libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-1108 Remove option for enable/disable login per application

Browse source
This commit is contained in:
mposolda 2015-03-17 22:16:19 +01:00
parent 48adefdbea
commit aeb27ff047
15 changed files with 155 additions and 243 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
docbook/reference/en/en-US/modules/identity-broker.xml
View file

@ -954,23 +954,9 @@ Authorization: Bearer {keycloak_access_token}]]></programlisting>
In this case, given that you are accessing an protected service in Keycloak, you need to send the access token
issued by Keycloak during the user authentication.
</para>
<note>
<para>
If your application is not at the same origin as the authentication server, make sure you have properly configured CORS.
</para>
</note>
</section>
<section>
<title>Configuring Identity Providers for Applications</title>
<para>
By default, all identity providers enabled for a particular realm are also available to all its applications.
However, you can also specify which identity providers should be available when
authenticating users for a particular application.
</para>
<para>
For that, please follow these steps:
</para>
By default, the Keycloak access token issued for the application can't be automatically used for retrieve thirdparty token. You will
need to enable this in admin console first:
<orderedlist>
<listitem>
<para>
@ -989,14 +975,17 @@ Authorization: Bearer {keycloak_access_token}]]></programlisting>
</listitem>
<listitem>
<para>
Now you should be able to enable or disabled identity providers to the application by clicking on the Enable/Disable button.
From this page you can configure if an application is allowed to retrieve tokens from an specific identity provider. For that,
just click on the <emphasis>Can Retrieve Token</emphasis> button.
</para>
</listitem>
</orderedlist>
<para>
From this page you can also configure if an application is allowed to retrieve tokens from an specific identity provider. For that,
just click on the <emphasis>Can Retrieve Token</emphasis> button.
</para>
<note>
<para>
If your application is not at the same origin as the authentication server, make sure you have properly configured CORS.
</para>
</note>
</section>
<section>

54
forms/common-themes/src/main/resources/theme/admin/base/resources/js/controllers/applications.js
View file

@ -56,35 +56,34 @@ module.controller('ApplicationIdentityProviderCtrl', function($scope, $location,
if ($scope.application.identityProviders) {
length = $scope.application.identityProviders.length;
} else {
$scope.application.identityProviders = new Array(realm.identityProviders.length);
for (i = 0; i < $scope.application.identityProviders.length; i++) {
var applicationProvider = $scope.application.identityProviders[i];
if (applicationProvider.retrieveToken) {
applicationProvider.retrieveToken = applicationProvider.retrieveToken.toString();
}
}
for (j = length; j < realm.identityProviders.length; j++) {
$scope.application.identityProviders[j] = {};
} else {
$scope.application.identityProviders = [];
}
$scope.identityProviders = [];
var providersMissingInApp = [];
for (j = 0; j < realm.identityProviders.length; j++) {
var identityProvider = realm.identityProviders[j];
var match = false;
var applicationProvider;
var applicationProvider = null;
for (i = 0; i < $scope.application.identityProviders.length; i++) {
applicationProvider = $scope.application.identityProviders[i];
if (applicationProvider) {
if (applicationProvider.retrieveToken) {
applicationProvider.retrieveToken = applicationProvider.retrieveToken.toString();
} else {
applicationProvider.retrieveToken = false.toString();
}
if (applicationProvider.id == identityProvider.id) {
$scope.identityProviders[i] = {};
$scope.identityProviders[i].identityProvider = identityProvider;
$scope.identityProviders[i].retrieveToken = applicationProvider.retrieveToken.toString();
$scope.identityProviders[i].retrieveToken = applicationProvider.retrieveToken;
break;
}
@ -93,30 +92,27 @@ module.controller('ApplicationIdentityProviderCtrl', function($scope, $location,
}
if (applicationProvider == null) {
var length = $scope.identityProviders.length + $scope.application.identityProviders.length;
$scope.identityProviders[length] = {};
$scope.identityProviders[length].identityProvider = identityProvider;
$scope.identityProviders[length].retrieveToken = false.toString();
providersMissingInApp.push(identityProvider);
}
}
$scope.identityProviders = $scope.identityProviders.filter(function(n){ return n != undefined });
for (j = 0; j < providersMissingInApp.length; j++) {
var identityProvider = providersMissingInApp[j];
var currentProvider = {};
currentProvider.identityProvider = identityProvider;
currentProvider.retrieveToken = "false";
$scope.identityProviders.push(currentProvider);
var currentAppProvider = {};
currentAppProvider.id = identityProvider.id;
currentAppProvider.retrieveToken = "false";
$scope.application.identityProviders.push(currentAppProvider);
}
var oldCopy = angular.copy($scope.application);
$scope.save = function() {
var selectedProviders = [];
for (i = 0; i < $scope.application.identityProviders.length; i++) {
var appProvider = $scope.application.identityProviders[i];
if (appProvider.id != null && appProvider.id != false) {
selectedProviders[selectedProviders.length] = appProvider;
}
}
$scope.application.identityProviders = selectedProviders;
Application.update({
realm : realm.realm,

4
forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-identity-provider.html
View file

@ -11,10 +11,6 @@
<form class="form-horizontal" name="identityProviderForm" novalidate>
<div class="form-group" ng-repeat="identityProvider in identityProviders">
<legend><span class="text">{{identityProvider.identityProvider.name}}</span></legend>
<label class="col-sm-2 control-label" for="{{identityProvider.identityProvider.id}}">Enable&nbsp;<span tooltip-placement="right" tooltip="If disabled, users can not login to the application using this identity provider." class="fa fa-info-circle"></span></label>
<div class="col-sm-4">
<input ng-model="application.identityProviders[$index].id" name="identityProvider.identityProvider.id" id="identityProvider.identityProvider.id" value="identityProvider.identityProvider.id" onoffswitchmodel />
</div>
<div data-ng-show="application.identityProviders[$index].id">
<label class="col-sm-2 control-label" for="{{identityProvider.identityProvider.id}}retrieveToken">Can Retrieve Token&nbsp;<span tooltip-placement="right" tooltip="If disabled, the application can not retrieve tokens from the identity provider." class="fa fa-info-circle"></span></label>
<div class="col-sm-4">

18
forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/model/IdentityProviderBean.java
View file

@ -53,24 +53,6 @@ public class IdentityProviderBean {
for (IdentityProviderModel identityProvider : identityProviders) {
if (identityProvider.isEnabled()) {
String clientId = uriInfo.getQueryParameters().getFirst(OAuth2Constants.CLIENT_ID);
if (clientId != null) {
ClientModel clientModel = realm.findClient(clientId);
if (clientModel != null && !clientModel.hasIdentityProvider(identityProvider.getId())) {
if (ApplicationModel.class.isInstance(clientModel)) {
ApplicationModel applicationModel = (ApplicationModel) clientModel;
if (applicationModel.getName().equals(Constants.ACCOUNT_MANAGEMENT_APP)) {
addIdentityProvider(realm, baseURI, identityProvider);
}
}
continue;
}
}
addIdentityProvider(realm, baseURI, identityProvider);
}
}

3
model/api/src/main/java/org/keycloak/models/ClientModel.java
View file

@ -98,9 +98,8 @@ public interface ClientModel {
void setNotBefore(int notBefore);
void updateAllowedIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders);
void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders);
List<ClientIdentityProviderMappingModel> getIdentityProviders();
boolean hasIdentityProvider(String providerId);
boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId);
Set<ProtocolMapperModel> getProtocolMappers();

34
model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
View file

@ -489,7 +489,7 @@ public class RepresentationToModel {
}
}
applicationModel.updateAllowedIdentityProviders(toModel(resourceRep.getIdentityProviders(), realm));
applicationModel.updateIdentityProviders(toModel(resourceRep.getIdentityProviders(), realm));
return applicationModel;
}
@ -538,7 +538,7 @@ public class RepresentationToModel {
}
}
updateClientIdentityProvides(rep.getIdentityProviders(), resource);
updateClientIdentityProviders(rep.getIdentityProviders(), resource);
}
public static void setClaims(ClientModel model, ClaimRepresentation rep) {
@ -613,7 +613,7 @@ public class RepresentationToModel {
public static OAuthClientModel createOAuthClient(OAuthClientRepresentation rep, RealmModel realm) {
OAuthClientModel model = createOAuthClient(rep.getId(), rep.getName(), realm);
model.updateAllowedIdentityProviders(toModel(rep.getIdentityProviders(), realm));
model.updateIdentityProviders(toModel(rep.getIdentityProviders(), realm));
updateOAuthClient(rep, model);
return model;
@ -653,7 +653,7 @@ public class RepresentationToModel {
}
}
updateClientIdentityProvides(rep.getIdentityProviders(), model);
updateClientIdentityProviders(rep.getIdentityProviders(), model);
if (rep.getProtocolMappers() != null) {
// first, remove all default/built in mappers
@ -818,35 +818,25 @@ public class RepresentationToModel {
}
private static List<ClientIdentityProviderMappingModel> toModel(List<ClientIdentityProviderMappingRepresentation> repIdentityProviders, RealmModel realm) {
List<ClientIdentityProviderMappingModel> allowedIdentityProviders = new ArrayList<ClientIdentityProviderMappingModel>();
List<ClientIdentityProviderMappingModel> result = new ArrayList<ClientIdentityProviderMappingModel>();
if (repIdentityProviders == null || repIdentityProviders.isEmpty()) {
allowedIdentityProviders = new ArrayList<ClientIdentityProviderMappingModel>();
for (IdentityProviderModel identityProvider : realm.getIdentityProviders()) {
ClientIdentityProviderMappingModel identityProviderMapping = new ClientIdentityProviderMappingModel();
identityProviderMapping.setIdentityProvider(identityProvider.getId());
allowedIdentityProviders.add(identityProviderMapping);
}
} else {
if (repIdentityProviders != null) {
for (ClientIdentityProviderMappingRepresentation rep : repIdentityProviders) {
ClientIdentityProviderMappingModel identityProviderMapping = new ClientIdentityProviderMappingModel();
identityProviderMapping.setIdentityProvider(rep.getId());
identityProviderMapping.setRetrieveToken(rep.isRetrieveToken());
allowedIdentityProviders.add(identityProviderMapping);
result.add(identityProviderMapping);
}
}
return allowedIdentityProviders;
return result;
}
private static void updateClientIdentityProvides(List<ClientIdentityProviderMappingRepresentation> identityProviders, ClientModel resource) {
private static void updateClientIdentityProviders(List<ClientIdentityProviderMappingRepresentation> identityProviders, ClientModel resource) {
if (identityProviders != null) {
List<ClientIdentityProviderMappingModel> allowedIdentityProviders = new ArrayList<ClientIdentityProviderMappingModel>();
List<ClientIdentityProviderMappingModel> result = new ArrayList<ClientIdentityProviderMappingModel>();
for (ClientIdentityProviderMappingRepresentation mappingRepresentation : identityProviders) {
ClientIdentityProviderMappingModel identityProviderMapping = new ClientIdentityProviderMappingModel();
@ -854,10 +844,10 @@ public class RepresentationToModel {
identityProviderMapping.setIdentityProvider(mappingRepresentation.getId());
identityProviderMapping.setRetrieveToken(mappingRepresentation.isRetrieveToken());
allowedIdentityProviders.add(identityProviderMapping);
result.add(identityProviderMapping);
}
resource.updateAllowedIdentityProviders(allowedIdentityProviders);
resource.updateIdentityProviders(result);
}
}
}

15
model/file/src/main/java/org/keycloak/models/file/adapter/ClientAdapter.java
View file

@ -386,7 +386,7 @@ public abstract class ClientAdapter implements ClientModel {
}
@Override
public void updateAllowedIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
public void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
List<ClientIdentityProviderMappingEntity> stored = new ArrayList<ClientIdentityProviderMappingEntity>();
for (ClientIdentityProviderMappingModel model : identityProviders) {
@ -416,19 +416,6 @@ public abstract class ClientAdapter implements ClientModel {
return models;
}
@Override
public boolean hasIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingEntity identityProviderMappingModel : clientEntity.getIdentityProviders()) {
String identityProvider = identityProviderMappingModel.getId();
if (identityProvider.equals(providerId)) {
return true;
}
}
return false;
}
@Override
public boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingEntity identityProviderMappingModel : clientEntity.getIdentityProviders()) {

10
model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/ClientAdapter.java vendored
View file

@ -264,9 +264,9 @@ public abstract class ClientAdapter implements ClientModel {
}
@Override
public void updateAllowedIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
public void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
getDelegateForUpdate();
updatedClient.updateAllowedIdentityProviders(identityProviders);
updatedClient.updateIdentityProviders(identityProviders);
}
@Override
@ -275,12 +275,6 @@ public abstract class ClientAdapter implements ClientModel {
return cachedClient.getIdentityProviders();
}
@Override
public boolean hasIdentityProvider(String providerId) {
if (updatedClient != null) return updatedClient.hasIdentityProvider(providerId);
return cachedClient.hasIdentityProvider(providerId);
}
@Override
public boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId) {
if (updatedClient != null) return updatedClient.isAllowedRetrieveTokenFromIdentityProvider(providerId);

13
model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
View file

@ -307,7 +307,7 @@ public abstract class ClientAdapter implements ClientModel {
}
@Override
public void updateAllowedIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
public void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
Collection<ClientIdentityProviderMappingEntity> entities = entity.getIdentityProviders();
Set<String> already = new HashSet<String>();
List<ClientIdentityProviderMappingEntity> remove = new ArrayList<ClientIdentityProviderMappingEntity>();
@ -377,17 +377,6 @@ public abstract class ClientAdapter implements ClientModel {
return models;
}
@Override
public boolean hasIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingModel model : getIdentityProviders()) {
if (model.getIdentityProvider().equals(providerId)) {
return true;
}
}
return false;
}
@Override
public boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingModel model : getIdentityProviders()) {

15
model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java
View file

@ -411,7 +411,7 @@ public abstract class ClientAdapter<T extends MongoIdentifiableEntity> extends A
@Override
public void updateAllowedIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
public void updateIdentityProviders(List<ClientIdentityProviderMappingModel> identityProviders) {
List<ClientIdentityProviderMappingEntity> stored = new ArrayList<ClientIdentityProviderMappingEntity>();
for (ClientIdentityProviderMappingModel model : identityProviders) {
@ -442,19 +442,6 @@ public abstract class ClientAdapter<T extends MongoIdentifiableEntity> extends A
return models;
}
@Override
public boolean hasIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingEntity identityProviderMappingModel : getMongoEntityAsClient().getIdentityProviders()) {
String identityProvider = identityProviderMappingModel.getId();
if (identityProvider.equals(providerId)) {
return true;
}
}
return false;
}
@Override
public boolean isAllowedRetrieveTokenFromIdentityProvider(String providerId) {
for (ClientIdentityProviderMappingEntity identityProviderMappingModel : getMongoEntityAsClient().getIdentityProviders()) {

25
services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
View file

@ -182,10 +182,6 @@ public class IdentityBrokerService {
return badRequest("Invalid client.");
}
if (!clientModel.hasIdentityProvider(providerId)) {
return corsResponse(badRequest("Client [" + audience + "] not authorized."), clientModel);
}
if (!clientModel.isAllowedRetrieveTokenFromIdentityProvider(providerId)) {
return corsResponse(badRequest("Client [" + audience + "] not authorized to retrieve tokens from identity provider [" + providerId + "]."), clientModel);
}
@ -399,16 +395,16 @@ public class IdentityBrokerService {
if (clientSession != null) {
ClientModel client = clientSession.getClient();
if (client != null) {
if (client == null) {
throw new IdentityBrokerException("Invalid client");
}
LOGGER.debugf("Got authorization code from client [%s].", client.getClientId());
this.event.client(client);
}
if (clientSession.getUserSession() != null) {
this.event.session(clientSession.getUserSession());
}
} else {
validateClientPermissions(clientCode, providerId);
}
if (isDebugEnabled()) {
@ -509,19 +505,6 @@ public class IdentityBrokerService {
throw new IdentityBrokerException("Configuration for identity provider [" + providerId + "] not found.");
}
private void validateClientPermissions(ClientSessionCode clientSessionCode, String providerId) {
ClientSessionModel clientSession = clientSessionCode.getClientSession();
ClientModel clientModel = clientSession.getClient();
if (clientModel == null) {
throw new IdentityBrokerException("Invalid client.");
}
if (!clientModel.hasIdentityProvider(providerId)) {
throw new IdentityBrokerException("Client [" + clientModel.getClientId() + "] not authorized to authenticate with identity provider [" + providerId + "].");
}
}
private UserModel createUser(FederatedIdentity updatedIdentity) {
FederatedIdentityModel federatedIdentityModel = new FederatedIdentityModel(updatedIdentity.getIdentityProviderId(), updatedIdentity.getId(),
updatedIdentity.getUsername(), updatedIdentity.getToken());

65
services/src/main/java/org/keycloak/services/resources/admin/IdentityProviderResource.java
View file

@ -1,7 +1,7 @@
package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.IdentityProviderFactory;
import org.keycloak.models.ClientIdentityProviderMappingModel;
@ -22,22 +22,21 @@ import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @author Pedro Igor
*/
public class IdentityProviderResource {
private static Logger logger = Logger.getLogger(IdentityProviderResource.class);
private final RealmAuth auth;
private final RealmModel realm;
private final KeycloakSession session;
@ -62,20 +61,66 @@ public class IdentityProviderResource {
public Response delete() {
this.auth.requireManage();
removeClientIdentityProviders(this.realm.getApplications(), this.identityProviderModel);
removeClientIdentityProviders(this.realm.getApplications(), this.identityProviderModel);
removeClientIdentityProviders(this.realm.getOAuthClients(), this.identityProviderModel);
this.realm.removeIdentityProviderById(this.identityProviderModel.getId());
return Response.noContent().build();
}
@PUT
@Consumes("application/json")
public Response update(IdentityProviderRepresentation model) {
public Response update(IdentityProviderRepresentation providerRep) {
try {
this.auth.requireManage();
this.realm.updateIdentityProvider(RepresentationToModel.toModel(model));
String internalId = providerRep.getInternalId();
String newProviderId = providerRep.getId();
String oldProviderId = getProviderIdByInternalId(this.realm, internalId);
this.realm.updateIdentityProvider(RepresentationToModel.toModel(providerRep));
if (oldProviderId != null && !oldProviderId.equals(newProviderId)) {
// User changed the ID (alias) of identity provider. We must update all clients
logger.info("Changing identityProviderMapping in all clients. oldProviderId=" + oldProviderId + ", newProviderId=" + newProviderId);
updateClientsAfterProviderAliasChange(this.realm.getApplications(), oldProviderId, newProviderId);
updateClientsAfterProviderAliasChange(this.realm.getOAuthClients(), oldProviderId, newProviderId);
}
return Response.noContent().build();
} catch (ModelDuplicateException e) {
return Flows.errors().exists("Identity Provider " + model.getId() + " already exists");
return Flows.errors().exists("Identity Provider " + providerRep.getId() + " already exists");
}
}
// return ID of IdentityProvider from realm based on internalId of this provider
private String getProviderIdByInternalId(RealmModel realm, String providerInternalId) {
List<IdentityProviderModel> providerModels = realm.getIdentityProviders();
for (IdentityProviderModel providerModel : providerModels) {
if (providerModel.getInternalId().equals(providerInternalId)) {
return providerModel.getId();
}
}
return null;
}
private void updateClientsAfterProviderAliasChange(List<? extends ClientModel> clients, String oldProviderId, String newProviderId) {
for (ClientModel client : clients) {
List<ClientIdentityProviderMappingModel> clientIdentityProviders = client.getIdentityProviders();
boolean found = true;
for (ClientIdentityProviderMappingModel mappingModel : clientIdentityProviders) {
if (mappingModel.getIdentityProvider().equals(oldProviderId)) {
mappingModel.setIdentityProvider(newProviderId);
found = true;
break;
}
}
if (found) {
client.updateIdentityProviders(clientIdentityProviders);
}
}
}
@ -113,10 +158,10 @@ public class IdentityProviderResource {
for (ClientIdentityProviderMappingModel providerMappingModel : new ArrayList<ClientIdentityProviderMappingModel>(identityProviders)) {
if (providerMappingModel.getIdentityProvider().equals(identityProvider.getId())) {
identityProviders.remove(providerMappingModel);
clientModel.updateIdentityProviders(identityProviders);
break;
}
}
clientModel.updateAllowedIdentityProviders(identityProviders);
}
}

16
services/src/main/java/org/keycloak/services/resources/admin/IdentityProvidersResource.java
View file

@ -94,9 +94,6 @@ public class IdentityProvidersResource {
try {
this.realm.addIdentityProvider(RepresentationToModel.toModel(representation));
updateClientIdentityProviders(this.realm.getApplications(), representation);
updateClientIdentityProviders(this.realm.getOAuthClients(), representation);
return Response.created(uriInfo.getAbsolutePathBuilder().path(representation.getProviderId()).build()).build();
} catch (ModelDuplicateException e) {
return Flows.errors().exists("Identity Provider " + representation.getId() + " already exists");
@ -220,17 +217,4 @@ public class IdentityProvidersResource {
return allProviders;
}
private void updateClientIdentityProviders(List<? extends ClientModel> clients, IdentityProviderRepresentation identityProvider) {
for (ClientModel clientModel : clients) {
List<ClientIdentityProviderMappingModel> allowedIdentityProviders = clientModel.getIdentityProviders();
ClientIdentityProviderMappingModel providerMappingModel = new ClientIdentityProviderMappingModel();
providerMappingModel.setIdentityProvider(identityProvider.getId());
allowedIdentityProviders.add(providerMappingModel);
clientModel.updateAllowedIdentityProviders(allowedIdentityProviders);
}
}
}

53
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/AbstractIdentityProviderTest.java
View file

@ -62,6 +62,7 @@ import javax.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
@ -226,40 +227,30 @@ public abstract class AbstractIdentityProviderTest {
}
@Test
public void testDisabledForApplication() {
public void testProviderOnLoginPage() {
IdentityProviderModel identityProviderModel = getIdentityProviderModel();
RealmModel realm = getRealm();
ApplicationModel applicationModel = realm.getApplicationByName("test-app");
List<ClientIdentityProviderMappingModel> allowedIdentityProviders = applicationModel.getIdentityProviders();
ClientIdentityProviderMappingModel mapping = null;
for (ClientIdentityProviderMappingModel model : allowedIdentityProviders) {
if (model.getIdentityProvider().equals(identityProviderModel.getId())) {
mapping = model;
}
}
assertNotNull(mapping);
allowedIdentityProviders.remove(mapping);
// This client doesn't have any specific identity providers settings
ClientModel client2 = realm.findClient("test-app");
assertEquals(0, client2.getIdentityProviders().size());
// Provider button is available on login page
this.driver.navigate().to("http://localhost:8081/test-app/");
assertTrue(this.driver.getCurrentUrl().startsWith("http://localhost:8081/auth/realms/realm-with-broker/protocol/openid-connect/auth"));
try {
this.driver.findElement(By.className(getProviderId()));
fail("Provider [" + getProviderId() + "] not disabled.");
} catch (NoSuchElementException nsee) {
}
allowedIdentityProviders.add(mapping);
applicationModel.updateAllowedIdentityProviders(allowedIdentityProviders);
// Add identityProvider to client model
List<ClientIdentityProviderMappingModel> appIdentityProviders = new ArrayList<ClientIdentityProviderMappingModel>();
ClientIdentityProviderMappingModel mapping = new ClientIdentityProviderMappingModel();
mapping.setIdentityProvider(getProviderId());
mapping.setRetrieveToken(true);
appIdentityProviders.add(mapping);
applicationModel.updateIdentityProviders(appIdentityProviders);
// Provider button still available on login page
this.driver.navigate().to("http://localhost:8081/test-app/");
this.driver.findElement(By.className(getProviderId()));
}
@ -477,16 +468,16 @@ public abstract class AbstractIdentityProviderTest {
assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE));
ClientModel clientModel = getRealm().findClient("third-party");
ClientIdentityProviderMappingModel providerMappingModel = null;
for (ClientIdentityProviderMappingModel identityProviderMappingModel : clientModel.getIdentityProviders()) {
if (identityProviderMappingModel.getIdentityProvider().equals(getProviderId())) {
providerMappingModel = identityProviderMappingModel;
break;
}
}
assertEquals(0, clientModel.getIdentityProviders().size());
ClientIdentityProviderMappingModel providerMappingModel = new ClientIdentityProviderMappingModel();
providerMappingModel.setIdentityProvider(getProviderId());
providerMappingModel.setRetrieveToken(true);
List<ClientIdentityProviderMappingModel> providerMappingModels = new ArrayList<ClientIdentityProviderMappingModel>();
providerMappingModels.add(providerMappingModel);
clientModel.updateIdentityProviders(providerMappingModels);
brokerServerRule.stopSession(session, true);
session = brokerServerRule.startSession();
AccessTokenResponse accessToken = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), "password");
URI tokenEndpointUrl = Urls.identityProviderRetrieveToken(BASE_URI, getProviderId(), getRealm().getName());

2
testsuite/integration/src/test/java/org/keycloak/testsuite/broker/ImportIdentityProviderTest.java
View file

@ -133,7 +133,7 @@ public class ImportIdentityProviderTest extends AbstractIdentityProviderModelTes
identityProviders.remove(identityProviderMappingModel);
client.updateAllowedIdentityProviders(identityProviders);
client.updateIdentityProviders(identityProviders);
client = realm.findClientById(client.getId());
identityProviders = client.getIdentityProviders();