KEYCLOAK-8148 Duplication of listed roles assigned through groups in userinfo endpoint
This commit is contained in:
parent
00f4b54730
commit
3ca386f223
1 changed files with 43 additions and 2 deletions
|
@ -37,6 +37,7 @@ import org.keycloak.representations.AddressClaimSet;
|
||||||
import org.keycloak.representations.IDToken;
|
import org.keycloak.representations.IDToken;
|
||||||
import org.keycloak.representations.idm.ClientRepresentation;
|
import org.keycloak.representations.idm.ClientRepresentation;
|
||||||
import org.keycloak.representations.idm.ClientScopeRepresentation;
|
import org.keycloak.representations.idm.ClientScopeRepresentation;
|
||||||
|
import org.keycloak.representations.idm.GroupRepresentation;
|
||||||
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
|
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
import org.keycloak.representations.idm.UserRepresentation;
|
import org.keycloak.representations.idm.UserRepresentation;
|
||||||
|
@ -105,11 +106,15 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
|
||||||
|
|
||||||
private void deleteMappers(ProtocolMappersResource protocolMappers) {
|
private void deleteMappers(ProtocolMappersResource protocolMappers) {
|
||||||
ProtocolMapperRepresentation mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Realm roles mapper");
|
ProtocolMapperRepresentation mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Realm roles mapper");
|
||||||
|
if (mapper != null) {
|
||||||
protocolMappers.delete(mapper.getId());
|
protocolMappers.delete(mapper.getId());
|
||||||
|
}
|
||||||
|
|
||||||
mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Client roles mapper");
|
mapper = ProtocolMapperUtil.getMapperByNameAndProtocol(protocolMappers, OIDCLoginProtocol.LOGIN_PROTOCOL, "Client roles mapper");
|
||||||
|
if (mapper != null) {
|
||||||
protocolMappers.delete(mapper.getId());
|
protocolMappers.delete(mapper.getId());
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
||||||
|
@ -525,6 +530,42 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// KEYCLOAK-8148 -- Test the scenario where:
|
||||||
|
// -- user is member of 2 groups
|
||||||
|
// -- both groups have same role "customer-user" assigned
|
||||||
|
// -- User login. Role will appear just once in the token (not twice)
|
||||||
|
@Test
|
||||||
|
public void testRoleMapperWithRoleInheritedFromMoreGroups() throws Exception {
|
||||||
|
// Create client-mapper
|
||||||
|
String clientId = "test-app";
|
||||||
|
ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom.test-app", true, true);
|
||||||
|
|
||||||
|
ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
|
||||||
|
protocolMappers.createMapper(Arrays.asList(clientMapper));
|
||||||
|
|
||||||
|
// Add user 'level2GroupUser' to the group 'level2Group2'
|
||||||
|
GroupRepresentation level2Group2 = adminClient.realm("test").getGroupByPath("/topGroup/level2group2");
|
||||||
|
UserResource level2GroupUser = ApiUtil.findUserByUsernameId(adminClient.realm("test"), "level2GroupUser");
|
||||||
|
level2GroupUser.joinGroup(level2Group2.getId());
|
||||||
|
|
||||||
|
oauth.clientId(clientId);
|
||||||
|
OAuthClient.AccessTokenResponse response = browserLogin("password", "level2GroupUser", "password");
|
||||||
|
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
|
||||||
|
|
||||||
|
// Verify attribute is filled AND it is filled only once
|
||||||
|
Map<String, Object> roleMappings = (Map<String, Object>)idToken.getOtherClaims().get("roles-custom");
|
||||||
|
Assert.assertThat(roleMappings.keySet(), containsInAnyOrder(clientId));
|
||||||
|
String testAppScopeMappings = (String) roleMappings.get(clientId);
|
||||||
|
assertRolesString(testAppScopeMappings,
|
||||||
|
"customer-user" // from assignment to level2group or level2group2. It is filled just once
|
||||||
|
);
|
||||||
|
|
||||||
|
// Revert
|
||||||
|
level2GroupUser.leaveGroup(level2Group2.getId());
|
||||||
|
deleteMappers(protocolMappers);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testUserGroupRoleToAttributeMappers() throws Exception {
|
public void testUserGroupRoleToAttributeMappers() throws Exception {
|
||||||
// Add mapper for realm roles
|
// Add mapper for realm roles
|
||||||
|
|
Loading…
Reference in a new issue