Client registration service do not check client protocol for Bearer token

Closes #15612
2022-11-21 16:53:04 +02:00 · 2022-11-21 16:53:04 +02:00 · 085dd24875
commit 085dd24875
parent 28fc5b4574
3 changed files with 26 additions and 61 deletions
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
@ -134,7 +134,6 @@ public class ClientRegistrationAuth {
        RegistrationAuth registrationAuth = RegistrationAuth.ANONYMOUS;

        if (isBearerToken()) {
-            checkClientProtocol();

            if (hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
                registrationAuth = RegistrationAuth.AUTHENTICATED;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
@ -586,32 +586,6 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
        }
    }

-    @Test
-    public void testOIDCEndpointCreateWithSamlClient() throws Exception {
-        ClientsResource clientsResource = adminClient.realm(TEST).clients();
-        ClientRepresentation samlClient = clientsResource.findByClientId("saml-client").get(0);
-        String samlClientServiceId = clientsResource.get(samlClient.getId()).getServiceAccountUser().getId();
-
-        String realmManagementId = clientsResource.findByClientId("realm-management").get(0).getId();
-        RoleRepresentation role = clientsResource.get(realmManagementId).roles().get("create-client").toRepresentation();
-
-        adminClient.realm(TEST).users().get(samlClientServiceId).roles().clientLevel(realmManagementId).add(Arrays.asList(role));
-
-        String accessToken = oauth.clientId("saml-client").doClientCredentialsGrantAccessTokenRequest("secret").getAccessToken();
-        reg.auth(Auth.token(accessToken));
-
-        // change client to saml
-        samlClient.setProtocol("saml");
-        clientsResource.get(samlClient.getId()).update(samlClient);
-
-        OIDCClientRepresentation client = createRep();
-        assertCreateFail(client, 400, Errors.INVALID_CLIENT);
-
-        // revert client
-        samlClient.setProtocol("openid-connect");
-        clientsResource.get(samlClient.getId()).update(samlClient);
-    }
-
    @Test
    public void testOIDCEndpointGetWithSamlClient() throws Exception {
        OIDCClientRepresentation response = create();
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/SAMLClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/SAMLClientRegistrationTest.java
@ -74,8 +74,29 @@ public class SAMLClientRegistrationTest extends AbstractClientRegistrationTest {
    @Test
    public void createClient() throws ClientRegistrationException, IOException {
        String entityDescriptor = IOUtils.toString(getClass().getResourceAsStream("/clientreg-test/saml-entity-descriptor.xml"));
-        ClientRepresentation response = reg.saml().create(entityDescriptor);
+        assertClientCreation(entityDescriptor);
+    }

+    @Test
+    public void testSAMLEndpointCreateWithOIDCClient() throws Exception {
+        ClientsResource clientsResource = adminClient.realm(TEST).clients();
+        ClientRepresentation oidcClient = clientsResource.findByClientId("oidc-client").get(0);
+        String oidcClientServiceId = clientsResource.get(oidcClient.getId()).getServiceAccountUser().getId();
+
+        String realmManagementId = clientsResource.findByClientId("realm-management").get(0).getId();
+        RoleRepresentation role = clientsResource.get(realmManagementId).roles().get("create-client").toRepresentation();
+
+        adminClient.realm(TEST).users().get(oidcClientServiceId).roles().clientLevel(realmManagementId).add(Arrays.asList(role));
+
+        String accessToken = oauth.clientId("oidc-client").doClientCredentialsGrantAccessTokenRequest("secret").getAccessToken();
+        reg.auth(Auth.token(accessToken));
+
+        String entityDescriptor = IOUtils.toString(getClass().getResourceAsStream("/clientreg-test/saml-entity-descriptor.xml"));
+        assertClientCreation(entityDescriptor);
+    }
+
+    private void assertClientCreation(String entityDescriptor) throws ClientRegistrationException {
+        ClientRepresentation response = reg.saml().create(entityDescriptor);
        assertThat(response.getRegistrationAccessToken(), notNullValue());
        assertThat(response.getClientId(), is("loadbalancer-9.siroe.com"));
        assertThat(response.getRedirectUris(), containsInAnyOrder(
@ -96,36 +117,7 @@ public class SAMLClientRegistrationTest extends AbstractClientRegistrationTest {
        Assert.assertEquals("urn:oid:2.5.4.42",mapper.getConfig().get(AttributeStatementHelper.SAML_ATTRIBUTE_NAME));
        Assert.assertEquals("givenName",mapper.getConfig().get(AttributeStatementHelper.FRIENDLY_NAME));
        Assert.assertEquals(AttributeStatementHelper.URI_REFERENCE,mapper.getConfig().get(AttributeStatementHelper.SAML_ATTRIBUTE_NAMEFORMAT));
-    }

-    @Test
-    public void testSAMLEndpointCreateWithOIDCClient() throws Exception {
-        ClientsResource clientsResource = adminClient.realm(TEST).clients();
-        ClientRepresentation oidcClient = clientsResource.findByClientId("oidc-client").get(0);
-        String oidcClientServiceId = clientsResource.get(oidcClient.getId()).getServiceAccountUser().getId();
-
-        String realmManagementId = clientsResource.findByClientId("realm-management").get(0).getId();
-        RoleRepresentation role = clientsResource.get(realmManagementId).roles().get("create-client").toRepresentation();
-
-        adminClient.realm(TEST).users().get(oidcClientServiceId).roles().clientLevel(realmManagementId).add(Arrays.asList(role));
-
-        String accessToken = oauth.clientId("oidc-client").doClientCredentialsGrantAccessTokenRequest("secret").getAccessToken();
-        reg.auth(Auth.token(accessToken));
-
-        String entityDescriptor = IOUtils.toString(getClass().getResourceAsStream("/clientreg-test/saml-entity-descriptor.xml"));
-        assertCreateFail(entityDescriptor, 400, Errors.INVALID_CLIENT);
-    }
-
-    private void assertCreateFail(String entityDescriptor, int expectedStatusCode, String expectedErrorContains) {
-        try {
-            reg.saml().create(entityDescriptor);
-            Assert.fail("Not expected to successfully register client");
-        } catch (ClientRegistrationException expected) {
-            HttpErrorException httpEx = (HttpErrorException) expected.getCause();
-            Assert.assertEquals(expectedStatusCode, httpEx.getStatusLine().getStatusCode());
-            if (expectedErrorContains != null) {
-                assertTrue("Error response doesn't contain expected text", httpEx.getErrorResponse().contains(expectedErrorContains));
-            }
-        }
+        adminClient.realm(REALM_NAME).clients().get(response.getId()).remove();
    }
 }