@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonConsentRequired() throws Exception {
    setTrustedHost("localhost");

    // A client registered anonymously must come back with consentRequired=true.
    OIDCClientRepresentation created = create();
    ClientRepresentation registered = ApiUtil.findClientByClientId(realmResource(), created.getClientId()).toRepresentation();
    Assert.assertTrue(registered.isConsentRequired());

    // The policy must reject an update that switches consent off (403 for the anonymous registrant).
    registered.setConsentRequired(false);
    assertFail(ClientRegOp.UPDATE, registered, 403, "Not permitted to update consentRequired to false");

    // Leaving consent required is permitted.
    registered.setConsentRequired(true);
    reg.update(registered);
}
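@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientDisabledPolicy() throws Exception {
    setTrustedHost("localhost");

    // Without the policy, an anonymously registered client is enabled.
    OIDCClientRepresentation client = create();
    ClientRepresentation clientRep = ApiUtil.findClientByClientId(realmResource(), client.getClientId()).toRepresentation();
    Assert.assertTrue(clientRep.isEnabled());

    // Register the client-disabled policy for anonymous registration.
    ComponentRepresentation rep = new ComponentRepresentation();
    rep.setName("Clients disabled");
    rep.setParentId(REALM_NAME);
    rep.setProviderId(ClientDisabledClientRegistrationPolicyFactory.PROVIDER_ID);
    rep.setProviderType(ClientRegistrationPolicy.class.getName());
    rep.setSubType(getPolicyAnon());

    String policyId;
    Response response = realmResource().components().add(rep);
    try {
        policyId = ApiUtil.getCreatedId(response);
    } finally {
        // Always release the JAX-RS response, even if reading the Location header fails.
        response.close();
    }

    // The policy is removed in finally so a failing assertion cannot leave it active in the realm
    // and silently disable clients created by later tests.
    try {
        // With the policy active, a newly registered client is disabled ...
        client = create();
        clientRep = ApiUtil.findClientByClientId(realmResource(), client.getClientId()).toRepresentation();
        Assert.assertFalse(clientRep.isEnabled());

        // ... and the anonymous registrant cannot enable it (403).
        clientRep.setEnabled(true);
        assertFail(ClientRegOp.UPDATE, clientRep, 403, "Not permitted to enable client");

        // Updating while the client stays disabled is permitted.
        clientRep.setEnabled(false);
        reg.update(clientRep);
    } finally {
        realmResource().components().component(policyId).remove();
    }
}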
@Test
public void createClientWithJWKS_generatedKid() throws Exception {
    // Register a client authenticating with private_key_jwt, keys supplied inline in the request.
    OIDCClientRepresentation request = createRep();
    request.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    request.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    // The test application generates the RS256 key pair and publishes the public part as a JWK set.
    TestOIDCEndpointsApplicationResource endpoints = testingClient.testApp().oidcClientEndpoints();
    Map<String, String> keys = endpoints.generateKeys("RS256");
    request.setJwks(endpoints.getJwks());

    OIDCClientRepresentation registered = reg.oidc().create(request);

    // A private_key_jwt client must not be issued a shared client secret.
    Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, registered.getTokenEndpointAuthMethod());
    Assert.assertNull(registered.getClientSecret());
    Assert.assertNull(registered.getClientSecretExpiresAt());

    // Signed-JWT authentication with the generated key and its generated kid is accepted.
    assertAuthenticateClientSuccess(keys, registered, KEEP_GENERATED_KID);
}
@Test
public void testTwoClientsWithSameKid() throws Exception {
    // client1: registered with an explicit kid "a1" and the test application's keys.
    OIDCClientRepresentation client1 = createClientWithManuallySetKid("a1");

    // client2: also private_key_jwt, but with a fresh, unrelated RSA key pair ...
    OIDCClientRepresentation client2 = createRep();
    client2.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    client2.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
    rsa.initialize(2048);
    PublicKey client2Key = rsa.generateKeyPair().getPublic();

    // ... published under the very same kid "a1" that client1 uses.
    JSONWebKeySet client2Jwks = new JSONWebKeySet();
    client2Jwks.setKeys(new JWK[] { JWKBuilder.create().kid("a1").rs256(client2Key) });
    client2.setJwks(client2Jwks);
    client2 = reg.oidc().create(client2);

    // client1 authenticates with the test application's private key; this also populates the
    // public-key cache entry for client1.
    Map<String, String> client1Keys = testingClient.testApp().oidcClientEndpoints().getKeysAsPem();
    assertAuthenticateClientSuccess(client1Keys, client1, "a1");
    String client1CacheKey = PublicKeyStorageUtils.getClientModelCacheKey(REALM_NAME, client1.getClientId());
    Assert.assertTrue(testingClient.testing().cache(InfinispanConnectionProvider.KEYS_CACHE_NAME).contains(client1CacheKey));

    // Key lookup must be scoped per client: a JWT signed with client1's key under kid "a1" is rejected
    // when presented as client2, even though client2 advertises the same kid. Otherwise a colliding kid
    // could let one client's cached key satisfy another client's authentication.
    assertAuthenticateClientError(client1Keys, client2, "a1");
}
@Test
public void createClientWithJWKSURI_rotateClientKeys() throws Exception {
    // Register a private_key_jwt client whose keys are fetched from a jwks_uri rather than given inline.
    OIDCClientRepresentation request = createRep();
    request.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    request.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    TestOIDCEndpointsApplicationResource endpoints = testingClient.testApp().oidcClientEndpoints();
    Map<String, String> firstKeys = endpoints.generateKeys("RS256");
    request.setJwksUri(TestApplicationResourceUrls.clientJwksUri());

    OIDCClientRepresentation registered = reg.oidc().create(request);
    Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, registered.getTokenEndpointAuthMethod());
    // No shared secret for a private_key_jwt client; the jwks_uri is stored as submitted.
    Assert.assertNull(registered.getClientSecret());
    Assert.assertNull(registered.getClientSecretExpiresAt());
    Assert.assertEquals(registered.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());

    // First key: signed-JWT authentication succeeds.
    assertAuthenticateClientSuccess(firstKeys, registered, KEEP_GENERATED_KID);

    // Rotate: the test application publishes an additional key at the same jwks_uri.
    Map<String, String> rotatedKeys = endpoints.generateKeys("RS256");

    // Immediately after rotation the new key is rejected: the KeyStorageProvider does not re-download
    // the jwks_uri yet because of its timeout, so an unknown kid is not resolved on demand.
    assertAuthenticateClientError(rotatedKeys, registered, KEEP_GENERATED_KID);

    // Once the clock is moved past the timeout the jwks_uri is fetched again and the rotated key is accepted.
    setTimeOffset(20);
    assertAuthenticateClientSuccess(rotatedKeys, registered, KEEP_GENERATED_KID);
}