Search in sources :

Example 6 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class CIBATest method testSecureCibaAuthenticationRequestSigningAlgorithmEnforceExecutor.

@Test
public void testSecureCibaAuthenticationRequestSigningAlgorithmEnforceExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API - fail
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, "none");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create by Admin REST API - success
    String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
    });
    ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // create by Admin REST API - success, PS256 enforced
    String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
    });
    ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update by Admin REST API - fail
    try {
        updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS512);
        });
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REQUEST, cpe.getError());
    }
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.PS384);
    });
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update profiles, ES256 enforced
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdmin2Id, (ClientRepresentation client2Rep) -> {
        client2Rep.getAttributes().remove(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG);
    });
    cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // update profiles, fall back to PS256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.RS512)).toRepresentation()).toString();
    updateProfiles(json);
    // create dynamically - fail
    try {
        createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS384);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create dynamically - success
    String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
        clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.ES256);
    });
    events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(org.hamcrest.Matchers.isEmptyOrNullString()).assertEvent();
    // update dynamically - fail
    try {
        updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.RS256);
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    assertEquals(org.keycloak.crypto.Algorithm.ES256, getClientDynamically(cAppDynamicClientId).getBackchannelAuthenticationRequestSigningAlg());
    // update dynamically - success
    updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
        clientRep.setBackchannelAuthenticationRequestSigningAlg(org.keycloak.crypto.Algorithm.ES384);
    });
    assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getBackchannelAuthenticationRequestSigningAlg());
    // create dynamically - success, PS256 enforced
    restartAuthenticatedClientRegistrationSetting();
    String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
    });
    OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getBackchannelAuthenticationRequestSigningAlg());
    // update profiles, enforce ES256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureCibaAuthenticationRequestSigningAlgorithmExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update dynamically - success, ES256 enforced
    updateClientDynamically(cAppDynamicClient2Id, (OIDCClientRepresentation client2Rep) -> {
        client2Rep.setBackchannelAuthenticationRequestSigningAlg(null);
    });
    cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getBackchannelAuthenticationRequestSigningAlg());
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) Matchers.containsString(org.hamcrest.Matchers.containsString) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 7 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testAdminClientAutoConfiguredClientAuthType.

@Test
public void testAdminClientAutoConfiguredClientAuthType() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), X509ClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Persha Polityka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Attempt to create client with set authenticator to ClientIdAndSecretAuthenticator. Should fail
    try {
        createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // Attempt to create client without set authenticator. Default authenticator should be set
    String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
    });
    assertEquals(X509ClientAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
    // update profiles
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Pershyy Profil").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID)).toRepresentation()).toString();
    updateProfiles(json);
    // It is allowed to update authenticator to one of allowed client authenticators. Default client authenticator is not explicitly set in this case
    updateClientByAdmin(cId, (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
    });
    assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 8 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testFullScopeDisabledExecutor.

@Test
public void testFullScopeDisabledExecutor() throws Exception {
    // register profiles - client autoConfigured to disable fullScopeAllowed
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Client will be auto-configured to disable fullScopeAllowed
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setFullScopeAllowed(Boolean.TRUE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Client cannot be updated to disable fullScopeAllowed
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setFullScopeAllowed(Boolean.TRUE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false)).toRepresentation()).toString();
    updateProfiles(json);
    // Not possible to register client with fullScopeAllowed due the validation
    try {
        createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    // Not possible to update existing client to fullScopeAllowed due the validation
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    } catch (ClientPolicyException cpe) {
        fail();
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 9 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureResponseTypeExecutorAllowTokenResponseType.

@Test
public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(null, Boolean.TRUE)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // update profiles
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.TRUE, null)).toRepresentation()).toString();
    updateProfiles(json);
    String cId = null;
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    try {
        cId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
            clientRep.setSecret(clientSecret);
            clientRep.setStandardFlowEnabled(Boolean.TRUE);
            clientRep.setImplicitFlowEnabled(Boolean.TRUE);
            clientRep.setPublicClient(Boolean.FALSE);
        });
    } catch (ClientPolicyException e) {
        fail();
    }
    ClientRepresentation cRep = getClientByAdmin(cId);
    assertEquals(Boolean.TRUE.toString(), cRep.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE));
    adminClient.realm(REALM_NAME).clients().get(cId).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("invalid response_type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
    oauth.nonce("LIVieviDie028f");
    oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
    IDToken idToken = oauth.verifyIDToken(new OAuthClient.AuthorizationEndpointResponse(oauth).getIdToken());
    // confirm ID token as detached signature does not include authenticated user's claims
    Assert.assertNull(idToken.getEmailVerified());
    Assert.assertNull(idToken.getName());
    Assert.assertNull(idToken.getPreferredUsername());
    Assert.assertNull(idToken.getGivenName());
    Assert.assertNull(idToken.getFamilyName());
    Assert.assertNull(idToken.getEmail());
    assertEquals("LIVieviDie028f", idToken.getNonce());
    // confirm an access token not returned
    Assert.assertNull(new OAuthClient.AuthorizationEndpointResponse(oauth).getAccessToken());
    OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
    assertEquals(200, res.getStatusCode());
    events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
    oauth.doLogout(res.getRefreshToken(), clientSecret);
    events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) EventRepresentation(org.keycloak.representations.idm.EventRepresentation) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) IDToken(org.keycloak.representations.IDToken) Test(org.junit.Test)

Example 10 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class FAPICIBATest method testFAPICIBASignatureAlgorithms.

@Test
public void testFAPICIBASignatureAlgorithms() throws Exception {
    setupPolicyFAPICIBAForAllClient();
    // Test that unsecured algorithm (RS256) is not possible
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
            clientConfig.setIdTokenSignedResponseAlg(Algorithm.RS256);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // Test that secured algorithm is possible to explicitly set
    String clientUUID = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
        OIDCAdvancedConfigWrapper clientCfg = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        clientCfg.setIdTokenSignedResponseAlg(Algorithm.ES256);
        Map<String, String> attr = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attr.put(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG, Algorithm.ES256);
        clientRep.setAttributes(attr);
    });
    ClientRepresentation client = getClientByAdmin(clientUUID);
    OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertEquals(Algorithm.ES256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
    // Test default algorithms set everywhere
    clientUUID = createClientByAdmin("client-jwt-default-alg", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
    });
    client = getClientByAdmin(clientUUID);
    clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg());
    Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) Matchers.containsString(org.hamcrest.Matchers.containsString) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Aggregations

ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)62 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)23 Test (org.junit.Test)22 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)19 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)14 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)14 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)13 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)13 ClientModel (org.keycloak.models.ClientModel)11 ErrorResponseException (org.keycloak.services.ErrorResponseException)10 OAuthErrorException (org.keycloak.OAuthErrorException)9 UserSessionModel (org.keycloak.models.UserSessionModel)9 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)9 UserModel (org.keycloak.models.UserModel)8 IOException (java.io.IOException)6 Consumes (javax.ws.rs.Consumes)6 POST (javax.ws.rs.POST)6 Response (javax.ws.rs.core.Response)6 ClientSessionContext (org.keycloak.models.ClientSessionContext)6 RegistrationAuth (org.keycloak.services.clientregistration.policy.RegistrationAuth)6