
Example 51 with OIDCClientRepresentation

use of org.keycloak.representations.oidc.OIDCClientRepresentation in project keycloak by keycloak.

From class OIDCPairwiseClientRegistrationTest, method createPairwiseClientWithRedirectsToMultipleHostsWithoutSectorIdentifierURI.

@Test
public void createPairwiseClientWithRedirectsToMultipleHostsWithoutSectorIdentifierURI() throws Exception {
    // A pairwise client whose redirect URIs span more than one host must supply a
    // sector_identifier_uri (the pairwise subject is derived from the sector); without
    // one the registration is expected to be rejected with HTTP 400.
    List<String> redirectUris = new ArrayList<>(2);
    redirectUris.add("http://redirect1");
    redirectUris.add("http://redirect2");

    OIDCClientRepresentation pairwiseRep = createRep();
    pairwiseRep.setRedirectUris(redirectUris);
    pairwiseRep.setSubjectType("pairwise");

    assertCreateFail(pairwiseRep, 400, "Without a configured Sector Identifier URI, client redirect URIs must not contain multiple host components.");
}

Example 52 with OIDCClientRepresentation

use of org.keycloak.representations.oidc.OIDCClientRepresentation in project keycloak by keycloak.

From class OIDCPairwiseClientRegistrationTest, method refreshPairwiseToken.

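@Test
public void refreshPairwiseToken() throws Exception {
    // Create pairwise client and log in to it
    OIDCClientRepresentation pairwiseClient = createPairwise();
    OAuthClient.AccessTokenResponse accessTokenResponse = login(pairwiseClient, "test-user@localhost", "password");

    // Verify the tokens from the original authentication. The access token is verified
    // (not merely parsed as if it were a refresh token), matching how the refreshed
    // access token is checked further down.
    oauth.verifyToken(accessTokenResponse.getAccessToken());
    IDToken idToken = oauth.verifyIDToken(accessTokenResponse.getIdToken());
    oauth.parseRefreshToken(accessTokenResponse.getRefreshToken());

    // Refresh token
    OAuthClient.AccessTokenResponse refreshTokenResponse = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), pairwiseClient.getClientSecret());

    // Verify refreshed tokens
    oauth.verifyToken(refreshTokenResponse.getAccessToken());
    RefreshToken refreshedRefreshToken = oauth.parseRefreshToken(refreshTokenResponse.getRefreshToken());
    IDToken refreshedIdToken = oauth.verifyIDToken(refreshTokenResponse.getIdToken());

    // If an ID Token is returned as a result of a token refresh request, the following requirements apply
    // (OpenID Connect Core, Refresh Token Response). The refreshed ID token itself is checked, and the
    // refreshed refresh token is checked alongside it so that all tokens of the session agree.
    // its iss Claim Value MUST be the same as in the ID Token issued when the original authentication occurred
    Assert.assertEquals(idToken.getIssuer(), refreshedIdToken.getIssuer());
    Assert.assertEquals(idToken.getIssuer(), refreshedRefreshToken.getIssuer());
    // its sub Claim Value MUST be the same as in the ID Token issued when the original authentication occurred
    // (for a pairwise client this pins the refreshed tokens to the same pairwise subject)
    Assert.assertEquals(idToken.getSubject(), refreshedIdToken.getSubject());
    Assert.assertEquals(idToken.getSubject(), refreshedRefreshToken.getSubject());
    // its iat Claim MUST represent the time that the new ID Token is issued
    Assert.assertEquals(refreshedIdToken.getIssuedAt(), refreshedRefreshToken.getIssuedAt());
    // if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication
    // - not the time that the new ID token is issued
    Assert.assertEquals(idToken.getAuthTime(), refreshedIdToken.getAuthTime());
    // its azp Claim Value MUST be the same as in the ID Token issued when the original authentication occurred; if
    // no azp Claim was present in the original ID Token, one MUST NOT be present in the new ID Token
    Assert.assertEquals(idToken.getIssuedFor(), refreshedIdToken.getIssuedFor());
}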

Example 53 with OIDCClientRepresentation

use of org.keycloak.representations.oidc.OIDCClientRepresentation in project keycloak by keycloak.

From class OIDCPairwiseClientRegistrationTest, method refreshPairwiseTokenDeletedUser.

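@Test
public void refreshPairwiseTokenDeletedUser() throws Exception {
    // A refresh token must stop working once its user has been deleted, and the
    // error response must not carry any token material.
    String userId = createUser(REALM_NAME, "delete-me@localhost", "password");

    // Create pairwise client
    OIDCClientRepresentation pairwiseClient = createPairwise();

    // Login to pairwise client
    oauth.clientId(pairwiseClient.getClientId());
    OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin("delete-me@localhost", "password");
    OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(loginResponse.getCode(), pairwiseClient.getClientSecret());
    assertEquals(200, accessTokenResponse.getStatusCode());

    // Delete user
    adminClient.realm(REALM_NAME).users().delete(userId);

    // Refresh must now be rejected with invalid_grant and no tokens may be issued
    OAuthClient.AccessTokenResponse refreshTokenResponse = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), pairwiseClient.getClientSecret());
    assertEquals(400, refreshTokenResponse.getStatusCode());
    assertEquals("invalid_grant", refreshTokenResponse.getError());
    assertNull(refreshTokenResponse.getAccessToken());
    assertNull(refreshTokenResponse.getIdToken());
    assertNull(refreshTokenResponse.getRefreshToken());
}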

Example 54 with OIDCClientRepresentation

use of org.keycloak.representations.oidc.OIDCClientRepresentation in project keycloak by keycloak.

From class ClientPoliciesTest, method testSecureClientRegisteringUriEnforceExecutor.

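@Test
public void testSecureClientRegisteringUriEnforceExecutor() throws Exception {
    // Register a profile carrying the secure-client-URIs executor and a policy that applies it to
    // clients created or updated by an authenticated user, an initial access token or a registration
    // access token. The executor is then expected to reject every client URL field that is not https
    // or that contains a wildcard, and to accept a client whose URL fields are all valid.

    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Ensimmainen Profiili").addExecutor(SecureClientUrisExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Ensimmainen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);

    // Dynamic registration with a plain-http redirect URI must be rejected.
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("http://newredirect"));
        });
        fail("dynamic registration with an http redirect URI should have been rejected");
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }

    // An admin-created client without any URIs is accepted. Unexpected failures propagate with their
    // cause (the method declares throws Exception) instead of being collapsed into a bare fail().
    String clientId = generateSuffixedName(CLIENT_NAME);
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setServiceAccountsEnabled(Boolean.TRUE);
        clientRep.setRedirectUris(null);
    });
    updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
        clientRep.setRedirectUris(null);
        clientRep.setServiceAccountsEnabled(Boolean.FALSE);
    });
    assertEquals(false, getClientByAdmin(cid).isServiceAccountsEnabled());

    // update policies: the condition no longer covers the initial-access-token context
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Paivitetyn Ensimmaisen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);

    // A wildcard redirect URI is rejected in a dynamic update even though it is https.
    try {
        updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("https://newredirect/*"));
        });
        fail("dynamic update with a wildcard redirect URI should have been rejected");
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }

    // Every URL field set to a valid https value without wildcards is accepted by the admin update.
    updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
        // rootUrl
        clientRep.setRootUrl("https://client.example.com/");
        // adminUrl
        clientRep.setAdminUrl("https://client.example.com/admin/");
        // baseUrl
        clientRep.setBaseUrl("https://client.example.com/base/");
        // web origins
        clientRep.setWebOrigins(Arrays.asList("https://valid.other.client.example.com/", "https://valid.another.client.example.com/"));
        // OAuth2 : redirectUris
        clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "https://client.example.com/callback/"));
        // Attribute-backed URLs are collected once and written back with a single setAttributes call:
        // backchannel logout URL, OAuth2 jwks_uri and the CIBA client notification endpoint.
        Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "https://client.example.com/logout/");
        attributes.put(OIDCConfigAttributes.JWKS_URL, "https://client.example.com/jwks/");
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "https://client.example.com/client-notification/");
        clientRep.setAttributes(attributes);
        // OIDD : requestUris — set last so that the helper writes into the attributes already stored on the representation
        setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/", "https://client.example.com/reqobj/"));
    });

    // Each remaining case flips exactly one field to an invalid value (http scheme, wildcard, or a
    // malformed scheme) and expects INVALID_CLIENT_METADATA with a detail naming that field.
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // rootUrl: http scheme and wildcard
            clientRep.setRootUrl("http://client.example.com/*/");
        });
        fail("invalid rootUrl should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid rootUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // adminUrl: http scheme
            clientRep.setAdminUrl("http://client.example.com/admin/");
        });
        fail("invalid adminUrl should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid adminUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // baseUrl: wildcard
            clientRep.setBaseUrl("https://client.example.com/base/*");
        });
        fail("invalid baseUrl should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid baseUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // web origins: http scheme
            clientRep.setWebOrigins(Arrays.asList("http://valid.another.client.example.com/"));
        });
        fail("invalid webOrigins should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid webOrigins", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // backchannel logout URL: malformed scheme
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "httpss://client.example.com/logout/");
            clientRep.setAttributes(attributes);
        });
        fail("invalid backchannel logout URL should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid logoutUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OAuth2 : redirectUris: one entry with an ftp scheme
            clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "ftp://client.example.com/callback/"));
        });
        fail("invalid redirectUris should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid redirectUris", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OAuth2 : jwks_uri: malformed scheme
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.JWKS_URL, "http s://client.example.com/jwks/");
            clientRep.setAttributes(attributes);
        });
        fail("invalid jwks_uri should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid jwksUri", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OIDD : requestUris: wildcard in one entry
            setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/*", "https://client.example.com/reqobj/"));
        });
        fail("invalid requestUris should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid requestUris", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // CIBA Client Notification Endpoint: http scheme
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "http://client.example.com/client-notification/");
            clientRep.setAttributes(attributes);
        });
        fail("invalid CIBA client notification endpoint should have been rejected");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid cibaClientNotificationEndpoint", e.getErrorDetail());
    }
}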

Example 55 with OIDCClientRepresentation

use of org.keycloak.representations.oidc.OIDCClientRepresentation in project keycloak by keycloak.

From class ClientPoliciesTest, method testAuthzCodeFlowUnderMultiPhasePolicy.

@Test
public void testAuthzCodeFlowUnderMultiPhasePolicy() throws Exception {
    setupPolicyAuthzCodeFlowUnderMultiPhasePolicy(POLICY_NAME);

    // Register the client dynamically without customising any metadata, so the
    // policy is exercised against the defaults.
    String registeredName = generateSuffixedName(CLIENT_NAME);
    String registeredClientId = createClientDynamically(registeredName, (OIDCClientRepresentation rep) -> {
        // intentionally empty: no metadata overrides
    });
    events.expect(EventType.CLIENT_REGISTER).client(registeredClientId).user(Matchers.isEmptyOrNullString()).assertEvent();

    // Read the registration back and check the name and the token endpoint auth method
    // the test expects (client_secret_basic).
    OIDCClientRepresentation registered = getClientDynamically(registeredClientId);
    assertEquals(registeredName, registered.getClientName());
    assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, registered.getTokenEndpointAuthMethod());
    events.expect(EventType.CLIENT_INFO).client(registeredClientId).user(Matchers.isEmptyOrNullString()).assertEvent();

    adminClient.realm(REALM_NAME).clients().get(registeredClientId).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());

    // Complete an authorization-code login and logout with PKCE using the registered credentials.
    successfulLoginAndLogoutWithPKCE(registered.getClientId(), registered.getClientSecret(), TEST_USER_NAME, TEST_USER_PASSWORD);
}
