From 021c2ec7018dd35c2eea6acf17e918384bd5c0c9 Mon Sep 17 00:00:00 2001
From: mposolda
Date: Fri, 15 Jul 2016 09:14:56 +0200
Subject: [PATCH 1/3] KEYCLOAK-3220 Added test for missing response_type

---
 .../testsuite/oauth/AuthorizationCodeTest.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
index 5eddf14aa1..ece81d876e 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
@@ -158,6 +158,19 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
 events.expectLogin().error(Errors.NOT_ALLOWED).user((String) null).session((String) null).clearDetails().detail(Details.RESPONSE_TYPE, "token id_token").assertEvent();
 }
 
+ @Test
+ public void authorizationRequestMissingResponseType() throws IOException {
+ oauth.responseType(null);
+ UriBuilder b = UriBuilder.fromUri(oauth.getLoginFormUrl());
+ driver.navigate().to(b.build().toURL());
+
+ OAuthClient.AuthorizationCodeResponse errorResponse = new OAuthClient.AuthorizationCodeResponse(oauth);
+ Assert.assertTrue(errorResponse.isRedirected());
+ Assert.assertEquals(errorResponse.getError(), OAuthErrorException.INVALID_REQUEST);
+
+ events.expectLogin().error(Errors.INVALID_REQUEST).user((String) null).session((String) null).clearDetails().assertEvent();
+ }
+
 @Test
 public void authorizationRequestInvalidResponseType() throws IOException {
 oauth.responseType("tokenn");
From fda0a79e27927bfe4eca4da44dd1ac4050c3d317 Mon Sep 17 00:00:00 2001
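Review bot: `Assert.assertEquals(errorResponse.getError(), OAuthErrorException.INVALID_REQUEST);` in the new authorizationRequestMissingResponseType passes the actual value in the expected slot; JUnit-style assertEquals is (expected, actual), so a failing run would report the two values swapped. Change it to `Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, errorResponse.getError());`. The test only pins that an error redirect happened; if AuthorizationCodeResponse exposes the redirect target, asserting it equals the client's registered redirect_uri would also confirm that an invalid_request for a malformed authorization request is delivered solely to a pre-registered URI. `oauth.responseType(null)` mutates the shared OAuthClient, and the class setup is outside the hunk, so confirm a per-test reset restores the default response_type rather than relying on the next test setting "tokenn" explicitly.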
From: mposolda
Date: Fri, 15 Jul 2016 09:47:09 +0200
Subject: [PATCH 2/3] KEYCLOAK-3237 Add scopes_supported to OIDC WellKnown endpoint

---
 .../keycloak/protocol/oidc/OIDCWellKnownProvider.java | 5 +++++
 .../OIDCConfigurationRepresentation.java | 11 +++++++++++
 .../testsuite/oidc/OIDCWellKnownProviderTest.java | 3 +++
 3 files changed, 19 insertions(+)

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
index daff056113..ddb415118f 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
@@ -61,6 +61,9 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
 public static final List DEFAULT_CLAIM_TYPES_SUPPORTED= list("normal");
 
+ // TODO: Add more of OIDC scopes
+ public static final List SCOPES_SUPPORTED= list(OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS);
+
 private KeycloakSession session;
 
 public OIDCWellKnownProvider(KeycloakSession session) {
@@ -97,6 +100,8 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
 config.setClaimTypesSupported(DEFAULT_CLAIM_TYPES_SUPPORTED);
 config.setClaimsParameterSupported(false);
 
+ config.setScopesSupported(SCOPES_SUPPORTED);
+
 return config;
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/representations/OIDCConfigurationRepresentation.java b/services/src/main/java/org/keycloak/protocol/oidc/representations/OIDCConfigurationRepresentation.java
index bae3b52280..7f558b1217 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/representations/OIDCConfigurationRepresentation.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/representations/OIDCConfigurationRepresentation.java
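Review bot: `public static final List SCOPES_SUPPORTED= list(OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS);` publishes a raw and, if the `list(...)` helper (outside the hunk) returns a plain mutable list, writable collection that every discovery document is built from, so any code holding the reference could change what the server advertises in `scopes_supported` to all clients. Wrapping it, e.g. `public static final List<String> SCOPES_SUPPORTED = Collections.unmodifiableList(list(OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS));`, makes the constant read-only and typed (java.util.Collections may need importing; the file's imports are not in the hunk). The raw `List` mirrors `DEFAULT_CLAIM_TYPES_SUPPORTED` in the context line, but the new `scopesSupported` field, getter and setter in the OIDCConfigurationRepresentation hunks would likewise be clearer as `List<String>`, since the serialized value is a list of scope names. A one-line Javadoc on the constant stating that this is the set advertised in the discovery document, not the set a client may request, would also help; the TODO as written does not say which scopes are deliberately omitted.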
@@ -85,6 +85,9 @@ public class OIDCConfigurationRepresentation {
 @JsonProperty("claims_parameter_supported")
 private Boolean claimsParameterSupported;
 
+ @JsonProperty("scopes_supported")
+ private List scopesSupported;
+
 protected Map otherClaims = new HashMap();
 
 public String getIssuer() {
@@ -231,6 +234,14 @@ public class OIDCConfigurationRepresentation {
 this.claimsParameterSupported = claimsParameterSupported;
 }
 
+ public List getScopesSupported() {
+ return scopesSupported;
+ }
+
+ public void setScopesSupported(List scopesSupported) {
+ this.scopesSupported = scopesSupported;
+ }
+
 @JsonAnyGetter
 public Map getOtherClaims() {
 return otherClaims;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
index c8ced0fd2c..24188fc2f2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
@@ -95,6 +95,9 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
 assertContains(oidcConfig.getClaimsSupported(), IDToken.NAME, IDToken.EMAIL, IDToken.PREFERRED_USERNAME, IDToken.FAMILY_NAME);
 Assert.assertNames(oidcConfig.getClaimTypesSupported(), "normal");
 Assert.assertFalse(oidcConfig.getClaimsParameterSupported());
+
+ // Scopes supported
+ Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS);
 } finally {
 client.close();
 }
From 243105f952ef5d0dcc54bd4a9d85179b5358988a Mon Sep 17 00:00:00 2001
From: mposolda
Date: Fri, 15 Jul 2016 12:51:35 +0200
Subject: [PATCH 3/3] KEYCLOAK-3175 Document run of OIDC Conformance test

---
 misc/OIDCConformanceTestsuite.md | 99 ++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 misc/OIDCConformanceTestsuite.md

diff --git a/misc/OIDCConformanceTestsuite.md b/misc/OIDCConformanceTestsuite.md
new file mode 100644
index 0000000000..9e4650adca
--- /dev/null
+++ b/misc/OIDCConformanceTestsuite.md
@@ -0,0 +1,99 @@
+Executing OIDC Conformance Testsuite
+====================================
+
+Run Keycloak on Openshift
+-------------------------
+First step is to run Keycloak server in the environment, where it is available online, so the OIDC conformance testsuite can connect to it.
+
+1) Take a look at https://github.com/keycloak/openshift-keycloak-cartridge for how to run Keycloak on Openshift. Follow the instructions until you have
+openshift instance with Keycloak 2.0.0.CR1 available on some URL like https://keycloak-mposolda.rhcloud.com/auth .
+
+2) Admin user needs to be manually created on command line on Openshift cartridge. Then cartridge needs to be restarted. See Keycloak docs for details.
+
+3) Login to Keycloak admin console. Create confidential client `openidd` with redirect_uri `https://op.certification.openid.net:60720/authz_cb` .
+This points to the testing client deployed by OIDC conformance testsuite. You will need to change the port later based on where your OIDC conformance testing app will be running.
+
+4) Create some user with basic claims filled (email, first name, last name).
+
+Run conformance testsuite
+-------------------------
+
+Full instructions on http://openid.net/certification/testing/ .
+
+So what I did was:
+
+1) Go to https://op.certification.openid.net:60000/
+
+
+2) Fill issuer `https://keycloak-mposolda.rhcloud.com/auth/realms/master`
+
+
+3) Configured the testing instance like this (second line are my answers):
+
+Q: Does the OP have a .well-known/openid-configuration endpoint?
+A: Yes
+
+Q: Do the provider support dynamic client registration?
+A: No (just for easier start)
+
+Q: redirect_uris
+Non-editable value: https://op.certification.openid.net:60720/authz_cb
+Copy/paste that and use it as valid redirect_uri in Keycloak admin console for your Openshift client (See above paragraph `Run Keycloak on Openshift` )
+
+Q: client_id:
+A: openidd
+
+Q: client_secret:
+A: 98d90dd1-9d2e-43ad-a46b-1daeec3f5133 (copy/paste from your client in KC admin console)
+
+Q: Which subject type do you want to use by default?
+A: Public
+
+Q: Which response type should be used by default?
+A: Code (this is just for OIDC Basic profile)
+
+Q: Select supported features:
+A: JWT signed with algorithm other than "none"
+
+Q: Test specific request parameters:
+Nothing filled
+
+
+4) After setup, you will be redirected to the testing application. Something like `https://op.certification.openid.net:60720/` and can run individual tests.
+Some tests require some manual actions (eg. delete cookies). The conformance testsuite should guide you.
+
+
+Update the openshift cartridge with latest Keycloak
+---------------------------------------------------
+
+Once some issue is fixed on Keycloak side, you may want to doublecheck if test on OIDC conformance side is passing. Hence you may want to test with JARs from latest
+Keycloak master instead of the "official release" Keycloak JARs from cartridge.
+
+Openshift allows to connect with SSH and restart the cartridge. So you may use something like this on your laptop (example with the fix in module keycloak-services ).
+
+On your laptop
+````bash
+cd $KEYCLOAK_SOURCES
+cd services
+mvn clean install
+scp target/keycloak-services-2.1.0-SNAPSHOT.jar 51122e382d5271c5ca0000bc@keycloak-mposolda.rhcloud.com:/tmp/
+ssh 51122e382d5271c5ca0000bc@keycloak-mposolda.rhcloud.com
+````
+
+Then on the machine:
+
+1) update the version in `/var/lib/openshift/51122e382d5271c5ca0000bc/wildfly/modules/system/add-ons/keycloak/org/keycloak/keycloak-server-spi/main/modules.xml`
+
+2) Replace JAR and restart server:
+
+````bash
+cp /tmp/keycloak-server-spi-2.1.0-SNAPSHOT.jar /var/lib/openshift/51122e382d5271c5ca0000bc/wildfly/modules/system/add-ons/keycloak/org/keycloak/keycloak-server-spi/main/
+ps aux | grep java
+kill -9
+cd /var/lib/openshift/51122e382d5271c5ca0000bc/wildfly/bin
+./standalone.sh -b 127.3.168.129 -bmanagement=127.3.168.129 -Dh2.bindAddress=127.3.168.129
+````
+
+Wait for the server to start. Then rerun the OIDC test with the updated cartridge.
+
+Another possibility is to test with pure Wildfly Openshift cartridge and always install the latest keycloak-overlay to it.