
Example 21 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class AuthorizationEndpoint, method process.

/**
 * Processes an authorization request after the client has been identified.
 * <p>
 * The checks run in a fixed order: redirect_uri is validated first and its failure is
 * rendered as an error page (nothing is redirected yet); every later failure is redirected
 * back to the client using the response mode parsed from the request. The authentication
 * session is only created once all checks and the client policy hooks have passed.
 *
 * @param params the raw request parameters (query or POST body)
 * @return the response for this action, or an error response/redirect
 */
private Response process(MultivaluedMap<String, String> params) {
    String clientId = AuthorizationEndpointRequestParserProcessor.getClientId(event, session, params);
    checkSsl();
    checkRealm();
    checkClient(clientId);
    request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, params);
    AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker().event(event).client(client).realm(realm).request(request).session(session).params(params);
    try {
        // redirect_uri must be validated before any error can be redirected; until it passes,
        // failures go to an error page rather than to an unverified URI
        checker.checkRedirectUri();
        this.redirectUri = checker.getRedirectUri();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        // NOTE(review): authenticationSession is only assigned further down (after the checks),
        // so here it holds whatever the field already contained — confirm throwAsErrorPageException tolerates that
        ex.throwAsErrorPageException(authenticationSession);
    }
    try {
        checker.checkResponseType();
        this.parsedResponseType = checker.getParsedResponseType();
        this.parsedResponseMode = checker.getParsedResponseMode();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        // the response mode may not have been parsed yet; fall back to query-string delivery
        OIDCResponseMode responseMode = checker.getParsedResponseMode() != null ? checker.getParsedResponseMode() : OIDCResponseMode.QUERY;
        return redirectErrorToClient(responseMode, ex.getError(), ex.getErrorDescription());
    }
    if (action == null) {
        // authorization code flow is the default action
        action = AuthorizationEndpoint.Action.CODE;
    }
    try {
        // remaining request validation; any failure is reported to the (already validated) redirect_uri
        checker.checkParRequired();
        checker.checkInvalidRequestMessage();
        checker.checkOIDCRequest();
        checker.checkValidScope();
        checker.checkOIDCParams();
        checker.checkPKCEParams();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        return redirectErrorToClient(parsedResponseMode, ex.getError(), ex.getErrorDescription());
    }
    try {
        // client policies (e.g. FAPI executors) get the parsed request and may reject it
        session.clientPolicy().triggerOnEvent(new AuthorizationRequestContext(parsedResponseType, request, redirectUri, params));
    } catch (ClientPolicyException cpe) {
        return redirectErrorToClient(parsedResponseMode, cpe.getError(), cpe.getErrorDetail());
    }
    // only a request that passed every check above gets an authentication session
    authenticationSession = createAuthenticationSession(client, request.getState());
    updateAuthenticationSession();
    // no-cache headers so the browser back button cannot replay this response
    CacheControlUtil.noBackButtonCacheControlHeader();
    switch(action) {
        case REGISTER:
            return buildRegister();
        case FORGOT_CREDENTIALS:
            return buildForgotCredential();
        case CODE:
            return buildAuthorizationCodeAuthorizationResponse();
    }
    // every Action value is handled above; reaching this line means a new enum constant was added without a branch
    throw new RuntimeException("Unknown action " + action);
}
Also used : OIDCResponseMode(org.keycloak.protocol.oidc.utils.OIDCResponseMode) AuthorizationRequestContext(org.keycloak.services.clientpolicy.context.AuthorizationRequestContext) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 22 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class FAPI1Test, method testFAPIBaselineClientAuthenticator.

/**
 * FAPI baseline client authenticators: registration with client-id-and-secret is refused,
 * the JWT/X.509 authenticators are accepted, an unspecified authenticator defaults to
 * "client-jwt", and consent plus PKCE S256 are enforced on the created client.
 */
@Test
public void testFAPIBaselineClientAuthenticator() throws Exception {
    setupPolicyFAPIBaselineForAllClient();

    // client-id-and-secret is not an allowed authenticator under the baseline profile
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID));
        Assert.fail();
    } catch (ClientPolicyException rejected) {
        Assert.assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, rejected.getMessage());
    }

    // private_key_jwt ("client-jwt") is accepted
    String jwtClientId = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID));
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, getClientByAdmin(jwtClientId).getClientAuthenticatorType());

    // client_secret_jwt ("client-secret-jwt") is accepted
    String secretJwtClientId = createClientByAdmin("client-secret-jwt", (ClientRepresentation clientRep) -> clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID));
    Assert.assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, getClientByAdmin(secretJwtClientId).getClientAuthenticatorType());

    // mutual TLS ("client-x509") is accepted
    String x509ClientId = createClientByAdmin("client-x509", (ClientRepresentation clientRep) -> clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID));
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, getClientByAdmin(x509ClientId).getClientAuthenticatorType());

    // no authenticator given: the policy defaults it to "client-jwt"
    String defaultedClientId = createClientByAdmin("client-jwt-2", (ClientRepresentation clientRep) -> {
    });
    ClientRepresentation defaultedClient = getClientByAdmin(defaultedClientId);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, defaultedClient.getClientAuthenticatorType());

    // the same client must have consent required and PKCE pinned to S256
    Assert.assertTrue(defaultedClient.isConsentRequired());
    String pkceMethod = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaultedClient).getPkceCodeChallengeMethod();
    Assert.assertEquals(OAuth2Constants.PKCE_METHOD_S256, pkceMethod);
}
Also used : OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 23 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class FAPI1Test, method testFAPIAdvancedSignatureAlgorithms.

/**
 * FAPI advanced signature algorithms: RS256 is refused, an explicitly chosen ES256 is kept,
 * and every algorithm the client leaves unset is defaulted to PS256.
 */
@Test
public void testFAPIAdvancedSignatureAlgorithms() throws Exception {
    // switch all clients of the realm to the "advanced" policy
    setupPolicyFAPIAdvancedForAllClient();

    // RS256 is not accepted under the advanced profile: registration must be refused
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.RS256);
        });
        Assert.fail();
    } catch (ClientPolicyException rejected) {
        Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, rejected.getMessage());
    }

    // an explicitly chosen secure algorithm (ES256) is accepted and preserved;
    // the request-object algorithm that was not set is defaulted to PS256
    String explicitAlgClientId = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.ES256);
    });
    OIDCAdvancedConfigWrapper explicitAlgConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(getClientByAdmin(explicitAlgClientId));
    Assert.assertEquals(Algorithm.ES256, explicitAlgConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, explicitAlgConfig.getRequestObjectSignatureAlg().toString());

    // with nothing chosen, every signature algorithm is defaulted to PS256
    String defaultAlgClientId = createClientByAdmin("client-jwt-default-alg", (ClientRepresentation clientRep) -> clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID));
    ClientRepresentation defaultAlgClient = getClientByAdmin(defaultAlgClientId);
    OIDCAdvancedConfigWrapper defaultAlgConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaultAlgClient);
    Assert.assertEquals(Algorithm.PS256, defaultAlgConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, defaultAlgConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertEquals(Algorithm.PS256, defaultAlgConfig.getUserInfoSignedResponseAlg().toString());
    Assert.assertEquals(Algorithm.PS256, defaultAlgConfig.getTokenEndpointAuthSigningAlg());
    // the access-token algorithm is only reachable through the raw client attributes
    Assert.assertEquals(Algorithm.PS256, defaultAlgClient.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 24 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class AbstractClientPoliciesTest, method processClientPolicyExceptionByAdmin.

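/**
 * Translates a 400 Bad Request from the admin REST API into a {@link ClientPolicyException}
 * carrying the {@code error} and {@code error_description} fields of the JSON body.
 * <p>
 * Any other status is not a client-policy rejection and is silently ignored. The response is
 * always closed, whichever path is taken.
 *
 * @param bre the exception raised by the admin client
 * @throws ClientPolicyException when the response is a 400 with a JSON error body
 * @throws AssertionError when the 400 body is missing or is not a JSON object
 */
private void processClientPolicyExceptionByAdmin(BadRequestException bre) throws ClientPolicyException {
    Response resp = bre.getResponse();
    try {
        // only a 400 carries a client-policy error body; anything else is not ours to translate
        if (resp.getStatus() != Response.Status.BAD_REQUEST.getStatusCode()) {
            return;
        }
        String respBody = resp.readEntity(String.class);
        // the raw Map keeps the value types open; they are normalised to String below
        Map<?, ?> responseJson;
        try {
            responseJson = JsonSerialization.readValue(respBody, Map.class);
        } catch (IOException e) {
            // keep the parse failure as the cause instead of a bare fail() that drops it
            throw new AssertionError("Admin 400 response is not a JSON object: " + respBody, e);
        }
        if (responseJson == null) {
            throw new AssertionError("Admin 400 response has no JSON body: " + respBody);
        }
        throw new ClientPolicyException(
                stringField(responseJson, OAuth2Constants.ERROR),
                stringField(responseJson, OAuth2Constants.ERROR_DESCRIPTION));
    } finally {
        // close on every path; the original only closed the non-400 branch
        resp.close();
    }
}

/** Returns the value stored under {@code key} as a String, or null when absent. */
private static String stringField(Map<?, ?> json, String key) {
    Object value = json.get(key);
    return value == null ? null : value.toString();
}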
Also used : HttpResponse(org.apache.http.HttpResponse) Response(javax.ws.rs.core.Response) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) IOException(java.io.IOException) Map(java.util.Map) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 25 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

Class ClientPoliciesLoadUpdateTest, method testOverwriteBuiltinProfileNotAllowed.

/**
 * A realm-level profile update that reuses the name of the built-in FAPI baseline profile
 * must be refused with a {@link ClientPolicyException} whose error is "update profiles failed".
 */
@Test
public void testOverwriteBuiltinProfileNotAllowed() throws Exception {
    // a profile that re-declares the built-in FAPI1 baseline name with its own executor set
    String profilesJson = (new ClientProfilesBuilder())
            .addProfile((new ClientProfileBuilder())
                    .createProfile(FAPI1_BASELINE_PROFILE_NAME, "Pershyy Profil")
                    .addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
                            createSecureClientAuthenticatorExecutorConfig(
                                    Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, JWTClientSecretAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID),
                                    X509ClientAuthenticator.PROVIDER_ID))
                    .toRepresentation())
            .toRepresentation()
            .toString();

    // the update must be rejected rather than shadowing the built-in profile
    try {
        updateProfiles(profilesJson);
        fail();
    } catch (ClientPolicyException rejected) {
        assertEquals("update profiles failed", rejected.getError());
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)
