[KEYCLOAK-10808] - Do not show authorization tab when client is not confidential
This commit is contained in:
parent
fc9a0e1766
commit
5f5cb6cb7b
8 changed files with 41 additions and 14 deletions
|
@ -2634,6 +2634,9 @@ public class RepresentationToModel {
|
|||
}
|
||||
|
||||
public static ResourceServer createResourceServer(ClientModel client, KeycloakSession session, boolean addDefaultRoles) {
|
||||
if (client.isBearerOnly() || client.isPublicClient()) {
|
||||
throw new RuntimeException("Only confidential clients are allowed to set authorization settings");
|
||||
}
|
||||
AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
|
||||
UserModel serviceAccount = session.users().getServiceAccount(client);
|
||||
|
||||
|
|
|
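Review bot: The guard added at line 20 throws a bare `RuntimeException`, which the admin REST layer will most likely surface as a 500 rather than a 4xx that tells the caller why the request was refused; `IllegalArgumentException`, or whichever domain exception ClientResource already maps to an error response, would make the rejection explicit, and the same applies to the call site in ResourceServerService at line 46, which does not translate it either. The check is placed correctly: it consults the persisted `ClientModel` rather than the incoming representation, so it also covers partial updates that omit `bearerOnly`/`publicClient`, and it is the only place in this commit where the invariant is actually enforced (the console change only hides the toggle). A one-line comment saying so, `// server-side enforcement: the console merely hides the option for non-confidential clients`, would stop a later cleanup from treating it as redundant. createResourceServer's body continues past the hunk.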
@ -86,10 +86,9 @@ public class ResourceServerService {
|
|||
if (this.resourceServer == null) {
|
||||
this.resourceServer = RepresentationToModel.createResourceServer(client, session, true);
|
||||
createDefaultPermission(createDefaultResource(), createDefaultPolicy());
|
||||
audit(OperationType.CREATE, session.getContext().getUri(), newClient);
|
||||
}
|
||||
|
||||
audit(OperationType.CREATE, session.getContext().getUri(), newClient);
|
||||
|
||||
return resourceServer;
|
||||
}
|
||||
|
||||
|
|
|
@ -152,7 +152,6 @@ public class ClientResource {
|
|||
try {
|
||||
updateClientFromRep(rep, client, session);
|
||||
adminEvent.operation(OperationType.UPDATE).resourcePath(session.getContext().getUri()).representation(rep).success();
|
||||
updateAuthorizationSettings(rep);
|
||||
return Response.noContent().build();
|
||||
} catch (ModelDuplicateException e) {
|
||||
return ErrorResponse.exists("Client " + rep.getClientId() + " already exists");
|
||||
|
@ -685,7 +684,12 @@ public class ClientResource {
|
|||
auth.clients().requireManage(client);
|
||||
}
|
||||
|
||||
if ((rep.isBearerOnly() != null && rep.isBearerOnly()) || (rep.isPublicClient() != null && rep.isPublicClient())) {
|
||||
rep.setAuthorizationServicesEnabled(false);
|
||||
}
|
||||
|
||||
RepresentationToModel.updateClient(rep, client);
|
||||
updateAuthorizationSettings(rep);
|
||||
}
|
||||
|
||||
private void updateAuthorizationSettings(ClientRepresentation rep) {
|
||||
|
|
|
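Review bot: The new guard at line 112 (inside a method whose signature is outside the hunk) inspects only the incoming representation, so a PUT that omits `bearerOnly`/`publicClient` but sends `authorizationServicesEnabled=true` for a client that is already bearer-only or public passes it unchanged; whether that is caught afterwards depends on `updateAuthorizationSettings` reaching the `ClientModel` check in RepresentationToModel.createResourceServer, which is not visible here. Evaluating the condition against the merged state after `RepresentationToModel.updateClient(rep, client)`, e.g. `if (client.isBearerOnly() || client.isPublicClient()) { rep.setAuthorizationServicesEnabled(false); }`, closes that gap without depending on what the caller chose to send. Silently flipping the flag to false also hides a misconfiguration from the admin; answering with a 400 via `ErrorResponse` (already used at line 97) would fail loudly instead. As a point of style, the null-safe checks read more simply as `Boolean.TRUE.equals(rep.isBearerOnly()) || Boolean.TRUE.equals(rep.isPublicClient())`.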
@ -101,9 +101,9 @@ public abstract class AbstractClientTest extends AbstractAuthTest {
|
|||
return createClient(clientRep);
|
||||
}
|
||||
|
||||
protected String createOidcBearerOnlyClientWithAuthz(String name) {
|
||||
protected String createOidcConfidentialClientWithAuthz(String name) {
|
||||
ClientRepresentation clientRep = createOidcClientRep(name);
|
||||
clientRep.setBearerOnly(Boolean.TRUE);
|
||||
clientRep.setBearerOnly(Boolean.FALSE);
|
||||
clientRep.setPublicClient(Boolean.FALSE);
|
||||
clientRep.setAuthorizationServicesEnabled(Boolean.TRUE);
|
||||
clientRep.setServiceAccountsEnabled(Boolean.TRUE);
|
||||
|
|
|
@ -138,15 +138,16 @@ public class InstallationTest extends AbstractClientTest {
|
|||
|
||||
@Test
|
||||
public void testOidcBearerOnlyWithAuthzJson() {
|
||||
oidcBearerOnlyClientWithAuthzId = createOidcBearerOnlyClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
|
||||
oidcBearerOnlyClientWithAuthzId = createOidcConfidentialClientWithAuthz(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
|
||||
oidcBearerOnlyClientWithAuthz = findClientResource(OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME);
|
||||
|
||||
String json = oidcBearerOnlyClientWithAuthz.getInstallationProvider("keycloak-oidc-keycloak-json");
|
||||
assertOidcInstallationConfig(json);
|
||||
assertThat(json, containsString("bearer-only"));
|
||||
assertThat(json, not(containsString("bearer-only")));
|
||||
assertThat(json, not(containsString("public-client")));
|
||||
assertThat(json, containsString("credentials"));
|
||||
assertThat(json, containsString("secret"));
|
||||
assertThat(json, containsString("policy-enforcer"));
|
||||
|
||||
removeClient(oidcBearerOnlyClientWithAuthzId);
|
||||
}
|
||||
|
|
|
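Review bot: After the change at line 192 the client under test is confidential, but the test method `testOidcBearerOnlyWithAuthzJson`, the field `oidcBearerOnlyClientWithAuthz` and the constant `OIDC_NAME_BEARER_ONLY_WITH_AUTHZ_NAME` still say bearer-only, and the assertion at line 209 now asserts the opposite of what those names promise; renaming them to `...ConfidentialWithAuthz...` keeps the intent readable. With the rename the suite also loses its only bearer-only-plus-authorization case: a small test that creates a bearer-only client with `authorizationServicesEnabled=true` and asserts that the admin API rejects it (or reports the flag as false) would pin the server-side behaviour this commit relies on rather than only the happy path.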
@ -22,12 +22,11 @@ import static org.keycloak.testsuite.auth.page.login.Login.OIDC;
|
|||
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.testsuite.ProfileAssume;
|
||||
import org.keycloak.testsuite.console.clients.AbstractClientTest;
|
||||
import org.keycloak.testsuite.console.page.clients.authorization.Authorization;
|
||||
import org.keycloak.testsuite.console.page.clients.settings.ClientSettings;
|
||||
import org.keycloak.testsuite.console.page.clients.settings.ClientSettingsForm;
|
||||
import org.openqa.selenium.By;
|
||||
|
||||
/**
|
||||
|
@ -56,6 +55,7 @@ public abstract class AbstractAuthorizationSettingsTest extends AbstractClientTe
|
|||
newClient.setRedirectUris(TEST_REDIRECT_URIs);
|
||||
newClient.setAuthorizationServicesEnabled(true);
|
||||
|
||||
clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.CONFIDENTIAL);
|
||||
clientSettingsPage.form().setRedirectUris(TEST_REDIRECT_URIs);
|
||||
clientSettingsPage.form().setAuthorizationSettingsEnabled(true);
|
||||
clientSettingsPage.form().save();
|
||||
|
|
|
@ -17,15 +17,12 @@
|
|||
package org.keycloak.testsuite.console.authorization;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.AuthorizationResource;
|
||||
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
|
@ -34,6 +31,8 @@ import org.keycloak.testsuite.console.page.clients.authorization.permission.Perm
|
|||
import org.keycloak.testsuite.console.page.clients.authorization.policy.Policies;
|
||||
import org.keycloak.testsuite.console.page.clients.authorization.resource.Resources;
|
||||
import org.keycloak.testsuite.console.page.clients.authorization.scope.Scopes;
|
||||
import org.keycloak.testsuite.console.page.clients.settings.ClientSettingsForm;
|
||||
import org.openqa.selenium.By;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
|
@ -51,6 +50,27 @@ public class DefaultAuthorizationSettingsTest extends AbstractAuthorizationSetti
|
|||
assertDefaultSettings();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testNotAvailableForNonConfidentialClients() {
|
||||
clientSettingsPage.navigateTo();
|
||||
clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.BEARER_ONLY);
|
||||
clientSettingsPage.form().save();
|
||||
assertAlertSuccess();
|
||||
assertTrue(driver.findElements(By.linkText("Authorization")).isEmpty());
|
||||
assertFalse(driver.findElements(By.xpath(".//div[@class='onoffswitch' and ./input[@id='authorizationServicesEnabled']]")).get(0).isDisplayed());
|
||||
clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.PUBLIC);
|
||||
clientSettingsPage.form().save();
|
||||
assertAlertSuccess();
|
||||
assertTrue(driver.findElements(By.linkText("Authorization")).isEmpty());
|
||||
assertFalse(driver.findElements(By.xpath(".//div[@class='onoffswitch' and ./input[@id='authorizationServicesEnabled']]")).get(0).isDisplayed());
|
||||
clientSettingsPage.navigateTo();
|
||||
clientSettingsPage.form().setAccessType(ClientSettingsForm.OidcAccessType.CONFIDENTIAL);
|
||||
clientSettingsPage.form().setAuthorizationSettingsEnabled(true);
|
||||
clientSettingsPage.form().save();
|
||||
authorizationPage.navigateTo();
|
||||
assertDefaultSettings();
|
||||
}
|
||||
|
||||
private void assertDefaultSettings() {
|
||||
AuthorizationSettingsForm settings = authorizationPage.settings();
|
||||
|
||||
|
|
|
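Review bot: `driver.findElements(...).get(0)` at lines 410 and 425 throws `IndexOutOfBoundsException` when the switch is absent from the DOM, which reports the test as an error instead of a readable assertion failure; since `ng-show` only hides the element the lookup presumably finds it, but `List<WebElement> switches = driver.findElements(AUTHZ_SWITCH); assertTrue(switches.isEmpty() || !switches.get(0).isDisplayed());` makes either outcome a pass with a clear message (WebElement would need importing). The XPath literal and the `By.linkText("Authorization")` lookup are each repeated; hoisting them into `private static final By` fields in the class removes the duplication. The test exercises only the console hiding the tab and the toggle, so a short comment such as `// UI-only check; server-side enforcement lives in RepresentationToModel.createResourceServer` tells the next reader where the actual control is.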
@ -132,7 +132,7 @@
|
|||
<input ng-model="clientEdit.serviceAccountsEnabled" name="serviceAccountsEnabled" id="serviceAccountsEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
|
||||
</div>
|
||||
</div>
|
||||
<div class="form-group" data-ng-show="protocol == 'openid-connect'">
|
||||
<div class="form-group" data-ng-show="protocol == 'openid-connect' && !clientEdit.publicClient && !clientEdit.bearerOnly">
|
||||
<label class="col-md-2 control-label" for="authorizationServicesEnabled">{{:: 'authz-authorization-services-enabled' | translate}}</label>
|
||||
<kc-tooltip>{{:: 'authz-authorization-services-enabled.tooltip' | translate}}</kc-tooltip>
|
||||
<div class="col-md-6">
|
||||
|
|
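Review bot: The new `data-ng-show` condition at line 477 only hides the toggle; `clientEdit.authorizationServicesEnabled` stays in the model, so an admin who enabled authorization and then switches the access type to public or bearer-only in the same edit still submits `authorizationServicesEnabled=true`, and it is the server-side reset in ClientResource, not this template, that neutralises it. If the controller is meant to mirror that, resetting the flag when `publicClient`/`bearerOnly` changes would keep what the form shows consistent with what it sends; the controller is not part of this diff, so that is something to confirm rather than a defect seen here. A comment above the block, `<!-- hidden for public/bearer-only clients; the REST layer also forces the flag off -->`, would record that the hiding is cosmetic.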