Set client in context for dynamic scopes calculation

Closes #33684

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2024-10-28 12:37:15 +01:00 committed by Pedro Igor
parent 0d07342649
commit b52256facc
2 changed files with 29 additions and 0 deletions


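--- a/<path-not-shown>/TokenManager.java
+++ b/<path-not-shown>/TokenManager.java
@@ -621,6 +621,7 @@ public class TokenManager {
 Set<ClientScopeModel> clientScopes;
 if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
+session.getContext().setClient(client);
 clientScopes = AuthorizationContextUtil.getClientScopesStreamFromAuthorizationRequestContextWithClient(session, scopeParam)
 .collect(Collectors.toSet());
 } else {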
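Review bot: The new `session.getContext().setClient(client);` at the top of the DYNAMIC_SCOPES branch overwrites whatever client the request context already carried, and nothing restores it afterwards, so any later code in the same request that reads the context client now sees the token's client instead. If the two can legitimately differ (for instance a path where the context client was the calling client rather than the one receiving the token), that is a behaviour change worth guarding with an explicit check; otherwise a one-line comment should record why the assignment is safe, e.g. `// dynamic scope resolution reads the client from the session context; make sure it is the client receiving the token`. The enclosing method starts and ends outside the hunk, so whether the context client is set or validated earlier cannot be seen here.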


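--- a/<path-not-shown>/LightWeightAccessTokenTest.java
+++ b/<path-not-shown>/LightWeightAccessTokenTest.java
@@ -19,8 +19,12 @@ package org.keycloak.testsuite.oidc;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Response;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.ContentType;
+import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.jboss.logging.Logger;
@@ -102,6 +106,7 @@ import static org.keycloak.protocol.oidc.mappers.RoleNameMapper.NEW_ROLE_NAME;
 import static org.keycloak.protocol.oidc.mappers.RoleNameMapper.ROLE_CONFIG;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import static org.keycloak.testsuite.util.ClientPoliciesUtil.createAnyClientConditionConfig;
 @EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
@@ -523,6 +528,29 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
 }
 }
+@Test
+@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
+public void testAdminConsoleClientWithLightweightAccessTokenTransientSessionDynamicScopes() throws Exception {
+try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, oauth.getRealm(), TEST_CLIENT)
+.setAttribute(Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED, Boolean.TRUE.toString())
+.update()) {
+oauth.clientId(TEST_CLIENT);
+OAuthClient.AccessTokenResponse response = oauth.doClientCredentialsGrantAccessTokenRequest(TEST_CLIENT_SECRET);
+String accessToken = response.getAccessToken();
+logger.debug("access token:" + accessToken);
+assertBasicClaims(oauth.verifyToken(accessToken), false, false);
+try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
+HttpPost post = new HttpPost(OAuthClient.SERVER_ROOT + "/auth/admin/realms");
+post.setHeader("Authorization", "Bearer " + accessToken);
+post.setEntity(new StringEntity("{\"realm\":\"invalid\",\"enabled\":true}", ContentType.APPLICATION_JSON));
+try (CloseableHttpResponse resp = client.execute(post)) {
+Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), resp.getStatusLine().getStatusCode());
+}
+}
+}
+}
 @Test
 public void testAdminApiWithLightweightAccessTokenAndTransientSession() {
 RealmResource masterRealm = realmsResouce().realm("master");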
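Review bot: `testAdminConsoleClientWithLightweightAccessTokenTransientSessionDynamicScopes` has no cleanup for the case where the FORBIDDEN assertion fails: if the admin endpoint ever answered with a success status instead, the realm named `invalid` would stay on the server for the rest of the suite and could mask the failure in later tests. Consider asserting afterwards that the realm is absent (looking it up through `adminClient.realm("invalid")` and expecting the `NotFoundException` this file already imports), or deleting it in a finally block. The `logger.debug("access token:" + accessToken);` line writes a live bearer token to the test log; the parameterised `logger.debugf` form with the token omitted or truncated would be cleaner. In the second hunk, the non-static `import org.keycloak.testsuite.updaters.ClientAttributeUpdater;` is placed between static imports; moving it up to the regular import group keeps the file's import ordering consistent.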