KEYCLOAK-18391 CIBATest failures
This commit is contained in:
Martin Bartoš
Pavel Drozd
parent
ca6b78b730
commit
9dc7300178
2 changed files with 182 additions and 137 deletions
|
|
@ -17,6 +17,7 @@
|
|||
|
||||
package org.keycloak.testsuite;
|
||||
|
||||
import org.hamcrest.MatcherAssert;
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.ClientScopeRepresentation;
|
||||
|
|
@ -145,14 +146,18 @@ public class Assert extends org.junit.Assert {
|
|||
}
|
||||
|
||||
public static void assertExpiration(int actual, int expected) {
|
||||
org.junit.Assert.assertThat(actual, allOf(greaterThanOrEqualTo(expected - 50), lessThanOrEqualTo(expected)));
|
||||
assertExpiration((long) actual, (long) expected);
|
||||
}
|
||||
|
||||
public static void assertExpiration(long actual, long expected) {
|
||||
MatcherAssert.assertThat(actual, allOf(greaterThanOrEqualTo(expected - 50), lessThanOrEqualTo(expected)));
|
||||
}
|
||||
|
||||
public static void assertRoleAttributes(Map<String, List<String>> expected, Map<String, List<String>> actual) {
|
||||
assertThat(actual.keySet(), equalTo(expected.keySet()));
|
||||
MatcherAssert.assertThat(actual.keySet(), equalTo(expected.keySet()));
|
||||
for (String expectedKey : expected.keySet()) {
|
||||
assertThat(actual.get(expectedKey).size(), is(equalTo(expected.get(expectedKey).size())));
|
||||
assertThat(actual.get(expectedKey), containsInAnyOrder(expected.get(expectedKey).toArray()));
|
||||
MatcherAssert.assertThat(actual.get(expectedKey).size(), is(equalTo(expected.get(expectedKey).size())));
|
||||
MatcherAssert.assertThat(actual.get(expectedKey), containsInAnyOrder(expected.get(expectedKey).toArray()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
*/
|
||||
package org.keycloak.testsuite.client;
|
||||
|
||||
import static org.hamcrest.MatcherAssert.assertThat;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
|
|
@ -24,12 +25,13 @@ import javax.ws.rs.core.Response.Status;
|
|||
|
||||
import org.apache.http.client.methods.CloseableHttpResponse;
|
||||
|
||||
import static org.hamcrest.Matchers.notNullValue;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.junit.Assert.fail;
|
||||
import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.CANCELLED;
|
||||
import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.SUCCEED;
|
||||
import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.UNAUTHORIZED;
|
||||
import static org.keycloak.testsuite.Assert.assertExpiration;
|
||||
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS;
|
||||
import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;
|
||||
|
||||
|
|
@ -71,6 +73,7 @@ import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelReque
|
|||
import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.representations.IDToken;
|
||||
import org.keycloak.representations.JsonWebToken;
|
||||
import org.keycloak.representations.RefreshToken;
|
||||
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
|
||||
import org.keycloak.representations.idm.ClientInitialAccessPresentation;
|
||||
|
|
@ -219,9 +222,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// attacker client Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(attackerClientName, attackerClientPassword, victimClientAuthReqId);
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("unauthorized client")));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
assertThat(tokenRes.getErrorDescription(), is(equalTo("unauthorized client")));
|
||||
} finally {
|
||||
revertCIBASettings(victimClientResource, victimClientRep);
|
||||
revertCIBASettings(attackerClientResource, attackerClientRep);
|
||||
|
|
@ -248,12 +251,12 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
// This request should not ever pass. Client should not be allowed to send the successfull "approve" request to the BackchannelAuthenticationCallbackEndpoint
|
||||
// with using the "authReqId" as a bearer token
|
||||
int statusCode = oauth.doAuthenticationChannelCallback(response.getAuthReqId(), SUCCEED);
|
||||
Assert.assertThat(statusCode, is(equalTo(403)));
|
||||
assertThat(statusCode, is(equalTo(403)));
|
||||
|
||||
// client sends TokenRequest - This should not pass and should return 400
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING)));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING)));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -275,13 +278,13 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, signal, null);
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(503)));
|
||||
assertThat(response.getStatusCode(), is(equalTo(503)));
|
||||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Invalid Auth Req ID")));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
assertThat(tokenRes.getErrorDescription(), is(equalTo("Invalid Auth Req ID")));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -302,8 +305,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, null, "acr2");
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -325,8 +328,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, "urn:mace:incommon:iap:silver urn:mace:incommon:iap:gold");
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -348,8 +351,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, "ACR1");
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -372,8 +375,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, null, null);
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
restoreCIBAPolicy();
|
||||
|
|
@ -401,15 +404,15 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
|
||||
Assert.assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
|
||||
// different user Authentication Channel completed
|
||||
// oauth.doAuthenticationChannelCallback(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, usernameAuthenticated, authenticationChannelReq.getBearerToken(), SUCCEEDED);
|
||||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -434,7 +437,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
|
||||
Assert.assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
|
||||
// user Authentication Channel completed
|
||||
EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
|
||||
|
|
@ -475,7 +478,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// first user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, firstUsername, "lbies8e");
|
||||
Assert.assertThat(response.getInterval(), is(equalTo(5)));
|
||||
assertThat(response.getInterval(), is(equalTo(5)));
|
||||
// dequeue user Authentication Channel Request by first user to revert the initial setting of the queue
|
||||
doAuthenticationChannelRequest("lbies8e");
|
||||
|
||||
|
|
@ -490,7 +493,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
// first user Token Request
|
||||
// second user Backchannel Authentication Request
|
||||
response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, secondUsername, "Keb9eser");
|
||||
Assert.assertThat(response.getInterval(), is(equalTo(10)));
|
||||
assertThat(response.getInterval(), is(equalTo(10)));
|
||||
// dequeue user Authentication Channel Request by second user to revert the initial setting of the queue
|
||||
doAuthenticationChannelRequest("Keb9eser");
|
||||
} finally {
|
||||
|
|
@ -522,20 +525,20 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
|
||||
Assert.assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // 10+5+5 sec
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // 10+5+5 sec
|
||||
|
||||
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5 sec
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5 sec
|
||||
|
||||
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5+5 sec
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5+5 sec
|
||||
|
||||
// user Authentication Channel completed
|
||||
EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
|
||||
|
|
@ -588,17 +591,17 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request but not yet user being authenticated
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
|
||||
|
||||
// user Token Request but not yet user being authenticated
|
||||
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN));
|
||||
|
||||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage);
|
||||
Assert.assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
|
||||
// user Authentication Channel completed
|
||||
EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq);
|
||||
|
|
@ -644,10 +647,10 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
rep = testRealm().toRepresentation();
|
||||
attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
|
||||
Assert.assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll")));
|
||||
Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(120)));
|
||||
Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(5)));
|
||||
Assert.assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint")));
|
||||
assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll")));
|
||||
assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(120)));
|
||||
assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(5)));
|
||||
assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint")));
|
||||
|
||||
// valid input
|
||||
rep = backupCIBAPolicy();
|
||||
|
|
@ -660,10 +663,10 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
testRealm().update(rep);
|
||||
|
||||
rep = testRealm().toRepresentation();
|
||||
Assert.assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll")));
|
||||
Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(736)));
|
||||
Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(7)));
|
||||
Assert.assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint")));
|
||||
assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll")));
|
||||
assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(736)));
|
||||
assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(7)));
|
||||
assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint")));
|
||||
} finally {
|
||||
restoreCIBAPolicy();
|
||||
}
|
||||
|
|
@ -747,14 +750,15 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
// client Authentication Channel Request
|
||||
TestAuthenticationChannelRequest clientAuthenticationChannelReq = doAuthenticationChannelRequest("asdfghjkl");
|
||||
Assert.assertTrue(clientAuthenticationChannelReq.getRequest().getConsentRequired());
|
||||
Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
|
||||
Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("email")));
|
||||
Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("profile")));
|
||||
Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("roles")));
|
||||
assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
|
||||
assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("email")));
|
||||
assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("profile")));
|
||||
assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("roles")));
|
||||
|
||||
// client Authentication Channel completed
|
||||
EventRepresentation clientloginEvent = doAuthenticationChannelCallback(clientAuthenticationChannelReq);
|
||||
String clientSessionId = clientloginEvent.getSessionId();
|
||||
|
||||
String clientSessionCodeId = clientloginEvent.getDetails().get(Details.CODE_ID);
|
||||
|
||||
// client Token Request
|
||||
|
|
@ -779,10 +783,16 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
final String secondClientPassword = TEST_CLIENT_PASSWORD;
|
||||
String firstClientAuthReqId = null;
|
||||
String secondClientAuthReqId = null;
|
||||
|
||||
firstClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), firstClientName);
|
||||
assertThat(firstClientResource, notNullValue());
|
||||
|
||||
firstClientRep = firstClientResource.toRepresentation();
|
||||
prepareCIBASettings(firstClientResource, firstClientRep);
|
||||
|
||||
secondClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), secondClientName);
|
||||
assertThat(secondClientResource, notNullValue());
|
||||
|
||||
secondClientRep = secondClientResource.toRepresentation();
|
||||
prepareCIBASettings(secondClientResource, secondClientRep);
|
||||
|
||||
|
|
@ -795,8 +805,6 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// first client Authentication Channel completed
|
||||
EventRepresentation firstClientloginEvent = doAuthenticationChannelCallback(firstClientAuthenticationChannelReq);
|
||||
String firstClientSessionId = null;
|
||||
String firstClientSessionCodeId = null;
|
||||
|
||||
// second client Backchannel Authentication Request
|
||||
response = doBackchannelAuthenticationRequest(secondClientName, secondClientPassword, username, "qwertyui");
|
||||
|
|
@ -807,8 +815,6 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// second client Authentication Channel completed
|
||||
EventRepresentation secondClientloginEvent = doAuthenticationChannelCallback(secondClientAuthenticationChannelReq);
|
||||
String secondClientSessionId = null;
|
||||
String secondClientSessionCodeId = null;
|
||||
|
||||
// second client Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(secondClientName, secondClientPassword, username, secondClientAuthReqId);
|
||||
|
|
@ -831,6 +837,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -839,8 +847,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request before Authentication Channel completion
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING));
|
||||
|
||||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("kvoDKw98");
|
||||
|
|
@ -852,12 +860,13 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request after Authentication Channel completion
|
||||
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
|
||||
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
|
||||
Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
|
||||
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
|
||||
assertThat(accessToken, notNullValue());
|
||||
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
|
|
@ -873,6 +882,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -895,8 +906,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request before Authentication Channel completion
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.EXPIRED_TOKEN));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.EXPIRED_TOKEN));
|
||||
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
|
|
@ -913,6 +924,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -931,8 +944,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
setTimeOffset(70);
|
||||
|
||||
int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), SUCCEED);
|
||||
Assert.assertThat(statusCode, is(equalTo(Status.FORBIDDEN.getStatusCode())));
|
||||
events.expect(EventType.LOGIN_ERROR).clearDetails().client((String) null).error(Errors.INVALID_TOKEN).user((String)null).session(CoreMatchers.nullValue(String.class)).assertEvent();
|
||||
assertThat(statusCode, is(equalTo(Status.FORBIDDEN.getStatusCode())));
|
||||
events.expect(EventType.LOGIN_ERROR).clearDetails().client((String) null).error(Errors.INVALID_TOKEN).user((String) null).session(CoreMatchers.nullValue(String.class)).assertEvent();
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
restoreCIBAPolicy();
|
||||
|
|
@ -948,6 +961,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -962,17 +977,17 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
|
||||
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
|
||||
Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
|
||||
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
|
||||
|
||||
// duplicate user Token Request
|
||||
tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
|
|
@ -988,6 +1003,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -1002,8 +1019,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
|
|
@ -1046,6 +1063,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings with ciba grant deactivated
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
|
||||
attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll");
|
||||
|
|
@ -1060,12 +1079,14 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "gilwekDe3", "acr2");
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
Assert.assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
|
||||
assertThat(response.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
|
||||
|
||||
// activate ciba grant
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
attributes = clientRep.getAttributes();
|
||||
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString());
|
||||
|
|
@ -1087,6 +1108,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// deactivate ciba grant
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
attributes = clientRep.getAttributes();
|
||||
attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.FALSE.toString());
|
||||
|
|
@ -1099,9 +1122,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
Assert.assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT));
|
||||
assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant"));
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
}
|
||||
|
|
@ -1113,7 +1136,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
});
|
||||
|
||||
OIDCClientRepresentation rep = getClientDynamically(clientId);
|
||||
Assert.assertTrue(!rep.getGrantTypes().contains(OAuth2Constants.CIBA_GRANT_TYPE));
|
||||
Assert.assertFalse(rep.getGrantTypes().contains(OAuth2Constants.CIBA_GRANT_TYPE));
|
||||
Assert.assertNull(rep.getBackchannelAuthenticationRequestSigningAlg());
|
||||
|
||||
updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> {
|
||||
|
|
@ -1344,6 +1367,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
|
||||
|
|
@ -1358,8 +1383,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// user Token Request
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId());
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(statusTokenEndpont.getStatusCode())));
|
||||
Assert.assertThat(tokenRes.getError(), is(error));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(statusTokenEndpont.getStatusCode())));
|
||||
assertThat(tokenRes.getError(), is(error));
|
||||
|
||||
} finally {
|
||||
revertCIBASettings(clientResource, clientRep);
|
||||
|
|
@ -1411,7 +1436,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
private AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest(String clientId, String clientSecret, String username, String bindingMessage) throws Exception {
|
||||
AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, username, bindingMessage, null);
|
||||
Assert.assertThat(response.getStatusCode(), is(equalTo(200)));
|
||||
assertThat(response.getStatusCode(), is(equalTo(200)));
|
||||
Assert.assertNotNull(response.getAuthReqId());
|
||||
return response;
|
||||
}
|
||||
|
|
@ -1425,7 +1450,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
private EventRepresentation doAuthenticationChannelCallback(TestAuthenticationChannelRequest request) throws Exception {
|
||||
int statusCode = oauth.doAuthenticationChannelCallback(request.getBearerToken(), SUCCEED);
|
||||
Assert.assertThat(statusCode, is(equalTo(200)));
|
||||
assertThat(statusCode, is(equalTo(200)));
|
||||
// check login event : ignore user id and other details except for username
|
||||
EventRepresentation representation = new EventRepresentation();
|
||||
|
||||
|
|
@ -1436,7 +1461,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
private EventRepresentation doAuthenticationChannelCallbackError(Status status, String clientId, TestAuthenticationChannelRequest authenticationChannelReq, AuthenticationChannelResponse.Status authStatus, String username, String error) throws Exception {
|
||||
int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), authStatus);
|
||||
Assert.assertThat(statusCode, is(equalTo(status.getStatusCode())));
|
||||
assertThat(statusCode, is(equalTo(status.getStatusCode())));
|
||||
return events.expect(EventType.LOGIN_ERROR).clearDetails().client(clientId).error(error).user((String)null).session(CoreMatchers.nullValue(String.class)).assertEvent();
|
||||
}
|
||||
|
||||
|
|
@ -1446,20 +1471,20 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
private OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest(String clientId, String clientSecret, String username, String authReqId) throws Exception {
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(clientId, clientSecret, authReqId);
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
EventRepresentation event = events.expectAuthReqIdToToken(null, null).clearDetails().user(AssertEvents.isUUID()).client(clientId).assertEvent();
|
||||
|
||||
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
|
||||
Assert.assertThat(accessToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
assertThat(accessToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
|
||||
RefreshToken refreshToken = oauth.parseRefreshToken(tokenRes.getRefreshToken());
|
||||
Assert.assertThat(refreshToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
Assert.assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer())));
|
||||
assertThat(refreshToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer())));
|
||||
|
||||
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
|
||||
Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
Assert.assertThat(idToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
Assert.assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor())));
|
||||
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
assertThat(idToken.getIssuedFor(), is(equalTo(clientId)));
|
||||
assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor())));
|
||||
|
||||
return tokenRes;
|
||||
}
|
||||
|
|
@ -1468,92 +1493,105 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
String tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getAccessToken());
|
||||
ObjectMapper objectMapper = new ObjectMapper();
|
||||
JsonNode jsonNode = objectMapper.readTree(tokenResponse);
|
||||
Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
Assert.assertThat(jsonNode.get("username").asText(), is(equalTo(username)));
|
||||
Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
assertThat(jsonNode.get("username").asText(), is(equalTo(username)));
|
||||
assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
|
||||
Assert.assertThat(rep.isActive(), is(equalTo(true)));
|
||||
Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent();
|
||||
assertThat(rep.isActive(), is(equalTo(true)));
|
||||
assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
|
||||
|
||||
tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getRefreshToken());
|
||||
jsonNode = objectMapper.readTree(tokenResponse);
|
||||
Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
|
||||
Assert.assertThat(rep.isActive(), is(equalTo(true)));
|
||||
Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuer())));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent();
|
||||
assertThat(rep.isActive(), is(equalTo(true)));
|
||||
assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuer())));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
|
||||
|
||||
tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getIdToken());
|
||||
jsonNode = objectMapper.readTree(tokenResponse);
|
||||
Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true)));
|
||||
assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class);
|
||||
Assert.assertThat(rep.isActive(), is(equalTo(true)));
|
||||
Assert.assertThat(rep.getUserName(), is(equalTo(username)));
|
||||
Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(rep.getPreferredUsername(), is(equalTo(username)));
|
||||
Assert.assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuedFor())));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent();
|
||||
assertThat(rep.isActive(), is(equalTo(true)));
|
||||
assertThat(rep.getUserName(), is(equalTo(username)));
|
||||
assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(rep.getPreferredUsername(), is(equalTo(username)));
|
||||
assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuedFor())));
|
||||
events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent();
|
||||
|
||||
return tokenResponse;
|
||||
}
|
||||
|
||||
private OAuthClient.AccessTokenResponse doRefreshTokenRequest(String oldRefreshToken, String username, String sessionId, boolean isOfflineAccess) {
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(oldRefreshToken, TEST_CLIENT_PASSWORD);
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(200)));
|
||||
|
||||
AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken());
|
||||
Assert.assertThat(accessToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(accessToken.getExp().longValue(), is(equalTo(accessToken.getIat().longValue() + tokenRes.getExpiresIn())));
|
||||
assertThat(accessToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
checkTokenExpiration(accessToken, tokenRes.getExpiresIn());
|
||||
|
||||
RefreshToken refreshToken = oauth.parseRefreshToken(tokenRes.getRefreshToken());
|
||||
Assert.assertThat(refreshToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer())));
|
||||
if(!isOfflineAccess) Assert.assertThat(refreshToken.getExp().longValue(), is(equalTo(refreshToken.getIat().longValue() + tokenRes.getRefreshExpiresIn())));
|
||||
assertThat(refreshToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer())));
|
||||
if (!isOfflineAccess) checkTokenExpiration(refreshToken, tokenRes.getRefreshExpiresIn());
|
||||
|
||||
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
|
||||
Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
Assert.assertThat(idToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
Assert.assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor())));
|
||||
Assert.assertThat(idToken.getExp().longValue(), is(equalTo(idToken.getIat().longValue() + tokenRes.getExpiresIn())));
|
||||
assertThat(idToken.getPreferredUsername(), is(equalTo(username)));
|
||||
assertThat(idToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME)));
|
||||
assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor())));
|
||||
checkTokenExpiration(idToken, tokenRes.getExpiresIn());
|
||||
|
||||
events.expectRefresh(tokenRes.getRefreshToken(), sessionId).session(CoreMatchers.notNullValue(String.class)).user(AssertEvents.isUUID()).clearDetails().assertEvent();
|
||||
|
||||
return tokenRes;
|
||||
}
|
||||
|
||||
private EventRepresentation doLogoutByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException{
|
||||
// KEYCLOAK-18391
|
||||
private void checkTokenExpiration(JsonWebToken token, long expiresIn) {
|
||||
assertThat(token, notNullValue());
|
||||
|
||||
final Long tokenExp = token.getExp();
|
||||
final Long tokenIat = token.getIat();
|
||||
|
||||
assertThat(tokenExp, notNullValue());
|
||||
assertThat(tokenIat, notNullValue());
|
||||
|
||||
assertExpiration(tokenExp, tokenIat + expiresIn);
|
||||
}
|
||||
|
||||
private EventRepresentation doLogoutByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException {
|
||||
try (CloseableHttpResponse res = oauth.doLogout(refreshToken, TEST_CLIENT_PASSWORD)) {
|
||||
assertThat(res, Matchers.statusCodeIsHC(Status.NO_CONTENT));
|
||||
}
|
||||
|
||||
// confirm logged out
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(refreshToken, TEST_CLIENT_PASSWORD);
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
if (isOfflineAccess) Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found")));
|
||||
else Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active")));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
if (isOfflineAccess) assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found")));
|
||||
else assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active")));
|
||||
|
||||
return events.expectLogout(sessionId).client(TEST_CLIENT_NAME).user(AssertEvents.isUUID()).session(AssertEvents.isUUID()).clearDetails().assertEvent();
|
||||
}
|
||||
|
||||
private EventRepresentation doTokenRevokeByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException{
|
||||
private EventRepresentation doTokenRevokeByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException {
|
||||
try (CloseableHttpResponse res = oauth.doTokenRevoke(refreshToken, "refresh_token", TEST_CLIENT_PASSWORD)) {
|
||||
assertThat(res, Matchers.statusCodeIsHC(Status.OK));
|
||||
}
|
||||
|
||||
// confirm revocation
|
||||
OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(refreshToken, TEST_CLIENT_PASSWORD);
|
||||
Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
if (isOfflineAccess) Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found")));
|
||||
else Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active")));
|
||||
assertThat(tokenRes.getStatusCode(), is(equalTo(400)));
|
||||
assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT)));
|
||||
if (isOfflineAccess) assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found")));
|
||||
else assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active")));
|
||||
|
||||
return events.expect(EventType.REVOKE_GRANT).clearDetails().client(TEST_CLIENT_NAME).user(AssertEvents.isUUID()).assertEvent();
|
||||
}
|
||||
|
|
@ -1567,9 +1605,11 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
// prepare CIBA settings
|
||||
clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME);
|
||||
assertThat(clientResource, notNullValue());
|
||||
|
||||
clientRep = clientResource.toRepresentation();
|
||||
prepareCIBASettings(clientResource, clientRep);
|
||||
if(isOfflineAccess) oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
|
||||
if (isOfflineAccess) oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
|
||||
|
||||
// user Backchannel Authentication Request
|
||||
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage);
|
||||
|
|
@ -1577,9 +1617,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest {
|
|||
// user Authentication Channel Request
|
||||
TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage);
|
||||
AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest();
|
||||
Assert.assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
if (isOfflineAccess) Assert.assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
Assert.assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
|
||||
assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage)));
|
||||
if (isOfflineAccess) assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS)));
|
||||
assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID)));
|
||||
|
||||
// user Authentication Channel completed
|
||||
EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);
|
||||
|
|
|
|||
Loading…
Reference in a new issue