parseConfig(KeycloakSession session, InputStream inputStream);
+
+ /**
+ * Creates a provider specific {@link IdentityProviderModel} instance.
+ *
+ *
Providers may want to implement their own {@link IdentityProviderModel} type so that validations
+ * can be performed when managing the provider configuration
+ *
+ * @return the provider specific instance
+ */
+ C createConfig();
}
\ No newline at end of file
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index 7b455e7da2..9982bbe091 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -49,6 +49,9 @@ import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
+import org.keycloak.broker.provider.IdentityProvider;
+import org.keycloak.broker.provider.IdentityProviderFactory;
+import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.UriUtils;
@@ -285,7 +288,7 @@ public class RepresentationToModel {
DefaultRequiredActions.addActions(newRealm);
}
- importIdentityProviders(rep, newRealm);
+ importIdentityProviders(rep, newRealm, session);
importIdentityProviderMappers(rep, newRealm);
Map clientScopes = new HashMap<>();
@@ -1856,10 +1859,10 @@ public class RepresentationToModel {
}
}
- private static void importIdentityProviders(RealmRepresentation rep, RealmModel newRealm) {
+ private static void importIdentityProviders(RealmRepresentation rep, RealmModel newRealm, KeycloakSession session) {
if (rep.getIdentityProviders() != null) {
for (IdentityProviderRepresentation representation : rep.getIdentityProviders()) {
- newRealm.addIdentityProvider(toModel(newRealm, representation));
+ newRealm.addIdentityProvider(toModel(newRealm, representation, session));
}
}
}
@@ -1872,8 +1875,20 @@ public class RepresentationToModel {
}
}
- public static IdentityProviderModel toModel(RealmModel realm, IdentityProviderRepresentation representation) {
- IdentityProviderModel identityProviderModel = new IdentityProviderModel();
+ public static IdentityProviderModel toModel(RealmModel realm, IdentityProviderRepresentation representation, KeycloakSession session) {
+ IdentityProviderFactory providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(
+ IdentityProvider.class, representation.getProviderId());
+
+ if (providerFactory == null) {
+ providerFactory = (IdentityProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(
+ SocialIdentityProvider.class, representation.getProviderId());
+ }
+
+ if (providerFactory == null) {
+ throw new IllegalArgumentException("Invalid identity provider id [" + representation.getProviderId() + "]");
+ }
+
+ IdentityProviderModel identityProviderModel = providerFactory.createConfig();
identityProviderModel.setInternalId(representation.getInternalId());
identityProviderModel.setAlias(representation.getAlias());
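Review bot: `representation.getProviderId()` is passed to both factory lookups without a null check, so a representation that omits the provider id depends on how `getProviderFactory` handles a null id instead of reaching the explicit "Invalid identity provider id" error. A guard before the first lookup, such as `if (representation.getProviderId() == null) throw new IllegalArgumentException("Identity provider id is required");`, would make that case deterministic. An unknown id now throws where it was previously accepted, and `importIdentityProviders` calls `toModel` in a loop, so one bad entry will presumably abort the whole realm import; that deserves a line in the method's Javadoc. The cast to the raw `IdentityProviderFactory` type is repeated and could be folded into one small private lookup helper. `toModel` continues past the end of this hunk.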
@@ -1908,6 +1923,8 @@ public class RepresentationToModel {
}
identityProviderModel.setPostBrokerLoginFlowId(flowModel.getId());
}
+
+ identityProviderModel.validate(realm);
return identityProviderModel;
}
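Review bot: `identityProviderModel.validate(realm)` is wired in only at the end of `toModel`, so the check covers paths that convert an `IdentityProviderRepresentation` and nothing else. Code that builds an `IdentityProviderModel` directly and passes it to `addIdentityProvider` would presumably skip validation; this diff does not show whether such callers exist. Configurations stored before this change, or stored while the realm had a weaker `sslRequired` setting, would likewise go unchecked. I would state this at the call site with a comment such as `// Provider-specific validation runs only here; callers that bypass toModel() must call validate(realm) themselves`. It is also worth considering whether raising the realm's SSL requirement should re-validate existing providers. The method body starts outside this hunk.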
diff --git a/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java b/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java
index 6fb5c59679..846df4e75f 100755
--- a/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java
+++ b/server-spi/src/main/java/org/keycloak/models/IdentityProviderModel.java
@@ -196,5 +196,15 @@ public class IdentityProviderModel implements Serializable {
public void setDisplayName(String displayName) {
this.displayName = displayName;
}
-
+
+ /**
+ * Validates this configuration.
+ *
+ *
Sub-classes can override this method in order to enforce provider specific validations.
+ *
+ * @param realm the realm
+ */
+ public void validate(RealmModel realm) {
+
+ }
}
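Review bot: The Javadoc on `validate` does not say how a failed validation is reported, yet every overriding config class and every caller has to agree on that for the admin endpoints to return a client error. I would add `@throws IllegalArgumentException if the configuration is not valid for the given realm`, assuming that is what `UriUtils.checkUrl` raises, which this diff does not show. It should also say that the base implementation accepts everything. Stating whether `realm` may be null would help too, because the overrides in this commit dereference it immediately through `realm.getSslRequired()`.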
diff --git a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
index 87e7b73ab4..48bfd82547 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProviderFactory.java
@@ -48,7 +48,10 @@ public class KeycloakOIDCIdentityProviderFactory extends AbstractIdentityProvide
@Override
public Map parseConfig(KeycloakSession session, InputStream inputStream) {
return OIDCIdentityProviderFactory.parseOIDCConfig(session, inputStream);
-
}
- }
+ @Override
+ public OIDCIdentityProviderConfig createConfig() {
+ return new OIDCIdentityProviderConfig();
+ }
+}
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java
index af26468a4a..5838376f50 100644
--- a/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OAuth2IdentityProviderConfig.java
@@ -16,7 +16,12 @@
*/
package org.keycloak.broker.oidc;
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
+import org.keycloak.common.enums.SslRequired;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
/**
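Review bot: The added `import org.keycloak.models.KeycloakSession;` is not used by any line this commit adds to `OAuth2IdentityProviderConfig`; the new `validate` only needs `RealmModel`, `SslRequired` and the static `checkUrl`. The same unused import is added in the import hunks of `OIDCIdentityProviderConfig` and `SAMLIdentityProviderConfig`. Dropping it in all three files keeps the config classes free of a session dependency they do not have.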
@@ -28,6 +33,10 @@ public class OAuth2IdentityProviderConfig extends IdentityProviderModel {
super(model);
}
+ public OAuth2IdentityProviderConfig() {
+ super();
+ }
+
public String getAuthorizationUrl() {
return getConfig().get("authorizationUrl");
}
@@ -123,4 +132,13 @@ public class OAuth2IdentityProviderConfig extends IdentityProviderModel {
public void setForwardParameters(String forwardParameters) {
getConfig().put("forwardParameters", forwardParameters);
}
+
+ @Override
+ public void validate(RealmModel realm) {
+ SslRequired sslRequired = realm.getSslRequired();
+
+ checkUrl(sslRequired, getAuthorizationUrl(), "authorization_url");
+ checkUrl(sslRequired, getTokenUrl(), "token_url");
+ checkUrl(sslRequired, getUserInfoUrl(), "userinfo_url");
+ }
}
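Review bot: The labels passed to `checkUrl` (`"authorization_url"`, `"token_url"`, `"userinfo_url"`) do not match the config keys an administrator actually sets, which the getters show as camelCase, for example `getConfig().get("authorizationUrl")`. If the label ends up in the error returned to the client, the message will name a field that does not exist in the submitted representation. The SAML override in this commit passes its key constants instead, so using the real keys here, e.g. `checkUrl(sslRequired, getAuthorizationUrl(), "authorizationUrl");`, would keep the providers consistent. A one-line comment that absent URLs are skipped would also help; the tests suggest this, since they null the fields between cases.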
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
index bb3d286f60..002848fec9 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderConfig.java
@@ -16,7 +16,12 @@
*/
package org.keycloak.broker.oidc;
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
+import org.keycloak.common.enums.SslRequired;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
/**
* @author Pedro Igor
@@ -33,6 +38,10 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
super(identityProviderModel);
}
+ public OIDCIdentityProviderConfig() {
+ super();
+ }
+
public String getPrompt() {
return getConfig().get("prompt");
}
@@ -122,4 +131,12 @@ public class OIDCIdentityProviderConfig extends OAuth2IdentityProviderConfig {
return 0;
}
}
+
+ @Override
+ public void validate(RealmModel realm) {
+ super.validate(realm);
+ SslRequired sslRequired = realm.getSslRequired();
+ checkUrl(sslRequired, getJwksUrl(), "jwks_url");
+ checkUrl(sslRequired, getLogoutUrl(), "logout_url");
+ }
}
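Review bot: Judging by the call shape `checkUrl(sslRequired, url, label)`, this override and the parent's can only constrain the URL scheme against the realm's SSL policy. The host part of the JWKS, token and userinfo URLs is left unrestricted, and these are presumably endpoints the server contacts itself. If identity-provider management can be delegated to less trusted admins, `validate` is the natural place for a destination policy, but that is a design decision outside this diff. At minimum I would document the limit on the method with `// Only the scheme is checked against the realm SSL policy; destination hosts are not restricted here`.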
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index 346cf82da3..64a3ea2fb8 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -43,6 +43,11 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
return new OIDCIdentityProvider(session, new OIDCIdentityProviderConfig(model));
}
+ @Override
+ public OIDCIdentityProviderConfig createConfig() {
+ return new OIDCIdentityProviderConfig();
+ }
+
@Override
public String getId() {
return PROVIDER_ID;
@@ -60,7 +65,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
} catch (IOException e) {
throw new RuntimeException("failed to load openid connect metadata", e);
}
- OIDCIdentityProviderConfig config = new OIDCIdentityProviderConfig(new IdentityProviderModel());
+ OIDCIdentityProviderConfig config = new OIDCIdentityProviderConfig();
config.setIssuer(rep.getIssuer());
config.setLogoutUrl(rep.getLogoutEndpoint());
config.setAuthorizationUrl(rep.getAuthorizationEndpoint());
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
index 37fa434c58..f80da3db00 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderConfig.java
@@ -16,8 +16,13 @@
*/
package org.keycloak.broker.saml;
+import static org.keycloak.common.util.UriUtils.checkUrl;
+
+import org.keycloak.common.enums.SslRequired;
import org.keycloak.models.IdentityProviderModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
import org.keycloak.protocol.saml.SamlPrincipalType;
import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer;
@@ -276,4 +281,11 @@ public class SAMLIdentityProviderConfig extends IdentityProviderModel {
getConfig().put(PRINCIPAL_ATTRIBUTE, principalAttribute);
}
+ @Override
+ public void validate(RealmModel realm) {
+ SslRequired sslRequired = realm.getSslRequired();
+
+ checkUrl(sslRequired, getSingleLogoutServiceUrl(), SINGLE_LOGOUT_SERVICE_URL);
+ checkUrl(sslRequired, getSingleSignOnServiceUrl(), SINGLE_SIGN_ON_SERVICE_URL);
+ }
}
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
index f538cc5ab0..e6cd566530 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
@@ -58,6 +58,11 @@ public class SAMLIdentityProviderFactory extends AbstractIdentityProviderFactory
return new SAMLIdentityProvider(session, new SAMLIdentityProviderConfig(model), destinationValidator);
}
+ @Override
+ public SAMLIdentityProviderConfig createConfig() {
+ return new SAMLIdentityProviderConfig();
+ }
+
@Override
public Map parseConfig(KeycloakSession session, InputStream inputStream) {
try {
diff --git a/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java b/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java
index b68d116117..de3dbfd835 100644
--- a/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java
+++ b/services/src/main/java/org/keycloak/partialimport/IdentityProvidersPartialImport.java
@@ -72,7 +72,7 @@ public class IdentityProvidersPartialImport extends AbstractPartialImportStian Thorgersen
@@ -102,6 +111,9 @@ public class IdentityProviderTest extends AbstractAdminTest {
+ "vOU8TyqfZF5jpv0IcrviLl/DoFrbjByeHR+pu/vClcAOjL/u7oQELuuTfNsBI4tpexUj5G8q/YbEz0gk7idf"
+ "LXrAUVcsR73oTngrhRfwUSmPrjjK0kjcRb6HL9V/+wh3R/6mEd59U08ExT8N38rhmn0CI3ehMdebReprP7U8=";
+ @Rule
+ public ExpectedException expectedException = ExpectedException.none();
+
@Test
public void testFindAll() {
create(createRep("google", "google"));
@@ -143,6 +155,71 @@ public class IdentityProviderTest extends AbstractAdminTest {
assertEquals(ComponentRepresentation.SECRET_VALUE, rep.getConfig().get("clientSecret"));
}
+ @Test
+ public void failCreateInvalidUrl() {
+ RealmRepresentation realmRep = realm.toRepresentation();
+
+ realmRep.setSslRequired(SslRequired.ALL.name());
+
+ try {
+ realm.update(realmRep);
+
+ IdentityProviderRepresentation newIdentityProvider = createRep("new-identity-provider", "oidc");
+
+ newIdentityProvider.getConfig().put("clientId", "clientId");
+ newIdentityProvider.getConfig().put("clientSecret", "some secret value");
+
+ OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(newIdentityProvider);
+
+ oidcConfig.setAuthorizationUrl("invalid://test");
+
+ try (Response response = this.realm.identityProviders().create(newIdentityProvider)) {
+ assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
+ Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl("http://test");
+
+ try (Response response = this.realm.identityProviders().create(newIdentityProvider)) {
+ assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
+ Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl("http://test");
+
+ try (Response response = this.realm.identityProviders().create(newIdentityProvider)) {
+ assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
+ Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl(null);
+ oidcConfig.setLogoutUrl("http://test");
+
+ try (Response response = this.realm.identityProviders().create(newIdentityProvider)) {
+ assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
+ Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl(null);
+ oidcConfig.setLogoutUrl(null);
+ oidcConfig.setUserInfoUrl("http://test");
+
+ try (Response response = this.realm.identityProviders().create(newIdentityProvider)) {
+ assertEquals(AUTH_SERVER_SSL_REQUIRED ? Response.Status.BAD_REQUEST.getStatusCode() :
+ Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+ } finally {
+ realmRep.setSslRequired(SslRequired.NONE.name());
+ realm.update(realmRep);
+ }
+ }
@Test
public void testCreateWithBasicAuth() {
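Review bot: Every case in `failCreateInvalidUrl` reuses the alias `"new-identity-provider"`, and nothing removes a provider that was created. In the branch where `AUTH_SERVER_SSL_REQUIRED` is false and `CREATED` is expected, the second and later `create` calls would presumably collide with the provider from the first call rather than return `CREATED`. A fresh alias per case, `newIdentityProvider.setAlias(UUID.randomUUID().toString());`, or removing the provider after each successful create, would fix that. The conditional expectation also means that on a non-SSL test server the test asserts that `invalid://test` is accepted while the realm is set to `SslRequired.ALL`. A short comment explaining why the policy is not enforced in that setup would stop readers from treating it as intended product behaviour.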
@@ -258,6 +335,84 @@ public class IdentityProviderTest extends AbstractAdminTest {
assertEquals("${vault.key}", testingClient.testing("admin-client-test").getIdentityProviderConfig("changed-alias").get("clientSecret"));
}
+ @Test
+ public void failUpdateInvalidUrl() {
+ RealmRepresentation realmRep = realm.toRepresentation();
+
+ realmRep.setSslRequired(SslRequired.ALL.name());
+
+ try {
+ realm.update(realmRep);
+
+ IdentityProviderRepresentation representation = createRep(UUID.randomUUID().toString(), "oidc");
+
+ representation.getConfig().put("clientId", "clientId");
+ representation.getConfig().put("clientSecret", "some secret value");
+
+ try (Response response = realm.identityProviders().create(representation)) {
+ assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
+ }
+
+ IdentityProviderResource resource = this.realm.identityProviders().get(representation.getAlias());
+ representation = resource.toRepresentation();
+
+ OIDCIdentityProviderConfigRep oidcConfig = new OIDCIdentityProviderConfigRep(representation);
+
+ oidcConfig.setAuthorizationUrl("invalid://test");
+
+ this.expectedException.expect(
+ Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
+ Matchers.hasProperty("status", Matchers.is(
+ Response.Status.BAD_REQUEST.getStatusCode())))));
+ resource.update(representation);
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl("http://test");
+
+ this.expectedException.expect(
+ Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
+ Matchers.hasProperty("status", Matchers.is(
+ Response.Status.BAD_REQUEST.getStatusCode())))));
+ resource.update(representation);
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl("http://test");
+
+ this.expectedException.expect(
+ Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
+ Matchers.hasProperty("status", Matchers.is(
+ Response.Status.BAD_REQUEST.getStatusCode())))));
+ resource.update(representation);
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl(null);
+ oidcConfig.setLogoutUrl("http://test");
+
+ this.expectedException.expect(
+ Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
+ Matchers.hasProperty("status", Matchers.is(
+ Response.Status.BAD_REQUEST.getStatusCode())))));
+ resource.update(representation);
+
+ oidcConfig.setAuthorizationUrl(null);
+ oidcConfig.setTokenUrl(null);
+ oidcConfig.setJwksUrl(null);
+ oidcConfig.setLogoutUrl(null);
+ oidcConfig.setUserInfoUrl("http://test");
+
+ this.expectedException.expect(
+ Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), Matchers.hasProperty("response",
+ Matchers.hasProperty("status", Matchers.is(
+ Response.Status.BAD_REQUEST.getStatusCode())))));
+ resource.update(representation);
+ } finally {
+ realmRep.setSslRequired(SslRequired.NONE.name());
+ realm.update(realmRep);
+ }
+ }
+
@Test
public void testRemove() {
IdentityProviderRepresentation newIdentityProvider = createRep("remove-identity-provider", "saml");
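Review bot: In `failUpdateInvalidUrl` only the first `resource.update(representation)` is ever exercised. With the `ExpectedException` rule, the first thrown `ClientErrorException` ends the test method, so the token, JWKS, logout and userinfo cases below it never run and their validation is effectively untested on update. Each case needs its own catch-and-assert, as in the helper sketched below. The expectation here is an unconditional `BAD_REQUEST`, whereas `failCreateInvalidUrl` makes it depend on `AUTH_SERVER_SSL_REQUIRED`; the two tests should agree. The `testRemove` method at the end of the hunk continues outside it.

```java
// … unchanged: realm SSL setup, provider creation, oidcConfig wrapper …
oidcConfig.setAuthorizationUrl("invalid://test");
assertUpdateRejected(resource, representation);

oidcConfig.setAuthorizationUrl(null);
oidcConfig.setTokenUrl("http://test");
assertUpdateRejected(resource, representation);
// … same pattern for jwksUrl, logoutUrl and userInfoUrl …

private void assertUpdateRejected(IdentityProviderResource resource,
                                  IdentityProviderRepresentation representation) {
    try {
        resource.update(representation);
        Assert.fail("update with an invalid URL should have been rejected");
    } catch (ClientErrorException e) {
        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), e.getResponse().getStatus());
    }
}
```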
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
index 732f73f54f..f628175db7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@@ -1658,8 +1658,8 @@ public class PermissionsTest extends AbstractKeycloakTest {
}, Resource.IDENTITY_PROVIDER, false);
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference response) {
- response.set(realm.identityProviders().create(IdentityProviderBuilder.create().providerId("nosuch")
- .displayName("nosuch-foo").alias("foo").build()));
+ response.set(realm.identityProviders().create(IdentityProviderBuilder.create().providerId("oidc")
+ .displayName("nosuch-foo").alias("foo").setAttribute("clientId", "foo").setAttribute("clientSecret", "foo").build()));
}
}, Resource.IDENTITY_PROVIDER, true);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
index c8b06720df..6d45fb4fe8 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
@@ -708,7 +708,7 @@ public class UserTest extends AbstractAdminTest {
IdentityProviderRepresentation rep = new IdentityProviderRepresentation();
rep.setAlias("social-provider-id");
- rep.setProviderId("social-provider-type");
+ rep.setProviderId("oidc");
realm.identityProviders().create(rep);
assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.identityProviderPath(rep.getAlias()), rep, ResourceType.IDENTITY_PROVIDER);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java
index f98a5fc804..34292ee638 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOIDCBrokerWithSignatureTest.java
@@ -279,7 +279,7 @@ public class KcOIDCBrokerWithSignatureTest extends AbstractBaseBrokerTest {
// Update identityProvider to some bad JWKS_URL
OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idpRep);
- cfg.setJwksUrl("http://localhost:43214/non-existent");
+ cfg.setJwksUrl("https://localhost:43214/non-existent");
updateIdentityProvider(idpRep);
// Check that key is not cached anymore
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java
index da8622fa38..8d95be7ff7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OIDCIdentityProviderConfigRep.java
@@ -27,7 +27,7 @@ import org.keycloak.representations.idm.IdentityProviderRepresentation;
*
* @author Marek Posolda
*/
-class OIDCIdentityProviderConfigRep extends OIDCIdentityProviderConfig {
+public class OIDCIdentityProviderConfigRep extends OIDCIdentityProviderConfig {
private final IdentityProviderRepresentation rep;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java
index c1bebe062c..49ff78d1ad 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmUpdateTest.java
@@ -43,8 +43,8 @@ public class KcAdmUpdateTest extends AbstractAdmCliTest {
.providerId(SAMLIdentityProviderFactory.PROVIDER_ID)
.alias("idpAlias")
.displayName("SAML")
- .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "http://saml.idp/saml")
- .setAttribute(SAMLIdentityProviderConfig.SINGLE_LOGOUT_SERVICE_URL, "http://saml.idp/saml")
+ .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "https://saml.idp/saml")
+ .setAttribute(SAMLIdentityProviderConfig.SINGLE_LOGOUT_SERVICE_URL, "https://saml.idp/saml")
.setAttribute(SAMLIdentityProviderConfig.NAME_ID_POLICY_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_RESPONSE, "false")
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "false")
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java
index 13ec90c7b9..954d3fc2d4 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BrokerTest.java
@@ -91,7 +91,7 @@ public class BrokerTest extends AbstractSamlTest {
final ResponseType res = new SAML2LoginResponseBuilder()
.requestID(req.getID())
.destination(req.getAssertionConsumerServiceURL().toString())
- .issuer("http://saml.idp/saml")
+ .issuer("https://saml.idp/saml")
.assertionExpiration(1000000)
.subjectExpiration(1000000)
.requestIssuer(getAuthServerRealmBase(REALM_NAME).toString())
@@ -118,7 +118,7 @@ public class BrokerTest extends AbstractSamlTest {
AuthenticationExecutionInfoRepresentation reviewProfileAuthenticator = null;
String firstBrokerLoginFlowAlias = null;
- try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/saml"))) {
+ try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/saml"))) {
IdentityProviderRepresentation idpRepresentation = idp.identityProvider().toRepresentation();
firstBrokerLoginFlowAlias = idpRepresentation.getFirstBrokerLoginFlowAlias();
List executions = realm.flows().getExecutions(firstBrokerLoginFlowAlias);
@@ -168,7 +168,7 @@ public class BrokerTest extends AbstractSamlTest {
public void testRedirectQueryParametersPreserved() throws IOException {
final RealmResource realm = adminClient.realm(REALM_NAME);
- try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/?service=name&serviceType=prod"))) {
+ try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/?service=name&serviceType=prod"))) {
SAMLDocumentHolder samlResponse = new SamlClientBuilder()
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
.login().idp(SAML_BROKER_ALIAS).build()
@@ -178,7 +178,7 @@ public class BrokerTest extends AbstractSamlTest {
assertThat(samlResponse.getSamlObject(), Matchers.instanceOf(AuthnRequestType.class));
AuthnRequestType ar = (AuthnRequestType) samlResponse.getSamlObject();
- assertThat(ar.getDestination(), Matchers.equalTo(URI.create("http://saml.idp/?service=name&serviceType=prod")));
+ assertThat(ar.getDestination(), Matchers.equalTo(URI.create("https://saml.idp/?service=name&serviceType=prod")));
Header[] headers = new SamlClientBuilder()
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
@@ -187,7 +187,7 @@ public class BrokerTest extends AbstractSamlTest {
.executeAndTransform(resp -> resp.getHeaders(HttpHeaders.LOCATION));
assertThat(headers.length, Matchers.is(1));
- assertThat(headers[0].getValue(), Matchers.containsString("http://saml.idp/?service=name&serviceType=prod"));
+ assertThat(headers[0].getValue(), Matchers.containsString("https://saml.idp/?service=name&serviceType=prod"));
assertThat(headers[0].getValue(), Matchers.containsString("SAMLRequest"));
}
}
@@ -228,7 +228,7 @@ public class BrokerTest extends AbstractSamlTest {
private void assertExpired(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter, boolean shouldPass) throws Exception {
Status expectedStatus = shouldPass ? Status.OK : Status.BAD_REQUEST;
final RealmResource realm = adminClient.realm(REALM_NAME);
- try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("http://saml.idp/"))) {
+ try (IdentityProviderCreator idp = new IdentityProviderCreator(realm, addIdentityProvider("https://saml.idp/"))) {
new SamlClientBuilder()
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build()
.login().idp(SAML_BROKER_ALIAS).build()
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java
index 37f8ae3d15..cddd3a8a1a 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/IdpInitiatedLoginTest.java
@@ -210,7 +210,7 @@ public class IdpInitiatedLoginTest extends AbstractSamlTest {
IdentityProviderBuilder.create()
.alias("saml-idp")
.providerId("saml")
- .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "http://saml-idp-sso-service/")
+ .setAttribute(SAMLIdentityProviderConfig.SINGLE_SIGN_ON_SERVICE_URL, "https://saml-idp-sso-service/")
.setAttribute(SAMLIdentityProviderConfig.POST_BINDING_AUTHN_REQUEST, "true")
.build())) {
new SamlClientBuilder()
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java
index e1fa36fc35..8dbae0fd8b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/LogoutTest.java
@@ -75,9 +75,9 @@ public class LogoutTest extends AbstractSamlTest {
private static final String SP_NAME_QUALIFIER = "spNameQualifier";
private static final String NAME_QUALIFIER = "nameQualifier";
- private static final String BROKER_SIGN_ON_SERVICE_URL = "http://saml.idp/saml";
- private static final String BROKER_LOGOUT_SERVICE_URL = "http://saml.idp/SLO/saml";
- private static final String BROKER_SERVICE_ID = "http://saml.idp/saml";
+ private static final String BROKER_SIGN_ON_SERVICE_URL = "https://saml.idp/saml";
+ private static final String BROKER_LOGOUT_SERVICE_URL = "https://saml.idp/SLO/saml";
+ private static final String BROKER_SERVICE_ID = "https://saml.idp/saml";
private ClientRepresentation salesRep;
private ClientRepresentation sales2Rep;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json b/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json
index 58fd177e03..79c23c0982 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/cli/idp-keycloak-9167.json
@@ -13,9 +13,9 @@
"config" : {
"nameIDPolicyFormat" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"postBindingResponse" : "false",
- "singleLogoutServiceUrl" : "http://saml.idp/saml",
+ "singleLogoutServiceUrl" : "https://saml.idp/saml",
"postBindingAuthnRequest" : "false",
- "singleSignOnServiceUrl" : "http://saml.idp/saml",
+ "singleSignOnServiceUrl" : "https://saml.idp/saml",
"backchannelSupported" : "false"
}
}