Example 11 with ParResponse
use of org.keycloak.testsuite.util.OAuthClient.ParResponse in project keycloak by keycloak.
the class ParTest method testParCorsRequestWithInvalidUrlShouldFail.
// CORS test
@Test
public void testParCorsRequestWithInvalidUrlShouldFail() throws Exception {
try {
// create client dynamically
String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI, VALID_CORS_URL + "/realms/master/app")));
});
OIDCClientRepresentation oidcCRep = getClientDynamically(clientId);
String clientSecret = oidcCRep.getClientSecret();
assertEquals(Boolean.FALSE, oidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(oidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, oidcCRep.getTokenEndpointAuthMethod());
updateClientByAdmin(clientId, (ClientRepresentation cRep) -> {
cRep.setOrigin(VALID_CORS_URL);
});
// Pushed Authorization Request
oauth.clientId(clientId);
oauth.redirectUri(VALID_CORS_URL + "/realms/master/app");
oauth.origin(INVALID_CORS_URL);
ParResponse pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret, (CloseableHttpResponse c) -> {
assertNotCors(c);
});
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
doNormalAuthzProcess(requestUri, VALID_CORS_URL + "/realms/master/app", clientId, clientSecret);
} finally {
oauth.origin(null);
}
}
Also used :
ParResponse(org.keycloak.testsuite.util.OAuthClient.ParResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
AbstractClientPoliciesTest(org.keycloak.testsuite.client.AbstractClientPoliciesTest)
Test(org.junit.Test)
Example 12 with ParResponse
use of org.keycloak.testsuite.util.OAuthClient.ParResponse in project keycloak by keycloak.
the class ParTest method testFailureParIncludesInvalidRedirectUri.
// PAR including invalid redirect_uri
@Test
public void testFailureParIncludesInvalidRedirectUri() throws Exception {
// create client dynamically
String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation oidcCRep = getClientDynamically(clientId);
String clientSecret = oidcCRep.getClientSecret();
assertEquals(Boolean.TRUE, oidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(oidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
// Pushed Authorization Request
oauth.clientId(clientId);
oauth.redirectUri(INVALID_CORS_URL);
ParResponse pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(400, pResp.getStatusCode());
assertEquals(OAuthErrorException.INVALID_REQUEST, pResp.getError());
assertEquals("Invalid parameter: redirect_uri", pResp.getErrorDescription());
}
Also used :
ParResponse(org.keycloak.testsuite.util.OAuthClient.ParResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
AbstractClientPoliciesTest(org.keycloak.testsuite.client.AbstractClientPoliciesTest)
Test(org.junit.Test)
Example 13 with ParResponse
use of org.keycloak.testsuite.util.OAuthClient.ParResponse in project keycloak by keycloak.
the class ParTest method testIgnoreParameterIfNotSetinRequestObject.
@Test
public void testIgnoreParameterIfNotSetinRequestObject() throws Exception {
try {
// setup PAR realm settings
int requestUriLifespan = 45;
setParRealmSettings(requestUriLifespan);
// create client dynamically
String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
clientRep.setRedirectUris(new ArrayList<>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
oauth.clientId(clientId);
OIDCClientRepresentation oidcCRep = getClientDynamically(clientId);
String clientSecret = oidcCRep.getClientSecret();
assertEquals(Boolean.TRUE, oidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(oidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, oidcCRep.getTokenEndpointAuthMethod());
TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
requestObject.id(KeycloakModelUtils.generateId());
requestObject.iat(Long.valueOf(Time.currentTime()));
requestObject.exp(requestObject.getIat() + Long.valueOf(300));
requestObject.nbf(requestObject.getIat());
requestObject.setClientId(oauth.getClientId());
requestObject.setResponseType("code");
requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
requestObject.setScope("openid");
requestObject.setNonce(KeycloakModelUtils.generateId());
byte[] contentBytes = JsonSerialization.writeValueAsBytes(requestObject);
String encodedRequestObject = Base64Url.encode(contentBytes);
TestOIDCEndpointsApplicationResource client = testingClient.testApp().oidcClientEndpoints();
// use and set jwks_url
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(oauth.getRealm()), oauth.getClientId());
ClientRepresentation clientRep = clientResource.toRepresentation();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
clientResource.update(clientRep);
client.generateKeys(org.keycloak.crypto.Algorithm.RS256);
client.registerOIDCRequest(encodedRequestObject, org.keycloak.crypto.Algorithm.RS256);
// do not send any other parameter but the request request parameter
oauth.request(client.getOIDCRequest());
oauth.responseType("code id_token");
oauth.redirectUri("http://invalid");
oauth.scope(null);
oauth.nonce("12345");
ParResponse pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
assertEquals(requestUriLifespan, pResp.getExpiresIn());
oauth.scope("invalid");
oauth.redirectUri("http://invalid");
oauth.responseType("invalid");
oauth.redirectUri(null);
oauth.nonce("12345");
oauth.request(null);
oauth.requestUri(requestUri);
String wrongState = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(wrongState);
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertNull(loginResponse.getState());
assertNotEquals(requestObject.getState(), wrongState);
// Token Request
// get tokens, it needed. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
oauth.redirectUri(CLIENT_REDIRECT_URI);
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(loginResponse.getCode(), clientSecret);
assertEquals(200, res.getStatusCode());
oauth.verifyToken(res.getAccessToken());
IDToken idToken = oauth.verifyIDToken(res.getIdToken());
assertEquals(requestObject.getNonce(), idToken.getNonce());
} finally {
restoreParRealmSettings();
}
}
Also used :
TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
ParResponse(org.keycloak.testsuite.util.OAuthClient.ParResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
IDToken(org.keycloak.representations.IDToken)
TestingOIDCEndpointsApplicationResource(org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource)
AbstractClientPoliciesTest(org.keycloak.testsuite.client.AbstractClientPoliciesTest)
Test(org.junit.Test)
Example 14 with ParResponse
use of org.keycloak.testsuite.util.OAuthClient.ParResponse in project keycloak by keycloak.
the class ParTest method testFailureParUsedByOtherClient.
// PAR request_uri used by other client
@Test
public void testFailureParUsedByOtherClient() throws Exception {
// create client dynamically
String victimClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation victimOidcCRep = getClientDynamically(victimClientId);
String victimClientSecret = victimOidcCRep.getClientSecret();
assertEquals(Boolean.FALSE, victimOidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(victimOidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, victimOidcCRep.getTokenEndpointAuthMethod());
authManageClients();
String attackerClientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation attackerOidcCRep = getClientDynamically(attackerClientId);
assertEquals(Boolean.TRUE, attackerOidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(attackerOidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, attackerOidcCRep.getTokenEndpointAuthMethod());
// Pushed Authorization Request
oauth.clientId(victimClientId);
oauth.redirectUri(CLIENT_REDIRECT_URI);
ParResponse pResp = oauth.doPushedAuthorizationRequest(victimClientId, victimClientSecret);
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
// Authorization Request with request_uri of PAR
// remove parameters as query strings of uri
// used by other client
oauth.clientId(attackerClientId);
oauth.redirectUri(null);
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
UriBuilder b = UriBuilder.fromUri(oauth.getLoginFormUrl());
driver.navigate().to(b.build().toURL());
OAuthClient.AuthorizationEndpointResponse errorResponse = new OAuthClient.AuthorizationEndpointResponse(oauth);
Assert.assertFalse(errorResponse.isRedirected());
}
Also used :
ParResponse(org.keycloak.testsuite.util.OAuthClient.ParResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
UriBuilder(javax.ws.rs.core.UriBuilder)
AbstractClientPoliciesTest(org.keycloak.testsuite.client.AbstractClientPoliciesTest)
Test(org.junit.Test)
Example 15 with ParResponse
use of org.keycloak.testsuite.util.OAuthClient.ParResponse in project keycloak by keycloak.
the class ParTest method testSuccessfulMultipleParByMultipleClients.
// success with several clients conducting multiple authz requests + PAR simultaneously
@Test
public void testSuccessfulMultipleParByMultipleClients() throws Exception {
// create client dynamically
String clientId = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.FALSE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation oidcCRep = getClientDynamically(clientId);
String clientSecret = oidcCRep.getClientSecret();
assertEquals(Boolean.FALSE, oidcCRep.getRequirePushedAuthorizationRequests());
assertTrue(oidcCRep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, oidcCRep.getTokenEndpointAuthMethod());
// call it when several clients are created consecutively.
authManageClients();
String client2Id = createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRequirePushedAuthorizationRequests(Boolean.TRUE);
clientRep.setRedirectUris(new ArrayList<String>(Arrays.asList(CLIENT_REDIRECT_URI)));
});
OIDCClientRepresentation oidcC2Rep = getClientDynamically(client2Id);
String client2Secret = oidcC2Rep.getClientSecret();
assertEquals(Boolean.TRUE, oidcC2Rep.getRequirePushedAuthorizationRequests());
assertTrue(oidcC2Rep.getRedirectUris().contains(CLIENT_REDIRECT_URI));
assertEquals(OIDCLoginProtocol.CLIENT_SECRET_BASIC, oidcC2Rep.getTokenEndpointAuthMethod());
// Pushed Authorization Request #1
oauth.clientId(clientId);
oauth.redirectUri(CLIENT_REDIRECT_URI);
ParResponse pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(201, pResp.getStatusCode());
String requestUriOne = pResp.getRequestUri();
// Pushed Authorization Request #2
oauth.clientId(client2Id);
oauth.scope("microprofile-jwt" + " " + "profile");
oauth.redirectUri(CLIENT_REDIRECT_URI);
pResp = oauth.doPushedAuthorizationRequest(client2Id, client2Secret);
assertEquals(201, pResp.getStatusCode());
String requestUriTwo = pResp.getRequestUri();
// Authorization Request with request_uri of PAR #2
// remove parameters as query strings of uri
oauth.redirectUri(null);
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriTwo);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId = loginResponse.getSessionState();
// Token Request #2
// get tokens, it needed. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
oauth.redirectUri(CLIENT_REDIRECT_URI);
OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, client2Secret);
assertEquals(200, res.getStatusCode());
AccessToken token = oauth.verifyToken(res.getAccessToken());
String userId = findUserByUsername(adminClient.realm(REALM_NAME), TEST_USER2_NAME).getId();
assertEquals(userId, token.getSubject());
assertEquals(sessionId, token.getSessionState());
Assert.assertNotEquals(TEST_USER2_NAME, token.getSubject());
assertEquals(client2Id, token.getIssuedFor());
assertTrue(token.getScope().contains("openid"));
assertTrue(token.getScope().contains("microprofile-jwt"));
assertTrue(token.getScope().contains("profile"));
// Logout
// same oauth instance is used so that this logout is needed to send authz request consecutively.
oauth.doLogout(res.getRefreshToken(), client2Secret);
// Authorization Request with request_uri of PAR #1
// remove parameters as query strings of uri
oauth.clientId(clientId);
oauth.redirectUri(null);
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriOne);
state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
code = loginResponse.getCode();
sessionId = loginResponse.getSessionState();
// Token Request #1
// get tokens, it needed. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
oauth.redirectUri(CLIENT_REDIRECT_URI);
res = oauth.doAccessTokenRequest(code, clientSecret);
assertEquals(200, res.getStatusCode());
token = oauth.verifyToken(res.getAccessToken());
userId = findUserByUsername(adminClient.realm(REALM_NAME), TEST_USER_NAME).getId();
assertEquals(userId, token.getSubject());
assertEquals(sessionId, token.getSessionState());
Assert.assertNotEquals(TEST_USER_NAME, token.getSubject());
assertEquals(clientId, token.getIssuedFor());
assertFalse(token.getScope().contains("microprofile-jwt"));
assertTrue(token.getScope().contains("openid"));
}
Also used :
ParResponse(org.keycloak.testsuite.util.OAuthClient.ParResponse)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
AccessToken(org.keycloak.representations.AccessToken)
AbstractClientPoliciesTest(org.keycloak.testsuite.client.AbstractClientPoliciesTest)
Test(org.junit.Test)
Aggregations
Test (org.junit.Test)21
OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)21
AbstractClientPoliciesTest (org.keycloak.testsuite.client.AbstractClientPoliciesTest)21
ParResponse (org.keycloak.testsuite.util.OAuthClient.ParResponse)21
OAuthClient (org.keycloak.testsuite.util.OAuthClient)10
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)8
ClientResource (org.keycloak.admin.client.resource.ClientResource)5
UriBuilder (javax.ws.rs.core.UriBuilder)4
TestOIDCEndpointsApplicationResource (org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource)4
TestingOIDCEndpointsApplicationResource (org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource)4
AccessToken (org.keycloak.representations.AccessToken)3
IDToken (org.keycloak.representations.IDToken)3
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)2
RefreshToken (org.keycloak.representations.RefreshToken)1
ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)1
ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)1
ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)1
ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)1
