
Example 26 with ClientPolicyBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testClientScopesCondition.

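/**
 * Verifies the client-scopes condition: the PKCE-enforcing profile is applied only to
 * authorization requests that include one of the listed optional scopes. Requests with other
 * scopes log in without PKCE; requests with a listed scope must use PKCE.
 *
 * @throws Exception propagated from the test helpers; the stack trace of the real cause is
 *         reported instead of being hidden behind a bare {@code fail()}
 */
@Test
public void testClientScopesCondition() throws Exception {
    // Profile: enforce PKCE on whichever client the policy selects.
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Het Eerste Profiel").addExecutor(PKCEEnforcerExecutorFactory.PROVIDER_ID, createPKCEEnforceExecutorConfig(Boolean.TRUE)).toRepresentation()).toString();
    updateProfiles(json);
    // Policy: match when one of these optional scopes is requested.
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Het Eerste Beleid", Boolean.TRUE).addCondition(ClientScopesConditionFactory.PROVIDER_ID, createClientScopesConditionConfig(ClientScopesConditionFactory.OPTIONAL, Arrays.asList("offline_access", "microprofile-jwt"))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
    });
    // No catch-all try/catch: the method already declares `throws Exception`, and a bare fail()
    // in a catch block would discard the stack trace of whatever actually went wrong.
    // Scopes outside the condition list: the policy does not apply, a plain login succeeds.
    oauth.scope("address" + " " + "phone");
    successfulLoginAndLogout(clientId, clientSecret);
    // A listed optional scope is requested: PKCE is now enforced.
    oauth.scope("microprofile-jwt" + " " + "profile");
    failLoginByNotFollowingPKCE(clientId);
    // NOTE(review): identical to the previous request; possibly meant to exercise the other
    // listed scope ("offline_access") — confirm before changing the test data.
    oauth.scope("microprofile-jwt" + " " + "profile");
    failLoginByNotFollowingPKCE(clientId);
    // Same scope, but following PKCE: login and logout succeed.
    successfulLoginAndLogoutWithPKCE(clientId, clientSecret, TEST_USER_NAME, TEST_USER_PASSWORD);
}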

Example 27 with ClientPolicyBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureClientRegisteringUriEnforceExecutor.

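/**
 * Verifies the secure-client-URIs executor. Every client URI (root, admin and base URL, web
 * origins, backchannel logout URL, redirect URIs, jwks_uri, request URIs, CIBA client
 * notification endpoint) must use {@code https} and must not contain a wildcard. Dynamic
 * registration/update violating this fails with {@code ERR_MSG_CLIENT_REG_FAIL}; admin updates
 * fail with {@code invalid_client_metadata} and a detail naming the offending field.
 *
 * @throws Exception propagated from the test helpers; the stack trace of the real cause is
 *         reported instead of being hidden behind a bare {@code fail()}
 */
@Test
public void testSecureClientRegisteringUriEnforceExecutor() throws Exception {
    // Profile: secure client URIs executor, no configuration.
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Ensimmainen Profiili").addExecutor(SecureClientUrisExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // Policy: applies to registrations/updates by an authenticated user, by initial access token
    // and by registration access token.
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Ensimmainen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Dynamic registration with a plain-http redirect URI must be rejected.
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("http://newredirect"));
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    // Admin creation without redirect URIs is accepted. No catch-all here: the method declares
    // `throws Exception`, and a bare fail() in a catch block would hide the real cause.
    String clientId = generateSuffixedName(CLIENT_NAME);
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setServiceAccountsEnabled(Boolean.TRUE);
        clientRep.setRedirectUris(null);
    });
    updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
        clientRep.setRedirectUris(null);
        clientRep.setServiceAccountsEnabled(Boolean.FALSE);
    });
    assertEquals(false, getClientByAdmin(cid).isServiceAccountsEnabled());
    // Narrow the policy: initial-access-token registrations are no longer covered, updates by
    // authenticated users and by registration access token still are.
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Paivitetyn Ensimmaisen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Dynamic update with a wildcard redirect URI must be rejected.
    try {
        updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("https://newredirect/*"));
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    // Happy path: all URIs are https and wildcard-free, so the admin update is accepted.
    updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
        clientRep.setRootUrl("https://client.example.com/");
        clientRep.setAdminUrl("https://client.example.com/admin/");
        clientRep.setBaseUrl("https://client.example.com/base/");
        clientRep.setWebOrigins(Arrays.asList("https://valid.other.client.example.com/", "https://valid.another.client.example.com/"));
        // Attribute-backed URIs: backchannel logout URL, jwks_uri and the CIBA notification endpoint
        // share one map, attached once.
        Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
        attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "https://client.example.com/logout/");
        attributes.put(OIDCConfigAttributes.JWKS_URL, "https://client.example.com/jwks/");
        attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "https://client.example.com/client-notification/");
        clientRep.setAttributes(attributes);
        // OAuth2 : redirectUris
        clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "https://client.example.com/callback/"));
        // OIDC : requestUris — set last so the helper works on the already-attached attribute map.
        setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/", "https://client.example.com/reqobj/"));
    });
    // Each of the following admin updates violates the executor in exactly one field and must be
    // rejected with invalid_client_metadata and a detail naming that field.
    // rootUrl: http scheme and wildcard
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            clientRep.setRootUrl("http://client.example.com/*/");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid rootUrl", e.getErrorDetail());
    }
    // adminUrl: http scheme
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            clientRep.setAdminUrl("http://client.example.com/admin/");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid adminUrl", e.getErrorDetail());
    }
    // baseUrl: wildcard
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            clientRep.setBaseUrl("https://client.example.com/base/*");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid baseUrl", e.getErrorDetail());
    }
    // web origins: http scheme
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            clientRep.setWebOrigins(Arrays.asList("http://valid.another.client.example.com/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid webOrigins", e.getErrorDetail());
    }
    // backchannel logout URL: malformed scheme
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "httpss://client.example.com/logout/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid logoutUrl", e.getErrorDetail());
    }
    // OAuth2 : redirectUris — one entry uses ftp
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "ftp://client.example.com/callback/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid redirectUris", e.getErrorDetail());
    }
    // OAuth2 : jwks_uri — malformed scheme
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.JWKS_URL, "http s://client.example.com/jwks/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid jwksUri", e.getErrorDetail());
    }
    // OIDC : requestUris — one entry has a wildcard
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/*", "https://client.example.com/reqobj/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid requestUris", e.getErrorDetail());
    }
    // CIBA client notification endpoint: http scheme
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "http://client.example.com/client-notification/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid cibaClientNotificationEndpoint", e.getErrorDetail());
    }
}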

Example 28 with ClientPolicyBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testParSecureRequestObjectExecutor.

/**
 * Verifies that the secure-request-object executor also validates request objects delivered
 * through PAR (pushed authorization requests). A well-formed object logs in; objects without
 * {@code exp} or {@code nbf}, or with a foreign audience, are pushed successfully but refused at
 * the authorization endpoint with {@code invalid_request_uri}; an object that itself carries a
 * {@code request_uri} claim is refused at the PAR endpoint with {@code invalid_request_object}.
 *
 * @throws Exception propagated from the test helpers
 */
@Test
public void testParSecureRequestObjectExecutor() throws Exception {
    // Executor config: extended availability window, exp/nbf etc. checked.
    Integer availablePeriod = SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400;
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(availablePeriod, true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies, selecting clients by the sample client role
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Prva Politika", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);

    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
    });
    oauth.realm(REALM_NAME);
    oauth.clientId(clientId);
    // Give the client the role the policy condition matches on.
    adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());

    // 1. Valid request object pushed via PAR: 201, then login with the returned request_uri.
    AuthorizationEndpointRequestObject requestObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    oauth.request(signRequestObject(requestObj));
    OAuthClient.ParResponse parResponse = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
    assertEquals(201, parResponse.getStatusCode());
    String pushedRequestUri = parResponse.getRequestUri();
    oauth.scope(null);
    oauth.responseType(null);
    oauth.request(null);
    oauth.requestUri(pushedRequestUri);
    OAuthClient.AuthorizationEndpointResponse authzResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    assertNotNull(authzResponse.getCode());
    oauth.openLogout();

    // 2. Same object without exp: pushed, but the authorization endpoint rejects the request_uri.
    requestObj.exp(null);
    oauth.requestUri(null);
    oauth.request(signRequestObject(requestObj));
    parResponse = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
    pushedRequestUri = parResponse.getRequestUri();
    oauth.request(null);
    oauth.requestUri(pushedRequestUri);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));

    // 3. Fresh object without nbf: same outcome.
    requestObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObj.nbf(null);
    oauth.requestUri(null);
    oauth.request(signRequestObject(requestObj));
    parResponse = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
    pushedRequestUri = parResponse.getRequestUri();
    oauth.request(null);
    oauth.requestUri(pushedRequestUri);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));

    // 4. Fresh object with an audience that is not this server: same outcome.
    requestObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObj.audience("https://www.other1.example.com/");
    oauth.request(signRequestObject(requestObj));
    oauth.requestUri(null);
    parResponse = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
    pushedRequestUri = parResponse.getRequestUri();
    oauth.request(null);
    oauth.requestUri(pushedRequestUri);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));

    // 5. Object carrying its own request_uri claim: the PAR endpoint itself refuses it.
    requestObj = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObj.setOtherClaims(OIDCLoginProtocol.REQUEST_URI_PARAM, "foo");
    oauth.request(signRequestObject(requestObj));
    oauth.requestUri(null);
    parResponse = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, parResponse.getError());
}

Example 29 with ClientPolicyBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testNegativeLogicCondition.

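/**
 * Verifies the negative-logic flag of a condition. With the any-client condition in its default
 * form the secure-session executor applies and a login without nonce fails; with the condition
 * configured with {@code Boolean.TRUE} (presumably the negative-logic flag) the policy matches no
 * client and a plain login succeeds; with {@code Boolean.FALSE} enforcement is back.
 *
 * @throws Exception propagated from the test helpers; the stack trace of the real cause is
 *         reported instead of being hidden behind a bare {@code fail()}
 */
@Test
public void testNegativeLogicCondition() throws Exception {
    // Profile: secure-session executor, no configuration.
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // Policy: any-client condition with default config.
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secretBeta";
    createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
    });
    // No catch-all try/catch: the method already declares `throws Exception`, and a bare fail()
    // in a catch block would discard the stack trace of whatever actually went wrong.
    failLoginWithoutSecureSessionParameter(clientId, ERR_MSG_MISSING_NONCE);
    // update policies: condition configured with TRUE — the policy stops matching this client
    updatePolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig(Boolean.TRUE)).addProfile(PROFILE_NAME).toRepresentation());
    successfulLoginAndLogout(clientId, clientSecret);
    // update policies: condition configured with FALSE — enforcement applies again
    updatePolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig(Boolean.FALSE)).addProfile(PROFILE_NAME).toRepresentation());
    failLoginWithoutSecureSessionParameter(clientId, ERR_MSG_MISSING_NONCE);
}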

Example 30 with ClientPolicyBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureResponseTypeExecutor.

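/**
 * Verifies the secure-response-type executor on a client selected via a client role. With the
 * default executor config the default response type is rejected while {@code code id_token} is
 * accepted; after allowing the token response type {@code code id_token token} is accepted too,
 * and {@code code} with {@code response_mode=jwt} works; with both options off again, the
 * JWT-mode error response carries {@code invalid_request}.
 *
 * @throws Exception propagated from the test helpers
 */
@Test
public void testSecureResponseTypeExecutor() throws Exception {
    // register profiles: executor with default (null) config
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies, selecting clients by the sample client role
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "A Primeira Politica", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        clientRep.setStandardFlowEnabled(Boolean.TRUE);
        clientRep.setImplicitFlowEnabled(Boolean.TRUE);
        clientRep.setPublicClient(Boolean.FALSE);
    });
    // Give the client the role the policy condition matches on.
    adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);
    // The default response type is rejected by the executor.
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("invalid response_type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // "code id_token" is accepted; the full login/code-exchange/logout cycle must go through.
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
    oauth.nonce("vbwe566fsfffds");
    loginExchangeCodeAndLogoutWithEvents(clientId, clientSecret);
    // update profiles: second flag on (per the request below, this admits the token response type)
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.FALSE, Boolean.TRUE)).toRepresentation()).toString();
    updateProfiles(json);
    // token response type allowed
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
    oauth.nonce("cie8cjcwiw");
    loginExchangeCodeAndLogoutWithEvents(clientId, clientSecret);
    // shall allow code using response_mode jwt
    oauth.responseType(OIDCResponseType.CODE);
    oauth.responseMode("jwt");
    OAuthClient.AuthorizationEndpointResponse authzResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    String jwsResponse = authzResponse.getResponse();
    AuthorizationResponseToken responseObject = oauth.verifyAuthorizationResponseToken(jwsResponse);
    String code = (String) responseObject.getOtherClaims().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
    assertEquals(200, res.getStatusCode());
    // update profiles: both flags off again
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.FALSE, Boolean.FALSE)).toRepresentation()).toString();
    updateProfiles(json);
    oauth.openLogout();
    // token response type no longer allowed: with response_mode=jwt the error comes back as a JWS
    // whose claims carry the error code (response_mode is still "jwt" from the step above).
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
    oauth.responseMode("jwt");
    oauth.openLoginForm();
    final JWSInput errorJws = new JWSInput(new OAuthClient.AuthorizationEndpointResponse(oauth).getResponse());
    JsonNode errorClaims = JsonSerialization.readValue(errorJws.getContent(), JsonNode.class);
    assertEquals(OAuthErrorException.INVALID_REQUEST, errorClaims.get("error").asText());
}

/**
 * Logs in with the response type/nonce currently configured on {@code oauth}, checks the login
 * event, exchanges the code for tokens (expects 200 and the code-to-token event), then logs out
 * with the refresh token and checks the logout event.
 *
 * @param clientId     client the events are expected for
 * @param clientSecret secret used for the token and logout requests
 * @throws Exception propagated from the OAuth client helpers
 */
private void loginExchangeCodeAndLogoutWithEvents(String clientId, String clientSecret) throws Exception {
    oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
    OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
    assertEquals(200, res.getStatusCode());
    events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
    oauth.doLogout(res.getRefreshToken(), clientSecret);
    events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
}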
