Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.
The class FAPICIBATest, method testFAPIAdvancedClientRegistration.
/**
 * Verifies client registration through the admin API once the FAPI CIBA policy applies to every client.
 *
 * <p>Rejected registrations (each surfaces as a {@link ClientPolicyException} carrying
 * {@code invalid_client_metadata}): client-id/secret authentication, JWT-with-client-secret
 * authentication, and private_key_jwt combined with a plain {@code http://} request_uri.
 *
 * <p>Accepted registrations: private_key_jwt ({@code client-jwt}), X.509 ({@code client-x509}) and a
 * client that leaves the authenticator unset. For the last one the policy is expected to auto-configure
 * {@code client-jwt}, require consent, enable MTLS holder-of-key tokens, set PS256 for the ID token and
 * request-object signatures, and disable full-scope-allowed.
 *
 * @throws Exception propagated from the admin-client helpers
 */
@Test
public void testFAPIAdvancedClientRegistration() throws Exception {
    setupPolicyFAPICIBAForAllClient();

    // client-id/secret authentication is not permitted under the profile
    try {
        createClientByAdmin("invalid", clientRep -> clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID));
        Assert.fail();
    } catch (ClientPolicyException cpe) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, cpe.getMessage());
    }

    // client_secret_jwt is not permitted either
    try {
        createClientByAdmin("invalid", clientRep -> clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID));
        Assert.fail();
    } catch (ClientPolicyException cpe) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, cpe.getMessage());
    }

    // private_key_jwt is allowed, but a non-TLS request_uri must still be rejected
    try {
        createClientByAdmin("invalid", clientRep -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Collections.singletonList("http://foo"));
        });
        Assert.fail();
    } catch (ClientPolicyException cpe) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, cpe.getMessage());
    }

    // private_key_jwt client: accepted and authenticator kept as configured
    String jwtClientId = createClientByAdmin("client-jwt", clientRep -> clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID));
    ClientRepresentation jwtClient = getClientByAdmin(jwtClientId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, jwtClient.getClientAuthenticatorType());

    // X.509 client: accepted and authenticator kept as configured
    String x509ClientId = createClientByAdmin("client-x509", clientRep -> clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID));
    ClientRepresentation x509Client = getClientByAdmin(x509ClientId);
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, x509Client.getClientAuthenticatorType());

    // no authenticator given: the policy is expected to auto-configure client-jwt
    String defaultedClientId = createClientByAdmin("client-jwt-2", clientRep -> {
    });
    ClientRepresentation defaultedClient = getClientByAdmin(defaultedClientId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, defaultedClient.getClientAuthenticatorType());

    // remaining auto-configured settings: consent, holder-of-key, signature algorithms, scope
    Assert.assertTrue(defaultedClient.isConsentRequired());
    OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaultedClient);
    Assert.assertTrue(advancedConfig.isUseMtlsHokToken());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertFalse(defaultedClient.isFullScopeAllowed());
}
Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.
The class HolderOfKeyEnforcerExecutor, method checkTokenRefresh.
/**
 * Enforces holder-of-key binding on a refresh-token grant: the {@code refresh_token} form parameter
 * must be bound to the client certificate presented on the current request.
 *
 * <p>A value that does not decode as a {@link RefreshToken} is not handled here (this executor does
 * not treat that error case; presumably the token endpoint rejects it on its own - verify against caller).
 *
 * @param context the token-refresh context supplying the form parameters
 * @param request the current HTTP request carrying the client certificate
 * @throws ClientPolicyException {@code invalid_grant} / 400 when the decoded token is not bound to the
 *         presented certificate
 */
private void checkTokenRefresh(TokenRefreshContext context, HttpRequest request) throws ClientPolicyException {
    String rawRefreshToken = context.getParams().getFirst(OAuth2Constants.REFRESH_TOKEN);
    RefreshToken parsedToken = session.tokens().decode(rawRefreshToken, RefreshToken.class);
    // short-circuit: an undecodable token is skipped, a decodable one must pass the binding check
    boolean bindingAccepted = parsedToken == null
            || MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(parsedToken, request, session);
    if (!bindingAccepted) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.BAD_REQUEST);
    }
}
Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.
The class HolderOfKeyEnforcerExecutor, method checkTokenRevoke.
/**
 * Enforces holder-of-key binding on a token-revocation request: the {@code token} form parameter is
 * decoded as a {@link RefreshToken} and must be bound to the client certificate presented on the request.
 *
 * <p>Anything that does not decode as a refresh token is skipped (this executor does not treat that
 * error case); NOTE(review): that appears to include access tokens submitted for revocation - confirm
 * whether those need a separate binding check.
 *
 * @param context the revocation context supplying the form parameters
 * @param request the current HTTP request carrying the client certificate
 * @throws ClientPolicyException {@code not_allowed} / 401 when the decoded token is not bound to the
 *         presented certificate (note: a different error/status than the refresh-grant check)
 */
private void checkTokenRevoke(TokenRevokeContext context, HttpRequest request) throws ClientPolicyException {
    String rawToken = context.getParams().getFirst("token");
    RefreshToken parsedToken = session.tokens().decode(rawToken, RefreshToken.class);
    boolean bindingAccepted = parsedToken == null
            || MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(parsedToken, request, session);
    if (!bindingAccepted) {
        throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
    }
}
Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.
The class HolderOfKeyEnforcerExecutor, method executeOnEvent.
/**
 * Dispatches the holder-of-key enforcement to the handler for the given client-policy event.
 *
 * <p>Registration and update events auto-configure and then validate the proposed client
 * representation; token issuance events require a client certificate to bind the token to; refresh,
 * revocation, userinfo and logout events verify the presented token against that certificate. All
 * other events are ignored.
 *
 * @param context the event context; cast to the event-specific subtype per case
 * @throws ClientPolicyException when the handler for the event rejects the request
 */
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    HttpRequest httpRequest = session.getContext().getContextObject(HttpRequest.class);
    switch (context.getEvent()) {
        case REGISTER:
        case UPDATE:
            ClientRepresentation proposedClient = ((ClientCRUDContext) context).getProposedClientRepresentation();
            autoConfigure(proposedClient);
            validate(proposedClient);
            break;
        case TOKEN_REQUEST:
        case SERVICE_ACCOUNT_TOKEN_REQUEST:
        case BACKCHANNEL_TOKEN_REQUEST:
            requireClientCertificateForBinding(httpRequest);
            break;
        case TOKEN_REFRESH:
            checkTokenRefresh((TokenRefreshContext) context, httpRequest);
            break;
        case TOKEN_REVOKE:
            checkTokenRevoke((TokenRevokeContext) context, httpRequest);
            break;
        case USERINFO_REQUEST:
            checkUserInfo((UserInfoRequestContext) context, httpRequest);
            break;
        case LOGOUT_REQUEST:
            checkLogout((LogoutRequestContext) context, httpRequest);
            break;
        default:
            // events not listed above are outside this executor's scope
            break;
    }
}

/**
 * Rejects a token request when no client certificate is available to bind the issued token to.
 *
 * @param request the current HTTP request expected to carry the client certificate
 * @throws ClientPolicyException {@code invalid_request} when no certificate binding could be produced
 */
private void requireClientCertificateForBinding(HttpRequest request) throws ClientPolicyException {
    AccessToken.CertConf certConf = MtlsHoKTokenUtil.bindTokenWithClientCertificate(request, session);
    if (certConf == null) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Client Certification missing for MTLS HoK Token Binding");
    }
}
Use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.
The class HolderOfKeyEnforcerExecutor, method checkLogout.
/**
 * Enforces holder-of-key binding on a logout request: the {@code refresh_token} form parameter must be
 * bound to the client certificate presented on the current request.
 *
 * <p>A value that does not decode as a {@link RefreshToken} is not handled here (this executor does
 * not treat that error case).
 *
 * @param context the logout context supplying the form parameters
 * @param request the current HTTP request carrying the client certificate
 * @throws ClientPolicyException {@code not_allowed} / 401 when the decoded token is not bound to the
 *         presented certificate
 */
private void checkLogout(LogoutRequestContext context, HttpRequest request) throws ClientPolicyException {
    String rawRefreshToken = context.getParams().getFirst(OAuth2Constants.REFRESH_TOKEN);
    RefreshToken parsedToken = session.tokens().decode(rawRefreshToken, RefreshToken.class);
    if (parsedToken != null) {
        // only a decodable token is subject to the certificate-binding check
        if (!MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(parsedToken, request, session)) {
            throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
        }
    }
}