtocolMappersUpdater mappersUpdater = new ProtocolMappersUpdater(clientUpdater.getResource().getProtocolMappers())) {
        mappersUpdater.add(realmRolesMapper, clientRolesMapper).update();
        // Login user against the scoped client
        oauth.clientId(loginClientId);
        OAuthClient.AccessTokenResponse tokenResponse = browserLogin("password", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(tokenResponse.getIdToken());
        // Verify the claim is present and carries exactly the realm and the other client
        @SuppressWarnings("unchecked")
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        assertNotNull(roleMappings);
        assertThat(roleMappings.keySet(), containsInAnyOrder("realm", otherClientId));
        String realmRoles = (String) roleMappings.get("realm");
        String otherClientRoles = (String) roleMappings.get(otherClientId);
        assertRolesString(realmRoles, "pref.admin", "pref.user", "pref.customer-user-premium");
        assertRolesString(otherClientRoles, "customer-admin-composite-role", "customer-admin");
    }
}

Example 8 with ProtocolMapperRepresentation

use of org.keycloak.representations.idm.ProtocolMapperRepresentation in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserRolesMovedFromAccessTokenProperties.

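/**
 * Updates the builtin realm-roles and client-roles mappers of the "roles" client scope so
 * that roles are no longer placed at their default position ({@code realm_access} and
 * {@code resource_access}) but under the "custom.roles" claim, and checks the access token:
 * the default properties are absent from the raw JSON (KEYCLOAK-8481) and all roles,
 * including an additional hardcoded one, appear under the new claim.
 *
 * The builtin mappers are shared by every test in the realm, so their original claim name
 * is restored in a {@code finally} block together with the removal of the hardcoded mapper.
 *
 * @throws Exception propagated from the login and token verification helpers
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRolesMovedFromAccessTokenProperties() throws Exception {
    RealmResource realm = adminClient.realm("test");
    ClientScopeResource rolesScope = ApiUtil.findClientScopeByName(realm, OIDCLoginProtocolFactory.ROLES_SCOPE);
    // Update builtin protocolMappers to put roles to different position (claim "custom.roles") for both realm and client roles
    ProtocolMapperRepresentation realmRolesMapper = null;
    ProtocolMapperRepresentation clientRolesMapper = null;
    for (ProtocolMapperRepresentation rep : rolesScope.getProtocolMappers().getMappers()) {
        if (OIDCLoginProtocolFactory.REALM_ROLES.equals(rep.getName())) {
            realmRolesMapper = rep;
        } else if (OIDCLoginProtocolFactory.CLIENT_ROLES.equals(rep.getName())) {
            clientRolesMapper = rep;
        }
    }
    // Fail with a clear message instead of a NullPointerException if the builtin mappers are missing
    Assert.assertNotNull("Builtin realm roles mapper not found in roles scope", realmRolesMapper);
    Assert.assertNotNull("Builtin client roles mapper not found in roles scope", clientRolesMapper);
    String realmRolesTokenClaimOrig = realmRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
    String clientRolesTokenClaimOrig = clientRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
    realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
    rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
    clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
    rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);
    // Create some hardcoded role mapper; try-with-resources closes the Response even if reading the id fails
    String hardcodedMapperId;
    try (Response resp = rolesScope.getProtocolMappers().createMapper(createHardcodedRole("hard-realm", "hardcoded"))) {
        hardcodedMapperId = ApiUtil.getCreatedId(resp);
    }
    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        // Assert roles are not on their original positions
        Assert.assertNull(accessToken.getRealmAccess());
        Assert.assertTrue(accessToken.getResourceAccess().isEmpty());
        // KEYCLOAK-8481 Assert that accessToken JSON doesn't have "realm_access" or "resource_access" fields in it
        String accessTokenJson = new String(new JWSInput(response.getAccessToken()).getContent(), StandardCharsets.UTF_8);
        Assert.assertFalse(accessTokenJson.contains("realm_access"));
        Assert.assertFalse(accessTokenJson.contains("resource_access"));
        // Assert both realm and client roles on the new position. Hardcoded role should be here as well
        @SuppressWarnings("unchecked")
        Map<String, Object> customClaim = (Map<String, Object>) accessToken.getOtherClaims().get("custom");
        Assert.assertNotNull("custom claim missing from access token", customClaim);
        @SuppressWarnings("unchecked")
        List<String> roles = (List<String>) customClaim.get("roles");
        Assert.assertNames(roles, "offline_access", "user", "customer-user", "hardcoded", AccountRoles.VIEW_PROFILE, AccountRoles.MANAGE_ACCOUNT, AccountRoles.MANAGE_ACCOUNT_LINKS);
        // Assert audience
        Assert.assertNames(Arrays.asList(accessToken.getAudience()), "account");
    } finally {
        // Revert: drop the hardcoded mapper and restore the original claim name of the builtin mappers
        rolesScope.getProtocolMappers().delete(hardcodedMapperId);
        realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, realmRolesTokenClaimOrig);
        rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
        clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, clientRolesTokenClaimOrig);
        rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);
    }
}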

Example 9 with ProtocolMapperRepresentation

use of org.keycloak.representations.idm.ProtocolMapperRepresentation in project keycloak by keycloak.

the class OIDCProtocolMappersTest method executeTokenMappersOnDynamicScopes.

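/**
 * A hardcoded-claim mapper attached to a dynamic client scope is executed when the scope
 * is requested with a parameter ("dyn-scope-with-mapper:value"): both the ID token and the
 * access token must carry the "hardcoded-foo" claim with the string value "hardcoded-bar".
 *
 * The created scope id is registered with the test cleanup, which removes it afterwards.
 */
@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
public void executeTokenMappersOnDynamicScopes() {
    ClientResource clientResource = findClientResourceByClientId(adminClient.realm("test"), "test-app");
    // A plain map instead of double-brace initialization: the anonymous HashMap subclass
    // would keep a hidden reference to the enclosing test instance
    Map<String, String> scopeAttributes = new HashMap<>();
    scopeAttributes.put(ClientScopeModel.IS_DYNAMIC_SCOPE, "true");
    scopeAttributes.put(ClientScopeModel.DYNAMIC_SCOPE_REGEXP, "dyn-scope-with-mapper:*");
    ClientScopeRepresentation scopeRep = new ClientScopeRepresentation();
    scopeRep.setName("dyn-scope-with-mapper");
    scopeRep.setProtocol("openid-connect");
    scopeRep.setAttributes(scopeAttributes);
    // create the attribute mapper
    ProtocolMapperRepresentation protocolMapperRepresentation = createHardcodedClaim("dynamic-scope-hardcoded-mapper", "hardcoded-foo", "hardcoded-bar", "String", true, true);
    scopeRep.setProtocolMappers(Collections.singletonList(protocolMapperRepresentation));
    try (Response resp = adminClient.realm("test").clientScopes().create(scopeRep)) {
        assertEquals(201, resp.getStatus());
        String clientScopeId = ApiUtil.getCreatedId(resp);
        getCleanup().addClientScopeId(clientScopeId);
        clientResource.addOptionalClientScope(clientScopeId);
    }
    // Request the dynamic scope with a parameter value so the mapper runs
    oauth.scope("openid dyn-scope-with-mapper:value");
    OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
    assertHardcodedFooClaim(idToken.getOtherClaims());
    assertHardcodedFooClaim(accessToken.getOtherClaims());
}

/**
 * Asserts that {@code claims} holds the "hardcoded-foo" claim as the string "hardcoded-bar".
 *
 * @param claims the other-claims map of a verified token
 */
private static void assertHardcodedFooClaim(Map<String, Object> claims) {
    assertNotNull(claims);
    Object value = claims.get("hardcoded-foo");
    assertNotNull(value);
    assertTrue(value instanceof String);
    assertEquals("hardcoded-bar", value);
}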

Example 10 with ProtocolMapperRepresentation

use of org.keycloak.representations.idm.ProtocolMapperRepresentation in project keycloak by keycloak.

the class OIDCProtocolMappersTest method deleteMappers.

/**
 * Removes the mappers that the role-mapper tests add to a client, looking each one up by
 * name and OIDC protocol; a mapper that is not present is skipped.
 *
 * @param protocolMappers the protocol-mappers resource of the client to clean up
 */
private void deleteMappers(ProtocolMappersResource protocolMappers) {
    String[] mapperNames = {"Realm roles mapper", "Client roles mapper", "group-value"};
    for (String mapperName : mapperNames) {
        ProtocolMapperRepresentation existing = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, mapperName);
        if (existing == null) {
            continue;
        }
        protocolMappers.delete(existing.getId());
    }
}
