diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java index 53d8296ef0..6c32895ee2 100644 --- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java @@ -20,15 +20,10 @@ package org.keycloak.protocol.oidc; import static org.keycloak.protocol.oidc.OIDCConfigAttributes.USE_LOWER_CASE_IN_TOKEN_RESPONSE; import org.keycloak.authentication.authenticators.client.X509ClientAuthenticator; -import org.keycloak.jose.jws.Algorithm; import org.keycloak.models.ClientModel; -import org.keycloak.models.Constants; import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.utils.StringUtil; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; import java.util.List; /** @@ -49,14 +44,12 @@ public class OIDCAdvancedConfigWrapper extends AbstractClientConfigWrapper { } - public Algorithm getUserInfoSignedResponseAlg() { - String alg = getAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG); - return alg==null ? null : Enum.valueOf(Algorithm.class, alg); + public String getUserInfoSignedResponseAlg() { + return getAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG); } - public void setUserInfoSignedResponseAlg(Algorithm alg) { - String algStr = alg==null ? null : alg.toString(); - setAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, algStr); + public void setUserInfoSignedResponseAlg(String algorithm) { + setAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, algorithm); } public boolean isUserInfoSignatureRequired() { 
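Review bot: Replacing `Enum.valueOf` with a plain pass-through removes the only validation these two accessors performed, so `setUserInfoSignedResponseAlg` now persists any string (empty, wrong case, an unknown JWA name) and `getUserInfoSignedResponseAlg` hands it straight to callers such as the `event.detail` call in UserInfoEndpoint. Since `StringUtil` is already imported in this file, the getter could at least normalise a blank attribute to "not configured": `String alg = getAttribute(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG); return StringUtil.isBlank(alg) ? null : alg;` — this matters if `isUserInfoSignatureRequired()`, whose body is outside the hunk, is a null check on this getter, because a blank value would then demand a signed response with no usable algorithm. If validation is deliberately left to client-policy executors or admin-side checks, a one-line Javadoc on the setter stating that it stores the JWA `alg` name verbatim without validating it would make that contract explicit for the next caller.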
@@ -83,14 +76,12 @@ public class OIDCAdvancedConfigWrapper extends AbstractClientConfigWrapper { return getUserInfoEncryptedResponseAlg() != null; } - public Algorithm getRequestObjectSignatureAlg() { - String alg = getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG); - return alg==null ? null : Enum.valueOf(Algorithm.class, alg); + public String getRequestObjectSignatureAlg() { + return getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG); } - public void setRequestObjectSignatureAlg(Algorithm alg) { - String algStr = alg==null ? null : alg.toString(); - setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, algStr); + public void setRequestObjectSignatureAlg(String algorithm) { + setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, algorithm); } public void setRequestObjectEncryptionAlg(String algorithm) { diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java index 2de14f72de..3f48bc7a70 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java @@ -270,7 +270,7 @@ public class UserInfoEndpoint { } } event.detail(Details.SIGNATURE_REQUIRED, "true"); - event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg().toString()); + event.detail(Details.SIGNATURE_ALGORITHM, cfg.getUserInfoSignedResponseAlg()); } else if (cfg.isUserInfoEncryptionRequired()) { try { responseBuilder = Response.ok(jweFromContent(JsonSerialization.writeValueAsString(claims), null)) diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java index 231e14b239..ef0db1d299 100644 
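Review bot: `getRequestObjectSignatureAlg()` now feeds a straight `equals` against the JWS header in AuthzEndpointRequestObjectParser, so an attribute stored as an empty string (no longer rejected by `Enum.valueOf`) would be non-null and reject every request object for that client with a generic error instead of being treated as "not configured". Normalising blank to null in the getter, `String alg = getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG); return StringUtil.isBlank(alg) ? null : alg;`, keeps the old semantics with the `StringUtil` helper this file already imports; whether callers can actually store an empty value is not visible here, so confirm against the admin representation before relying on it. The `isUserInfoEncryptionRequired` and `setRequestObjectEncryptionAlg` context lines suggest the encryption accessors already follow the nullable-String convention, so documenting the same rule on both signature accessors would keep them consistent.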
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java @@ -101,10 +101,10 @@ public class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser throw new RuntimeException("Request object signed algorithm not specified"); } - Algorithm requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel) + String requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel) .getRequestObjectSignatureAlg(); - if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.name().equals(headerAlgorithm)) { + if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.equals(headerAlgorithm)) { throw new RuntimeException( "Request object signed with different algorithm than client requested algorithm"); } diff --git a/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java b/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java index cf894c7332..19529bb752 100755 --- a/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java +++ b/services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java 
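Review bot: The `requestedSignatureAlgorithm != null` guard means a client with no pinned algorithm gets no comparison at all, and the `alg` taken from the untrusted JWS header is accepted as-is by this check; nothing in the hunk rejects `none`, so whether an unsigned request object is refused depends on code outside the hunk (the enclosing method starts and ends beyond it). Because that is a security decision rather than an oversight, it deserves a comment above the guard so it is not silently tightened or loosened later, e.g. `// No request_object_signing_alg pinned for this client: the header alg is not checked here, so unsigned ("none") objects must be rejected by the verification step if they are not allowed`. If unsigned objects are in fact never meant to be accepted, an explicit `if ("none".equals(headerAlgorithm)) throw new RuntimeException("Request object must be signed");` before the comparison would make that independent of per-client configuration.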
@@ -133,13 +133,11 @@ public class DescriptionConverter { OIDCAdvancedConfigWrapper configWrapper = OIDCAdvancedConfigWrapper.fromClientRepresentation(client); if (clientOIDC.getUserinfoSignedResponseAlg() != null) { - Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getUserinfoSignedResponseAlg()); - configWrapper.setUserInfoSignedResponseAlg(algorithm); + configWrapper.setUserInfoSignedResponseAlg(clientOIDC.getUserinfoSignedResponseAlg()); } if (clientOIDC.getRequestObjectSigningAlg() != null) { - Algorithm algorithm = Enum.valueOf(Algorithm.class, clientOIDC.getRequestObjectSigningAlg()); - configWrapper.setRequestObjectSignatureAlg(algorithm); + configWrapper.setRequestObjectSignatureAlg(clientOIDC.getRequestObjectSigningAlg()); } if (clientOIDC.getUserinfoEncryptedResponseAlg() != null) { @@ -347,7 +345,7 @@ public class DescriptionConverter { OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(client); if (config.isUserInfoSignatureRequired()) { - response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg().toString()); + response.setUserinfoSignedResponseAlg(config.getUserInfoSignedResponseAlg()); } if (config.getUserInfoEncryptedResponseAlg() != null) { response.setUserinfoEncryptedResponseAlg(config.getUserInfoEncryptedResponseAlg()); @@ -356,7 +354,7 @@ public class DescriptionConverter { response.setUserinfoEncryptedResponseEnc(config.getUserInfoEncryptedResponseEnc()); } if (config.getRequestObjectSignatureAlg() != null) { - response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString()); + response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg()); } if (config.getRequestObjectEncryptionAlg() != null) { response.setRequestObjectEncryptionAlg(config.getRequestObjectEncryptionAlg()); 
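Review bot: `clientOIDC.getUserinfoSignedResponseAlg()` and `clientOIDC.getRequestObjectSigningAlg()` come from the client-registration request and are now persisted verbatim; the removed `Enum.valueOf` was crude error handling, but it did reject values outside the known algorithm set before they reached the client attributes, and nothing in this hunk replaces that check. An unknown or unsupported name (including `none`) is therefore stored, echoed back in the registration response by the second and third hunks, and later read by UserInfoEndpoint; whether the eventual signer lookup fails closed is not visible here. Validating both values against the realm's supported signing algorithms at this point and rejecting the registration as invalid client metadata would preserve the fail-closed behaviour without relying on a client policy being enabled; if the `SecureSigningAlgorithmExecutor` policy exercised in ClientPoliciesTest is the intended gate, a comment above this block saying so would document that dependency. The enclosing method starts before the hunk.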
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java index cd38685047..5ea941ba71 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientPoliciesTest.java @@ -79,10 +79,10 @@ import org.keycloak.common.util.KeycloakUriBuilder; import org.keycloak.common.util.Time; import org.keycloak.common.util.UriUtils; import org.keycloak.constants.ServiceUrlConstants; +import org.keycloak.crypto.Algorithm; import org.keycloak.crypto.KeyType; import org.keycloak.crypto.SignatureSignerContext; import org.keycloak.events.EventType; -import org.keycloak.jose.jws.Algorithm; import org.keycloak.jose.jws.JWSBuilder; import org.keycloak.models.AdminRoles; import org.keycloak.models.Constants; @@ -419,17 +419,17 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { private String getKeyAlgorithmFromJwaAlgorithm(String jwaAlgorithm) { String keyAlg = null; switch (jwaAlgorithm) { - case org.keycloak.crypto.Algorithm.RS256: - case org.keycloak.crypto.Algorithm.RS384: - case org.keycloak.crypto.Algorithm.RS512: - case org.keycloak.crypto.Algorithm.PS256: - case org.keycloak.crypto.Algorithm.PS384: - case org.keycloak.crypto.Algorithm.PS512: + case Algorithm.RS256: + case Algorithm.RS384: + case Algorithm.RS512: + case Algorithm.PS256: + case Algorithm.PS384: + case Algorithm.PS512: keyAlg = KeyType.RSA; break; - case org.keycloak.crypto.Algorithm.ES256: - case org.keycloak.crypto.Algorithm.ES384: - case org.keycloak.crypto.Algorithm.ES512: + case Algorithm.ES256: + case Algorithm.ES384: + case Algorithm.ES512: keyAlg = KeyType.EC; break; default : 
@@ -556,7 +556,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { return requestObject; } - protected void registerRequestObject(AuthorizationEndpointRequestObject requestObject, String clientId, Algorithm sigAlg, boolean isUseRequestUri) throws URISyntaxException, IOException { + protected void registerRequestObject(AuthorizationEndpointRequestObject requestObject, String clientId, String sigAlg, boolean isUseRequestUri) throws URISyntaxException, IOException { TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); // Set required signature for request_uri @@ -572,12 +572,12 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); // generate and register client keypair - oidcClientEndpointsResource.generateKeys(sigAlg.name()); + oidcClientEndpointsResource.generateKeys(sigAlg); // register request object byte[] contentBytes = JsonSerialization.writeValueAsBytes(requestObject); String encodedRequestObject = Base64Url.encode(contentBytes); - oidcClientEndpointsResource.registerOIDCRequest(encodedRequestObject, sigAlg.name()); + oidcClientEndpointsResource.registerOIDCRequest(encodedRequestObject, sigAlg); if (isUseRequestUri) { oauth.request(null); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java index add0ee020e..401f778f99 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java 
@@ -55,10 +55,10 @@ import org.keycloak.client.registration.ClientRegistrationException; import org.keycloak.common.Profile; import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Time; +import org.keycloak.crypto.Algorithm; import org.keycloak.events.Details; import org.keycloak.events.Errors; import org.keycloak.events.EventType; -import org.keycloak.jose.jws.Algorithm; import org.keycloak.jose.jws.JWSInput; import org.keycloak.models.AdminRoles; import org.keycloak.models.CibaConfig; @@ -1556,8 +1556,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true); OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri()); clientResource.update(clientRep); - client.generateKeys(org.keycloak.crypto.Algorithm.PS256); - client.registerOIDCRequest(encodedRequestObject, org.keycloak.crypto.Algorithm.PS256); + client.generateKeys(Algorithm.PS256); + client.registerOIDCRequest(encodedRequestObject, Algorithm.PS256); // do not send any other parameter but the request request parameter String oidcRequest = client.getOIDCRequest(); @@ -1647,7 +1647,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> { clientRep.setSecret("secret"); clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.none.name()); + clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, "none"); }); fail(); } catch (ClientPolicyException e) { 
@@ -1657,48 +1657,48 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { // create by Admin REST API - success String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> { clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.PS256); - clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.ES256); - clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256); - clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256); - clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256); + clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.PS256); + clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, Algorithm.ES256); + clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.ES256); + clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.ES256); + clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.ES256); }); // create by Admin REST API - success, PS256 enforced String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> { }); ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.PS256, 
cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG)); + assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG)); + assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG)); + assertEquals(Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); // update by Admin REST API - fail try { updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> { clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.RS512); + clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.RS512); }); } catch (ClientPolicyException cpe) { assertEquals(Errors.INVALID_REQUEST, cpe.getError()); } ClientRepresentation cRep = getClientByAdmin(cAppAdminId); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); // update by Admin REST API - success updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> { clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.PS384); + 
clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, Algorithm.PS384); }); cRep = getClientByAdmin(cAppAdminId); - assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); // update profiles, ES256 enforced json = (new ClientProfilesBuilder()).addProfile( (new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen") .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, - createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)) + createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.ES256)) .toRepresentation() ).toString(); updateProfiles(json); 
@@ -1712,17 +1712,17 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { client2Rep.getAttributes().remove(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG); }); cRep2 = getClientByAdmin(cAppAdmin2Id); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG)); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG)); + assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG)); + assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG)); + assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG)); + assertEquals(Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); // update profiles, fall back to PS256 json = (new ClientProfilesBuilder()).addProfile( (new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen") .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, - createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.RS512)) + createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.RS512)) .toRepresentation() ).toString(); updateProfiles(json); 
@@ -1732,7 +1732,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> { clientRep.setSecret("secret"); clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.RS384); + clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.RS384); }); fail(); } catch (ClientPolicyException e) { 
@@ -1741,45 +1741,45 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { // create dynamically - success String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> { - clientRep.setUserinfoSignedResponseAlg(org.keycloak.crypto.Algorithm.ES256); - clientRep.setRequestObjectSigningAlg(org.keycloak.crypto.Algorithm.ES256); - clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.PS256); - clientRep.setTokenEndpointAuthSigningAlg(org.keycloak.crypto.Algorithm.PS256); + clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256); + clientRep.setRequestObjectSigningAlg(Algorithm.ES256); + clientRep.setIdTokenSignedResponseAlg(Algorithm.PS256); + clientRep.setTokenEndpointAuthSigningAlg(Algorithm.PS256); }); events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(Matchers.isEmptyOrNullString()).assertEvent(); // update dynamically - fail try { updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> { - clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.RS256); + clientRep.setIdTokenSignedResponseAlg(Algorithm.RS256); }); fail(); } catch (ClientRegistrationException e) { assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage()); } - assertEquals(org.keycloak.crypto.Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg()); + assertEquals(Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg()); // update dynamically - success updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> { - clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.ES384); + clientRep.setIdTokenSignedResponseAlg(Algorithm.ES384); }); - assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg()); + assertEquals(Algorithm.ES384, 
getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg()); // create dynamically - success, PS256 enforced restartAuthenticatedClientRegistrationSetting(); String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> { }); OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg()); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg()); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg()); - assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg()); + assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg()); + assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg()); + assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg()); + assertEquals(Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg()); // update profiles, enforce ES256 json = (new ClientProfilesBuilder()).addProfile( (new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen") .addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, - createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)) + createSecureSigningAlgorithmEnforceExecutorConfig(Algorithm.ES256)) .toRepresentation() ).toString(); updateProfiles(json); 
@@ -1792,10 +1792,10 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { client2Rep.setTokenEndpointAuthSigningAlg(null); }); cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg()); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg()); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg()); - assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg()); + assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg()); + assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg()); + assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg()); + assertEquals(Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg()); } @Test @@ -2086,7 +2086,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { clientRep.setSecret("secret"); clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID); clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256); + clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.ES256); }); adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleAlphaName).build()); adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleCommonName).build()); 
@@ -2095,11 +2095,11 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId); ClientRepresentation clientRep = clientResource.toRepresentation(); - KeyPair keyPair = setupJwksUrl(org.keycloak.crypto.Algorithm.ES256, clientRep, clientResource); + KeyPair keyPair = setupJwksUrl(Algorithm.ES256, clientRep, clientResource); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); - String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256); oauth.clientId(clientId); oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); 
@@ -2123,27 +2123,27 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { .assertEvent(); // refresh token - signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256); OAuthClient.AccessTokenResponse refreshedResponse = doRefreshTokenRequestWithSignedJWT(response.getRefreshToken(), signedJwt); assertEquals(200, refreshedResponse.getStatusCode()); // introspect token - signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256); HttpResponse tokenIntrospectionResponse = doTokenIntrospectionWithSignedJWT("access_token", refreshedResponse.getAccessToken(), signedJwt); assertEquals(200, tokenIntrospectionResponse.getStatusLine().getStatusCode()); // revoke token - signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256); HttpResponse revokeTokenResponse = doTokenRevokeWithSignedJWT("refresh_toke", refreshedResponse.getRefreshToken(), signedJwt); assertEquals(200, revokeTokenResponse.getStatusLine().getStatusCode()); - signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.ES256); OAuthClient.AccessTokenResponse tokenRes = doRefreshTokenRequestWithSignedJWT(refreshedResponse.getRefreshToken(), signedJwt); assertEquals(400, tokenRes.getStatusCode()); assertEquals(OAuthErrorException.INVALID_GRANT, tokenRes.getError()); // logout - signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.ES256); + signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, 
Algorithm.ES256); HttpResponse logoutResponse = doLogoutWithSignedJWT(refreshedResponse.getRefreshToken(), signedJwt); assertEquals(204, logoutResponse.getStatusLine().getStatusCode()); } @@ -2177,7 +2177,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { clientRep.setSecret("secret"); clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID); clientRep.setAttributes(new HashMap<>()); - clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.RS256); + clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, Algorithm.RS256); }); adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleAlphaName).build()); adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(roleCommonName).build()); @@ -2185,11 +2185,11 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(REALM_NAME), clientId); ClientRepresentation clientRep = clientResource.toRepresentation(); - KeyPair keyPair = setupJwksUrl(org.keycloak.crypto.Algorithm.RS256, clientRep, clientResource); + KeyPair keyPair = setupJwksUrl(Algorithm.RS256, clientRep, clientResource); PublicKey publicKey = keyPair.getPublic(); PrivateKey privateKey = keyPair.getPrivate(); - String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, org.keycloak.crypto.Algorithm.RS256); + String signedJwt = createSignedRequestToken(clientId, privateKey, publicKey, Algorithm.RS256); oauth.clientId(clientId); oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java index a56c2641ac..065cdcf76e 100644 
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java @@ -434,7 +434,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest { OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client); Assert.assertTrue(clientConfig.isUseMtlsHokToken()); Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg()); - Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString()); + Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg()); Assert.assertFalse(client.isFullScopeAllowed()); } @@ -497,7 +497,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest { ClientRepresentation client = getClientByAdmin(clientUUID); OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client); Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg()); - Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString()); + Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg()); // Test default algorithms set everywhere clientUUID = createClientByAdmin("client-jwt-default-alg", (ClientRepresentation clientRep) -> { 
@@ -507,7 +507,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest { clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client); Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg()); Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString()); - Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString()); + Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg()); Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg()); Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG)); @@ -541,14 +541,14 @@ public class FAPI1Test extends AbstractClientPoliciesTest { // Create request without 'nbf' . Should fail in FAPI1 advanced client policy TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo"); requestObject.nbf(null); - registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true); + registerRequestObject(requestObject, "foo", Algorithm.PS256, true); oauth.openLoginForm(); assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST_URI,false, "Missing parameter in the 'request' object: nbf"); // Create valid request object - more extensive testing of 'request' object is in ClientPoliciesTest.testSecureRequestObjectExecutor() requestObject = createValidRequestObjectForSecureRequestObjectExecutor("foo"); requestObject.setNonce("123456"); // Nonce from method "checkNonceAndStateForCurrentClientDuringLogin()" - registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true); + registerRequestObject(requestObject, "foo", Algorithm.PS256, true); // Check response type oauth.openLoginForm(); 
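Review bot: The context line immediately before the changed one, `Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());`, still calls `.toString()` on what is now a `String`; the companion assertions at lines 434 and 497 of this file and in FAPICIBATest were updated, so this one appears to have been missed. It is harmless while the default is set, but if the default were ever absent it would fail with a NullPointerException rather than an assertion message; change it to `Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());` to match the rest of the commit.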
@@ -557,14 +557,14 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
 // Add the response_Type including token. Should fail
 oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
 requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
- registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
+ registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
 oauth.openLoginForm();
 assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,true, "invalid response_type");
 // Set correct response_type for FAPI 1 Advanced
 oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
 requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
- registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
+ registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
 oauth.openLoginForm();
 loginPage.assertCurrent();
@@ -637,7 +637,7 @@ public class FAPI1Test extends AbstractClientPoliciesTest {
 requestObject.setNonce("123456"); // Nonce from method "checkNonceAndStateForCurrentClientDuringLogin()"
 oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
 requestObject.setResponseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
- registerRequestObject(requestObject, "foo", org.keycloak.jose.jws.Algorithm.PS256, true);
+ registerRequestObject(requestObject, "foo", Algorithm.PS256, true);
 oauth.openLoginForm();
 loginPage.assertCurrent();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPICIBATest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPICIBATest.java
index 0bc4617a8a..a5431f899c 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPICIBATest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPICIBATest.java
@@ -209,7 +209,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
 OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
 Assert.assertTrue(clientConfig.isUseMtlsHokToken());
 Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
- Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
+ Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
 Assert.assertFalse(client.isFullScopeAllowed());
 }
@@ -241,7 +241,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
 ClientRepresentation client = getClientByAdmin(clientUUID);
 OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
 Assert.assertEquals(Algorithm.ES256, clientConfig.getIdTokenSignedResponseAlg());
- Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
+ Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg());
 Assert.assertEquals(Algorithm.ES256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
 // Test default algorithms set everywhere
@@ -252,7 +252,7 @@ public class FAPICIBATest extends AbstractClientPoliciesTest {
 clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
 Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
 Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
- Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg().toString());
+ Assert.assertEquals(Algorithm.PS256, clientConfig.getUserInfoSignedResponseAlg());
 Assert.assertEquals(Algorithm.PS256, clientConfig.getTokenEndpointAuthSigningAlg());
 Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
 Assert.assertEquals(Algorithm.PS256, client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_AUTH_REQUEST_SIGNING_ALG));
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
index 2750a2b605..894f79cdb3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
@@ -28,9 +28,9 @@ import org.keycloak.client.registration.Auth;
 import org.keycloak.client.registration.ClientRegistrationException;
 import org.keycloak.client.registration.HttpErrorException;
 import org.keycloak.common.util.CollectionUtil;
+import org.keycloak.crypto.Algorithm;
 import org.keycloak.events.Errors;
 import org.keycloak.jose.jwe.JWEConstants;
-import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.models.CibaConfig;
 import org.keycloak.models.Constants;
 import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
@@ -222,12 +222,12 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 OIDCClientRepresentation response = null;
 try {
 clientRep = createRep();
- clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256.toString());
- clientRep.setRequestObjectSigningAlg(Algorithm.ES256.toString());
+ clientRep.setUserinfoSignedResponseAlg(Algorithm.ES256);
+ clientRep.setRequestObjectSigningAlg(Algorithm.ES256);
 response = reg.oidc().create(clientRep);
- Assert.assertEquals(Algorithm.ES256.toString(), response.getUserinfoSignedResponseAlg());
- Assert.assertEquals(Algorithm.ES256.toString(), response.getRequestObjectSigningAlg());
+ Assert.assertEquals(Algorithm.ES256, response.getUserinfoSignedResponseAlg());
+ Assert.assertEquals(Algorithm.ES256, response.getRequestObjectSigningAlg());
 Assert.assertNotNull(response.getClientSecret());
 // Test Keycloak representation
@@ -237,11 +237,11 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 Assert.assertEquals(config.getRequestObjectSignatureAlg(), Algorithm.ES256);
 // update (ES256 to PS256)
- clientRep.setUserinfoSignedResponseAlg(Algorithm.PS256.toString());
- clientRep.setRequestObjectSigningAlg(Algorithm.PS256.toString());
+ clientRep.setUserinfoSignedResponseAlg(Algorithm.PS256);
+ clientRep.setRequestObjectSigningAlg(Algorithm.PS256);
 response = reg.oidc().create(clientRep);
- Assert.assertEquals(Algorithm.PS256.toString(), response.getUserinfoSignedResponseAlg());
- Assert.assertEquals(Algorithm.PS256.toString(), response.getRequestObjectSigningAlg());
+ Assert.assertEquals(Algorithm.PS256, response.getUserinfoSignedResponseAlg());
+ Assert.assertEquals(Algorithm.PS256, response.getRequestObjectSigningAlg());
 // keycloak representation
 kcClient = getClient(response.getClientId());
@@ -250,8 +250,8 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 Assert.assertEquals(config.getRequestObjectSignatureAlg(), Algorithm.PS256);
 } finally {
 // back to RS256 for other tests
- clientRep.setUserinfoSignedResponseAlg(Algorithm.RS256.toString());
- clientRep.setRequestObjectSigningAlg(Algorithm.RS256.toString());
+ clientRep.setUserinfoSignedResponseAlg(Algorithm.RS256);
+ clientRep.setRequestObjectSigningAlg(Algorithm.RS256);
 response = reg.oidc().create(clientRep);
 }
 }
@@ -422,14 +422,14 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 OIDCClientRepresentation updated = null;
 try {
 OIDCClientRepresentation clientRep = createRep();
- clientRep.setTokenEndpointAuthSigningAlg(Algorithm.ES256.toString());
+ clientRep.setTokenEndpointAuthSigningAlg(Algorithm.ES256);
 response = reg.oidc().create(clientRep);
- Assert.assertEquals(Algorithm.ES256.toString(), response.getTokenEndpointAuthSigningAlg());
+ Assert.assertEquals(Algorithm.ES256, response.getTokenEndpointAuthSigningAlg());
 ClientRepresentation kcClient = getClient(response.getClientId());
 OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
- Assert.assertEquals(Algorithm.ES256.toString(), config.getTokenEndpointAuthSigningAlg());
+ Assert.assertEquals(Algorithm.ES256, config.getTokenEndpointAuthSigningAlg());
 reg.auth(Auth.token(response));
 response.setTokenEndpointAuthSigningAlg(null);
@@ -453,14 +453,14 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 OIDCClientRepresentation updated = null;
 try {
 OIDCClientRepresentation clientRep = createRep();
- clientRep.setAuthorizationSignedResponseAlg(Algorithm.PS256.toString());
+ clientRep.setAuthorizationSignedResponseAlg(Algorithm.PS256);
 response = reg.oidc().create(clientRep);
- Assert.assertEquals(Algorithm.PS256.toString(), response.getAuthorizationSignedResponseAlg());
+ Assert.assertEquals(Algorithm.PS256, response.getAuthorizationSignedResponseAlg());
 ClientRepresentation kcClient = getClient(response.getClientId());
 OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
- Assert.assertEquals(Algorithm.PS256.toString(), config.getAuthorizationSignedResponseAlg());
+ Assert.assertEquals(Algorithm.PS256, config.getAuthorizationSignedResponseAlg());
 reg.auth(Auth.token(response));
 response.setAuthorizationSignedResponseAlg(null);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index be348a240f..4f1fe22702 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -36,6 +36,7 @@ import org.keycloak.common.util.Base64Url;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.Time;
 import org.keycloak.common.util.UriUtils;
+import org.keycloak.crypto.Algorithm;
 import org.keycloak.crypto.KeyUse;
 import org.keycloak.events.Details;
 import org.keycloak.events.EventType;
@@ -45,7 +46,6 @@ import org.keycloak.jose.jwe.JWEException;
 import org.keycloak.jose.jwe.JWEHeader;
 import org.keycloak.jose.jwk.JSONWebKeySet;
 import org.keycloak.jose.jwk.JWK;
-import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.jose.jws.JWSBuilder;
 import org.keycloak.keys.Attributes;
 import org.keycloak.keys.KeyProvider;
@@ -527,7 +527,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object in "request" param
 oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@@ -549,7 +549,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object reference in "request_uri" param
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
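Review bot: The bare literal `"none"` that replaces `Algorithm.none.toString()` in the `@@ -527` hunk is repeated as a magic string in every `setOIDCRequest(...)` call from here through the `@@ -902` hunk and again in the `@@ -953` and `@@ -1002` hunks, where it is also used as the comparison value. Since `"none"` is the JWS `alg` that marks an unsigned request object, these tests are exactly the ones that check unsigned objects are rejected where a signature is required, so the value deserves a single named definition that documents that intent. If the `org.keycloak.crypto.Algorithm` class now imported here has no constant for it, declare one in the test class, for example `private static final String NONE_ALG = "none"; // JWS alg of an unsigned request object`, and reference it in each of those hunks.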
@@ -591,7 +591,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object in "request" param
 oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@@ -617,7 +617,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object reference in "request_uri" param
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@@ -663,7 +663,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object in "request" param
 oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@@ -689,7 +689,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "none");
 // Send request object reference in "request_uri" param
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@@ -734,7 +734,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "none");
 // Send request object in "request" param
 oauth.request(oidcClientEndpointsResource.getOIDCRequest());
@@ -759,7 +759,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set up a request object
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "mystate2", "none");
 // Send request object reference in "request_uri" param
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@@ -782,7 +782,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
 // Send request object with invalid redirect uri.
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "none");
 String requestStr = oidcClientEndpointsResource.getOIDCRequest();
 oauth.request(requestStr);
@@ -792,7 +792,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Assert the value from request object has bigger priority then from the query parameter.
 oauth.redirectUri("http://invalid");
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate2", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate2", "none");
 requestStr = oidcClientEndpointsResource.getOIDCRequest();
 oauth.request(requestStr);
@@ -808,7 +808,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
 // Send request object with invalid redirect uri.
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "mystate1", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", "http://invalid", null, "mystate1", "none");
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
 oauth.openLoginForm();
@@ -817,7 +817,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Assert the value from request object has bigger priority then from the query parameter.
 oauth.redirectUri("http://invalid");
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", "none");
 OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
 Assert.assertNotNull(response.getCode());
@@ -829,7 +829,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 public void requestUriParamWithAllowedRequestUris() throws Exception {
 String validRedirectUri = oauth.getRedirectUri();
 TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate1", "none");
 ClientManager.ClientManagerBuilder clientMgrBuilder = ClientManager.realm(adminClient.realm("test")).clientId("test-app");
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
@@ -902,7 +902,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 clientResource.update(clientRep);
 // Verify unsigned request_uri will fail
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", Algorithm.none.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "none");
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
 oauth.openLoginForm();
 Assert.assertTrue(errorPage.isCurrent());
@@ -912,7 +912,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 String clientPublicKeyPem = oidcClientEndpointsResource.generateKeys("RS256").get(TestingOIDCEndpointsApplicationResource.PUBLIC_KEY);
 // Verify signed request_uri will fail due to failed signature validation
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", Algorithm.RS256.toString());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", Algorithm.RS256);
 oauth.openLoginForm();
 Assert.assertTrue(errorPage.isCurrent());
 assertEquals("Invalid Request", errorPage.getError());
@@ -939,7 +939,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 clientResource.update(clientRep);
 }
- private void requestUriParamSignedIn(Algorithm expectedAlgorithm, Algorithm actualAlgorithm) throws Exception {
+ private void requestUriParamSignedIn(String expectedAlgorithm, String actualAlgorithm) throws Exception {
 ClientResource clientResource = null;
 ClientRepresentation clientRep = null;
 try {
@@ -953,10 +953,10 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 clientResource.update(clientRep);
 // generate and register client keypair
- if (Algorithm.none != actualAlgorithm) oidcClientEndpointsResource.generateKeys(actualAlgorithm.name());
+ if ("none" != actualAlgorithm) oidcClientEndpointsResource.generateKeys(actualAlgorithm);
 // register request object
- oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", actualAlgorithm.name());
+ oidcClientEndpointsResource.setOIDCRequest("test", "test-app", validRedirectUri, "10", "mystate3", actualAlgorithm);
 // use and set jwks_url
 clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
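Review bot: `if ("none" != actualAlgorithm)` in the `@@ -953` hunk compares two `String` references with `!=`, which was correct for the enum it replaces but is reference identity now that `actualAlgorithm` is a `String`. It happens to work because the callers in the `@@ -1002` hunk pass the compile-time literal `"none"`, which is interned; a value that arrives any other way (built at runtime, read from configuration) would not be identical and the test would try to generate keys for the unsigned case. The sibling condition in the `@@ -970` hunk already switched to `expectedAlgorithm.equals(actualAlgorithm)`, so this line should follow it: `if (!"none".equals(actualAlgorithm)) oidcClientEndpointsResource.generateKeys(actualAlgorithm);`. `requestUriParamSignedIn` begins in the `@@ -939` hunk and its body continues past this one.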
@@ -970,7 +970,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 setTimeOffset(20);
 oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
- if (expectedAlgorithm == null || expectedAlgorithm == actualAlgorithm) {
+ if (expectedAlgorithm == null || expectedAlgorithm.equals(actualAlgorithm)) {
 // Check signed request_uri will pass
 OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
 Assert.assertNotNull(response.getCode());
@@ -1002,13 +1002,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 @Test
 public void requestUriParamSignedExpectedNoneActualES256() throws Exception {
 // will fail
- requestUriParamSignedIn(Algorithm.none, Algorithm.ES256);
+ requestUriParamSignedIn("none", Algorithm.ES256);
 }
 @Test
 public void requestUriParamSignedExpectedNoneActualNone() throws Exception {
 // will success
- requestUriParamSignedIn(Algorithm.none, Algorithm.none);
+ requestUriParamSignedIn("none", "none");
 }
 @Test
@@ -1371,7 +1371,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 if (keyId == null) {
 KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils
 .getActiveEncKey(testRealm().keys().getKeyMetadata(),
- org.keycloak.crypto.Algorithm.PS256);
+ Algorithm.PS256);
 keyId = encKey.getKid();
 }
@@ -1400,7 +1400,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 @Test
 public void testRealmPublicKeyEncryptedRequestObjectUsingKid() throws Exception {
 KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(),
- org.keycloak.crypto.Algorithm.RS256);
+ Algorithm.RS256);
 JWEHeader jweHeader = new JWEHeader(RSA_OAEP, JWEConstants.A128CBC_HS256, null, encKey.getKid());
 assertRequestObjectEncryption(jweHeader);
 }
@@ -1426,8 +1426,8 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
 OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
 clientResource.update(clientRep);
- client.generateKeys(org.keycloak.crypto.Algorithm.RS256);
- client.registerOIDCRequest(encodedRequestObject, org.keycloak.crypto.Algorithm.RS256);
+ client.generateKeys(Algorithm.RS256);
+ client.registerOIDCRequest(encodedRequestObject, Algorithm.RS256);
 String oidcRequest = client.getOIDCRequest();
 return oidcRequest;
@@ -1457,7 +1457,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 if (keyId == null) {
 KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(),
- org.keycloak.crypto.Algorithm.PS256);
+ Algorithm.PS256);
 keyId = encKey.getKid();
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
index 8f4bdc160a..5c4edf11f9 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/UserInfoTest.java
@@ -34,6 +34,7 @@ import org.keycloak.common.util.PemUtils;
 import org.keycloak.common.util.Time;
 import org.keycloak.crypto.AesCbcHmacShaContentEncryptionProvider;
 import org.keycloak.crypto.AesGcmContentEncryptionProvider;
+import org.keycloak.crypto.Algorithm;
 import org.keycloak.crypto.RsaCekManagementProvider;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
@@ -44,7 +45,6 @@ import org.keycloak.jose.jwe.JWEException;
 import org.keycloak.jose.jwe.JWEHeader;
 import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
 import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
-import org.keycloak.jose.jws.Algorithm;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.jose.jws.crypto.RSAProvider;
@@ -265,27 +265,27 @@ public class UserInfoTest extends AbstractKeycloakTest {
 @Test
 public void testSuccessEncryptedResponseSigAlgPS384AlgRSA_OAEPEncA256GCM() throws Exception {
- testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.PS384, JWEConstants.RSA_OAEP, JWEConstants.A256GCM);
+ testUserInfoSignatureAndEncryption(Algorithm.PS384, JWEConstants.RSA_OAEP, JWEConstants.A256GCM);
 }
 @Test
 public void testSuccessEncryptedResponseSigAlgRS256AlgRSA_OAEP256EncA192CBC_HS384() throws Exception {
- testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.RS256, JWEConstants.RSA_OAEP_256, JWEConstants.A192CBC_HS384);
+ testUserInfoSignatureAndEncryption(Algorithm.RS256, JWEConstants.RSA_OAEP_256, JWEConstants.A192CBC_HS384);
 }
 @Test
 public void testSuccessEncryptedResponseSigAlgES512AlgRSA1_5EncDefault() throws Exception {
- testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.ES512, JWEConstants.RSA1_5, null);
+ testUserInfoSignatureAndEncryption(Algorithm.ES512, JWEConstants.RSA1_5, null);
 }
 @Test
 public void testSuccessEncryptedResponseSigAlgES384AlgRSA_OAEPEncA128GCM() throws Exception {
- testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.ES384, JWEConstants.RSA_OAEP, JWEConstants.A128GCM);
+ testUserInfoSignatureAndEncryption(Algorithm.ES384, JWEConstants.RSA_OAEP, JWEConstants.A128GCM);
 }
 @Test
 public void testSuccessEncryptedResponseSigAlgPS256AlgRSA_OAEP256EncA256CBC_HS512() throws Exception {
- testUserInfoSignatureAndEncryption(org.keycloak.crypto.Algorithm.PS256, JWEConstants.RSA_OAEP_256, JWEConstants.A256CBC_HS512);
+ testUserInfoSignatureAndEncryption(Algorithm.PS256, JWEConstants.RSA_OAEP_256, JWEConstants.A256CBC_HS512);
 }
 @Test
@@ -305,7 +305,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 clientRep = clientResource.toRepresentation();
 // set UserInfo response signature algorithm and encryption algorithms
 if(sigAlgorithm != null) {
- OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(Enum.valueOf(Algorithm.class, sigAlgorithm));
+ OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(sigAlgorithm);
 }
 OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoEncryptedResponseAlg(algAlgorithm);
 OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoEncryptedResponseEnc(encAlgorithm);
@@ -440,7 +440,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 .detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN)
 .detail(Details.USERNAME, "test-user@localhost")
 .detail(Details.SIGNATURE_REQUIRED, "true")
- .detail(Details.SIGNATURE_ALGORITHM, Algorithm.RS256.toString())
+ .detail(Details.SIGNATURE_ALGORITHM, Algorithm.RS256)
 .assertEvent();
 // Check signature and content
@@ -808,7 +808,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 return UserInfoClientUtil.testSuccessfulUserInfoResponse(response, "test-user@localhost", "test-user@localhost");
 }
- private void testSuccessSignedResponse(Algorithm sigAlg) throws Exception {
+ private void testSuccessSignedResponse(String sigAlg) throws Exception {
 try {
 // Require signed userInfo request
@@ -830,7 +830,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 .detail(Details.AUTH_METHOD, Details.VALIDATE_ACCESS_TOKEN)
 .detail(Details.USERNAME, "test-user@localhost")
 .detail(Details.SIGNATURE_REQUIRED, "true")
- .detail(Details.SIGNATURE_ALGORITHM, sigAlg.toString())
+ .detail(Details.SIGNATURE_ALGORITHM, sigAlg)
 .assertEvent();
 Assert.assertEquals(200, response.getStatus());
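Review bot: With the `Enum.valueOf(Algorithm.class, sigAlgorithm)` lookup removed in the `@@ -305` hunk, `sigAlgorithm` is handed to `setUserInfoSignedResponseAlg(...)` as an arbitrary `String`, so a typo or an unsupported name is no longer caught at the test boundary and nothing in this diff shows where it is caught instead. All callers visible here pass well-known constants, so the existing cases are unaffected, but the test class now lacks a case that stores an unrecognised value (or `"none"`) as the userinfo signed-response algorithm and asserts how the server reacts; presumably validation now lives server-side, and that is worth pinning. A comment on the new line along the lines of `// sigAlgorithm is passed through unvalidated; the server is expected to reject unsupported values` would at least record the assumption until such a test exists. The enclosing method begins before this hunk and continues after it.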
@@ -840,7 +840,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 JWSInput jwsInput = new JWSInput(signedResponse);
- assertEquals(sigAlg.toString(), jwsInput.getHeader().getAlgorithm().name());
+ assertEquals(sigAlg, jwsInput.getHeader().getAlgorithm().name());
 UserInfo userInfo = JsonSerialization.readValue(jwsInput.getContent(), UserInfo.class);
@@ -861,7 +861,7 @@ public class UserInfoTest extends AbstractKeycloakTest {
 OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUserInfoSignedResponseAlg(null);
 clientResource.update(clientRep);
 } finally {
- TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, org.keycloak.crypto.Algorithm.RS256);
+ TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.RS256);
 }
 }