From 9dc7300178a43adc6b5975e6f597f77212da7893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Barto=C5=A1?= Date: Mon, 28 Jun 2021 09:07:20 +0200 Subject: [PATCH] KEYCLOAK-18391 CIBATest failures --- .../java/org/keycloak/testsuite/Assert.java | 13 +- .../keycloak/testsuite/client/CIBATest.java | 306 ++++++++++-------- 2 files changed, 182 insertions(+), 137 deletions(-) diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/Assert.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/Assert.java index 4c98aba945..5d428fe9cf 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/Assert.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/Assert.java @@ -17,6 +17,7 @@ package org.keycloak.testsuite; +import org.hamcrest.MatcherAssert; import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientScopeRepresentation; @@ -145,14 +146,18 @@ public class Assert extends org.junit.Assert { } public static void assertExpiration(int actual, int expected) { - org.junit.Assert.assertThat(actual, allOf(greaterThanOrEqualTo(expected - 50), lessThanOrEqualTo(expected))); + assertExpiration((long) actual, (long) expected); + } + + public static void assertExpiration(long actual, long expected) { + MatcherAssert.assertThat(actual, allOf(greaterThanOrEqualTo(expected - 50), lessThanOrEqualTo(expected))); } public static void assertRoleAttributes(Map> expected, Map> actual) { - assertThat(actual.keySet(), equalTo(expected.keySet())); + MatcherAssert.assertThat(actual.keySet(), equalTo(expected.keySet())); for (String expectedKey : expected.keySet()) { - assertThat(actual.get(expectedKey).size(), is(equalTo(expected.get(expectedKey).size()))); - assertThat(actual.get(expectedKey), containsInAnyOrder(expected.get(expectedKey).toArray())); + MatcherAssert.assertThat(actual.get(expectedKey).size(), is(equalTo(expected.get(expectedKey).size()))); + MatcherAssert.assertThat(actual.get(expectedKey), containsInAnyOrder(expected.get(expectedKey).toArray())); } } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java index d18fbd2c53..992ad5ece5 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java @@ -16,6 +16,7 @@ */ package org.keycloak.testsuite.client; +import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.containsString; @@ -24,12 +25,13 @@ import javax.ws.rs.core.Response.Status; import org.apache.http.client.methods.CloseableHttpResponse; +import static org.hamcrest.Matchers.notNullValue; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertThat; import static org.junit.Assert.fail; import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.CANCELLED; import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.SUCCEED; import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.UNAUTHORIZED; +import static org.keycloak.testsuite.Assert.assertExpiration; import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS; import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE; @@ -71,6 +73,7 @@ import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelReque import org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse; import org.keycloak.representations.AccessToken; import org.keycloak.representations.IDToken; +import org.keycloak.representations.JsonWebToken; import org.keycloak.representations.RefreshToken; import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation; import org.keycloak.representations.idm.ClientInitialAccessPresentation; @@ -219,9 +222,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // attacker client Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(attackerClientName, attackerClientPassword, victimClientAuthReqId); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); - Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("unauthorized client"))); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); + assertThat(tokenRes.getErrorDescription(), is(equalTo("unauthorized client"))); } finally { revertCIBASettings(victimClientResource, victimClientRep); revertCIBASettings(attackerClientResource, attackerClientRep); @@ -248,12 +251,12 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // This request should not ever pass. Client should not be allowed to send the successfull "approve" request to the BackchannelAuthenticationCallbackEndpoint // with using the "authReqId" as a bearer token int statusCode = oauth.doAuthenticationChannelCallback(response.getAuthReqId(), SUCCEED); - Assert.assertThat(statusCode, is(equalTo(403))); + assertThat(statusCode, is(equalTo(403))); // client sends TokenRequest - This should not pass and should return 400 OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING))); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.AUTHORIZATION_PENDING))); } finally { revertCIBASettings(clientResource, clientRep); } @@ -275,13 +278,13 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, signal, null); - Assert.assertThat(response.getStatusCode(), is(equalTo(503))); + assertThat(response.getStatusCode(), is(equalTo(503))); // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); - Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Invalid Auth Req ID"))); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); + assertThat(tokenRes.getErrorDescription(), is(equalTo("Invalid Auth Req ID"))); } finally { revertCIBASettings(clientResource, clientRep); } @@ -302,8 +305,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, null, "acr2"); - Assert.assertThat(response.getStatusCode(), is(equalTo(400))); - Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); + assertThat(response.getStatusCode(), is(equalTo(400))); + assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); } finally { revertCIBASettings(clientResource, clientRep); } @@ -325,8 +328,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, "urn:mace:incommon:iap:silver urn:mace:incommon:iap:gold"); - Assert.assertThat(response.getStatusCode(), is(equalTo(400))); - Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); + assertThat(response.getStatusCode(), is(equalTo(400))); + assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); } finally { revertCIBASettings(clientResource, clientRep); } @@ -348,8 +351,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, "ACR1"); - Assert.assertThat(response.getStatusCode(), is(equalTo(400))); - Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); + assertThat(response.getStatusCode(), is(equalTo(400))); + assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); } finally { revertCIBASettings(clientResource, clientRep); } @@ -372,8 +375,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, null, null); - Assert.assertThat(response.getStatusCode(), is(equalTo(400))); - Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); + assertThat(response.getStatusCode(), is(equalTo(400))); + assertThat(response.getError(), is(OAuthErrorException.INVALID_REQUEST)); } finally { revertCIBASettings(clientResource, clientRep); restoreCIBAPolicy(); @@ -401,15 +404,15 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Authentication Channel Request TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage); - Assert.assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); + assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); // different user Authentication Channel completed // oauth.doAuthenticationChannelCallback(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, usernameAuthenticated, authenticationChannelReq.getBearerToken(), SUCCEEDED); // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); } finally { revertCIBASettings(clientResource, clientRep); } @@ -434,7 +437,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Authentication Channel Request TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage); - Assert.assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); + assertThat(authenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); // user Authentication Channel completed EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq); @@ -475,7 +478,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // first user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, firstUsername, "lbies8e"); - Assert.assertThat(response.getInterval(), is(equalTo(5))); + assertThat(response.getInterval(), is(equalTo(5))); // dequeue user Authentication Channel Request by first user to revert the initial setting of the queue doAuthenticationChannelRequest("lbies8e"); @@ -490,7 +493,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // first user Token Request // second user Backchannel Authentication Request response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, secondUsername, "Keb9eser"); - Assert.assertThat(response.getInterval(), is(equalTo(10))); + assertThat(response.getInterval(), is(equalTo(10))); // dequeue user Authentication Channel Request by second user to revert the initial setting of the queue doAuthenticationChannelRequest("Keb9eser"); } finally { @@ -522,20 +525,20 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Authentication Channel Request TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage); - Assert.assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage))); + assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage))); // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // 10+5+5 sec + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // 10+5+5 sec tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5 sec + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5 sec tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5+5 sec + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // 10+5+5+5 sec // user Authentication Channel completed EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq); @@ -588,17 +591,17 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request but not yet user being authenticated OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // user Token Request but not yet user being authenticated tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.SLOW_DOWN)); // user Authentication Channel Request TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest(bindingMessage); - Assert.assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage))); + assertThat(authenticationChannelReq.getRequest().getBindingMessage(), is(equalTo(bindingMessage))); // user Authentication Channel completed EventRepresentation loginEvent = doAuthenticationChannelCallback(authenticationChannelReq); @@ -644,10 +647,10 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { rep = testRealm().toRepresentation(); attrMap = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>()); - Assert.assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll"))); - Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(120))); - Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(5))); - Assert.assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint"))); + assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll"))); + assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(120))); + assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(5))); + assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint"))); // valid input rep = backupCIBAPolicy(); @@ -660,10 +663,10 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { testRealm().update(rep); rep = testRealm().toRepresentation(); - Assert.assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll"))); - Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(736))); - Assert.assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(7))); - Assert.assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint"))); + assertThat(attrMap.get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE), is(equalTo("poll"))); + assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_EXPIRES_IN)), is(equalTo(736))); + assertThat(Integer.parseInt(attrMap.get(CibaConfig.CIBA_INTERVAL)), is(equalTo(7))); + assertThat(attrMap.get(CibaConfig.CIBA_AUTH_REQUESTED_USER_HINT), is(equalTo("login_hint"))); } finally { restoreCIBAPolicy(); } @@ -747,14 +750,15 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // client Authentication Channel Request TestAuthenticationChannelRequest clientAuthenticationChannelReq = doAuthenticationChannelRequest("asdfghjkl"); Assert.assertTrue(clientAuthenticationChannelReq.getRequest().getConsentRequired()); - Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID))); - Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("email"))); - Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("profile"))); - Assert.assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("roles"))); + assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID))); + assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("email"))); + assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("profile"))); + assertThat(clientAuthenticationChannelReq.getRequest().getScope(), is(containsString("roles"))); // client Authentication Channel completed EventRepresentation clientloginEvent = doAuthenticationChannelCallback(clientAuthenticationChannelReq); String clientSessionId = clientloginEvent.getSessionId(); + String clientSessionCodeId = clientloginEvent.getDetails().get(Details.CODE_ID); // client Token Request @@ -779,10 +783,16 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { final String secondClientPassword = TEST_CLIENT_PASSWORD; String firstClientAuthReqId = null; String secondClientAuthReqId = null; + firstClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), firstClientName); + assertThat(firstClientResource, notNullValue()); + firstClientRep = firstClientResource.toRepresentation(); prepareCIBASettings(firstClientResource, firstClientRep); + secondClientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), secondClientName); + assertThat(secondClientResource, notNullValue()); + secondClientRep = secondClientResource.toRepresentation(); prepareCIBASettings(secondClientResource, secondClientRep); @@ -795,8 +805,6 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // first client Authentication Channel completed EventRepresentation firstClientloginEvent = doAuthenticationChannelCallback(firstClientAuthenticationChannelReq); - String firstClientSessionId = null; - String firstClientSessionCodeId = null; // second client Backchannel Authentication Request response = doBackchannelAuthenticationRequest(secondClientName, secondClientPassword, username, "qwertyui"); @@ -807,8 +815,6 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // second client Authentication Channel completed EventRepresentation secondClientloginEvent = doAuthenticationChannelCallback(secondClientAuthenticationChannelReq); - String secondClientSessionId = null; - String secondClientSessionCodeId = null; // second client Token Request OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(secondClientName, secondClientPassword, username, secondClientAuthReqId); @@ -831,6 +837,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -839,8 +847,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request before Authentication Channel completion OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.AUTHORIZATION_PENDING)); // user Authentication Channel Request TestAuthenticationChannelRequest authenticationChannelReq = doAuthenticationChannelRequest("kvoDKw98"); @@ -852,12 +860,13 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request after Authentication Channel completion tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200))); + assertThat(tokenRes.getStatusCode(), is(equalTo(200))); IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken()); - Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username))); + assertThat(idToken.getPreferredUsername(), is(equalTo(username))); AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken()); + assertThat(accessToken, notNullValue()); } finally { revertCIBASettings(clientResource, clientRep); @@ -873,6 +882,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -895,8 +906,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request before Authentication Channel completion OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.EXPIRED_TOKEN)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.EXPIRED_TOKEN)); } finally { revertCIBASettings(clientResource, clientRep); @@ -913,6 +924,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -931,8 +944,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { setTimeOffset(70); int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), SUCCEED); - Assert.assertThat(statusCode, is(equalTo(Status.FORBIDDEN.getStatusCode()))); - events.expect(EventType.LOGIN_ERROR).clearDetails().client((String) null).error(Errors.INVALID_TOKEN).user((String)null).session(CoreMatchers.nullValue(String.class)).assertEvent(); + assertThat(statusCode, is(equalTo(Status.FORBIDDEN.getStatusCode()))); + events.expect(EventType.LOGIN_ERROR).clearDetails().client((String) null).error(Errors.INVALID_TOKEN).user((String) null).session(CoreMatchers.nullValue(String.class)).assertEvent(); } finally { revertCIBASettings(clientResource, clientRep); restoreCIBAPolicy(); @@ -948,6 +961,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -962,17 +977,17 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200))); + assertThat(tokenRes.getStatusCode(), is(equalTo(200))); IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken()); - Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username))); + assertThat(idToken.getPreferredUsername(), is(equalTo(username))); AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken()); // duplicate user Token Request tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); } finally { revertCIBASettings(clientResource, clientRep); @@ -988,6 +1003,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -1002,8 +1019,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); } finally { revertCIBASettings(clientResource, clientRep); @@ -1046,6 +1063,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings with ciba grant deactivated clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); Map attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>()); attributes.put(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT, "poll"); @@ -1060,12 +1079,14 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, "gilwekDe3", "acr2"); - Assert.assertThat(response.getStatusCode(), is(equalTo(400))); - Assert.assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT)); - Assert.assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant")); + assertThat(response.getStatusCode(), is(equalTo(400))); + assertThat(response.getError(), is(OAuthErrorException.INVALID_GRANT)); + assertThat(response.getErrorDescription(), is("Client not allowed OIDC CIBA Grant")); // activate ciba grant clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); attributes = clientRep.getAttributes(); attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.TRUE.toString()); @@ -1087,6 +1108,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // deactivate ciba grant clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); attributes = clientRep.getAttributes(); attributes.put(CibaConfig.OIDC_CIBA_GRANT_ENABLED, Boolean.FALSE.toString()); @@ -1099,9 +1122,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(SECOND_TEST_CLIENT_NAME, SECOND_TEST_CLIENT_SECRET, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); - Assert.assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant")); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(OAuthErrorException.INVALID_GRANT)); + assertThat(tokenRes.getErrorDescription(), is("Client not allowed OIDC CIBA Grant")); } finally { revertCIBASettings(clientResource, clientRep); } @@ -1113,7 +1136,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { }); OIDCClientRepresentation rep = getClientDynamically(clientId); - Assert.assertTrue(!rep.getGrantTypes().contains(OAuth2Constants.CIBA_GRANT_TYPE)); + Assert.assertFalse(rep.getGrantTypes().contains(OAuth2Constants.CIBA_GRANT_TYPE)); Assert.assertNull(rep.getBackchannelAuthenticationRequestSigningAlg()); updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> { @@ -1344,6 +1367,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); @@ -1358,8 +1383,8 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Token Request OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(TEST_CLIENT_PASSWORD, response.getAuthReqId()); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(statusTokenEndpont.getStatusCode()))); - Assert.assertThat(tokenRes.getError(), is(error)); + assertThat(tokenRes.getStatusCode(), is(equalTo(statusTokenEndpont.getStatusCode()))); + assertThat(tokenRes.getError(), is(error)); } finally { revertCIBASettings(clientResource, clientRep); @@ -1411,7 +1436,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { private AuthenticationRequestAcknowledgement doBackchannelAuthenticationRequest(String clientId, String clientSecret, String username, String bindingMessage) throws Exception { AuthenticationRequestAcknowledgement response = oauth.doBackchannelAuthenticationRequest(clientId, clientSecret, username, bindingMessage, null); - Assert.assertThat(response.getStatusCode(), is(equalTo(200))); + assertThat(response.getStatusCode(), is(equalTo(200))); Assert.assertNotNull(response.getAuthReqId()); return response; } @@ -1425,7 +1450,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { private EventRepresentation doAuthenticationChannelCallback(TestAuthenticationChannelRequest request) throws Exception { int statusCode = oauth.doAuthenticationChannelCallback(request.getBearerToken(), SUCCEED); - Assert.assertThat(statusCode, is(equalTo(200))); + assertThat(statusCode, is(equalTo(200))); // check login event : ignore user id and other details except for username EventRepresentation representation = new EventRepresentation(); @@ -1436,7 +1461,7 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { private EventRepresentation doAuthenticationChannelCallbackError(Status status, String clientId, TestAuthenticationChannelRequest authenticationChannelReq, AuthenticationChannelResponse.Status authStatus, String username, String error) throws Exception { int statusCode = oauth.doAuthenticationChannelCallback(authenticationChannelReq.getBearerToken(), authStatus); - Assert.assertThat(statusCode, is(equalTo(status.getStatusCode()))); + assertThat(statusCode, is(equalTo(status.getStatusCode()))); return events.expect(EventType.LOGIN_ERROR).clearDetails().client(clientId).error(error).user((String)null).session(CoreMatchers.nullValue(String.class)).assertEvent(); } @@ -1446,20 +1471,20 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { private OAuthClient.AccessTokenResponse doBackchannelAuthenticationTokenRequest(String clientId, String clientSecret, String username, String authReqId) throws Exception { OAuthClient.AccessTokenResponse tokenRes = oauth.doBackchannelAuthenticationTokenRequest(clientId, clientSecret, authReqId); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200))); + assertThat(tokenRes.getStatusCode(), is(equalTo(200))); EventRepresentation event = events.expectAuthReqIdToToken(null, null).clearDetails().user(AssertEvents.isUUID()).client(clientId).assertEvent(); AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken()); - Assert.assertThat(accessToken.getIssuedFor(), is(equalTo(clientId))); + assertThat(accessToken.getIssuedFor(), is(equalTo(clientId))); RefreshToken refreshToken = oauth.parseRefreshToken(tokenRes.getRefreshToken()); - Assert.assertThat(refreshToken.getIssuedFor(), is(equalTo(clientId))); - Assert.assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer()))); + assertThat(refreshToken.getIssuedFor(), is(equalTo(clientId))); + assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer()))); IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken()); - Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username))); - Assert.assertThat(idToken.getIssuedFor(), is(equalTo(clientId))); - Assert.assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor()))); + assertThat(idToken.getPreferredUsername(), is(equalTo(username))); + assertThat(idToken.getIssuedFor(), is(equalTo(clientId))); + assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor()))); return tokenRes; } @@ -1468,92 +1493,105 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { String tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getAccessToken()); ObjectMapper objectMapper = new ObjectMapper(); JsonNode jsonNode = objectMapper.readTree(tokenResponse); - Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - Assert.assertThat(jsonNode.get("username").asText(), is(equalTo(username))); - Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); + assertThat(jsonNode.get("username").asText(), is(equalTo(username))); + assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); - Assert.assertThat(rep.isActive(), is(equalTo(true))); - Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent(); + assertThat(rep.isActive(), is(equalTo(true))); + assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent(); tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getRefreshToken()); jsonNode = objectMapper.readTree(tokenResponse); - Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); + assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); - Assert.assertThat(rep.isActive(), is(equalTo(true))); - Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuer()))); - events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent(); + assertThat(rep.isActive(), is(equalTo(true))); + assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuer()))); + events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent(); tokenResponse = oauth.introspectAccessTokenWithClientCredential(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, tokenRes.getIdToken()); jsonNode = objectMapper.readTree(tokenResponse); - Assert.assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - Assert.assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); + assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); - Assert.assertThat(rep.isActive(), is(equalTo(true))); - Assert.assertThat(rep.getUserName(), is(equalTo(username))); - Assert.assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(rep.getPreferredUsername(), is(equalTo(username))); - Assert.assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuedFor()))); - events.expect(EventType.INTROSPECT_TOKEN).user((String)null).clearDetails().assertEvent(); + assertThat(rep.isActive(), is(equalTo(true))); + assertThat(rep.getUserName(), is(equalTo(username))); + assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(rep.getPreferredUsername(), is(equalTo(username))); + assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuedFor()))); + events.expect(EventType.INTROSPECT_TOKEN).user((String) null).clearDetails().assertEvent(); return tokenResponse; } private OAuthClient.AccessTokenResponse doRefreshTokenRequest(String oldRefreshToken, String username, String sessionId, boolean isOfflineAccess) { OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(oldRefreshToken, TEST_CLIENT_PASSWORD); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(200))); + assertThat(tokenRes.getStatusCode(), is(equalTo(200))); AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken()); - Assert.assertThat(accessToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(accessToken.getExp().longValue(), is(equalTo(accessToken.getIat().longValue() + tokenRes.getExpiresIn()))); + assertThat(accessToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + checkTokenExpiration(accessToken, tokenRes.getExpiresIn()); RefreshToken refreshToken = oauth.parseRefreshToken(tokenRes.getRefreshToken()); - Assert.assertThat(refreshToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer()))); - if(!isOfflineAccess) Assert.assertThat(refreshToken.getExp().longValue(), is(equalTo(refreshToken.getIat().longValue() + tokenRes.getRefreshExpiresIn()))); + assertThat(refreshToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(refreshToken.getAudience()[0], is(equalTo(refreshToken.getIssuer()))); + if (!isOfflineAccess) checkTokenExpiration(refreshToken, tokenRes.getRefreshExpiresIn()); IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken()); - Assert.assertThat(idToken.getPreferredUsername(), is(equalTo(username))); - Assert.assertThat(idToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); - Assert.assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor()))); - Assert.assertThat(idToken.getExp().longValue(), is(equalTo(idToken.getIat().longValue() + tokenRes.getExpiresIn()))); + assertThat(idToken.getPreferredUsername(), is(equalTo(username))); + assertThat(idToken.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); + assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor()))); + checkTokenExpiration(idToken, tokenRes.getExpiresIn()); events.expectRefresh(tokenRes.getRefreshToken(), sessionId).session(CoreMatchers.notNullValue(String.class)).user(AssertEvents.isUUID()).clearDetails().assertEvent(); return tokenRes; } - private EventRepresentation doLogoutByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException{ + // KEYCLOAK-18391 + private void checkTokenExpiration(JsonWebToken token, long expiresIn) { + assertThat(token, notNullValue()); + + final Long tokenExp = token.getExp(); + final Long tokenIat = token.getIat(); + + assertThat(tokenExp, notNullValue()); + assertThat(tokenIat, notNullValue()); + + assertExpiration(tokenExp, tokenIat + expiresIn); + } + + private EventRepresentation doLogoutByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException { try (CloseableHttpResponse res = oauth.doLogout(refreshToken, TEST_CLIENT_PASSWORD)) { assertThat(res, Matchers.statusCodeIsHC(Status.NO_CONTENT)); } // confirm logged out OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(refreshToken, TEST_CLIENT_PASSWORD); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); - if (isOfflineAccess) Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found"))); - else Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active"))); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); + if (isOfflineAccess) assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found"))); + else assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active"))); return events.expectLogout(sessionId).client(TEST_CLIENT_NAME).user(AssertEvents.isUUID()).session(AssertEvents.isUUID()).clearDetails().assertEvent(); } - private EventRepresentation doTokenRevokeByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException{ + private EventRepresentation doTokenRevokeByRefreshToken(String refreshToken, String sessionId, String userId, boolean isOfflineAccess) throws IOException { try (CloseableHttpResponse res = oauth.doTokenRevoke(refreshToken, "refresh_token", TEST_CLIENT_PASSWORD)) { assertThat(res, Matchers.statusCodeIsHC(Status.OK)); } // confirm revocation OAuthClient.AccessTokenResponse tokenRes = oauth.doRefreshTokenRequest(refreshToken, TEST_CLIENT_PASSWORD); - Assert.assertThat(tokenRes.getStatusCode(), is(equalTo(400))); - Assert.assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); - if (isOfflineAccess) Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found"))); - else Assert.assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active"))); + assertThat(tokenRes.getStatusCode(), is(equalTo(400))); + assertThat(tokenRes.getError(), is(equalTo(OAuthErrorException.INVALID_GRANT))); + if (isOfflineAccess) assertThat(tokenRes.getErrorDescription(), is(equalTo("Offline user session not found"))); + else assertThat(tokenRes.getErrorDescription(), is(equalTo("Session not active"))); return events.expect(EventType.REVOKE_GRANT).clearDetails().client(TEST_CLIENT_NAME).user(AssertEvents.isUUID()).assertEvent(); } @@ -1567,9 +1605,11 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // prepare CIBA settings clientResource = ApiUtil.findClientByClientId(adminClient.realm(TEST_REALM_NAME), TEST_CLIENT_NAME); + assertThat(clientResource, notNullValue()); + clientRep = clientResource.toRepresentation(); prepareCIBASettings(clientResource, clientRep); - if(isOfflineAccess) oauth.scope(OAuth2Constants.OFFLINE_ACCESS); + if (isOfflineAccess) oauth.scope(OAuth2Constants.OFFLINE_ACCESS); // user Backchannel Authentication Request AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage); @@ -1577,9 +1617,9 @@ public class CIBATest extends AbstractTestRealmKeycloakTest { // user Authentication Channel Request TestAuthenticationChannelRequest testRequest = doAuthenticationChannelRequest(bindingMessage); AuthenticationChannelRequest authenticationChannelReq = testRequest.getRequest(); - Assert.assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage))); - if (isOfflineAccess) Assert.assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); - Assert.assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID))); + assertThat(authenticationChannelReq.getBindingMessage(), is(equalTo(bindingMessage))); + if (isOfflineAccess) assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.OFFLINE_ACCESS))); + assertThat(authenticationChannelReq.getScope(), is(containsString(OAuth2Constants.SCOPE_OPENID))); // user Authentication Channel completed EventRepresentation loginEvent = doAuthenticationChannelCallback(testRequest);