libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

KEYCLOAK-8148 Duplication of listed roles assigned through groups in userinfo endpoint

Browse source
This commit is contained in:
mposolda 2018-10-05 22:24:58 +02:00 committed by Marek Posolda
parent 00f4b54730
commit 3ca386f223
1 changed files with 43 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
View file

@ -37,6 +37,7 @@ import org.keycloak.representations.AddressClaimSet;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
@ -105,10 +106,14 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
private void deleteMappers(ProtocolMappersResource protocolMappers) {
ProtocolMapperRepresentation mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Realm roles mapper");
protocolMappers.delete(mapper.getId());
if (mapper != null) {
protocolMappers.delete(mapper.getId());
}
mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Client roles mapper");
protocolMappers.delete(mapper.getId());
if (mapper != null) {
protocolMappers.delete(mapper.getId());
}
}
@Override
@ -525,6 +530,42 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
}
// KEYCLOAK-8148 -- Test the scenario where:
// -- user is member of 2 groups
// -- both groups have same role "customer-user" assigned
// -- User login. Role will appear just once in the token (not twice)
@Test
public void testRoleMapperWithRoleInheritedFromMoreGroups() throws Exception {
// Create client-mapper
String clientId = "test-app";
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom.test-app", true, true);
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
protocolMappers.createMapper(Arrays.asList(clientMapper));
// Add user 'level2GroupUser' to the group 'level2Group2'
GroupRepresentation level2Group2 = adminClient.realm("test").getGroupByPath("/topGroup/level2group2");
UserResource level2GroupUser = ApiUtil.findUserByUsernameId(adminClient.realm("test"), "level2GroupUser");
level2GroupUser.joinGroup(level2Group2.getId());
oauth.clientId(clientId);
OAuthClient.AccessTokenResponse response = browserLogin("password", "level2GroupUser", "password");
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
// Verify attribute is filled AND it is filled only once
Map<String, Object> roleMappings = (Map<String, Object>)idToken.getOtherClaims().get("roles-custom");
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder(clientId));
String testAppScopeMappings = (String) roleMappings.get(clientId);
assertRolesString(testAppScopeMappings,
"customer-user" // from assignment to level2group or level2group2. It is filled just once
);
// Revert
level2GroupUser.leaveGroup(level2Group2.getId());
deleteMappers(protocolMappers);
}
@Test
public void testUserGroupRoleToAttributeMappers() throws Exception {
// Add mapper for realm roles