
Example 6 with TokenMetadataRepresentation


the class TokenIntrospectionTest method testIntrospectWithSamlClient.

/**
 * Introspection authenticated with the credentials of a SAML client must be refused.
 *
 * <p>The introspection endpoint answers with an {@code error} of
 * {@link Errors#INVALID_CLIENT} and does not reveal the token's subject, so a client of the
 * wrong protocol learns nothing about OIDC tokens it presents.
 */
@Test
public void testIntrospectWithSamlClient() throws Exception {
    // Obtain a regular OIDC access token for the test user first.
    oauth.doLogin("test-user@localhost", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    events.expectLogin().assertEvent();
    AccessTokenResponse tokens = oauth.doAccessTokenRequest(authorizationCode, "password");

    // Present it for introspection using the SAML client's credentials.
    String introspectionJson = oauth.introspectAccessTokenWithClientCredential("saml-client", "secret2", tokens.getAccessToken());
    TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectionJson, TokenMetadataRepresentation.class);

    // Rejected as an invalid client; no subject leaks in the response.
    assertEquals(Errors.INVALID_CLIENT, metadata.getOtherClaims().get("error"));
    assertNull(metadata.getSubject());
}

Example 7 with TokenMetadataRepresentation


the class AbstractClientPoliciesTest method doIntrospectAccessToken.

// OAuth2 protocol operation
/**
 * Introspects the access token of {@code tokenRes} with the given client credentials and
 * verifies the answer twice: once on the raw JSON and once after mapping it to a
 * {@link TokenMetadataRepresentation}. The token has to be active, attributed to
 * {@code username}, and bound to {@code clientId} both as {@code client_id} and as the
 * issued-for client. The matching {@code INTROSPECT_TOKEN} event is consumed at the end.
 *
 * @param tokenRes     token response whose access token is introspected
 * @param username     user the token is expected to belong to
 * @param clientId     client whose credentials are used and that the token must be bound to
 * @param clientSecret secret of {@code clientId}
 * @throws IOException if the response cannot be parsed
 */
protected void doIntrospectAccessToken(OAuthClient.AccessTokenResponse tokenRes, String username, String clientId, String clientSecret) throws IOException {
    String introspection = oauth.introspectAccessTokenWithClientCredential(clientId, clientSecret, tokenRes.getAccessToken());

    // Raw JSON view of the response.
    JsonNode json = objectMapper.readTree(introspection);
    assertEquals(true, json.get("active").asBoolean());
    assertEquals(username, json.get("username").asText());
    assertEquals(clientId, json.get("client_id").asText());

    // Typed view of the same response.
    TokenMetadataRepresentation metadata = objectMapper.readValue(introspection, TokenMetadataRepresentation.class);
    assertEquals(true, metadata.isActive());
    assertEquals(clientId, metadata.getClientId());
    assertEquals(clientId, metadata.getIssuedFor());

    // Introspection is audited against the client, not against a user.
    events.expect(EventType.INTROSPECT_TOKEN).client(clientId).user((String) null).clearDetails().assertEvent();
}

Example 8 with TokenMetadataRepresentation


the class ClientPoliciesTest method checkMtlsFlow.

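/**
 * Exercises the complete OAuth2 flow of a client whose tokens are bound to its TLS client
 * certificate (mTLS).
 *
 * <p>First, with the registered (default) certificate, every operation is expected to succeed:
 * token request and refresh ({@code 200}), introspection (token reported active), revocation
 * ({@code 200}) and logout ({@code 204}). The flow is then repeated with no client certificate
 * or with a different one, and each operation must be refused: token request and refresh with
 * {@code 400 invalid_grant}, revocation and logout with {@code 401}. The method ends by logging
 * out with the default certificate again, which must succeed like the first logout.
 *
 * <p>Every {@link CloseableHttpClient} and every {@link CloseableHttpResponse} is closed by
 * try-with-resources. {@code IOException}s of the HTTP helpers propagate as declared instead of
 * being re-wrapped in {@code RuntimeException}.
 *
 * @throws IOException if one of the HTTP calls or the JSON parsing fails
 */
private void checkMtlsFlow() throws IOException {
    // ---- Positive path: the client presents its registered certificate. ----

    // Login.
    OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    Assert.assertNull(loginResponse.getError());
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    // Token request.
    OAuthClient.AccessTokenResponse accessTokenResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, TEST_CLIENT_SECRET, client);
    }
    assertEquals(200, accessTokenResponse.getStatusCode());

    // Token refresh.
    OAuthClient.AccessTokenResponse accessTokenResponseRefreshed;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponseRefreshed = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client);
    }
    assertEquals(200, accessTokenResponseRefreshed.getStatusCode());

    // Token introspection.
    String tokenResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        tokenResponse = oauth.introspectTokenWithClientCredential(TEST_CLIENT, TEST_CLIENT_SECRET, "access_token", accessTokenResponse.getAccessToken(), client);
    }
    Assert.assertNotNull(tokenResponse);
    TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
    Assert.assertTrue(tokenMetadataRepresentation.isActive());

    // Refresh-token revocation. The response is a resource too and is closed with the client.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
         CloseableHttpResponse tokenRevokeResponse = oauth.doTokenRevoke(accessTokenResponse.getRefreshToken(), "refresh_token", TEST_CLIENT_SECRET, client)) {
        assertEquals(200, tokenRevokeResponse.getStatusLine().getStatusCode());
    }

    // Logout.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
         CloseableHttpResponse logoutResponse = oauth.doLogout(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client)) {
        assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
    }

    // ---- Negative path 1: token request without any client certificate. ----

    loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    Assert.assertNull(loginResponse.getError());
    code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, TEST_CLIENT_SECRET, client);
    }
    assertEquals(400, accessTokenResponse.getStatusCode());
    assertEquals(OAuthErrorException.INVALID_GRANT, accessTokenResponse.getError());

    // ---- Negative path 2: tokens obtained with the default certificate, then used with a different one or none. ----

    // Front-channel logout and fresh login.
    oauth.openLogout();
    loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    Assert.assertNull(loginResponse.getError());
    code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    // Token request with the default certificate succeeds.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, TEST_CLIENT_SECRET, client);
    }
    assertEquals(200, accessTokenResponse.getStatusCode());

    // Refresh with another certificate is refused.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore()) {
        accessTokenResponseRefreshed = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client);
    }
    assertEquals(400, accessTokenResponseRefreshed.getStatusCode());
    assertEquals(OAuthErrorException.INVALID_GRANT, accessTokenResponseRefreshed.getError());

    // Revocation with another certificate is refused.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithOtherKeyStoreAndTrustStore();
         CloseableHttpResponse tokenRevokeResponse = oauth.doTokenRevoke(accessTokenResponse.getRefreshToken(), "refresh_token", TEST_CLIENT_SECRET, client)) {
        assertEquals(401, tokenRevokeResponse.getStatusLine().getStatusCode());
    }

    // Logout without a certificate is refused.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore();
         CloseableHttpResponse logoutResponse = oauth.doLogout(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client)) {
        assertEquals(401, logoutResponse.getStatusLine().getStatusCode());
    }

    // Logout with the default certificate succeeds, as in the positive path.
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore();
         CloseableHttpResponse logoutResponse = oauth.doLogout(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client)) {
        assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
    }
}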

Example 9 with TokenMetadataRepresentation


the class CIBATest method doIntrospectAccessTokenWithClientCredential.

/**
 * Introspects all three tokens of {@code tokenRes} (access, refresh and ID token) with the
 * test client's credentials and checks each answer as raw JSON and as a
 * {@link TokenMetadataRepresentation}.
 *
 * <p>Every token must be active and bound to {@code TEST_CLIENT_NAME} as both {@code client_id}
 * and issued-for client. The access and ID tokens must additionally carry {@code username}; the
 * refresh token's first audience must equal its issuer and the ID token's first audience must
 * equal its issued-for client. One {@code INTROSPECT_TOKEN} event is consumed per introspection.
 *
 * @param tokenRes token response whose tokens are introspected
 * @param username user the tokens are expected to belong to
 * @return the raw introspection response of the ID token (the last one performed)
 * @throws IOException if a response cannot be parsed
 */
private String doIntrospectAccessTokenWithClientCredential(OAuthClient.AccessTokenResponse tokenRes, String username) throws IOException {
    ObjectMapper mapper = new ObjectMapper();

    // 1. Access token.
    String accessIntrospection = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getAccessToken());
    JsonNode accessJson = mapper.readTree(accessIntrospection);
    assertThat(accessJson.get("active").asBoolean(), is(equalTo(true)));
    assertThat(accessJson.get("username").asText(), is(equalTo(username)));
    assertThat(accessJson.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
    TokenMetadataRepresentation accessMetadata = mapper.readValue(accessIntrospection, TokenMetadataRepresentation.class);
    assertThat(accessMetadata.isActive(), is(equalTo(true)));
    assertThat(accessMetadata.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
    assertThat(accessMetadata.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
    events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();

    // 2. Refresh token.
    String refreshIntrospection = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getRefreshToken());
    JsonNode refreshJson = mapper.readTree(refreshIntrospection);
    assertThat(refreshJson.get("active").asBoolean(), is(equalTo(true)));
    assertThat(refreshJson.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
    TokenMetadataRepresentation refreshMetadata = mapper.readValue(refreshIntrospection, TokenMetadataRepresentation.class);
    assertThat(refreshMetadata.isActive(), is(equalTo(true)));
    assertThat(refreshMetadata.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
    assertThat(refreshMetadata.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
    // A refresh token is addressed to the issuer itself.
    assertThat(refreshMetadata.getAudience()[0], is(equalTo(refreshMetadata.getIssuer())));
    events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();

    // 3. ID token.
    String idIntrospection = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getIdToken());
    JsonNode idJson = mapper.readTree(idIntrospection);
    assertThat(idJson.get("active").asBoolean(), is(equalTo(true)));
    assertThat(idJson.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
    TokenMetadataRepresentation idMetadata = mapper.readValue(idIntrospection, TokenMetadataRepresentation.class);
    assertThat(idMetadata.isActive(), is(equalTo(true)));
    assertThat(idMetadata.getUserName(), is(equalTo(username)));
    assertThat(idMetadata.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
    assertThat(idMetadata.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
    assertThat(idMetadata.getPreferredUsername(), is(equalTo(username)));
    // An ID token is addressed to the client it was issued for.
    assertThat(idMetadata.getAudience()[0], is(equalTo(idMetadata.getIssuedFor())));
    events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();

    return idIntrospection;
}

Example 10 with TokenMetadataRepresentation


the class TokenIntrospectionTest method testIntrospectAccessTokenExpired.

/**
 * An expired access token must be reported inactive, and the introspection response must not
 * carry any of its claims (user name, client id, subject) once it is no longer valid.
 *
 * <p>Expiry is simulated by moving the clock one second past the realm's access-token lifespan.
 */
@Test
public void testIntrospectAccessTokenExpired() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    AccessTokenResponse tokens = oauth.doAccessTokenRequest(authorizationCode, "password");

    // Jump just past the realm's configured access-token lifespan.
    int lifespanSeconds = adminClient.realm(oauth.getRealm()).toRepresentation().getAccessTokenLifespan();
    setTimeOffset(lifespanSeconds + 1);

    String introspectionJson = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", tokens.getAccessToken());
    TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspectionJson, TokenMetadataRepresentation.class);

    // Inactive, and nothing about the token is disclosed.
    assertFalse(metadata.isActive());
    assertNull(metadata.getUserName());
    assertNull(metadata.getClientId());
    assertNull(metadata.getSubject());
}
