
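@Test
public void clientCredentialsAuthSuccessWithoutRefreshToken_pairWiseSubject() throws Exception {
    // Add pairwise protocolMapper through admin REST endpoint so the service-account
    // token is issued with a pairwise "sub", then run the shared assertions against it.
    ProtocolMapperRepresentation pairwiseProtMapper = SHA256PairwiseSubMapper.createPairwiseMapper(null, null);
    ClientManager.realm(adminClient.realm("test")).clientId("service-account-cl").addRedirectUris(oauth.getRedirectUri()).addProtocolMapper(pairwiseProtMapper);
    try {
        clientCredentialsAuthSuccessWithoutRefreshTokenImpl();
    } finally {
        // Cleanup must run even when the assertions fail: the mapper is added to a shared
        // client, and leaving it behind would change the "sub" seen by later tests.
        ClientManager.realm(adminClient.realm("test")).clientId("service-account-cl").removeProtocolMapper(pairwiseProtMapper.getName());
    }
}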

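/**
 * Converts an internal {@link ClientRepresentation} into the OIDC Dynamic Client
 * Registration response returned to the registering party.
 *
 * <p>The response intentionally carries secrets: the client secret (only for the
 * client-id/secret authenticator) and the registration access token. Callers must
 * only return it over TLS and must not log it.</p>
 *
 * @param session current session, used to resolve the client authenticator factory
 * @param client  the stored client to describe
 * @param uri     the registration client URI to advertise
 * @return the populated external representation
 * @throws ClientRegistrationException if the stored JWKS string cannot be parsed
 */
public static OIDCClientRepresentation toExternalResponse(KeycloakSession session, ClientRepresentation client, URI uri) {
    OIDCClientRepresentation response = new OIDCClientRepresentation();
    response.setClientId(client.getClientId());
    if ("none".equals(client.getClientAuthenticatorType())) {
        response.setTokenEndpointAuthMethod("none");
    } else {
        // NOTE(review): a null authenticator type, or one with no registered factory,
        // reaches getProtocolAuthenticatorMethods on a null reference here — confirm
        // upstream validation guarantees a known authenticator type.
        ClientAuthenticatorFactory clientAuth = (ClientAuthenticatorFactory) session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, client.getClientAuthenticatorType());
        Set<String> oidcClientAuthMethods = clientAuth.getProtocolAuthenticatorMethods(OIDCLoginProtocol.LOGIN_PROTOCOL);
        if (oidcClientAuthMethods != null && !oidcClientAuthMethods.isEmpty()) {
            // Several methods may be supported; the first one is advertised.
            response.setTokenEndpointAuthMethod(oidcClientAuthMethods.iterator().next());
        }
    }
    // Null-safe comparison; the secret is only disclosed for the shared-secret authenticator.
    if (ClientIdAndSecretAuthenticator.PROVIDER_ID.equals(client.getClientAuthenticatorType())) {
        response.setClientSecret(client.getSecret());
        // 0 means "never expires" in the DCR response.
        response.setClientSecretExpiresAt(0);
    }
    response.setClientName(client.getName());
    response.setClientUri(client.getBaseUrl());
    response.setRedirectUris(client.getRedirectUris());
    response.setRegistrationAccessToken(client.getRegistrationAccessToken());
    response.setRegistrationClientUri(uri.toString());
    response.setResponseTypes(getOIDCResponseTypes(client));
    response.setGrantTypes(getOIDCGrantTypes(client));
    List<String> scopes = client.getOptionalClientScopes();
    if (scopes != null)
        response.setScope(scopes.stream().collect(Collectors.joining(" ")));
    OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    if (config.isUserInfoSignatureRequired()) {
        response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg().toString());
    }
    if (config.getRequestObjectSignatureAlg() != null) {
        response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
    }
    if (config.getRequestObjectEncryptionAlg() != null) {
        response.setRequestObjectEncryptionAlg(config.getRequestObjectEncryptionAlg());
    }
    if (config.getRequestObjectEncryptionEnc() != null) {
        response.setRequestObjectEncryptionEnc(config.getRequestObjectEncryptionEnc());
    }
    if (config.isUseJwksUrl()) {
        response.setJwksUri(config.getJwksUrl());
    }
    if (config.isUseJwksString()) {
        try {
            response.setJwks(JsonSerialization.readValue(config.getJwksString(), JSONWebKeySet.class));
        } catch (IOException e) {
            // The raw JWKS text is deliberately not echoed into the message.
            throw new ClientRegistrationException("Illegal jwks format");
        }
    }
    // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.5
    if (config.isUseMtlsHokToken()) {
        response.setTlsClientCertificateBoundAccessTokens(Boolean.TRUE);
    } else {
        response.setTlsClientCertificateBoundAccessTokens(Boolean.FALSE);
    }
    if (config.getTlsClientAuthSubjectDn() != null) {
        response.setTlsClientAuthSubjectDn(config.getTlsClientAuthSubjectDn());
    }
    if (config.getIdTokenSignedResponseAlg() != null) {
        response.setIdTokenSignedResponseAlg(config.getIdTokenSignedResponseAlg());
    }
    if (config.getIdTokenEncryptedResponseAlg() != null) {
        response.setIdTokenEncryptedResponseAlg(config.getIdTokenEncryptedResponseAlg());
    }
    if (config.getIdTokenEncryptedResponseEnc() != null) {
        response.setIdTokenEncryptedResponseEnc(config.getIdTokenEncryptedResponseEnc());
    }
    if (config.getAuthorizationSignedResponseAlg() != null) {
        response.setAuthorizationSignedResponseAlg(config.getAuthorizationSignedResponseAlg());
    }
    if (config.getAuthorizationEncryptedResponseAlg() != null) {
        response.setAuthorizationEncryptedResponseAlg(config.getAuthorizationEncryptedResponseAlg());
    }
    if (config.getAuthorizationEncryptedResponseEnc() != null) {
        response.setAuthorizationEncryptedResponseEnc(config.getAuthorizationEncryptedResponseEnc());
    }
    if (config.getRequestUris() != null) {
        response.setRequestUris(config.getRequestUris());
    }
    if (config.getTokenEndpointAuthSigningAlg() != null) {
        response.setTokenEndpointAuthSigningAlg(config.getTokenEndpointAuthSigningAlg());
    }
    response.setBackchannelLogoutUri(config.getBackchannelLogoutUrl());
    response.setBackchannelLogoutSessionRequired(config.isBackchannelLogoutSessionRequired());
    // Fix: the original called setBackchannelLogoutSessionRequired a second time with the
    // revoke-offline-tokens flag, silently overwriting the session-required value and never
    // advertising revoke-offline-tokens at all.
    response.setBackchannelLogoutRevokeOfflineTokens(config.getBackchannelLogoutRevokeOfflineTokens());
    if (client.getAttributes() != null) {
        String mode = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT);
        if (StringUtil.isNotBlank(mode)) {
            response.setBackchannelTokenDeliveryMode(mode);
        }
        String clientNotificationEndpoint = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT);
        if (StringUtil.isNotBlank(clientNotificationEndpoint)) {
            response.setBackchannelClientNotificationEndpoint(clientNotificationEndpoint);
        }
        String alg = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG);
        if (StringUtil.isNotBlank(alg)) {
            response.setBackchannelAuthenticationRequestSigningAlg(alg);
        }
        // Boolean.valueOf(null) is false, so a missing attribute means PAR is not required.
        Boolean requirePushedAuthorizationRequests = Boolean.valueOf(client.getAttributes().get(ParConfig.REQUIRE_PUSHED_AUTHORIZATION_REQUESTS));
        response.setRequirePushedAuthorizationRequests(requirePushedAuthorizationRequests.booleanValue());
    }
    // subject_type is derived from the presence of a pairwise sub mapper, not stored directly.
    List<ProtocolMapperRepresentation> foundPairwiseMappers = PairwiseSubMapperUtils.getPairwiseSubMappers(client);
    SubjectType subjectType = foundPairwiseMappers.isEmpty() ? SubjectType.PUBLIC : SubjectType.PAIRWISE;
    response.setSubjectType(subjectType.toString().toLowerCase());
    if (subjectType.equals(SubjectType.PAIRWISE)) {
        // Get sectorIdentifier from 1st found
        String sectorIdentifierUri = PairwiseSubMapperHelper.getSectorIdentifierUri(foundPairwiseMappers.get(0));
        response.setSectorIdentifierUri(sectorIdentifierUri);
    }
    response.setFrontChannelLogoutUri(config.getFrontChannelLogoutUrl());
    List<String> defaultAcrValues = config.getAttributeMultivalued(Constants.DEFAULT_ACR_VALUES);
    if (!defaultAcrValues.isEmpty()) {
        response.setDefaultAcrValues(defaultAcrValues);
    }
    return response;
}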

/**
 * Rejects the registration when the client declares a protocol mapper whose
 * provider id is not on this policy's allow-list. Registration-time mappers are
 * a privilege escalation vector (they shape the claims issued to the client),
 * which is why the check is an exact allow-list match rather than a deny-list.
 *
 * @param context the registration context carrying the submitted client
 * @throws ClientRegistrationPolicyException on the first disallowed mapper type
 */
protected void testMappers(ClientRegistrationContext context) throws ClientRegistrationPolicyException {
    List<ProtocolMapperRepresentation> declaredMappers = context.getClient().getProtocolMappers();
    // A client without mappers has nothing to police.
    if (declaredMappers == null) {
        return;
    }
    List<String> allowedProviderIds = getAllowedMapperProviders();
    for (ProtocolMapperRepresentation declared : declaredMappers) {
        String providerId = declared.getProtocolMapper();
        if (allowedProviderIds.contains(providerId)) {
            continue;
        }
        // Log the offending mapper name/type, then fail the whole registration.
        ServicesLogger.LOGGER.clientRegistrationMapperNotAllowed(declared.getName(), providerId);
        throw new ClientRegistrationPolicyException("ProtocolMapper type not allowed");
    }
}

/**
 * Aligns the client's pairwise "sub" mappers with the requested subject type.
 *
 * <p>For {@code PAIRWISE}: every existing pairwise mapper gets the new sector
 * identifier URI; if none exists, a SHA-256 pairwise mapper is created.
 * For any other subject type: all pairwise mappers are removed.</p>
 *
 * @param clientModel         the client whose mappers are adjusted
 * @param subjectType         requested subject type
 * @param sectorIdentifierUri sector identifier to apply (pairwise only)
 */
private void updatePairwiseSubMappers(ClientModel clientModel, SubjectType subjectType, String sectorIdentifierUri) {
    if (subjectType != SubjectType.PAIRWISE) {
        // Not pairwise: materialize first, then drop every pairwise mapper.
        clientModel.getProtocolMappersStream()
                .filter(OIDCClientRegistrationProviderPairwiseSupport::isPairwiseMapper)
                .collect(Collectors.toList())
                .forEach(clientModel::removeProtocolMapper);
        return;
    }
    // Pairwise: update whatever pairwise mappers already exist, remembering whether we saw any.
    AtomicBoolean updatedExisting = new AtomicBoolean(false);
    clientModel.getProtocolMappersStream()
            .filter(OIDCClientRegistrationProviderPairwiseSupport::isPairwiseMapper)
            .forEach(existing -> {
                updatedExisting.set(true);
                PairwiseSubMapperHelper.setSectorIdentifierUri(existing, sectorIdentifierUri);
                clientModel.updateProtocolMapper(existing);
            });
    if (!updatedExisting.get()) {
        // Nothing to update, so create a fresh SHA-256 pairwise mapper.
        ProtocolMapperRepresentation created = SHA256PairwiseSubMapper.createPairwiseMapper(sectorIdentifierUri, null);
        clientModel.addProtocolMapper(RepresentationToModel.toModel(created));
    }
}

/** Small holder for the pairwise-mapper predicate shared by both branches above. */
private static final class OIDCClientRegistrationProviderPairwiseSupport {
    private OIDCClientRegistrationProviderPairwiseSupport() {
    }

    /** True when the mapper's provider id ends with the pairwise sub-mapper suffix. */
    static boolean isPairwiseMapper(ProtocolMapperModel mapper) {
        return mapper.getProtocolMapper().endsWith(AbstractPairwiseSubMapper.PROVIDER_ID_SUFFIX);
    }
}

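@Test
public void test06UpdateSamlMapper() {
    ProtocolMapperRepresentation rep = makeSamlMapper("saml-role-name-mapper2");
    // Take the created id while the response is still open, and close it deterministically
    // even if getCreatedId fails; the original read the id after close().
    String createdId;
    try (Response resp = samlMappersRsc.createMapper(rep)) {
        createdId = ApiUtil.getCreatedId(resp);
    }
    assertAdminEvents.assertEvent(getRealmId(), OperationType.CREATE, AdminEventPaths.clientScopeProtocolMapperPath(samlClientScopeId, createdId), rep, ResourceType.PROTOCOL_MAPPER);
    // Mutate one config value and push the update under the created id.
    rep.getConfig().put("role", "account.manage-account");
    rep.setId(createdId);
    samlMappersRsc.update(createdId, rep);
    assertAdminEvents.assertEvent(getRealmId(), OperationType.UPDATE, AdminEventPaths.clientScopeProtocolMapperPath(samlClientScopeId, createdId), rep, ResourceType.PROTOCOL_MAPPER);
    // Round-trip: what the server now stores must equal what we sent.
    ProtocolMapperRepresentation updated = samlMappersRsc.getMapperById(createdId);
    assertEqualMappers(rep, updated);
}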