libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper

Browse source 
Closes #11394
This commit is contained in:
Takashi Norimatsu 2022-04-22 14:33:14 +09:00 committed by Marek Posolda
parent 06b6e7ed7b
commit 7fa24d247a
11 changed files with 149 additions and 160 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
View file

@ -20,15 +20,10 @@ package org.keycloak.protocol.oidc;
import static org.keycloak.protocol.oidc.OIDCConfigAttributes.USE_LOWER_CASE_IN_TOKEN_RESPONSE;
import org.keycloak.authentication.authenticators.client.X509ClientAuthenticator;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.utils.StringUtil;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
/**
@ -49,14 +44,12 @@ public class OIDCAdvancedConfigWrapper extends AbstractClientConfigWrapper {
}
public Algorithm getUserInfoSignedResponseAlg() {
String alg = getAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
return alg==null ? null : Enum.valueOf(Algorithm.class, alg);
public String getUserInfoSignedResponseAlg() {
return getAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
}
public void setUserInfoSignedResponseAlg(Algorithm alg) {
String algStr = alg==null ? null : alg.toString();
setAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, algStr);
public void setUserInfoSignedResponseAlg(String algorithm) {
setAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, algorithm);
}
public boolean isUserInfoSignatureRequired() {
@ -83,14 +76,12 @@ public class OIDCAdvancedConfigWrapper extends AbstractClientConfigWrapper {
return getUserInfoEncryptedResponseAlg() != null;
}
public Algorithm getRequestObjectSignatureAlg() {
String alg = getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG);
return alg==null ? null : Enum.valueOf(Algorithm.class, alg);
public String getRequestObjectSignatureAlg() {
return getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG);
}
public void setRequestObjectSignatureAlg(Algorithm alg) {
String algStr = alg==null ? null : alg.toString();
setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, algStr);
public void setRequestObjectSignatureAlg(String algorithm) {
setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, algorithm);
}
public void setRequestObjectEncryptionAlg(String algorithm) {

2
services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java
View file

@ -270,7 +270,7 @@ public class UserInfoEndpoint {
}
}
event.detail(Details.SIGNATURE_REQUIRED, "true");
event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg().toString());
event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg());
} else if (cfg.isUserInfoEncryptionRequired()) {
try {
responseBuilder = Response.ok(jweFromContent(JsonSerialization.writeValueAsString(claims), null))

4
services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java
View file

@ -101,10 +101,10 @@ public class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser
throw new RuntimeException("Request object signed algorithm not specified");
}
Algorithm requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel)
String requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel)
.getRequestObjectSignatureAlg();
if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.name().equals(headerAlgorithm)) {
if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.equals(headerAlgorithm)) {
throw new RuntimeException(
"Request object signed with different algorithm than client requested algorithm");
}

10
services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java
View file

@ -133,13 +133,11 @@ public class DescriptionConverter {
OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
if (clientOIDC.getUserinfoSignedResponseAlg() != null) {
Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getUserinfoSignedResponseAlg());
configWrapper.setUserInfoSignedResponseAlg(algorithm);
configWrapper.setUserInfoSignedResponseAlg(clientOIDC.getUserinfoSignedResponseAlg());
}
if (clientOIDC.getRequestObjectSigningAlg() != null) {
Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getRequestObjectSigningAlg());
configWrapper.setRequestObjectSignatureAlg(algorithm);
configWrapper.setRequestObjectSignatureAlg(clientOIDC.getRequestObjectSigningAlg());
}
if (clientOIDC.getUserinfoEncryptedResponseAlg() != null) {
@ -347,7 +345,7 @@ public class DescriptionConverter {
OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
if (config.isUserInfoSignatureRequired()) {
response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg().toString());
response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg());
}
if (config.getUserInfoEncryptedResponseAlg() != null) {
response.setUserinfoEncryptedResponseAlg(config.getUserInfoEncryptedResponseAlg());
@ -356,7 +354,7 @@ public class DescriptionConverter {
response.setUserinfoEncryptedResponseEnc(config.getUserInfoEncryptedResponseEnc());
}
if (config.getRequestObjectSignatureAlg() != null) {
response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg());
}
if (config.getRequestObjectEncryptionAlg() != null) {
response.setRequestObjectEncryptionAlg(config.getRequestObjectEncryptionAlg());

26
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java
View file

@ -79,10 +79,10 @@ import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyType;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
@ -419,17 +419,17 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
private String getKeyAlgorithmFromJwaAlgorithm(String jwaAlgorithm) {
String keyAlg = null;
switch (jwaAlgorithm) {
case org.keycloak.crypto.Algorithm.RS256:
case org.keycloak.crypto.Algorithm.RS384:
case org.keycloak.crypto.Algorithm.RS512:
case org.keycloak.crypto.Algorithm.PS256:
case org.keycloak.crypto.Algorithm.PS384:
case org.keycloak.crypto.Algorithm.PS512:
case Algorithm.RS256:
case Algorithm.RS384:
case Algorithm.RS512:
case Algorithm.PS256:
case Algorithm.PS384:
case Algorithm.PS512:
keyAlg = KeyType.RSA;
break;
case org.keycloak.crypto.Algorithm.ES256:
case org.keycloak.crypto.Algorithm.ES384:
case org.keycloak.crypto.Algorithm.ES512:
case Algorithm.ES256:
case Algorithm.ES384:
case Algorithm.ES512:
keyAlg = KeyType.EC;
break;
default :
@ -556,7 +556,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
return requestObject;
}
protected void registerRequestObject(AuthorizationEndpointRequestObject requestObject, String clientId, Algorithm sigAlg, boolean isUseRequestUri) throws URISyntaxException, IOException {
protected void registerRequestObject(AuthorizationEndpointRequestObject requestObject, String clientId, String sigAlg, boolean isUseRequestUri) throws URISyntaxException, IOException {
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
// Set required signature for request_uri
@ -572,12 +572,12 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
// generate and register client keypair
oidcClientEndpointsResource.generateKeys(sigAlg.name());
oidcClientEndpointsResource.generateKeys(sigAlg);
// register request object
byte[] contentBytes = JsonSerialization.writeValueAsBytes(requestObject);
String encodedRequestObject = Base64Url.encode(contentBytes);
oidcClientEndpointsResource.registerOIDCRequest(encodedRequestObject, sigAlg.name());
oidcClientEndpointsResource.registerOIDCRequest(encodedRequestObject, sigAlg);
if (isUseRequestUri) {
oauth.request(null);

108
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java
View file

@ -55,10 +55,10 @@ import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.Algorithm;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.CibaConfig;
@ -1556,8 +1556,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
clientResource.update(clientRep);
client.generateKeys(org.keycloak.crypto.Algorithm.PS256);
client.registerOIDCRequest(encodedRequestObject, org.keycloak.crypto.Algorithm.PS256);
client.generateKeys(Algorithm.PS256);
client.registerOIDCRequest(encodedRequestObject, Algorithm.PS256);
// do not send any other parameter but the request request parameter
String oidcRequest = client.getOIDCRequest();
@ -1647,7 +1647,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
clientRep.setSecret("secret");
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.none.name());
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, "none");
});
fail();
} catch (ClientPolicyException e) {
@ -1657,48 +1657,48 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
// create by Admin REST API - success
String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.PS256);
clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.PS256);
clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.ES256);
});
// create by Admin REST API - success, PS256 enforced
String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
});
ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
// update by Admin REST API - fail
try {
updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.RS512);
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.RS512);
});
} catch (ClientPolicyException cpe) {
assertEquals(Errors.INVALID_REQUEST, cpe.getError());
}
ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
// update by Admin REST API - success
updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.PS384);
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.PS384);
});
cRep = getClientByAdmin(cAppAdminId);
assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
// update profiles, ES256 enforced
json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen")
.addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256))
createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.ES256))
.toRepresentation()
).toString();
updateProfiles(json);
@ -1712,17 +1712,17 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
client2Rep.getAttributes().remove(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
});
cRep2 = getClientByAdmin(cAppAdmin2Id);
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
// update profiles, fall back to PS256
json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen")
.addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.RS512))
createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.RS512))
.toRepresentation()
).toString();
updateProfiles(json);
@ -1732,7 +1732,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
clientRep.setSecret("secret");
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.RS384);
clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.RS384);
});
fail();
} catch (ClientPolicyException e) {
@ -1741,45 +1741,45 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
// create dynamically - success
String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
clientRep.setUserinfoSignedResponseAlg(org.keycloak.crypto.Algorithm.ES256);
clientRep.setRequestObjectSigningAlg(org.keycloak.crypto.Algorithm.ES256);
clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.PS256);
clientRep.setTokenEndpointAuthSigningAlg(org.keycloak.crypto.Algorithm.PS256);
clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256);
clientRep.setRequestObjectSigningAlg(Algorithm.ES256);
clientRep.setIdTokenSignedResponseAlg(Algorithm.PS256);
clientRep.setTokenEndpointAuthSigningAlg(Algorithm.PS256);
});
events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(Matchers.isEmptyOrNullString()).assertEvent();
// update dynamically - fail
try {
updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.RS256);
clientRep.setIdTokenSignedResponseAlg(Algorithm.RS256);
});
fail();
} catch (ClientRegistrationException e) {
assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
}
assertEquals(org.keycloak.crypto.Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
assertEquals(Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
// update dynamically - success
updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.ES384);
clientRep.setIdTokenSignedResponseAlg(Algorithm.ES384);
});
assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
assertEquals(Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
// create dynamically - success, PS256 enforced
restartAuthenticatedClientRegistrationSetting();
String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
});
OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
// update profiles, enforce ES256
json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen")
.addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID,
createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256))
createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.ES256))
.toRepresentation()
).toString();
updateProfiles(json);
@ -1792,10 +1792,10 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
client2Rep.setTokenEndpointAuthSigningAlg(null);
});
cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
}
@Test
@ -2086,7 +2086,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
clientRep.setSecret("secret");
clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.ES256);
});
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleAlphaName).build());
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleCommonName).build());
@ -2095,11 +2095,11 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId);
ClientRepresentation clientRep = clientResource.toRepresentation();
KeyPair keyPair = setupJwksUrl(org.keycloak.crypto.Algorithm.ES256, clientRep, clientResource);
KeyPair keyPair = setupJwksUrl(Algorithm.ES256, clientRep, clientResource);
PublicKey publicKey = keyPair.getPublic();
PrivateKey privateKey = keyPair.getPrivate();
String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
oauth.clientId(clientId);
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
@ -2123,27 +2123,27 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
.assertEvent();
// refresh token
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
OAuthClient.AccessTokenResponse refreshedResponse = doRefreshTokenRequestWithSignedJWT(response.getRefreshToken(), signedJwt);
assertEquals(200, refreshedResponse.getStatusCode());
// introspect token
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
HttpResponse tokenIntrospectionResponse = doTokenIntrospectionWithSignedJWT("access_token", refreshedResponse.getAccessToken(), signedJwt);
assertEquals(200, tokenIntrospectionResponse.getStatusLine().getStatusCode());
// revoke token
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
HttpResponse revokeTokenResponse = doTokenRevokeWithSignedJWT("refresh_toke", refreshedResponse.getRefreshToken(), signedJwt);
assertEquals(200, revokeTokenResponse.getStatusLine().getStatusCode());
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
OAuthClient.AccessTokenResponse tokenRes = doRefreshTokenRequestWithSignedJWT(refreshedResponse.getRefreshToken(), signedJwt);
assertEquals(400, tokenRes.getStatusCode());
assertEquals(OAuthErrorException.INVALID_GRANT, tokenRes.getError());
// logout
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256);
signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256);
HttpResponse logoutResponse = doLogoutWithSignedJWT(refreshedResponse.getRefreshToken(), signedJwt);
assertEquals(204, logoutResponse.getStatusLine().getStatusCode());
}
@ -2177,7 +2177,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
clientRep.setSecret("secret");
clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
clientRep.setAttributes(new HashMap<>());
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS256);
clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.RS256);
});
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleAlphaName).build());
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleCommonName).build());
@ -2185,11 +2185,11 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId);
ClientRepresentation clientRep = clientResource.toRepresentation();
KeyPair keyPair = setupJwksUrl(org.keycloak.crypto.Algorithm.RS256, clientRep, clientResource);
KeyPair keyPair = setupJwksUrl(Algorithm.RS256, clientRep, clientResource);
PublicKey publicKey = keyPair.getPublic();
PrivateKey privateKey = keyPair.getPrivate();
String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.RS256);
String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.RS256);
oauth.clientId(clientId);
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);

16
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java
View file

@ -434,7 +434,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertTrue(clientConfig.isUseMtlsHokToken());
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
Assert.assertFalse(client.isFullScopeAllowed());
}
@ -497,7 +497,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
ClientRepresentation client = getClientByAdmin(clientUUID);
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
// Test default algorithms set everywhere
clientUUID = createClientByAdmin("client-jwt-default-alg", (ClientRepresentation clientRep) -> {
@ -507,7 +507,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg());
Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
@ -541,14 +541,14 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
// Create request without 'nbf' . Should fail in FAPI1 advanced client policy
TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo");
requestObject.nbf(null);
registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
oauth.openLoginForm();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST_URI,false, "Missing parameter in the 'request' object: nbf");
// Create valid request object - more extensive testing of 'request' object is in ClientPoliciesTest.testSecureRequestObjectExecutor()
requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo");
requestObject.setNonce("123456"); // Nonce from method "checkNonceAndStateForCurrentClientDuringLogin()"
registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
// Check response type
oauth.openLoginForm();
@ -557,14 +557,14 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
// Add the response_Type including token. Should fail
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
oauth.openLoginForm();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,true, "invalid response_type");
// Set correct response_type for FAPI 1 Advanced
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
oauth.openLoginForm();
loginPage.assertCurrent();
@ -637,7 +637,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
requestObject.setNonce("123456"); // Nonce from method "checkNonceAndStateForCurrentClientDuringLogin()"
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
oauth.openLoginForm();
loginPage.assertCurrent();

6
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPICIBATest.java
View file

@ -209,7 +209,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertTrue(clientConfig.isUseMtlsHokToken());
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
Assert.assertFalse(client.isFullScopeAllowed());
}
@ -241,7 +241,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
ClientRepresentation client = getClientByAdmin(clientUUID);
OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
Assert.assertEquals(Algorithm.ES256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
// Test default algorithms set everywhere
@ -252,7 +252,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString());
Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg());
Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));

34
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
View file

@ -28,9 +28,9 @@ import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.common.util.CollectionUtil;
import org.keycloak.crypto.Algorithm;
import org.keycloak.events.Errors;
import org.keycloak.jose.jwe.JWEConstants;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.Constants;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
@ -222,12 +222,12 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
OIDCClientRepresentation response = null;
try {
clientRep = createRep();
clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256.toString());
clientRep.setRequestObjectSigningAlg(Algorithm.ES256.toString());
clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256);
clientRep.setRequestObjectSigningAlg(Algorithm.ES256);
response = reg.oidc().create(clientRep);
Assert.assertEquals(Algorithm.ES256.toString(), response.getUserinfoSignedResponseAlg());
Assert.assertEquals(Algorithm.ES256.toString(), response.getRequestObjectSigningAlg());
Assert.assertEquals(Algorithm.ES256, response.getUserinfoSignedResponseAlg());
Assert.assertEquals(Algorithm.ES256, response.getRequestObjectSigningAlg());
Assert.assertNotNull(response.getClientSecret());
// Test Keycloak representation
@ -237,11 +237,11 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
Assert.assertEquals(config.getRequestObjectSignatureAlg(), Algorithm.ES256);
// update (ES256 to PS256)
clientRep.setUserinfoSignedResponseAlg(Algorithm.PS256.toString());
clientRep.setRequestObjectSigningAlg(Algorithm.PS256.toString());
clientRep.setUserinfoSignedResponseAlg(Algorithm.PS256);
clientRep.setRequestObjectSigningAlg(Algorithm.PS256);
response = reg.oidc().create(clientRep);
Assert.assertEquals(Algorithm.PS256.toString(), response.getUserinfoSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256.toString(), response.getRequestObjectSigningAlg());
Assert.assertEquals(Algorithm.PS256, response.getUserinfoSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, response.getRequestObjectSigningAlg());
// keycloak representation
kcClient = getClient(response.getClientId());
@ -250,8 +250,8 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
Assert.assertEquals(config.getRequestObjectSignatureAlg(), Algorithm.PS256);
} finally {
// back to RS256 for other tests
clientRep.setUserinfoSignedResponseAlg(Algorithm.RS256.toString());
clientRep.setRequestObjectSigningAlg(Algorithm.RS256.toString());
clientRep.setUserinfoSignedResponseAlg(Algorithm.RS256);
clientRep.setRequestObjectSigningAlg(Algorithm.RS256);
response = reg.oidc().create(clientRep);
}
}
@ -422,14 +422,14 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
OIDCClientRepresentation updated = null;
try {
OIDCClientRepresentation clientRep = createRep();
clientRep.setTokenEndpointAuthSigningAlg(Algorithm.ES256.toString());
clientRep.setTokenEndpointAuthSigningAlg(Algorithm.ES256);
response = reg.oidc().create(clientRep);
Assert.assertEquals(Algorithm.ES256.toString(), response.getTokenEndpointAuthSigningAlg());
Assert.assertEquals(Algorithm.ES256, response.getTokenEndpointAuthSigningAlg());
ClientRepresentation kcClient = getClient(response.getClientId());
OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
Assert.assertEquals(Algorithm.ES256.toString(), config.getTokenEndpointAuthSigningAlg());
Assert.assertEquals(Algorithm.ES256, config.getTokenEndpointAuthSigningAlg());
reg.auth(Auth.token(response));
response.setTokenEndpointAuthSigningAlg(null);
@ -453,14 +453,14 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
OIDCClientRepresentation updated = null;
try {
OIDCClientRepresentation clientRep = createRep();
clientRep.setAuthorizationSignedResponseAlg(Algorithm.PS256.toString());
clientRep.setAuthorizationSignedResponseAlg(Algorithm.PS256);
response = reg.oidc().create(clientRep);
Assert.assertEquals(Algorithm.PS256.toString(), response.getAuthorizationSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, response.getAuthorizationSignedResponseAlg());
ClientRepresentation kcClient = getClient(response.getClientId());
OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
Assert.assertEquals(Algorithm.PS256.toString(), config.getAuthorizationSignedResponseAlg());
Assert.assertEquals(Algorithm.PS256, config.getAuthorizationSignedResponseAlg());
reg.auth(Auth.token(response));
response.setAuthorizationSignedResponseAlg(null);

54
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
View file

@ -36,6 +36,7 @@ import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyUse;
import org.keycloak.events.Details;
import org.keycloak.events.EventType;
@ -45,7 +46,6 @@ import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.keys.Attributes;
import org.keycloak.keys.KeyProvider;
@ -527,7 +527,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@ -549,7 +549,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@ -591,7 +591,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@ -617,7 +617,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@ -663,7 +663,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@ -689,7 +689,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "none");
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@ -734,7 +734,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "none");
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@ -759,7 +759,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Set up a request object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@ -782,7 +782,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
// Send request object with invalid redirect uri.
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "none");
String requestStr = oidcClientEndpointsResource.getOIDCRequest();
oauth.request(requestStr);
@ -792,7 +792,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Assert the value from request object has bigger priority then from the query parameter.
oauth.redirectUri("http://invalid");
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate2", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate2", "none");
requestStr = oidcClientEndpointsResource.getOIDCRequest();
oauth.request(requestStr);
@ -808,7 +808,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
// Send request object with invalid redirect uri.
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "mystate1", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "mystate1", "none");
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
oauth.openLoginForm();
@ -817,7 +817,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Assert the value from request object has bigger priority then from the query parameter.
oauth.redirectUri("http://invalid");
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", "none");
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
@ -829,7 +829,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
public void requestUriParamWithAllowedRequestUris() throws Exception {
String validRedirectUri = oauth.getRedirectUri();
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", "none");
ClientManager.ClientManagerBuilder clientMgrBuilder = ClientManager.realm(adminClient.realm("test")).clientId("test-app");
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@ -902,7 +902,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
clientResource.update(clientRep);
// Verify unsigned request_uri will fail
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", Algorithm.none.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "none");
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
oauth.openLoginForm();
Assert.assertTrue(errorPage.isCurrent());
@ -912,7 +912,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
String clientPublicKeyPem = oidcClientEndpointsResource.generateKeys("RS256").get(TestingOIDCEndpointsApplicationResource.PUBLIC_KEY);
// Verify signed request_uri will fail due to failed signature validation
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", Algorithm.RS256.toString());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", Algorithm.RS256);
oauth.openLoginForm();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -939,7 +939,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
clientResource.update(clientRep);
}
private void requestUriParamSignedIn(Algorithm expectedAlgorithm, Algorithm actualAlgorithm) throws Exception {
private void requestUriParamSignedIn(String expectedAlgorithm, String actualAlgorithm) throws Exception {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
@ -953,10 +953,10 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
clientResource.update(clientRep);
// generate and register client keypair
if (Algorithm.none != actualAlgorithm) oidcClientEndpointsResource.generateKeys(actualAlgorithm.name());
if ("none" != actualAlgorithm) oidcClientEndpointsResource.generateKeys(actualAlgorithm);
// register request object
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", actualAlgorithm.name());
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", actualAlgorithm);
// use and set jwks_url
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
@ -970,7 +970,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
setTimeOffset(20);
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
if (expectedAlgorithm == null || expectedAlgorithm == actualAlgorithm) {
if (expectedAlgorithm == null || expectedAlgorithm.equals(actualAlgorithm)) {
// Check signed request_uri will pass
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
@ -1002,13 +1002,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestUriParamSignedExpectedNoneActualES256() throws Exception {
// will fail
requestUriParamSignedIn(Algorithm.none, Algorithm.ES256);
requestUriParamSignedIn("none", Algorithm.ES256);
}
@Test
public void requestUriParamSignedExpectedNoneActualNone() throws Exception {
// will success
requestUriParamSignedIn(Algorithm.none, Algorithm.none);
requestUriParamSignedIn("none", "none");
}
@Test
@ -1371,7 +1371,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
if (keyId == null) {
KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils
.getActiveEncKey(testRealm().keys().getKeyMetadata(),
org.keycloak.crypto.Algorithm.PS256);
Algorithm.PS256);
keyId = encKey.getKid();
}
@ -1400,7 +1400,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void testRealmPublicKeyEncryptedRequestObjectUsingKid() throws Exception {
KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(),
org.keycloak.crypto.Algorithm.RS256);
Algorithm.RS256);
JWEHeader jweHeader = new JWEHeader(RSA_OAEP, JWEConstants.A128CBC_HS256, null, encKey.getKid());
assertRequestObjectEncryption(jweHeader);
}
@ -1426,8 +1426,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
clientResource.update(clientRep);
client.generateKeys(org.keycloak.crypto.Algorithm.RS256);
client.registerOIDCRequest(encodedRequestObject, org.keycloak.crypto.Algorithm.RS256);
client.generateKeys(Algorithm.RS256);
client.registerOIDCRequest(encodedRequestObject, Algorithm.RS256);
String oidcRequest = client.getOIDCRequest();
return oidcRequest;
@ -1457,7 +1457,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
if (keyId == null) {
KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(),
org.keycloak.crypto.Algorithm.PS256);
Algorithm.PS256);
keyId = encKey.getKid();
}

24
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
View file

@ -34,6 +34,7 @@ import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.AesCbcHmacShaContentEncryptionProvider;
import org.keycloak.crypto.AesGcmContentEncryptionProvider;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.RsaCekManagementProvider;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
@ -44,7 +45,6 @@ import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
@ -265,27 +265,27 @@ public class UserInfoTest extends AbstractKeycloakTest {
@Test
public void testSuccessEncryptedResponseSigAlgPS384AlgRSA_OAEPEncA256GCM() throws Exception {
testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.PS384, JWEConstants.RSA_OAEP, JWEConstants.A256GCM);
testUserInfoSignatureAndEncryption(Algorithm.PS384, JWEConstants.RSA_OAEP, JWEConstants.A256GCM);
}
@Test
public void testSuccessEncryptedResponseSigAlgRS256AlgRSA_OAEP256EncA192CBC_HS384() throws Exception {
testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.RS256, JWEConstants.RSA_OAEP_256, JWEConstants.A192CBC_HS384);
testUserInfoSignatureAndEncryption(Algorithm.RS256, JWEConstants.RSA_OAEP_256, JWEConstants.A192CBC_HS384);
}
@Test
public void testSuccessEncryptedResponseSigAlgES512AlgRSA1_5EncDefault() throws Exception {
testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.ES512, JWEConstants.RSA1_5, null);
testUserInfoSignatureAndEncryption(Algorithm.ES512, JWEConstants.RSA1_5, null);
}
@Test
public void testSuccessEncryptedResponseSigAlgES384AlgRSA_OAEPEncA128GCM() throws Exception {
testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.ES384, JWEConstants.RSA_OAEP, JWEConstants.A128GCM);
testUserInfoSignatureAndEncryption(Algorithm.ES384, JWEConstants.RSA_OAEP, JWEConstants.A128GCM);
}
@Test
public void testSuccessEncryptedResponseSigAlgPS256AlgRSA_OAEP256EncA256CBC_HS512() throws Exception {
testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.PS256, JWEConstants.RSA_OAEP_256, JWEConstants.A256CBC_HS512);
testUserInfoSignatureAndEncryption(Algorithm.PS256, JWEConstants.RSA_OAEP_256, JWEConstants.A256CBC_HS512);
}
@Test
@ -305,7 +305,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
clientRep = clientResource.toRepresentation();
// set UserInfo response signature algorithm and encryption algorithms
if(sigAlgorithm != null) {
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(Enum.valueOf(Algorithm.class, sigAlgorithm));
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(sigAlgorithm);
}
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoEncryptedResponseAlg(algAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoEncryptedResponseEnc(encAlgorithm);
@ -440,7 +440,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
.detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN)
.detail(Details.USERNAME, "test-user@localhost")
.detail(Details.SIGNATURE_REQUIRED, "true")
.detail(Details.SIGNATURE_ALGORITHM, Algorithm.RS256.toString())
.detail(Details.SIGNATURE_ALGORITHM, Algorithm.RS256)
.assertEvent();
// Check signature and content
@ -808,7 +808,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
return UserInfoClientUtil.testSuccessfulUserInfoResponse(response, "test-user@localhost", "test-user@localhost");
}
private void testSuccessSignedResponse(Algorithm sigAlg) throws Exception {
private void testSuccessSignedResponse(String sigAlg) throws Exception {
try {
// Require signed userInfo request
@ -830,7 +830,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
.detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN)
.detail(Details.USERNAME, "test-user@localhost")
.detail(Details.SIGNATURE_REQUIRED, "true")
.detail(Details.SIGNATURE_ALGORITHM, sigAlg.toString())
.detail(Details.SIGNATURE_ALGORITHM, sigAlg)
.assertEvent();
Assert.assertEquals(200, response.getStatus());
@ -840,7 +840,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
JWSInput jwsInput = new JWSInput(signedResponse);
assertEquals(sigAlg.toString(), jwsInput.getHeader().getAlgorithm().name());
assertEquals(sigAlg, jwsInput.getHeader().getAlgorithm().name());
UserInfo userInfo = JsonSerialization.readValue(jwsInput.getContent(), UserInfo.class);
@ -861,7 +861,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(null);
clientResource.update(clientRep);
} finally {
TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, org.keycloak.crypto.Algorithm.RS256);
TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.RS256);
}
}