Examples with AuthorizationResponse org.keycloak.representations.idm.authorization.AuthorizationResponse used on opensource projects

Search in sources :

Example 31 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class UserManagedAccessTest method testUserGrantsAccessToResourceWithoutScopes.

@Test
public void testUserGrantsAccessToResourceWithoutScopes() throws Exception {
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    resource = addResource("Resource A", "marta", true);
    permission.setName(resource.getName() + " Permission");
    permission.addResource(resource.getId());
    permission.addPolicy("Only Owner Policy");
    getClient(getRealm()).authorization().permissions().resource().create(permission).close();
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] {});
    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    AccessToken accessToken = toAccessToken(rpt);
    AccessToken.Authorization authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    Collection<Permission> permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, "Resource A");
    assertTrue(permissions.isEmpty());
    try {
        response = authorize("kolo", "password", resource.getId(), new String[] {});
        fail("User should have access to resource from another user");
    } catch (AuthorizationDeniedException ade) {
    }
    PermissionResource permissionResource = getAuthzClient().protection().permission();
    List<PermissionTicketRepresentation> permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertFalse(ticket.isGranted());
        ticket.setGranted(true);
        permissionResource.update(ticket);
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    response = authorize("kolo", "password", resource.getId(), new String[] {});
    rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName());
    assertTrue(permissions.isEmpty());
    response = authorize("kolo", "password", resource.getId(), new String[] {});
    rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());
    accessToken = toAccessToken(rpt);
    authorization = accessToken.getAuthorization();
    assertNotNull(authorization);
    permissions = authorization.getPermissions();
    assertNotNull(permissions);
    assertPermissions(permissions, resource.getName());
    assertTrue(permissions.isEmpty());
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertFalse(permissionTickets.isEmpty());
    assertEquals(1, permissionTickets.size());
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        assertTrue(ticket.isGranted());
    }
    for (PermissionTicketRepresentation ticket : permissionTickets) {
        permissionResource.delete(ticket.getId());
    }
    permissionTickets = permissionResource.findByResource(resource.getId());
    assertEquals(0, permissionTickets.size());
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) PermissionTicketRepresentation(org.keycloak.representations.idm.authorization.PermissionTicketRepresentation) PermissionResource(org.keycloak.authorization.client.resource.PermissionResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 32 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class RegexPolicyTest method testWithExpectedUserAttribute.

@Test
public void testWithExpectedUserAttribute() {
    // Access Resource A with marta.
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest request = new PermissionRequest("Resource A");
    String ticket = authzClient.protection().permission().create(request).getTicket();
    AuthorizationResponse response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
    // Access Resource B with marta.
    request = new PermissionRequest("Resource B");
    ticket = authzClient.protection().permission().create(request).getTicket();
    response = authzClient.authorization("marta", "password").authorize(new AuthorizationRequest(ticket));
    assertNotNull(response.getToken());
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthzClient(org.keycloak.authorization.client.AuthzClient) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 33 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class UmaPermissionTicketPushedClaimsTest method testEvaluatePermissionsWithPushedClaims.

@Test
public void testEvaluatePermissionsWithPushedClaims() throws Exception {
    ResourceRepresentation resource = addResource("Bank Account", "withdraw");
    JSPolicyRepresentation policy = new JSPolicyRepresentation();
    policy.setName("Withdraw Limit Policy");
    StringBuilder code = new StringBuilder();
    code.append("var context = $evaluation.getContext();");
    code.append("var attributes = context.getAttributes();");
    code.append("var withdrawValue = attributes.getValue('my.bank.account.withdraw.value');");
    code.append("if (withdrawValue && withdrawValue.asDouble(0) <= 100) {");
    code.append("   $evaluation.grant();");
    code.append("}");
    policy.setCode(code.toString());
    AuthorizationResource authorization = getClient(getRealm()).authorization();
    authorization.policies().js().create(policy).close();
    ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
    representation.setName("Withdraw Permission");
    representation.addScope("withdraw");
    representation.addPolicy(policy.getName());
    authorization.permissions().scope().create(representation).close();
    AuthzClient authzClient = getAuthzClient();
    PermissionRequest permissionRequest = new PermissionRequest(resource.getId());
    permissionRequest.addScope("withdraw");
    permissionRequest.setClaim("my.bank.account.withdraw.value", "50.5");
    PermissionResponse response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    AuthorizationRequest request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    AuthorizationResponse authorizationResponse = authzClient.authorization().authorize(request);
    assertNotNull(authorizationResponse);
    assertNotNull(authorizationResponse.getToken());
    AccessToken token = toAccessToken(authorizationResponse.getToken());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    Permission permission = permissions.iterator().next();
    Map<String, Set<String>> claims = permission.getClaims();
    assertNotNull(claims);
    assertThat(claims.get("my.bank.account.withdraw.value"), Matchers.containsInAnyOrder("50.5"));
    permissionRequest.setClaim("my.bank.account.withdraw.value", "100.5");
    response = authzClient.protection("marta", "password").permission().create(permissionRequest);
    request = new AuthorizationRequest();
    request.setTicket(response.getTicket());
    request.setClaimToken(authzClient.obtainAccessToken("marta", "password").getToken());
    try {
        authorizationResponse = authzClient.authorization().authorize(request);
        fail("Access should be denied");
    } catch (Exception ignore) {
    }
}
Also used : PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) AuthzClient(org.keycloak.authorization.client.AuthzClient) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation) Test(org.junit.Test)

Example 34 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testDoNotGrantPermissionWhenObtainAllEntitlements.

@Test
public void testDoNotGrantPermissionWhenObtainAllEntitlements() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);
    UmaPermissionRepresentation permission = new UmaPermissionRepresentation();
    permission.setName("Custom User-Managed Permission");
    permission.addScope("Scope A", "Scope B");
    permission.addUser("kolo");
    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    protection.policy(resource.getId()).create(permission);
    AuthorizationResource authorization = getAuthzClient().authorization("kolo", "password");
    AuthorizationRequest request = new AuthorizationRequest();
    request.addPermission(resource.getId(), "Scope A", "Scope B");
    AuthorizationResponse authzResponse = authorization.authorize(request);
    assertNotNull(authzResponse);
    AccessToken token = toAccessToken(authzResponse.getToken());
    assertNotNull(token.getAuthorization());
    Collection<Permission> permissions = token.getAuthorization().getPermissions();
    assertEquals(1, permissions.size());
    assertTrue(permissions.iterator().next().getScopes().containsAll(Arrays.asList("Scope A", "Scope B")));
    try {
        // policy engine does not evaluate custom policies when obtaining all entitlements
        getAuthzClient().authorization("kolo", "password").authorize();
        fail("User should not have permission");
    } catch (Exception e) {
        assertTrue(AuthorizationDeniedException.class.isInstance(e));
    }
}
Also used : ProtectionResource(org.keycloak.authorization.client.resource.ProtectionResource) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) AccessToken(org.keycloak.representations.AccessToken) Permission(org.keycloak.representations.idm.authorization.Permission) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) AuthorizationResource(org.keycloak.authorization.client.resource.AuthorizationResource) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) NotFoundException(javax.ws.rs.NotFoundException) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) Test(org.junit.Test)

Example 35 with AuthorizationResponse

use of org.keycloak.representations.idm.authorization.AuthorizationResponse in project keycloak by keycloak.

the class KeycloakAdapterPolicyEnforcer method requestAuthorizationToken.

private AccessToken requestAuthorizationToken(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    if (getEnforcerConfig().getUserManagedAccess() != null) {
        return null;
    }
    try {
        KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();
        String accessTokenString = securityContext.getTokenString();
        KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
        AccessToken accessToken = securityContext.getToken();
        AuthorizationRequest authzRequest = new AuthorizationRequest();
        if (isBearerAuthorization(httpFacade) || accessToken.getAuthorization() != null) {
            authzRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
        }
        if (!claims.isEmpty()) {
            authzRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
            authzRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(claims)));
        }
        if (accessToken.getAuthorization() != null) {
            authzRequest.setRpt(accessTokenString);
        }
        LOGGER.debug("Obtaining authorization for authenticated user.");
        AuthorizationResponse authzResponse;
        if (isBearerAuthorization(httpFacade)) {
            authzRequest.setSubjectToken(accessTokenString);
            authzResponse = getAuthzClient().authorization().authorize(authzRequest);
        } else {
            authzResponse = getAuthzClient().authorization(accessTokenString).authorize(authzRequest);
        }
        if (authzResponse != null) {
            return AdapterTokenVerifier.verifyToken(authzResponse.getToken(), deployment);
        }
    } catch (AuthorizationDeniedException ignore) {
        LOGGER.debug("Authorization denied", ignore);
    } catch (Exception e) {
        LOGGER.debug("Authorization failed", e);
    }
    return null;
}
Also used : AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) KeycloakSecurityContext(org.keycloak.KeycloakSecurityContext) AccessToken(org.keycloak.representations.AccessToken) KeycloakDeployment(org.keycloak.adapters.KeycloakDeployment) HttpResponseException(org.keycloak.authorization.client.util.HttpResponseException) AuthorizationDeniedException(org.keycloak.authorization.client.AuthorizationDeniedException) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse)

Aggregations

AuthorizationResponse (org.keycloak.representations.idm.authorization.AuthorizationResponse)69 Test (org.junit.Test)58 AccessToken (org.keycloak.representations.AccessToken)43 Permission (org.keycloak.representations.idm.authorization.Permission)43 AuthorizationRequest (org.keycloak.representations.idm.authorization.AuthorizationRequest)41 AuthzClient (org.keycloak.authorization.client.AuthzClient)35 ResourceRepresentation (org.keycloak.representations.idm.authorization.ResourceRepresentation)30 ResourcePermissionRepresentation (org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation)22 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)20 ClientResource (org.keycloak.admin.client.resource.ClientResource)20 PermissionRequest (org.keycloak.representations.idm.authorization.PermissionRequest)20 AuthorizationDeniedException (org.keycloak.authorization.client.AuthorizationDeniedException)19 OAuthClient (org.keycloak.testsuite.util.OAuthClient)17 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)15 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)14 PermissionResponse (org.keycloak.representations.idm.authorization.PermissionResponse)14 ScopePermissionRepresentation (org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)14 Response (javax.ws.rs.core.Response)13 TokenIntrospectionResponse (org.keycloak.authorization.client.representation.TokenIntrospectionResponse)12 ArrayList (java.util.ArrayList)11
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial