Search in sources :

Example 36 with ClientProfileBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureSessionEnforceExecutor.

@Test
public void testSecureSessionEnforceExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    String roleAlphaName = "sample-client-role-alpha";
    String roleBetaName = "sample-client-role-beta";
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(roleBetaName))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientAlphaId = generateSuffixedName("Alpha-App");
    String clientAlphaSecret = "secretAlpha";
    String cAlphaId = createClientByAdmin(clientAlphaId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientAlphaSecret);
    });
    adminClient.realm(REALM_NAME).clients().get(cAlphaId).roles().create(RoleBuilder.create().name(roleAlphaName).build());
    String clientBetaId = generateSuffixedName("Beta-App");
    String clientBetaSecret = "secretBeta";
    String cBetaId = createClientByAdmin(clientBetaId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientBetaSecret);
    });
    adminClient.realm(REALM_NAME).clients().get(cBetaId).roles().create(RoleBuilder.create().name(roleBetaName).build());
    successfulLoginAndLogout(clientAlphaId, clientAlphaSecret);
    oauth.openid(false);
    successfulLoginAndLogout(clientAlphaId, clientAlphaSecret);
    oauth.openid(true);
    failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_NONCE);
    oauth.nonce("yesitisnonce");
    successfulLoginAndLogout(clientBetaId, clientBetaSecret);
    oauth.openid(false);
    oauth.stateParamHardcoded(null);
    failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_STATE);
    oauth.stateParamRandom();
    successfulLoginAndLogout(clientBetaId, clientBetaSecret);
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 37 with ClientProfileBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testHolderOfKeyEnforceExecutor.

@Test
public void testHolderOfKeyEnforceExecutor() throws Exception {
    Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Az Elso Profil").addExecutor(HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID, createHolderOfKeyEnforceExecutorConfig(Boolean.TRUE)).addExecutor(SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Az Elso Politika", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    try (ClientAttributeUpdater cau = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, TEST_CLIENT)) {
        ClientRepresentation clientRep = cau.getResource().toRepresentation();
        Assert.assertNotNull(clientRep);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseMtlsHoKToken(true);
        cau.update();
        checkMtlsFlow();
    }
}
Also used : ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater) ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 38 with ClientProfileBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureRequestObjectExecutor.

@Test
public void testSecureRequestObjectExecutor() throws Exception {
    Integer availablePeriod = Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400);
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(availablePeriod, null)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Prva Politika", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
    });
    adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);
    AuthorizationEndpointRequestObject requestObject;
    // check whether whether request object exists
    oauth.request(null);
    oauth.requestUri(null);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter: 'request' or 'request_uri'", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request_uri is https scheme
    // cannot test because existing AuthorizationEndpoint check and return error before executing client policy
    // check whether request object can be retrieved from request_uri
    // cannot test because existing AuthorizationEndpoint check and return error before executing client policy
    // check whether request object can be parsed successfully
    // cannot test because existing AuthorizationEndpoint check and return error before executing client policy
    // check whether scope exists in both query parameter and request object
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.setScope(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    oauth.scope(null);
    oauth.openid(false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Parameter 'scope' missing in the request parameters or in 'request' object", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    oauth.openid(true);
    // check whether "exp" claim exists
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter in the 'request' object: exp", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request object not expired
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(Long.valueOf(0));
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request Expired", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether "nbf" claim exists
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter in the 'request' object: nbf", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request object not yet being processed
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request not yet being processed", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request object's available period is short
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + availablePeriod.intValue() + 1);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request's available period is long", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether "aud" claim exists
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.audience((String) null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter in the 'request' object: aud", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether "aud" claim points to this keycloak as authz server
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.audience(suiteContext.getAuthServerInfo().getContextRoot().toString());
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Invalid parameter in the 'request' object: aud", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // confirm whether all parameters in query string are included in the request object, and have the same values
    // argument "request" are parameters overridden by parameters in request object
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.setState("notmatchstate");
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // valid request object
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    successfulLoginAndLogout(clientId, clientSecret);
    // update profile : no configuration - "nbf" check and available period is 3600 sec
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // check whether "nbf" claim exists
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter in the 'request' object: nbf", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request object not yet being processed
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request not yet being processed", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // check whether request object's available period is short
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 1);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request's available period is long", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    // update profile : not check "nbf"
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(null, Boolean.FALSE)).toRepresentation()).toString();
    updateProfiles(json);
    // not check whether "nbf" claim exists
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);
    // not check whether request object not yet being processed
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);
    // not check whether request object's available period is short
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 1);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);
    // update profile : force request object encryption
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(null, null, true)).toRepresentation()).toString();
    updateProfiles(json);
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Request object not encrypted", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) AuthorizationEndpointRequestObject(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Example 39 with ClientProfileBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testConsentRequiredExecutorExecutor.

@Test
public void testConsentRequiredExecutorExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Client will be auto-configured to enable consentRequired
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setConsentRequired(Boolean.FALSE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    // Client cannot be updated to disable consentRequired
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setConsentRequired(Boolean.FALSE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    // Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to disable consentRequired
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(false)).toRepresentation()).toString();
    updateProfiles(json);
    // Not possible to register client with consentRequired due the validation
    try {
        createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setConsentRequired(Boolean.FALSE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    // Not possible to update existing client to consentRequired due the validation
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setConsentRequired(Boolean.FALSE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    } catch (ClientPolicyException cpe) {
        fail();
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 40 with ClientProfileBuilder

use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureSigningAlgorithmEnforceExecutor.

@Test
public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API - fail
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.none.name());
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create by Admin REST API - success
    String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.PS256);
        clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
    });
    // create by Admin REST API - success, PS256 enforced
    String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
    });
    ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update by Admin REST API - fail
    try {
        updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.RS512);
        });
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REQUEST, cpe.getError());
    }
    ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.PS384);
    });
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update profiles, ES256 enforced
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdmin2Id, (ClientRepresentation client2Rep) -> {
        client2Rep.getAttributes().remove(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
    });
    cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update profiles, fall back to PS256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.RS512)).toRepresentation()).toString();
    updateProfiles(json);
    // create dynamically - fail
    try {
        createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.RS384);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create dynamically - success
    String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
        clientRep.setUserinfoSignedResponseAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setRequestObjectSigningAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.PS256);
        clientRep.setTokenEndpointAuthSigningAlg(org.keycloak.crypto.Algorithm.PS256);
    });
    events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(Matchers.isEmptyOrNullString()).assertEvent();
    // update dynamically - fail
    try {
        updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.RS256);
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    assertEquals(org.keycloak.crypto.Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
    // update dynamically - success
    updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.ES384);
    });
    assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
    // create dynamically - success, PS256 enforced
    restartAuthenticatedClientRegistrationSetting();
    String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
    });
    OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
    // update profiles, enforce ES256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update dynamically - success, ES256 enforced
    updateClientDynamically(cAppDynamicClient2Id, (OIDCClientRepresentation client2Rep) -> {
        client2Rep.setUserinfoSignedResponseAlg(null);
        client2Rep.setRequestObjectSigningAlg(null);
        client2Rep.setIdTokenSignedResponseAlg(null);
        client2Rep.setTokenEndpointAuthSigningAlg(null);
    });
    cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Aggregations

ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)51 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)50 Test (org.junit.Test)47 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)46 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)46 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)41 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)37 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)18 OAuthClient (org.keycloak.testsuite.util.OAuthClient)14 ClientResource (org.keycloak.admin.client.resource.ClientResource)10 Matchers.containsString (org.hamcrest.Matchers.containsString)9 ClientRegistrationException (org.keycloak.client.registration.ClientRegistrationException)9 IOException (java.io.IOException)8 BadRequestException (javax.ws.rs.BadRequestException)8 AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement)8 OAuthErrorException (org.keycloak.OAuthErrorException)7 HashMap (java.util.HashMap)5 EventRepresentation (org.keycloak.representations.idm.EventRepresentation)4 TestAuthenticationChannelRequest (org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest)4 AuthorizationEndpointRequestObject (org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject)4