
Example 51 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class FAPICIBATest method testFAPIAdvancedClientRegistration.

/**
 * Registers clients through the admin API while the FAPI-CIBA policy is active for every
 * client and checks which registrations the policy admits.
 *
 * <p>Rejected, each surfacing as a {@link ClientPolicyException} whose message is
 * {@code OAuthErrorException.INVALID_CLIENT_METADATA}: a client-id/secret authenticator, a
 * JWT-with-client-secret authenticator, and private_key_jwt combined with a plain-http
 * request URI.
 *
 * <p>Admitted: private_key_jwt ("client-jwt"), X.509 ("client-x509"), and a registration that
 * sets no authenticator at all, which the policy auto-configures to private_key_jwt. That last
 * client is also checked for the other defaults the policy applies: consent required, mTLS
 * holder-of-key tokens, PS256 for ID-token and request-object signing, full scope disabled.
 */
@Test
public void testFAPIAdvancedClientRegistration() throws Exception {
    setupPolicyFAPICIBAForAllClient();

    // Shared-secret authenticators are not acceptable under the policy.
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) ->
                clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID));
        Assert.fail();
    } catch (ClientPolicyException e) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }

    // A JWT signed with the client secret is still a shared-secret scheme; rejected as well.
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) ->
                clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID));
        Assert.fail();
    } catch (ClientPolicyException e) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }

    // private_key_jwt is fine on its own, but a request URI without TLS makes the metadata invalid.
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Collections.singletonList("http://foo"));
        });
        Assert.fail();
    } catch (ClientPolicyException e) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }

    // private_key_jwt registers and is kept as configured.
    String registeredId = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) ->
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID));
    ClientRepresentation registered = getClientByAdmin(registeredId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // X.509 client authentication registers and is kept as configured.
    registeredId = createClientByAdmin("client-x509", (ClientRepresentation clientRep) ->
            clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID));
    registered = getClientByAdmin(registeredId);
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // No authenticator given: the policy auto-configures private_key_jwt instead of rejecting.
    registeredId = createClientByAdmin("client-jwt-2", (ClientRepresentation clientRep) -> {
    });
    registered = getClientByAdmin(registeredId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, registered.getClientAuthenticatorType());

    // Remaining policy defaults applied to the auto-configured client.
    OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(registered);
    Assert.assertTrue(registered.isConsentRequired());
    Assert.assertFalse(registered.isFullScopeAllowed());
    Assert.assertTrue(advancedConfig.isUseMtlsHokToken());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getRequestObjectSignatureAlg().toString());
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) Matchers.containsString(org.hamcrest.Matchers.containsString) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 52 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method checkTokenRefresh.

/**
 * Refresh-token grant: the refresh token presented in the form body must be bound to the client
 * certificate on the current mTLS connection, so a refresh token cannot be replayed over a
 * connection authenticated with a different certificate.
 *
 * <p>A missing or undecodable refresh token is deliberately not handled here: the executor
 * returns without error and relies on the token endpoint's own handling of an unusable token
 * (that handling is outside this method).
 *
 * @param context token-refresh event carrying the request's form parameters
 * @param request current HTTP request, the source of the client certificate
 * @throws ClientPolicyException {@code OAuthErrorException.INVALID_GRANT} with 400 when the
 *         token's certificate binding does not verify against the presented certificate
 */
private void checkTokenRefresh(TokenRefreshContext context, HttpRequest request) throws ClientPolicyException {
    String presentedRefreshToken = context.getParams().getFirst(OAuth2Constants.REFRESH_TOKEN);
    RefreshToken decoded = session.tokens().decode(presentedRefreshToken, RefreshToken.class);
    // decode() yielding null is left to downstream handling; only a decodable token is bound-checked.
    if (decoded != null && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(decoded, request, session)) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.BAD_REQUEST);
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 53 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method checkTokenRevoke.

/**
 * Token revocation: the value of the {@code token} form parameter is decoded as a refresh token
 * and must be bound to the client certificate on the current connection.
 *
 * <p>A missing or undecodable token is not treated here (the method returns without error); the
 * revocation endpoint's own handling is relied upon for that case. Revocation requests may also
 * carry an access token; whether {@code decode(..., RefreshToken.class)} accepts one is not
 * visible here — confirm that path is covered as well.
 *
 * @param context token-revoke event carrying the request's form parameters
 * @param request current HTTP request, the source of the client certificate
 * @throws ClientPolicyException {@code Errors.NOT_ALLOWED} with 401 when the binding does not
 *         verify; note this differs from checkTokenRefresh, which reports invalid_grant / 400
 */
private void checkTokenRevoke(TokenRevokeContext context, HttpRequest request) throws ClientPolicyException {
    RefreshToken tokenToRevoke = session.tokens().decode(context.getParams().getFirst("token"), RefreshToken.class);
    if (tokenToRevoke == null) {
        // Not this executor's error case; downstream decides the response.
        return;
    }
    boolean boundToPresentedCert = MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(tokenToRevoke, request, session);
    if (!boundToPresentedCert) {
        throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
    }
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 54 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method executeOnEvent.

/**
 * Dispatches a client-policy event to the holder-of-key enforcement that applies to it.
 *
 * <ul>
 *   <li>REGISTER / UPDATE: the proposed client representation is auto-configured and then
 *       validated.</li>
 *   <li>TOKEN_REQUEST, SERVICE_ACCOUNT_TOKEN_REQUEST, BACKCHANNEL_TOKEN_REQUEST: a client
 *       certificate must be present on the connection so the issued token can be bound to it.</li>
 *   <li>TOKEN_REFRESH, TOKEN_REVOKE, USERINFO_REQUEST, LOGOUT_REQUEST: the presented token's
 *       certificate binding is verified against the connection's certificate.</li>
 * </ul>
 * Any other event carries no holder-of-key requirement and passes through unchanged.
 *
 * @param context event context; cast to the event-specific subtype in each case
 * @throws ClientPolicyException when the event's holder-of-key requirement is not met
 */
@Override
public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
    HttpRequest request = session.getContext().getContextObject(HttpRequest.class);
    switch (context.getEvent()) {
        case TOKEN_REQUEST:
        case SERVICE_ACCOUNT_TOKEN_REQUEST:
        case BACKCHANNEL_TOKEN_REQUEST:
            requireClientCertificate(request);
            break;
        case TOKEN_REFRESH:
            checkTokenRefresh((TokenRefreshContext) context, request);
            break;
        case TOKEN_REVOKE:
            checkTokenRevoke((TokenRevokeContext) context, request);
            break;
        case USERINFO_REQUEST:
            checkUserInfo((UserInfoRequestContext) context, request);
            break;
        case LOGOUT_REQUEST:
            checkLogout((LogoutRequestContext) context, request);
            break;
        case REGISTER:
        case UPDATE:
            enforceOnProposedClient((ClientCRUDContext) context);
            break;
        default:
            // Events not listed above are not enforced by this executor.
            break;
    }
}

/**
 * Register/update: auto-configures the proposed client representation, then validates it.
 *
 * @throws ClientPolicyException when validation rejects the proposed representation
 */
private void enforceOnProposedClient(ClientCRUDContext crudContext) throws ClientPolicyException {
    autoConfigure(crudContext.getProposedClientRepresentation());
    validate(crudContext.getProposedClientRepresentation());
}

/**
 * Token issuance: requires a client certificate on the connection so the token can be
 * certificate-bound; the binding result itself is not needed here, only its presence.
 *
 * @throws ClientPolicyException {@code OAuthErrorException.INVALID_REQUEST} when no certificate
 *         is available to bind to
 */
private void requireClientCertificate(HttpRequest request) throws ClientPolicyException {
    AccessToken.CertConf boundCert = MtlsHoKTokenUtil.bindTokenWithClientCertificate(request, session);
    if (boundCert == null) {
        throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Client Certification missing for MTLS HoK Token Binding");
    }
}
Also used : HttpRequest(org.jboss.resteasy.spi.HttpRequest) ClientCRUDContext(org.keycloak.services.clientpolicy.context.ClientCRUDContext) AccessToken(org.keycloak.representations.AccessToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 55 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class HolderOfKeyEnforcerExecutor method checkLogout.

/**
 * Logout: the refresh token presented in the form body must be bound to the client certificate
 * on the current connection; the same extraction as checkTokenRefresh, but a failed binding is
 * reported as {@code Errors.NOT_ALLOWED} with 401 rather than invalid_grant / 400.
 *
 * <p>A missing or undecodable refresh token is not handled here; the method returns without
 * error and the logout endpoint's own handling applies (outside this method).
 *
 * @param context logout event carrying the request's form parameters
 * @param request current HTTP request, the source of the client certificate
 * @throws ClientPolicyException when the token's certificate binding does not verify
 */
private void checkLogout(LogoutRequestContext context, HttpRequest request) throws ClientPolicyException {
    MultivaluedMap<String, String> logoutParams = context.getParams();
    RefreshToken presented = session.tokens().decode(logoutParams.getFirst(OAuth2Constants.REFRESH_TOKEN), RefreshToken.class);
    if (presented == null) {
        // Not this executor's error case; downstream decides the response.
        return;
    }
    if (MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(presented, request, session)) {
        return;
    }
    throw new ClientPolicyException(Errors.NOT_ALLOWED, MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
}
Also used : RefreshToken(org.keycloak.representations.RefreshToken) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)
