
Example 41 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

Class ClientRegistrationPoliciesTest, method testAnonConsentRequired.

@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonConsentRequired() throws Exception {
    // Trusted-host setup has to happen before the registration call below.
    setTrustedHost("localhost");

    // A freshly registered client is expected to come back with consent required.
    OIDCClientRepresentation registered = create();
    ClientRepresentation stored = ApiUtil
            .findClientByClientId(realmResource(), registered.getClientId())
            .toRepresentation();
    Assert.assertTrue(stored.isConsentRequired());

    // Switching consent off through the registration endpoint must be rejected with 403.
    stored.setConsentRequired(false);
    assertFail(ClientRegOp.UPDATE, stored, 403, "Not permitted to update consentRequired to false");

    // Keeping consent enabled remains a permitted update.
    stored.setConsentRequired(true);
    reg.update(stored);
}
Also used : OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 42 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

Class ClientRegistrationPoliciesTest, method testClientDisabledPolicy.

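@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientDisabledPolicy() throws Exception {
    setTrustedHost("localhost");

    // Assert new client is enabled while no client-disabled policy exists
    OIDCClientRepresentation client = create();
    String clientId = client.getClientId();
    ClientRepresentation clientRep = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation();
    Assert.assertTrue(clientRep.isEnabled());

    // Add client-disabled policy
    ComponentRepresentation rep = new ComponentRepresentation();
    rep.setName("Clients disabled");
    rep.setParentId(REALM_NAME);
    rep.setProviderId(ClientDisabledClientRegistrationPolicyFactory.PROVIDER_ID);
    rep.setProviderType(ClientRegistrationPolicy.class.getName());
    rep.setSubType(getPolicyAnon());
    String policyId;
    Response response = realmResource().components().add(rep);
    try {
        policyId = ApiUtil.getCreatedId(response);
    } finally {
        // Release the response even if getCreatedId throws (e.g. non-201 status)
        response.close();
    }

    try {
        // Assert new client is disabled
        client = create();
        clientId = client.getClientId();
        clientRep = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation();
        Assert.assertFalse(clientRep.isEnabled());
        // Try enable client. Should fail
        clientRep.setEnabled(true);
        assertFail(ClientRegOp.UPDATE, clientRep, 403, "Not permitted to enable client");
        // Try update disabled client. Should pass
        clientRep.setEnabled(false);
        reg.update(clientRep);
    } finally {
        // Revert in a finally block: a failed assertion above must not leave the
        // "Clients disabled" policy in the realm for the tests that run afterwards.
        realmResource().components().component(policyId).remove();
    }
}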
Also used : ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) Response(javax.ws.rs.core.Response) ClientRegistrationPolicy(org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 43 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

Class OIDCProtocolMappersTest, method testUserRolesMovedFromAccessTokenProperties.

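// Test to update protocolMappers to not have roles on the default position (realm_access and resource_access properties)
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRolesMovedFromAccessTokenProperties() throws Exception {
    RealmResource realm = adminClient.realm("test");
    ClientScopeResource rolesScope = ApiUtil.findClientScopeByName(realm, OIDCLoginProtocolFactory.ROLES_SCOPE);

    // Locate the builtin realm-roles and client-roles mappers of the roles scope
    ProtocolMapperRepresentation realmRolesMapper = null;
    ProtocolMapperRepresentation clientRolesMapper = null;
    for (ProtocolMapperRepresentation rep : rolesScope.getProtocolMappers().getMappers()) {
        if (OIDCLoginProtocolFactory.REALM_ROLES.equals(rep.getName())) {
            realmRolesMapper = rep;
        } else if (OIDCLoginProtocolFactory.CLIENT_ROLES.equals(rep.getName())) {
            clientRolesMapper = rep;
        }
    }
    // Fail with a readable message instead of an NPE if the builtin mappers are missing
    Assert.assertNotNull("Realm roles mapper not found in roles scope", realmRolesMapper);
    Assert.assertNotNull("Client roles mapper not found in roles scope", clientRolesMapper);

    // Remember the original claim names so they can be restored in the finally block
    String realmRolesTokenClaimOrig = realmRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
    String clientRolesTokenClaimOrig = clientRolesMapper.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);

    // Null until the hardcoded mapper is actually created; the finally block checks this
    String hardcodedMapperId = null;
    try {
        // Update builtin protocolMappers to put roles to different position (claim "custom.roles") for both realm and client roles.
        // Done inside the try so that a failure while creating the hardcoded mapper below still reverts these updates.
        realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
        rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
        clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, "custom.roles");
        rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);

        // Create some hardcoded role mapper
        Response resp = rolesScope.getProtocolMappers().createMapper(createHardcodedRole("hard-realm", "hardcoded"));
        try {
            hardcodedMapperId = ApiUtil.getCreatedId(resp);
        } finally {
            resp.close();
        }

        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        // Assert roles are not on their original positions
        Assert.assertNull(accessToken.getRealmAccess());
        Assert.assertTrue(accessToken.getResourceAccess().isEmpty());
        // KEYCLOAK-8481 Assert that accessToken JSON doesn't have "realm_access" or "resource_access" fields in it
        String accessTokenJson = new String(new JWSInput(response.getAccessToken()).getContent(), StandardCharsets.UTF_8);
        Assert.assertFalse(accessTokenJson.contains("realm_access"));
        Assert.assertFalse(accessTokenJson.contains("resource_access"));
        // Assert both realm and client roles on the new position. Hardcoded role should be here as well
        Map<String, Object> cst1 = (Map<String, Object>) accessToken.getOtherClaims().get("custom");
        List<String> roles = (List<String>) cst1.get("roles");
        Assert.assertNames(roles, "offline_access", "user", "customer-user", "hardcoded", AccountRoles.VIEW_PROFILE, AccountRoles.MANAGE_ACCOUNT, AccountRoles.MANAGE_ACCOUNT_LINKS);
        // Assert audience
        Assert.assertNames(Arrays.asList(accessToken.getAudience()), "account");
    } finally {
        // Revert
        if (hardcodedMapperId != null) {
            rolesScope.getProtocolMappers().delete(hardcodedMapperId);
        }
        realmRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, realmRolesTokenClaimOrig);
        rolesScope.getProtocolMappers().update(realmRolesMapper.getId(), realmRolesMapper);
        clientRolesMapper.getConfig().put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, clientRolesTokenClaimOrig);
        rolesScope.getProtocolMappers().update(clientRolesMapper.getId(), clientRolesMapper);
    }
}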
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) RealmResource(org.keycloak.admin.client.resource.RealmResource) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) JWSInput(org.keycloak.jose.jws.JWSInput) Response(javax.ws.rs.core.Response) ClientScopeResource(org.keycloak.admin.client.resource.ClientScopeResource) AccessToken(org.keycloak.representations.AccessToken) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) List(java.util.List) Map(java.util.Map) HashMap(java.util.HashMap) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 44 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

Class OAuthProofKeyForCodeExchangeTest, method accessTokenRequestInPKCEValidPlainCodeChallengeMethod.

@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void accessTokenRequestInPKCEValidPlainCodeChallengeMethod() throws Exception {
    // test case : success : A-1-3
    // With the "plain" method the challenge is the verifier itself, so the same
    // 43-character string is sent to both the authorization and token endpoints.
    final String verifier = ".234567890-234567890~234567890_234567890123";
    oauth.codeChallenge(verifier);
    oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_PLAIN);
    oauth.doLogin("test-user@localhost", "password");

    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String sessionId = loginEvent.getSessionId();
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    oauth.codeVerifier(verifier);
    expectSuccessfulResponseFromTokenEndpoint(codeId, sessionId, code);
}
Also used : EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)

Example 45 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

Class OAuthProofKeyForCodeExchangeTest, method accessTokenRequestValidPlainCodeChallengeMethodPkceEnforced.

@Test
// unstable
// but: a value equal to or greater than <1799> <1798> was less than <1799>
@AuthServerContainerExclude(AuthServer.REMOTE)
public void accessTokenRequestValidPlainCodeChallengeMethodPkceEnforced() throws Exception {
    try {
        // Enforce PKCE with the "plain" method on the client under test
        setPkceActivationSettings("test-app", OAuth2Constants.PKCE_METHOD_PLAIN);

        // 43-character verifier; with "plain" the challenge equals the verifier
        final String verifier = "12E45r78901d3456789G12y45G78901234B67v901u3";
        oauth.codeChallenge(verifier);
        oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_PLAIN);
        oauth.doLogin("test-user@localhost", "password");

        EventRepresentation loginEvent = events.expectLogin().assertEvent();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String sessionId = loginEvent.getSessionId();
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

        oauth.codeVerifier(verifier);
        expectSuccessfulResponseFromTokenEndpoint(codeId, sessionId, code);
    } finally {
        // Revert: clear the PKCE setting on the client so other tests start from the default
        setPkceActivationSettings("test-app", null);
    }
}
Also used : EventRepresentation(org.keycloak.representations.idm.EventRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
