/**
 * Verifies the secure-session executor: a client matched by the policy's client-role
 * condition must send {@code nonce} on OIDC requests and {@code state} on plain OAuth2
 * requests, while a client outside the condition logs in unchanged.
 */
@Test
public void testSecureSessionEnforceExecutor() throws Exception {
    // profile: the secure-session executor with no explicit configuration
    String profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Den Forste Profilen")
                    .addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null)
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // policy: only clients carrying the "beta" client role are targeted
    String alphaRole = "sample-client-role-alpha";
    String betaRole = "sample-client-role-beta";
    String policiesJson = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Den Forste Politikken", Boolean.TRUE)
                    .addCondition(ClientRolesConditionFactory.PROVIDER_ID,
                            createClientRolesConditionConfig(Arrays.asList(betaRole)))
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(policiesJson);

    // alpha client: gets a role the condition does not list
    String alphaClientId = generateSuffixedName("Alpha-App");
    String alphaSecret = "secretAlpha";
    String alphaInternalId = createClientByAdmin(alphaClientId, (ClientRepresentation rep) -> {
        rep.setSecret(alphaSecret);
    });
    adminClient.realm(REALM_NAME).clients().get(alphaInternalId).roles()
            .create(RoleBuilder.create().name(alphaRole).build());

    // beta client: gets the role named in the condition
    String betaClientId = generateSuffixedName("Beta-App");
    String betaSecret = "secretBeta";
    String betaInternalId = createClientByAdmin(betaClientId, (ClientRepresentation rep) -> {
        rep.setSecret(betaSecret);
    });
    adminClient.realm(REALM_NAME).clients().get(betaInternalId).roles()
            .create(RoleBuilder.create().name(betaRole).build());

    // untargeted client: OIDC and plain OAuth2 logins both succeed without extra parameters
    successfulLoginAndLogout(alphaClientId, alphaSecret);
    oauth.openid(false);
    successfulLoginAndLogout(alphaClientId, alphaSecret);
    oauth.openid(true);

    // targeted client, OIDC: login is refused until a nonce is supplied
    failLoginWithoutSecureSessionParameter(betaClientId, ERR_MSG_MISSING_NONCE);
    oauth.nonce("yesitisnonce");
    successfulLoginAndLogout(betaClientId, betaSecret);

    // targeted client, plain OAuth2: login is refused until a state parameter is supplied
    oauth.openid(false);
    oauth.stateParamHardcoded(null);
    failLoginWithoutSecureSessionParameter(betaClientId, ERR_MSG_MISSING_STATE);
    oauth.stateParamRandom();
    successfulLoginAndLogout(betaClientId, betaSecret);
}
/**
 * Verifies the holder-of-key executor: with the executor applied to every client and the
 * test client switched to mTLS-bound tokens, {@link #checkMtlsFlow()} completes.
 * Skipped unless the auth server runs with TLS.
 */
@Test
public void testHolderOfKeyEnforceExecutor() throws Exception {
    Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);

    // profile: holder-of-key enforcement plus the signed-JWT algorithm executor configured with FALSE
    String profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Az Elso Profil")
                    .addExecutor(HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID,
                            createHolderOfKeyEnforceExecutorConfig(Boolean.TRUE))
                    .addExecutor(SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID,
                            createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE))
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // policy: applies to any client
    String policiesJson = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Az Elso Politika", Boolean.TRUE)
                    .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(policiesJson);

    // try-with-resources keeps the client change scoped to this test
    // (presumably the updater restores the client on close — see ClientAttributeUpdater)
    try (ClientAttributeUpdater updater = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, TEST_CLIENT)) {
        ClientRepresentation testClient = updater.getResource().toRepresentation();
        Assert.assertNotNull(testClient);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(testClient).setUseMtlsHoKToken(true);
        updater.update();
        checkMtlsFlow();
    }
}
/**
 * Exercises the secure-request-object executor. Each negative case builds a valid request
 * object, breaks exactly one aspect of it, registers it and asserts the error pair returned
 * on the redirect; the positive cases complete a login. The profile is then re-registered
 * three times (no configuration, "nbf" check disabled, encryption required) and the relevant
 * request objects are replayed against each configuration.
 */
@Test
public void testSecureRequestObjectExecutor() throws Exception {
    // available period longer than the executor default, so the boundary case below is profile-driven
    Integer availablePeriod = Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400);

    // profile: executor with an explicit available period, "nbf" setting left null
    String profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Prvy Profil")
                    .addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID,
                            createSecureRequestObjectExecutorConfig(availablePeriod, null))
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // policy: clients carrying the sample client role
    String policiesJson = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Prva Politika", Boolean.TRUE)
                    .addCondition(ClientRolesConditionFactory.PROVIDER_ID,
                            createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE)))
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(policiesJson);

    // client under test: carries the matched role and has a registered request_uri
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    String internalId = createClientByAdmin(clientId, (ClientRepresentation rep) -> {
        rep.setSecret(clientSecret);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(rep)
                .setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
    });
    adminClient.realm(REALM_NAME).clients().get(internalId).roles()
            .create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);

    // neither "request" nor "request_uri" present
    oauth.request(null);
    oauth.requestUri(null);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Missing parameter: 'request' or 'request_uri'", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));

    // Not covered here: the https scheme of request_uri, retrieval of the request object from
    // request_uri and parsing of the request object. AuthorizationEndpoint rejects all three
    // before the client policy runs.

    // "scope" dropped from the request object only: mismatch with the query parameter
    AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.setScope(null);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, true,
            OAuthErrorException.INVALID_REQUEST,
            "Invalid parameter. Parameters in 'request' object not matching with request parameters");

    // "scope" absent from both the query and the request object
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    oauth.scope(null);
    oauth.openid(false);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("Parameter 'scope' missing in the request parameters or in 'request' object", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    oauth.openid(true);

    // "exp" missing
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(null);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: exp");

    // "exp" already passed
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(Long.valueOf(0));
    openLoginFormExpectingRequestObjectError(requestObject, clientId, true,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request Expired");

    // "nbf" missing
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: nbf");

    // "nbf" moved 600 ahead of the generated value
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request not yet being processed");

    // exp - nbf exceeds the configured available period by one
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + availablePeriod.intValue() + 1);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request's available period is long");

    // "aud" missing
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.audience((String) null);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: aud");

    // "aud" set to the server context root rather than the value the executor expects
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.audience(suiteContext.getAuthServerInfo().getContextRoot().toString());
    openLoginFormExpectingRequestObjectError(requestObject, clientId, true,
            OAuthErrorException.INVALID_REQUEST_URI, "Invalid parameter in the 'request' object: aud");

    // "state" in the request object differs from the query parameter: every query parameter has
    // to appear in the request object with the same value (request-object values take precedence)
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.setState("notmatchstate");
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST,
            "Invalid parameter. Parameters in 'request' object not matching with request parameters");

    // untouched request object: login succeeds
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, true);
    successfulLoginAndLogout(clientId, clientSecret);

    // profile re-registered with no configuration: "nbf" is checked and the default available period applies
    profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Prvy Profil")
                    .addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, null)
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // "nbf" missing
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: nbf");

    // "nbf" moved 600 ahead of the generated value
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request not yet being processed");

    // exp - nbf exceeds the default available period by one
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 1);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request's available period is long");

    // profile re-registered with the "nbf" check disabled
    profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Prvy Profil")
                    .addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID,
                            createSecureRequestObjectExecutorConfig(null, Boolean.FALSE))
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // the three "nbf"-related shapes rejected above now log in
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(null);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);

    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.nbf(requestObject.getNbf() + 600);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);

    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    requestObject.exp(requestObject.getNbf() + SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 1);
    registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
    successfulLoginAndLogout(clientId, clientSecret);

    // profile re-registered with encryption required: a signed-only request object is rejected
    profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Prvy Profil")
                    .addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID,
                            createSecureRequestObjectExecutorConfig(null, null, true))
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);
    requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
    openLoginFormExpectingRequestObjectError(requestObject, clientId, false,
            OAuthErrorException.INVALID_REQUEST_OBJECT, "Request object not encrypted");
}

/**
 * Registers an already-prepared request object (signed with ES256, as every case in
 * {@link #testSecureRequestObjectExecutor()}), opens the login form and asserts the
 * {@code error} / {@code error_description} pair on the resulting redirect.
 *
 * @param requestObject       the request object to register, already modified by the caller
 * @param clientId            client the request object is registered for
 * @param useRequestUri       passed through unchanged as the last argument of
 *                            {@code registerRequestObject} (assumed to select request_uri over
 *                            request — confirm against that helper)
 * @param expectedError       expected {@code error} query parameter
 * @param expectedDescription expected {@code error_description} query parameter
 */
private void openLoginFormExpectingRequestObjectError(AuthorizationEndpointRequestObject requestObject, String clientId,
                                                      boolean useRequestUri, String expectedError,
                                                      String expectedDescription) throws Exception {
    registerRequestObject(requestObject, clientId, Algorithm.ES256, useRequestUri);
    oauth.openLoginForm();
    assertEquals(expectedError, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals(expectedDescription, oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
}
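/**
 * Verifies the consent-required executor on the Admin REST API.
 * With auto-configure on, a client registered with {@code consentRequired=false} ends up with
 * it switched on, and an update turning it off is overridden. With auto-configure off, the
 * same requests are rejected with {@link Errors#INVALID_REGISTRATION}, while an update that
 * leaves {@code consentRequired} alone still goes through.
 *
 * @throws Exception propagated from the admin helpers
 */
@Test
public void testConsentRequiredExecutorExecutor() throws Exception {
    // profile: consent-required executor with auto-configure on
    String json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Test Profile")
                    .addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(true))
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // policy: applies to any client
    json = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE)
                    .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(json);

    // auto-configure: the executor turns consentRequired on although the request sets it off
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setConsentRequired(Boolean.FALSE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());

    // auto-configure: an update that tries to turn consentRequired off is overridden, not rejected
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setConsentRequired(Boolean.FALSE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());

    // auto-configure off: nothing is rewritten any more, but validation still refuses consentRequired=false
    json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Test Profile")
                    .addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(false))
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // registration refused. A fresh clientId is used so that the policy is the only possible
    // cause of failure — reusing clientId would also collide with the client created above.
    String rejectedClientId = generateSuffixedName("aaa-app");
    try {
        createClientByAdmin(rejectedClientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setConsentRequired(Boolean.FALSE);
        });
        fail("registration with consentRequired=false must be rejected by the client policy");
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }

    // update refused for the same reason; the stored value is unchanged afterwards
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setConsentRequired(Boolean.FALSE);
        });
        fail("update to consentRequired=false must be rejected by the client policy");
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());

    // an update that does not touch consentRequired passes and leaves it on
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    } catch (ClientPolicyException cpe) {
        fail("update that leaves consentRequired untouched must pass the client policy: " + cpe.getMessage());
    }
}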
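/**
 * Verifies the secure-signing-algorithm executor for clients registered or updated by an
 * authenticated user, an initial access token or a registration access token.
 * Algorithm attributes set to {@code none} or an {@code RS*} algorithm are rejected on both
 * the Admin REST API and the dynamic registration endpoint; {@code ES*}/{@code PS*} values are
 * accepted; attributes left unset are filled in with the executor's default, which is PS256
 * when the profile carries no configuration or names RS512, and the configured algorithm
 * otherwise (asserted below for ES256).
 *
 * @throws Exception propagated from the admin and dynamic-registration helpers
 */
@Test
public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
    // profile: executor without configuration
    String json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Den Forsta Profilen")
                    .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, null)
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // policy: matches on who performs the registration or update
    json = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE)
                    .addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID,
                            createClientUpdateContextConditionConfig(Arrays.asList(
                                    ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER,
                                    ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN,
                                    ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN)))
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(json);

    // create by Admin REST API with "none" as userinfo signature algorithm - rejected
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.none.name());
        });
        fail("registration with the 'none' algorithm must be rejected by the client policy");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }

    // create by Admin REST API with ES/PS algorithms - accepted
    String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.PS256);
        clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
    });

    // create by Admin REST API with no algorithm attributes - accepted, PS256 filled in for all of them
    String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
        // nothing set on purpose
    });
    ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));

    // update by Admin REST API to RS512 - rejected, the stored ES256 survives
    try {
        updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.RS512);
        });
        // without this the try block passes silently when no exception is thrown; the other
        // negative cases in this test all fail explicitly
        fail("update to RS512 must be rejected by the client policy");
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REQUEST, cpe.getError());
    }
    ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));

    // update by Admin REST API to PS384 - accepted
    updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.PS384);
    });
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));

    // profile reconfigured to enforce ES256
    json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Den Forsta Profilen")
                    .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
                            createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256))
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // update by Admin REST API removing every algorithm attribute - accepted, ES256 filled in
    updateClientByAdmin(cAppAdmin2Id, (ClientRepresentation client2Rep) -> {
        client2Rep.getAttributes().remove(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
    });
    cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));

    // profile reconfigured with RS512 - the executor falls back to its PS256 default (asserted below)
    json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Den Forsta Profilen")
                    .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
                            createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.RS512))
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // create by Admin REST API with RS384 - rejected. (The original comment labelled this case
    // "create dynamically", but the call is createClientByAdmin; the dynamic negative case is the
    // update further down.)
    try {
        createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.RS384);
        });
        fail("registration with RS384 must be rejected by the client policy");
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }

    // create dynamically with ES/PS algorithms - accepted
    String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
        clientRep.setUserinfoSignedResponseAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setRequestObjectSigningAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.PS256);
        clientRep.setTokenEndpointAuthSigningAlg(org.keycloak.crypto.Algorithm.PS256);
    });
    events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(Matchers.isEmptyOrNullString()).assertEvent();

    // update dynamically to RS256 - rejected, the stored PS256 survives
    try {
        updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.RS256);
        });
        fail("dynamic update to RS256 must be rejected by the client policy");
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    assertEquals(org.keycloak.crypto.Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());

    // update dynamically to ES384 - accepted
    updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.ES384);
    });
    assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());

    // create dynamically with no algorithms - accepted, PS256 filled in
    // (presumably renews the registration credentials the next dynamic create needs — see the helper)
    restartAuthenticatedClientRegistrationSetting();
    String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
        // nothing set on purpose
    });
    OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());

    // profile reconfigured to enforce ES256
    json = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Den Forsta Profilen")
                    .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
                            createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256))
                    .toRepresentation())
            .toString();
    updateProfiles(json);

    // update dynamically clearing every algorithm - accepted, ES256 filled in
    updateClientDynamically(cAppDynamicClient2Id, (OIDCClientRepresentation client2Rep) -> {
        client2Rep.setUserinfoSignedResponseAlg(null);
        client2Rep.setRequestObjectSigningAlg(null);
        client2Rep.setIdTokenSignedResponseAlg(null);
        client2Rep.setTokenEndpointAuthSigningAlg(null);
    });
    cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
}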