Example 41 with AccessTokenResponse

use of org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse in project keycloak by keycloak.

The class HoKTest, method testIntrospectHoKAccessToken. The test obtains a certificate-bound (holder-of-key) access token over mutual TLS, introspects it from a separate client, and checks that the same certificate thumbprint appears in the access token, the refresh token, the introspection response and the presented client certificate.

@Test
public void testIntrospectHoKAccessToken() throws Exception {
    // Obtain an access token over mutual TLS, presenting the client certificate
    // (mimics the OAuth client)
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    AccessTokenResponse accessTokenResponse = null;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) {
        accessTokenResponse = oauth.doAccessTokenRequest(code, "password", client);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }
    // Introspect the token without presenting a client certificate
    // (mimics the resource server)
    String tokenResponse;
    try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) {
        tokenResponse = oauth.introspectTokenWithClientCredential("confidential-cli", "secret1", "access_token", accessTokenResponse.getAccessToken(), client);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }
    TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);
    // Decode the access and refresh tokens to read their certificate confirmation (cnf) claim
    JWSInput jws = new JWSInput(accessTokenResponse.getAccessToken());
    AccessToken at = jws.readJsonContent(AccessToken.class);
    jws = new JWSInput(accessTokenResponse.getRefreshToken());
    RefreshToken rt = jws.readJsonContent(RefreshToken.class);
    String certThumbprintFromAccessToken = at.getCertConf().getCertThumbprint();
    String certThumbprintFromRefreshToken = rt.getCertConf().getCertThumbprint();
    String certThumbprintFromTokenIntrospection = rep.getCertConf().getCertThumbprint();
    String certThumbprintFromBoundClientCertificate = MutualTLSUtils.getThumbprintFromDefaultClientCert();
    assertTrue(rep.isActive());
    assertEquals("test-user@localhost", rep.getUserName());
    assertEquals("test-app", rep.getClientId());
    assertEquals(loginEvent.getUserId(), rep.getSubject());
    // Every token, and the introspection response, must be bound to the certificate the client actually presented
    assertEquals(certThumbprintFromTokenIntrospection, certThumbprintFromBoundClientCertificate);
    assertEquals(certThumbprintFromBoundClientCertificate, certThumbprintFromAccessToken);
    assertEquals(certThumbprintFromAccessToken, certThumbprintFromRefreshToken);
}
Also used: org.apache.http.impl.client.CloseableHttpClient, org.keycloak.representations.oidc.TokenMetadataRepresentation, org.keycloak.representations.RefreshToken, org.keycloak.representations.AccessToken, org.keycloak.representations.idm.EventRepresentation, java.io.IOException, org.keycloak.jose.jws.JWSInput, org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse, org.keycloak.testsuite.oauth.RefreshTokenTest, org.keycloak.testsuite.AbstractKeycloakTest, org.keycloak.testsuite.AbstractTestRealmKeycloakTest

Example 42 with AccessTokenResponse

use of org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse in project keycloak by keycloak.

The class HoKTest, method serviceAccountWithClientCertificate. The test checks that a client credentials grant for a client configured for mutual-TLS holder-of-key token binding is rejected when no client certificate is presented, and succeeds with a certificate-bound token when one is.

@Test
public void serviceAccountWithClientCertificate() throws Exception {
    oauth.clientId("service-account-client");
    AccessTokenResponse response;
    Supplier<CloseableHttpClient> previous = oauth.getHttpClient();
    try {
        // A request without a client certificate (no HoK binding possible) must be rejected
        oauth.httpClient(MutualTLSUtils::newCloseableHttpClientWithoutKeyStoreAndTrustStore);
        response = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        assertEquals(400, response.getStatusCode());
        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
        assertEquals("Client Certification missing for MTLS HoK Token Binding", response.getErrorDescription());
        // A request presenting the client certificate succeeds
        oauth.httpClient(MutualTLSUtils::newCloseableHttpClientWithDefaultKeyStoreAndTrustStore);
        response = oauth.doClientCredentialsGrantAccessTokenRequest("secret1");
        assertEquals(200, response.getStatusCode());
        // The issued token must carry the thumbprint of the presented certificate
        verifyHoKTokenCertThumbPrint(response, MutualTLSUtils.getThumbprintFromDefaultClientCert(), false);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    } finally {
        // Restore the HTTP client used by the rest of the test class
        oauth.httpClient(previous);
    }
}
Also used: org.apache.http.impl.client.CloseableHttpClient, org.keycloak.testsuite.util.MutualTLSUtils, java.io.IOException, org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse, org.keycloak.testsuite.oauth.RefreshTokenTest, org.keycloak.testsuite.AbstractKeycloakTest, org.keycloak.testsuite.AbstractTestRealmKeycloakTest

Example 43 with AccessTokenResponse

use of org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse in project keycloak by keycloak.

The class TokenRevocationTest, method isTokenEnabled. The helper asserts that a token pair is still usable: introspection reports the access token as active and the refresh token can still be exchanged.

private void isTokenEnabled(AccessTokenResponse tokenResponse, String clientId) throws IOException {
    // Introspection must report the access token as active
    String introspectionResponse = oauth.introspectAccessTokenWithClientCredential(clientId, "password", tokenResponse.getAccessToken());
    TokenMetadataRepresentation rep = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class);
    assertTrue(rep.isActive());
    // The refresh token must still be accepted by the token endpoint
    oauth.clientId(clientId);
    OAuthClient.AccessTokenResponse tokenRefreshResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
    assertEquals(Status.OK.getStatusCode(), tokenRefreshResponse.getStatusCode());
}
Also used: org.keycloak.representations.oidc.TokenMetadataRepresentation, org.keycloak.testsuite.util.OAuthClient, org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse

Example 44 with AccessTokenResponse

use of org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse in project keycloak by keycloak.

The class TokenRevocationTest, method isTokenDisabled. The counterpart of isTokenEnabled: after revocation the access token must be reported inactive and the refresh token must be rejected.

private void isTokenDisabled(AccessTokenResponse tokenResponse, String clientId) throws IOException {
    // The revoked access token must be reported as inactive
    isAccessTokenDisabled(tokenResponse.getAccessToken(), clientId);
    // The refresh token from the same session must be rejected
    oauth.clientId(clientId);
    OAuthClient.AccessTokenResponse tokenRefreshResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
    assertEquals(Status.BAD_REQUEST.getStatusCode(), tokenRefreshResponse.getStatusCode());
}
Also used: org.keycloak.testsuite.util.OAuthClient, org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse

Example 45 with AccessTokenResponse

use of org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse in project keycloak by keycloak.

The class IdTokenEncryptionTest, method testIdTokenEncryptionWithoutEncryptionKEK. The client is configured to receive encrypted ID tokens but only publishes a signing key at its jwks_url, so the server cannot find a key encryption key (KEK) and the token request must fail rather than issue an unencrypted ID token.

@Test
@UncaughtServerErrorExpected
public void testIdTokenEncryptionWithoutEncryptionKEK() {
    ClientResource clientResource = null;
    ClientRepresentation clientRep = null;
    try {
        // Generate and publish only a signing/verifying key for the client, no encryption key
        TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpointsResource.generateKeys(Algorithm.RS256);
        clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        clientRep = clientResource.toRepresentation();
        // Require the ID token to be signed with RS256 and encrypted with RSA1_5 / A128CBC-HS256
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.RS256);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(JWEConstants.RSA1_5);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(JWEConstants.A128CBC_HS256);
        // Point the client's jwks_url at the test application's JWKS endpoint
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
        String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
        clientResource.update(clientRep);
        // The token request must fail because no encryption key is available
        OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
        AccessTokenResponse atr = oauth.doAccessTokenRequest(response.getCode(), "password");
        Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, atr.getError());
        Assert.assertEquals("can not get encryption KEK", atr.getErrorDescription());
    } finally {
        // Revert the ID token encryption settings
        clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.RS256);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(null);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(null);
        // Revert the jwks_url settings
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
        clientResource.update(clientRep);
    }
}
Also used: org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource, org.keycloak.testsuite.util.OAuthClient, org.keycloak.admin.client.resource.ClientResource, org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse, org.keycloak.representations.idm.ClientRepresentation, org.keycloak.testsuite.admin.AbstractAdminTest, org.junit.Test, org.keycloak.testsuite.AbstractTestRealmKeycloakTest, org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected

Aggregations (classes used together with AccessTokenResponse across the examples, with the number of examples each appears in):

AccessTokenResponse (org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse): 45
Test (org.junit.Test): 29
AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest): 24
AccessToken (org.keycloak.representations.AccessToken): 14
AbstractOIDCScopeTest (org.keycloak.testsuite.oidc.AbstractOIDCScopeTest): 14
OIDCScopeTest (org.keycloak.testsuite.oidc.OIDCScopeTest): 14
TokenMetadataRepresentation (org.keycloak.representations.oidc.TokenMetadataRepresentation): 13
EventRepresentation (org.keycloak.representations.idm.EventRepresentation): 12
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest): 10
IOException (java.io.IOException): 9
CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient): 9
RefreshTokenTest (org.keycloak.testsuite.oauth.RefreshTokenTest): 9
OAuthClient (org.keycloak.testsuite.util.OAuthClient): 8
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper): 5
JsonNode (com.fasterxml.jackson.databind.JsonNode): 4
RefreshToken (org.keycloak.representations.RefreshToken): 4
Response (javax.ws.rs.core.Response): 3
JWSInput (org.keycloak.jose.jws.JWSInput): 3
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation): 3
OAuth2ErrorRepresentation (org.keycloak.representations.idm.OAuth2ErrorRepresentation): 3