Examples with TestAuthenticationChannelRequest org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest used on opensource projects

Example 21 with TestAuthenticationChannelRequest

use of org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest in project keycloak by keycloak.

the class CIBATest method testHolderOfKeyEnforceExecutor.

@Test
public void testHolderOfKeyEnforceExecutor() throws Exception {
    Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Az Elso Profil").addExecutor(HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID, ClientPoliciesUtil.createHolderOfKeyEnforceExecutorConfig(Boolean.FALSE)).addExecutor(SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID, ClientPoliciesUtil.createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Az Elso Politika", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        String username = "nutzername-rot";
        String bindingMessage = "ThisIsBindingMessage";
        Map<String, String> additionalParameters = new HashMap<>();
        additionalParameters.put("user_device", "mobile");
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseMtlsHoKToken(true);
        clientResource.update(clientRep);
        prepareCIBASettings(clientResource, clientRep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null, additionalParameters);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
        AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
        assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
        assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
        assertThat(authenticationChannelReq.getAdditionalParameters().get("user_device"), is(equalTo("mobile")));
        // user Authentication Channel completed
        doAuthenticationChannelCallback(testRequest);
        // Token Request without MTLS
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
        assertThat(tokenRes.getErrorDescription(), is(equalTo("Client Certification missing for MTLS HoK Token Binding")));
        events.expect(EventType.AUTHREQID_TO_TOKEN_ERROR).clearDetails().user((String) null).client(TEST_CLIENT_NAME).error(OAuthErrorException.INVALID_REQUEST).assertEvent();
        // Check token obtaining.
        OAuthClient.AccessTokenResponse accessTokenResponse;
        try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
            accessTokenResponse = doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, response.getAuthReqId(), client);
            AccessToken accessToken = oauth.verifyToken(accessTokenResponse.getAccessToken(), AccessToken.class);
            assertThat(accessTokenResponse.getStatusCode(), is(equalTo(200)));
            assertThat(accessToken.getCertConf().getCertThumbprint(), notNullValue());
        }
        // Check logout.
        CloseableHttpResponse logoutResponse;
        try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
            logoutResponse = oauth.doLogout(accessTokenResponse.getRefreshToken(), TEST_CLIENT_SECRET, client);
        } catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }
        assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
    } finally {
        updatePolicies("{}");
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseMtlsHoKToken(false);
        clientResource.update(clientRep);
        revertCIBASettings(clientResource, clientRep);
    }
}

Example 22 with TestAuthenticationChannelRequest

use of org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest in project keycloak by keycloak.

the class CIBATest method testBackchannelAuthenticationFlowWithSignedAuthenticationRequest.

private void testBackchannelAuthenticationFlowWithSignedAuthenticationRequest(boolean useRequestUri, String sigAlg) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        AuthorizationEndpointRequestObject sharedAuthenticationRequest = createValidSharedAuthenticationRequest();
        sharedAuthenticationRequest.setLoginHint(username);
        sharedAuthenticationRequest.setBindingMessage(bindingMessage);
        registerSharedAuthenticationRequest(sharedAuthenticationRequest, TEST_CLIENT_NAME, sigAlg, useRequestUri);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, null, null);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
        AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
        Assert.assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
        Assert.assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);
        String sessionId = loginEvent.getSessionId();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String userId = loginEvent.getUserId();
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        // token introspection
        String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false);
        // token introspection after token refresh
        tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // logout by refresh token
        EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false);
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}

Example 23 with TestAuthenticationChannelRequest

use of org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest in project keycloak by keycloak.

the class CIBATest method testAttackerClientUseVictimAuthReqIdAttack.

@Test
public void testAttackerClientUseVictimAuthReqIdAttack() throws Exception {
    ClientResource victimClientResource = null;
    ClientResource attackerClientResource = null;
    ClientRepresentation victimClientRep = null;
    ClientRepresentation attackerClientRep = null;
    try {
        final String username = "nutzername-gelb";
        final String victimClientName = "test-app-scope";
        final String attackerClientName = TEST_CLIENT_NAME;
        final String victimClientPassword = "password";
        final String attackerClientPassword = TEST_CLIENT_PASSWORD;
        String victimClientAuthReqId = null;
        victimClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), victimClientName);
        victimClientRep = victimClientResource.toRepresentation();
        prepareCIBASettings(victimClientResource, victimClientRep);
        attackerClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), attackerClientName);
        attackerClientRep = attackerClientResource.toRepresentation();
        prepareCIBASettings(attackerClientResource, attackerClientRep);
        // victim client Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(victimClientName, victimClientPassword, username, "asdfghjkl");
        victimClientAuthReqId = response.getAuthReqId();
        // victim client Authentication Channel Request
        TestAuthenticationChannelRequest victimClientAuthenticationChannelReq = doAuthenticationChannelRequest("asdfghjkl");
        // victim client Authentication Channel completed
        doAuthenticationChannelCallback(victimClientAuthenticationChannelReq);
        // attacker client Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(attackerClientName, attackerClientPassword, victimClientAuthReqId);
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
        assertThat(tokenRes.getErrorDescription(), is(equalTo("unauthorized client")));
    } finally {
        revertCIBASettings(victimClientResource, victimClientRep);
        revertCIBASettings(attackerClientResource, attackerClientRep);
    }
}

Example 24 with TestAuthenticationChannelRequest

use of org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest in project keycloak by keycloak.

the class CIBATest method testBackchannelAuthenticationFlow.

private void testBackchannelAuthenticationFlow(boolean isOfflineAccess, String bindingMessage) throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        Map<String, String> additionalParameters = new HashMap<>();
        additionalParameters.put("user_device", "mobile");
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        assertThat(clientResource, notNullValue());
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        if (isOfflineAccess)
            oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
        long startTime = Time.currentTime();
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, null, additionalParameters);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
        AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
        assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
        if (isOfflineAccess)
            assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
        assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
        assertThat(authenticationChannelReq.getAdditionalParameters().get("user_device"), is(equalTo("mobile")));
        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);
        String sessionId = loginEvent.getSessionId();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String userId = loginEvent.getUserId();
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
        long currentTime = Time.currentTime();
        long authTime = idToken.getAuth_time().longValue();
        assertTrue(startTime - 5 <= authTime);
        assertTrue(authTime <= currentTime + 5);
        // token introspection
        String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, isOfflineAccess);
        // token introspection after token refresh
        tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // logout by refresh token
        EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, isOfflineAccess);
    } finally {
        revertCIBASettings(clientResource, clientRep);
    }
}

Example 25 with TestAuthenticationChannelRequest

use of org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest in project keycloak by keycloak.

the class CIBATest method testAccessThrottling.

@Test
public void testAccessThrottling() throws Exception {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        final String username = "nutzername-rot";
        final String bindingMessage = "BASTION";
        // prepare CIBA settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
        clientRep = clientResource.toRepresentation();
        prepareCIBASettings(clientResource, clientRep);
        RealmRepresentation rep = backupCIBAPolicy();
        Map<String, String> attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
        attrMap.put(CibaConfig.CIBA_INTERVAL, String.valueOf(3));
        rep.setAttributes(attrMap);
        testRealm().update(rep);
        // user Backchannel Authentication Request
        AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
        // user Authentication Channel Request
        TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
        assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
        // user Token Request
        OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
        tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
        assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
        // 10+5+5+5 sec
        assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
        // user Authentication Channel completed
        EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
        String sessionId = loginEvent.getSessionId();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        String userId = loginEvent.getUserId();
        setTimeOffset(3);
        tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
        // token introspection
        String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // token refresh
        tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false);
        // token introspection after token refresh
        tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
        // revoke by refresh token
        EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false);
    } finally {
        revertCIBASettings(clientResource, clientRep);
        restoreCIBAPolicy();
    }
}