diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AbstractAuthzTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AbstractAuthzTest.java index 00917cd6d7..02d18653de 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AbstractAuthzTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AbstractAuthzTest.java @@ -1,6 +1,10 @@ package org.keycloak.testsuite.authz; import org.junit.BeforeClass; +import org.keycloak.authorization.client.representation.EntitlementResponse; +import org.keycloak.jose.jws.JWSInput; +import org.keycloak.jose.jws.JWSInputException; +import org.keycloak.representations.AccessToken; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.ProfileAssume; @@ -13,4 +17,15 @@ public abstract class AbstractAuthzTest extends AbstractKeycloakTest { public static void enabled() { ProfileAssume.assumePreview(); } + + protected AccessToken toAccessToken(String rpt) { + AccessToken accessToken; + + try { + accessToken = new JWSInput(rpt).readJsonContent(AccessToken.class); + } catch (JWSInputException cause) { + throw new RuntimeException("Failed to deserialize RPT", cause); + } + return accessToken; + } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AuthorizationAPITest.java similarity index 84% rename from testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java rename to testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AuthorizationAPITest.java index 0b24c2aeaf..5529cfd442 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/RequireUmaAuthorizationScopeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AuthorizationAPITest.java @@ -39,13 +39,14 @@ import org.keycloak.authorization.client.representation.AuthorizationRequest; import org.keycloak.authorization.client.representation.AuthorizationResponse; import org.keycloak.authorization.client.representation.PermissionRequest; import org.keycloak.authorization.client.util.HttpResponseException; +import org.keycloak.representations.AccessToken; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.authorization.JSPolicyRepresentation; import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation; import org.keycloak.representations.idm.authorization.ResourceRepresentation; -import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.util.ClientBuilder; +import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RoleBuilder; import org.keycloak.testsuite.util.RolesBuilder; @@ -55,7 +56,7 @@ import org.keycloak.util.JsonSerialization; /** * @author Pedro Igor */ -public class RequireUmaAuthorizationScopeTest extends AbstractAuthzTest { +public class AuthorizationAPITest extends AbstractAuthzTest { @Override public void addTestRealms(List testRealms) { @@ -69,6 +70,11 @@ public class RequireUmaAuthorizationScopeTest extends AbstractAuthzTest { .redirectUris("http://localhost/resource-server-test") .defaultRoles("uma_protection") .directAccessGrants()) + .client(ClientBuilder.create().clientId("test-client") + .secret("secret") + .authorizationServicesEnabled(true) + .redirectUris("http://localhost/test-client") + .directAccessGrants()) .build()); } @@ -143,6 +149,22 @@ public class RequireUmaAuthorizationScopeTest extends AbstractAuthzTest { failAccessTokenWithoutUmaAuthorization(); } + @Test + public void testResourceServerAsAudience() throws Exception { + AuthzClient authzClient = getAuthzClient(); + PermissionRequest request = new PermissionRequest(); + + request.setResourceSetName("Resource A"); + + String accessToken = new OAuthClient().realm("authz-test").clientId("test-client").doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken(); + String ticket = authzClient.protection().permission().forResource(request).getTicket(); + AuthorizationResponse response = authzClient.authorization(accessToken).authorize(new AuthorizationRequest(ticket)); + + assertNotNull(response.getRpt()); + AccessToken rpt = toAccessToken(response.getRpt()); + assertEquals("resource-server-test", rpt.getAudience()[0]); + } + private RealmResource getRealm() throws Exception { return adminClient.realm("authz-test"); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java index 2145c6f82e..c0a8868c2b 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java @@ -41,6 +41,7 @@ import org.keycloak.authorization.client.representation.EntitlementResponse; import org.keycloak.authorization.client.representation.PermissionRequest; import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInputException; +import org.keycloak.protocol.oidc.utils.OIDCResponseType; import org.keycloak.representations.AccessToken; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.authorization.JSPolicyRepresentation; @@ -49,6 +50,7 @@ import org.keycloak.representations.idm.authorization.ResourcePermissionRepresen import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.util.ClientBuilder; +import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RoleBuilder; import org.keycloak.testsuite.util.RolesBuilder; @@ -74,6 +76,11 @@ public class EntitlementAPITest extends AbstractAuthzTest { .redirectUris("http://localhost/resource-server-test") .defaultRoles("uma_protection") .directAccessGrants()) + .client(ClientBuilder.create().clientId("test-client") + .secret("secret") + .authorizationServicesEnabled(true) + .redirectUris("http://localhost/test-client") + .directAccessGrants()) .build()); } @@ -155,7 +162,7 @@ public class EntitlementAPITest extends AbstractAuthzTest { request.setMetadata(metadata); EntitlementResponse response = getAuthzClient().entitlement(authzClient.obtainAccessToken("marta", "password").getToken()).get("resource-server-test", request); - AccessToken rpt = toAccessToken(response); + AccessToken rpt = toAccessToken(response.getRpt()); List permissions = rpt.getAuthorization().getPermissions(); @@ -175,7 +182,7 @@ public class EntitlementAPITest extends AbstractAuthzTest { request.setRpt(response.getRpt()); response = getAuthzClient().entitlement(authzClient.obtainAccessToken("marta", "password").getToken()).get("resource-server-test", request); - rpt = toAccessToken(response); + rpt = toAccessToken(response.getRpt()); permissions = rpt.getAuthorization().getPermissions(); @@ -199,7 +206,7 @@ public class EntitlementAPITest extends AbstractAuthzTest { request.setRpt(response.getRpt()); response = getAuthzClient().entitlement(authzClient.obtainAccessToken("marta", "password").getToken()).get("resource-server-test", request); - rpt = toAccessToken(response); + rpt = toAccessToken(response.getRpt()); permissions = rpt.getAuthorization().getPermissions(); @@ -222,7 +229,7 @@ public class EntitlementAPITest extends AbstractAuthzTest { request.setRpt(response.getRpt()); response = getAuthzClient().entitlement(authzClient.obtainAccessToken("marta", "password").getToken()).get("resource-server-test", request); - rpt = toAccessToken(response); + rpt = toAccessToken(response.getRpt()); permissions = rpt.getAuthorization().getPermissions(); @@ -234,8 +241,21 @@ public class EntitlementAPITest extends AbstractAuthzTest { assertEquals("Resource 12", permissions.get(4).getResourceSetName()); } + @Test + public void testResourceServerAsAudience() throws Exception { + EntitlementRequest request = new EntitlementRequest(); + + request.addPermission(new PermissionRequest("Resource 1")); + + String accessToken = new OAuthClient().realm("authz-test").clientId("test-client").doGrantAccessTokenRequest("secret", "marta", "password").getAccessToken(); + EntitlementResponse response = getAuthzClient().entitlement(accessToken).get("resource-server-test", request); + AccessToken rpt = toAccessToken(response.getRpt()); + + assertEquals("resource-server-test", rpt.getAudience()[0]); + } + private void assertResponse(AuthorizationRequestMetadata metadata, Supplier responseSupplier) { - AccessToken.Authorization authorization = toAccessToken(responseSupplier.get()).getAuthorization(); + AccessToken.Authorization authorization = toAccessToken(responseSupplier.get().getRpt()).getAuthorization(); List permissions = authorization.getPermissions(); @@ -251,17 +271,6 @@ public class EntitlementAPITest extends AbstractAuthzTest { } } - private AccessToken toAccessToken(EntitlementResponse response) { - AccessToken accessToken; - - try { - accessToken = new JWSInput(response.getRpt()).readJsonContent(AccessToken.class); - } catch (JWSInputException cause) { - throw new RuntimeException("Failed to deserialize RPT", cause); - } - return accessToken; - } - private RealmResource getRealm() throws Exception { return adminClient.realm("authz-test"); }