
Example 1 with PkceGenerator

use of org.keycloak.testsuite.oidc.PkceGenerator in project keycloak by keycloak.

Class LoginStatusIframeEndpointTest, method checkIframe.

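@Test
public void checkIframe() throws IOException {
    // Logs in to the master realm admin console with a fresh cookie store, then
    // checks (1) the flags on the cookies set by the login, (2) the security
    // headers served with the login-status iframe page and (3) the access
    // control of the iframe's /init endpoint.
    CookieStore cookieStore = new BasicCookieStore();
    try (CloseableHttpClient client = HttpClients.custom().setDefaultCookieStore(cookieStore).build()) {
        String contextRoot = suiteContext.getAuthServerInfo().getContextRoot();
        String redirectUri = URLEncoder.encode(contextRoot + "/auth/admin/master/console", "UTF-8");
        PkceGenerator pkce = new PkceGenerator();
        HttpGet get = new HttpGet(contextRoot + "/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID + "&redirect_uri=" + redirectUri + "&scope=openid&code_challenge_method=S256&code_challenge=" + pkce.getCodeChallenge());

        // Fetch the login page and extract the form action URL.
        String action;
        try (CloseableHttpResponse response = client.execute(get)) {
            String loginPage = IOUtils.toString(response.getEntity().getContent(), "UTF-8");
            action = ActionURIUtils.getActionURIFromPageSource(loginPage);
        }

        HttpPost post = new HttpPost(action);
        List<NameValuePair> params = new LinkedList<>();
        params.add(new BasicNameValuePair("username", "admin"));
        params.add(new BasicNameValuePair("password", "admin"));
        post.setHeader("Content-Type", "application/x-www-form-urlencoded");
        post.setEntity(new UrlEncodedFormEntity(params));

        // Submit the credentials. try-with-resources releases the response even
        // when one of the assertions fails (the original explicit close() did not).
        try (CloseableHttpResponse response = client.execute(post)) {
            assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
            Header setIdentityCookieHeader = null;
            Header setSessionCookieHeader = null;
            for (Header h : response.getAllHeaders()) {
                if (h.getName().equals("Set-Cookie")) {
                    if (h.getValue().contains("KEYCLOAK_SESSION")) {
                        setSessionCookieHeader = h;
                    } else if (h.getValue().contains("KEYCLOAK_IDENTITY")) {
                        setIdentityCookieHeader = h;
                    }
                }
            }
            // The identity cookie must not be readable from script, whereas the
            // session cookie is expected to be set without HttpOnly (presumably
            // so the iframe's getCookie() script can read it — see the
            // "function getCookie()" check below).
            assertNotNull(setIdentityCookieHeader);
            assertTrue(setIdentityCookieHeader.getValue().contains("HttpOnly"));
            assertNotNull(setSessionCookieHeader);
            assertFalse(setSessionCookieHeader.getValue().contains("HttpOnly"));
        }

        // The client's cookie store must now hold the session cookie.
        Cookie sessionCookie = null;
        for (Cookie cookie : cookieStore.getCookies()) {
            if (cookie.getName().equals("KEYCLOAK_SESSION")) {
                sessionCookie = cookie;
                break;
            }
        }
        assertNotNull(sessionCookie);

        // The iframe page itself: no X-Frame-Options (it is meant to be framed),
        // but a restrictive CSP and no indexing.
        get = new HttpGet(contextRoot + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html");
        try (CloseableHttpResponse response = client.execute(get)) {
            assertEquals(200, response.getStatusLine().getStatusCode());
            String iframePage = IOUtils.toString(response.getEntity().getContent(), "UTF-8");
            assertTrue(iframePage.contains("function getCookie()"));
            assertEquals("CP=\"This is not a P3P policy!\"", response.getFirstHeader("P3P").getValue());
            assertNull(response.getFirstHeader(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName()));
            assertEquals("frame-src 'self'; object-src 'none';", response.getFirstHeader(BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName()).getValue());
            assertEquals("none", response.getFirstHeader(BrowserSecurityHeaders.X_ROBOTS_TAG.getHeaderName()).getValue());
        }

        // /init must refuse a request without parameters, an unknown client_id,
        // and an origin that does not belong to the client; only the valid
        // client/origin pair is accepted.
        String initUrl = contextRoot + "/auth/realms/master/protocol/openid-connect/login-status-iframe.html/init";
        assertGetReturnsStatus(client, initUrl, 403);
        assertGetReturnsStatus(client, initUrl + "?" + "client_id=invalid" + "&origin=" + contextRoot, 403);
        assertGetReturnsStatus(client, initUrl + "?" + "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID + "&origin=http://invalid", 403);
        assertGetReturnsStatus(client, initUrl + "?" + "client_id=" + Constants.ADMIN_CONSOLE_CLIENT_ID + "&origin=" + contextRoot, 204);
    }
}

/**
 * Issues a GET for {@code url} with {@code client} and asserts the HTTP status code.
 *
 * @param client         the HTTP client carrying the session cookies
 * @param url            absolute URL to request
 * @param expectedStatus status code the endpoint must answer with
 * @throws IOException if the request fails at the transport level
 */
private static void assertGetReturnsStatus(CloseableHttpClient client, String url, int expectedStatus) throws IOException {
    // try-with-resources guarantees the response is released on assertion failure.
    try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
        assertEquals(expectedStatus, response.getStatusLine().getStatusCode());
    }
}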
Also used : Cookie(org.apache.http.cookie.Cookie) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpPost(org.apache.http.client.methods.HttpPost) BasicNameValuePair(org.apache.http.message.BasicNameValuePair) NameValuePair(org.apache.http.NameValuePair) HttpGet(org.apache.http.client.methods.HttpGet) UrlEncodedFormEntity(org.apache.http.client.entity.UrlEncodedFormEntity) LinkedList(java.util.LinkedList) CookieStore(org.apache.http.client.CookieStore) BasicCookieStore(org.apache.http.impl.client.BasicCookieStore) BasicCookieStore(org.apache.http.impl.client.BasicCookieStore) Header(org.apache.http.Header) BasicNameValuePair(org.apache.http.message.BasicNameValuePair) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) PkceGenerator(org.keycloak.testsuite.oidc.PkceGenerator) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)

Example 2 with PkceGenerator

use of org.keycloak.testsuite.oidc.PkceGenerator in project keycloak by keycloak.

Class OAuth2DeviceAuthorizationGrantTest, method testPublicClientWithPKCESuccess.

@Test
public void testPublicClientWithPKCESuccess() throws Exception {
    // Public device client: a device authorization request carrying an S256 code
    // challenge, followed by a token request that presents the matching verifier,
    // must yield a verifiable access token.
    oauth.realm(REALM_NAME);
    oauth.clientId(DEVICE_APP_PUBLIC);
    PkceGenerator pkceCodes = new PkceGenerator();
    oauth.codeChallenge(pkceCodes.getCodeChallenge());
    oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
    oauth.codeVerifier(pkceCodes.getCodeVerifier());

    // Device side: request device and user codes.
    OAuthClient.DeviceAuthorizationResponse deviceAuth = oauth.doDeviceAuthorizationRequest(DEVICE_APP_PUBLIC, null);
    Assert.assertEquals(200, deviceAuth.getStatusCode());
    Assert.assertNotNull(deviceAuth.getDeviceCode());
    Assert.assertNotNull(deviceAuth.getUserCode());
    Assert.assertNotNull(deviceAuth.getVerificationUri());
    Assert.assertNotNull(deviceAuth.getVerificationUriComplete());
    Assert.assertEquals(60, deviceAuth.getExpiresIn());
    Assert.assertEquals(5, deviceAuth.getInterval());

    // User side: open the verification page, authenticate and grant consent.
    openVerificationPage(deviceAuth.getVerificationUriComplete());
    oauth.fillLoginForm("device-login", "password");
    grantPage.accept();

    // Device side: exchange the device code for tokens; the verifier set above
    // is sent with this request.
    OAuthClient.AccessTokenResponse tokens = oauth.doDeviceTokenRequest(DEVICE_APP_PUBLIC, null, deviceAuth.getDeviceCode());
    Assert.assertEquals(200, tokens.getStatusCode());
    String accessTokenString = tokens.getAccessToken();
    Assert.assertNotNull(accessTokenString);
    AccessToken parsedToken = oauth.verifyToken(accessTokenString);
    Assert.assertNotNull(parsedToken);
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) PkceGenerator(org.keycloak.testsuite.oidc.PkceGenerator) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)

Example 3 with PkceGenerator

use of org.keycloak.testsuite.oidc.PkceGenerator in project keycloak by keycloak.

Class OAuth2DeviceAuthorizationGrantTest, method testPublicClientWithPKCEFail.

@Test
public void testPublicClientWithPKCEFail() throws Exception {
    // Negative PKCE case for a public device client: the authorization request
    // is accepted, but the token request presents a verifier that does not
    // match the challenge and must be rejected with invalid_grant.
    oauth.realm(REALM_NAME);
    oauth.clientId(DEVICE_APP_PUBLIC);
    PkceGenerator pkceCodes = new PkceGenerator();
    oauth.codeChallenge(pkceCodes.getCodeChallenge());
    oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
    // Deliberately corrupt the verifier by appending one character.
    String wrongVerifier = pkceCodes.getCodeVerifier() + "a";
    oauth.codeVerifier(wrongVerifier);

    // Device side: the authorization request itself still succeeds, since the
    // verifier is only checked at token time.
    OAuthClient.DeviceAuthorizationResponse deviceAuth = oauth.doDeviceAuthorizationRequest(DEVICE_APP_PUBLIC, null);
    Assert.assertEquals(200, deviceAuth.getStatusCode());
    Assert.assertNotNull(deviceAuth.getDeviceCode());
    Assert.assertNotNull(deviceAuth.getUserCode());
    Assert.assertNotNull(deviceAuth.getVerificationUri());
    Assert.assertNotNull(deviceAuth.getVerificationUriComplete());
    Assert.assertEquals(60, deviceAuth.getExpiresIn());
    Assert.assertEquals(5, deviceAuth.getInterval());

    // User side: open the verification page, authenticate and grant consent.
    openVerificationPage(deviceAuth.getVerificationUriComplete());
    oauth.fillLoginForm("device-login", "password");
    grantPage.accept();

    // Device side: the token request must fail PKCE verification.
    OAuthClient.AccessTokenResponse tokens = oauth.doDeviceTokenRequest(DEVICE_APP_PUBLIC, null, deviceAuth.getDeviceCode());
    Assert.assertEquals(400, tokens.getStatusCode());
    Assert.assertEquals("invalid_grant", tokens.getError());
    Assert.assertEquals("PKCE verification failed", tokens.getErrorDescription());
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) PkceGenerator(org.keycloak.testsuite.oidc.PkceGenerator) Test(org.junit.Test) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
