commit
bb138bd6e4
3 changed files with 374 additions and 325 deletions
|
@ -429,6 +429,14 @@ public class TokenService {
|
||||||
|
|
||||||
ClientModel client = authorizeClient(authorizationHeader, form, audit);
|
ClientModel client = authorizeClient(authorizationHeader, form, audit);
|
||||||
String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
|
String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
|
||||||
|
if (refreshToken == null) {
|
||||||
|
Map<String, String> error = new HashMap<String, String>();
|
||||||
|
error.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_REQUEST);
|
||||||
|
error.put(OAuth2Constants.ERROR_DESCRIPTION, "No refresh token");
|
||||||
|
audit.error(Errors.INVALID_TOKEN);
|
||||||
|
logger.error("OAuth Error: no refresh token");
|
||||||
|
return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
|
||||||
|
}
|
||||||
AccessToken accessToken;
|
AccessToken accessToken;
|
||||||
try {
|
try {
|
||||||
accessToken = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, audit);
|
accessToken = tokenManager.refreshAccessToken(session, uriInfo, clientConnection, realm, client, refreshToken, audit);
|
||||||
|
|
|
@ -1,325 +1,325 @@
|
||||||
/*
|
/*
|
||||||
* JBoss, Home of Professional Open Source.
|
* JBoss, Home of Professional Open Source.
|
||||||
* Copyright 2012, Red Hat, Inc., and individual contributors
|
* Copyright 2012, Red Hat, Inc., and individual contributors
|
||||||
* as indicated by the @author tags. See the copyright.txt file in the
|
* as indicated by the @author tags. See the copyright.txt file in the
|
||||||
* distribution for a full listing of individual contributors.
|
* distribution for a full listing of individual contributors.
|
||||||
*
|
*
|
||||||
* This is free software; you can redistribute it and/or modify it
|
* This is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU Lesser General Public License as
|
* under the terms of the GNU Lesser General Public License as
|
||||||
* published by the Free Software Foundation; either version 2.1 of
|
* published by the Free Software Foundation; either version 2.1 of
|
||||||
* the License, or (at your option) any later version.
|
* the License, or (at your option) any later version.
|
||||||
*
|
*
|
||||||
* This software is distributed in the hope that it will be useful,
|
* This software is distributed in the hope that it will be useful,
|
||||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
* Lesser General Public License for more details.
|
* Lesser General Public License for more details.
|
||||||
*
|
*
|
||||||
* You should have received a copy of the GNU Lesser General Public
|
* You should have received a copy of the GNU Lesser General Public
|
||||||
* License along with this software; if not, write to the Free
|
* License along with this software; if not, write to the Free
|
||||||
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
||||||
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
|
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
|
||||||
*/
|
*/
|
||||||
package org.keycloak.testsuite.oauth;
|
package org.keycloak.testsuite.oauth;
|
||||||
|
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.ClassRule;
|
import org.junit.ClassRule;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
import org.keycloak.audit.Details;
|
import org.keycloak.audit.Details;
|
||||||
import org.keycloak.audit.Errors;
|
import org.keycloak.audit.Errors;
|
||||||
import org.keycloak.audit.Event;
|
import org.keycloak.audit.Event;
|
||||||
import org.keycloak.audit.EventType;
|
import org.keycloak.audit.EventType;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.services.managers.RealmManager;
|
import org.keycloak.services.managers.RealmManager;
|
||||||
import org.keycloak.services.resources.TokenService;
|
import org.keycloak.services.resources.TokenService;
|
||||||
import org.keycloak.testsuite.AssertEvents;
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
import org.keycloak.testsuite.OAuthClient;
|
import org.keycloak.testsuite.OAuthClient;
|
||||||
import org.keycloak.testsuite.OAuthClient.AccessTokenResponse;
|
import org.keycloak.testsuite.OAuthClient.AccessTokenResponse;
|
||||||
import org.keycloak.testsuite.pages.LoginPage;
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
import org.keycloak.testsuite.rule.KeycloakRule;
|
import org.keycloak.testsuite.rule.KeycloakRule;
|
||||||
import org.keycloak.testsuite.rule.WebResource;
|
import org.keycloak.testsuite.rule.WebResource;
|
||||||
import org.keycloak.testsuite.rule.WebRule;
|
import org.keycloak.testsuite.rule.WebRule;
|
||||||
import org.keycloak.util.BasicAuthHelper;
|
import org.keycloak.util.BasicAuthHelper;
|
||||||
import org.openqa.selenium.WebDriver;
|
import org.openqa.selenium.WebDriver;
|
||||||
|
|
||||||
import javax.ws.rs.client.Client;
|
import javax.ws.rs.client.Client;
|
||||||
import javax.ws.rs.client.ClientBuilder;
|
import javax.ws.rs.client.ClientBuilder;
|
||||||
import javax.ws.rs.client.Entity;
|
import javax.ws.rs.client.Entity;
|
||||||
import javax.ws.rs.client.WebTarget;
|
import javax.ws.rs.client.WebTarget;
|
||||||
import javax.ws.rs.core.Form;
|
import javax.ws.rs.core.Form;
|
||||||
import javax.ws.rs.core.GenericType;
|
import javax.ws.rs.core.GenericType;
|
||||||
import javax.ws.rs.core.HttpHeaders;
|
import javax.ws.rs.core.HttpHeaders;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import javax.ws.rs.core.UriBuilder;
|
import javax.ws.rs.core.UriBuilder;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.allOf;
|
import static org.hamcrest.Matchers.allOf;
|
||||||
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
||||||
import static org.hamcrest.Matchers.lessThanOrEqualTo;
|
import static org.hamcrest.Matchers.lessThanOrEqualTo;
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertNotNull;
|
import static org.junit.Assert.assertNotNull;
|
||||||
import static org.junit.Assert.assertNull;
|
import static org.junit.Assert.assertNull;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||||
*/
|
*/
|
||||||
public class AccessTokenTest {
|
public class AccessTokenTest {
|
||||||
|
|
||||||
@ClassRule
|
@ClassRule
|
||||||
public static KeycloakRule keycloakRule = new KeycloakRule();
|
public static KeycloakRule keycloakRule = new KeycloakRule();
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
public WebRule webRule = new WebRule(this);
|
public WebRule webRule = new WebRule(this);
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected WebDriver driver;
|
protected WebDriver driver;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected OAuthClient oauth;
|
protected OAuthClient oauth;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected LoginPage loginPage;
|
protected LoginPage loginPage;
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
public AssertEvents events = new AssertEvents(keycloakRule);
|
public AssertEvents events = new AssertEvents(keycloakRule);
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenRequest() throws Exception {
|
public void accessTokenRequest() throws Exception {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().assertEvent();
|
Event loginEvent = events.expectLogin().assertEvent();
|
||||||
|
|
||||||
String sessionId = loginEvent.getSessionId();
|
String sessionId = loginEvent.getSessionId();
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
||||||
|
|
||||||
Assert.assertEquals(200, response.getStatusCode());
|
Assert.assertEquals(200, response.getStatusCode());
|
||||||
|
|
||||||
Assert.assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
|
Assert.assertThat(response.getExpiresIn(), allOf(greaterThanOrEqualTo(250), lessThanOrEqualTo(300)));
|
||||||
|
|
||||||
Assert.assertEquals("bearer", response.getTokenType());
|
Assert.assertEquals("bearer", response.getTokenType());
|
||||||
|
|
||||||
AccessToken token = oauth.verifyToken(response.getAccessToken());
|
AccessToken token = oauth.verifyToken(response.getAccessToken());
|
||||||
|
|
||||||
Assert.assertEquals(keycloakRule.getUser("test", "test-user@localhost").getId(), token.getSubject());
|
Assert.assertEquals(keycloakRule.getUser("test", "test-user@localhost").getId(), token.getSubject());
|
||||||
Assert.assertNotEquals("test-user@localhost", token.getSubject());
|
Assert.assertNotEquals("test-user@localhost", token.getSubject());
|
||||||
|
|
||||||
Assert.assertEquals(sessionId, token.getSessionState());
|
Assert.assertEquals(sessionId, token.getSessionState());
|
||||||
|
|
||||||
Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
|
Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
|
||||||
Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));
|
Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));
|
||||||
|
|
||||||
Assert.assertEquals(1, token.getResourceAccess(oauth.getClientId()).getRoles().size());
|
Assert.assertEquals(1, token.getResourceAccess(oauth.getClientId()).getRoles().size());
|
||||||
Assert.assertTrue(token.getResourceAccess(oauth.getClientId()).isUserInRole("customer-user"));
|
Assert.assertTrue(token.getResourceAccess(oauth.getClientId()).isUserInRole("customer-user"));
|
||||||
|
|
||||||
Event event = events.expectCodeToToken(codeId, sessionId).assertEvent();
|
Event event = events.expectCodeToToken(codeId, sessionId).assertEvent();
|
||||||
Assert.assertEquals(token.getId(), event.getDetails().get(Details.TOKEN_ID));
|
Assert.assertEquals(token.getId(), event.getDetails().get(Details.TOKEN_ID));
|
||||||
Assert.assertEquals(oauth.verifyRefreshToken(response.getRefreshToken()).getId(), event.getDetails().get(Details.REFRESH_TOKEN_ID));
|
Assert.assertEquals(oauth.verifyRefreshToken(response.getRefreshToken()).getId(), event.getDetails().get(Details.REFRESH_TOKEN_ID));
|
||||||
Assert.assertEquals(sessionId, token.getSessionState());
|
Assert.assertEquals(sessionId, token.getSessionState());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenInvalidClientCredentials() throws Exception {
|
public void accessTokenInvalidClientCredentials() throws Exception {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().assertEvent();
|
Event loginEvent = events.expectLogin().assertEvent();
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
AccessTokenResponse response = oauth.doAccessTokenRequest(code, "invalid");
|
AccessTokenResponse response = oauth.doAccessTokenRequest(code, "invalid");
|
||||||
Assert.assertEquals(400, response.getStatusCode());
|
Assert.assertEquals(400, response.getStatusCode());
|
||||||
|
|
||||||
events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_client_credentials").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
|
events.expectCodeToToken(codeId, loginEvent.getSessionId()).error("invalid_client_credentials").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).assertEvent();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenUserSessionExpired() {
|
public void accessTokenUserSessionExpired() {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().assertEvent();
|
Event loginEvent = events.expectLogin().assertEvent();
|
||||||
|
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
String sessionId = loginEvent.getSessionId();
|
String sessionId = loginEvent.getSessionId();
|
||||||
|
|
||||||
keycloakRule.removeUserSession(sessionId);
|
keycloakRule.removeUserSession(sessionId);
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
|
|
||||||
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
|
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
|
||||||
assertEquals(400, tokenResponse.getStatusCode());
|
assertEquals(400, tokenResponse.getStatusCode());
|
||||||
assertNull(tokenResponse.getAccessToken());
|
assertNull(tokenResponse.getAccessToken());
|
||||||
assertNull(tokenResponse.getRefreshToken());
|
assertNull(tokenResponse.getRefreshToken());
|
||||||
|
|
||||||
events.expectCodeToToken(codeId, sessionId).removeDetail(Details.TOKEN_ID).client((String) null).user((String) null).session((String) null).removeDetail(Details.REFRESH_TOKEN_ID).error(Errors.INVALID_CODE).assertEvent();
|
events.expectCodeToToken(codeId, sessionId).removeDetail(Details.TOKEN_ID).client((String) null).user((String) null).session((String) null).removeDetail(Details.REFRESH_TOKEN_ID).error(Errors.INVALID_CODE).assertEvent();
|
||||||
|
|
||||||
events.clear();
|
events.clear();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenCodeExpired() {
|
public void accessTokenCodeExpired() {
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
appRealm.setAccessCodeLifespan(1);
|
appRealm.setAccessCodeLifespan(1);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().assertEvent();
|
Event loginEvent = events.expectLogin().assertEvent();
|
||||||
|
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
loginEvent.getSessionId();
|
loginEvent.getSessionId();
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Thread.sleep(2000);
|
Thread.sleep(2000);
|
||||||
} catch (InterruptedException e) {
|
} catch (InterruptedException e) {
|
||||||
}
|
}
|
||||||
|
|
||||||
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
||||||
Assert.assertEquals(400, response.getStatusCode());
|
Assert.assertEquals(400, response.getStatusCode());
|
||||||
|
|
||||||
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
||||||
expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).client((String) null).user((String) null);
|
expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).client((String) null).user((String) null);
|
||||||
expectedEvent.assertEvent();
|
expectedEvent.assertEvent();
|
||||||
|
|
||||||
events.clear();
|
events.clear();
|
||||||
|
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
appRealm.setAccessCodeLifespan(60);
|
appRealm.setAccessCodeLifespan(60);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenCodeUsed() {
|
public void accessTokenCodeUsed() {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().assertEvent();
|
Event loginEvent = events.expectLogin().assertEvent();
|
||||||
|
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
loginEvent.getSessionId();
|
loginEvent.getSessionId();
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
|
||||||
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
||||||
Assert.assertEquals(200, response.getStatusCode());
|
Assert.assertEquals(200, response.getStatusCode());
|
||||||
|
|
||||||
events.clear();
|
events.clear();
|
||||||
|
|
||||||
response = oauth.doAccessTokenRequest(code, "password");
|
response = oauth.doAccessTokenRequest(code, "password");
|
||||||
Assert.assertEquals(400, response.getStatusCode());
|
Assert.assertEquals(400, response.getStatusCode());
|
||||||
|
|
||||||
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
AssertEvents.ExpectedEvent expectedEvent = events.expectCodeToToken(codeId, null);
|
||||||
expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).client((String) null).user((String) null);
|
expectedEvent.error("invalid_code").removeDetail(Details.TOKEN_ID).removeDetail(Details.REFRESH_TOKEN_ID).client((String) null).user((String) null);
|
||||||
expectedEvent.assertEvent();
|
expectedEvent.assertEvent();
|
||||||
|
|
||||||
events.clear();
|
events.clear();
|
||||||
|
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
appRealm.setAccessCodeLifespan(60);
|
appRealm.setAccessCodeLifespan(60);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void accessTokenCodeHasRequiredAction() {
|
public void accessTokenCodeHasRequiredAction() {
|
||||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel defaultRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel defaultRealm, RealmModel appRealm) {
|
||||||
UserModel user = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
|
UserModel user = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
|
||||||
user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
|
user.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
||||||
String code = driver.getPageSource().split("code=")[1].split("&")[0].split("\"")[0];
|
String code = driver.getPageSource().split("code=")[1].split("&")[0].split("\"")[0];
|
||||||
|
|
||||||
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
|
||||||
Assert.assertEquals(400, response.getStatusCode());
|
Assert.assertEquals(400, response.getStatusCode());
|
||||||
|
|
||||||
Event event = events.poll();
|
Event event = events.poll();
|
||||||
assertNotNull(event.getDetails().get(Details.CODE_ID));
|
assertNotNull(event.getDetails().get(Details.CODE_ID));
|
||||||
|
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
manager.getSession().users().getUserByUsername("test-user@localhost", appRealm).removeRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
|
manager.getSession().users().getUserByUsername("test-user@localhost", appRealm).removeRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testValidateAccessToken() throws Exception {
|
public void testValidateAccessToken() throws Exception {
|
||||||
Client client = ClientBuilder.newClient();
|
Client client = ClientBuilder.newClient();
|
||||||
UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
||||||
URI grantUri = TokenService.grantAccessTokenUrl(builder).build("test");
|
URI grantUri = TokenService.grantAccessTokenUrl(builder).build("test");
|
||||||
WebTarget grantTarget = client.target(grantUri);
|
WebTarget grantTarget = client.target(grantUri);
|
||||||
builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
||||||
URI validateUri = TokenService.validateAccessTokenUrl(builder).build("test");
|
URI validateUri = TokenService.validateAccessTokenUrl(builder).build("test");
|
||||||
WebTarget validateTarget = client.target(validateUri);
|
WebTarget validateTarget = client.target(validateUri);
|
||||||
|
|
||||||
{
|
{
|
||||||
Response response = validateTarget.queryParam("access_token", "bad token").request().get();
|
Response response = validateTarget.queryParam("access_token", "bad token").request().get();
|
||||||
Assert.assertEquals(400, response.getStatus());
|
Assert.assertEquals(400, response.getStatus());
|
||||||
HashMap<String, String> error = response.readEntity(new GenericType <HashMap<String, String>>() {});
|
HashMap<String, String> error = response.readEntity(new GenericType <HashMap<String, String>>() {});
|
||||||
Assert.assertNotNull(error.get("error"));
|
Assert.assertNotNull(error.get("error"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
org.keycloak.representations.AccessTokenResponse tokenResponse = null;
|
org.keycloak.representations.AccessTokenResponse tokenResponse = null;
|
||||||
{
|
{
|
||||||
String header = BasicAuthHelper.createHeader("test-app", "password");
|
String header = BasicAuthHelper.createHeader("test-app", "password");
|
||||||
Form form = new Form();
|
Form form = new Form();
|
||||||
form.param("username", "test-user@localhost")
|
form.param("username", "test-user@localhost")
|
||||||
.param("password", "password");
|
.param("password", "password");
|
||||||
Response response = grantTarget.request()
|
Response response = grantTarget.request()
|
||||||
.header(HttpHeaders.AUTHORIZATION, header)
|
.header(HttpHeaders.AUTHORIZATION, header)
|
||||||
.post(Entity.form(form));
|
.post(Entity.form(form));
|
||||||
Assert.assertEquals(200, response.getStatus());
|
Assert.assertEquals(200, response.getStatus());
|
||||||
tokenResponse = response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
|
tokenResponse = response.readEntity(org.keycloak.representations.AccessTokenResponse.class);
|
||||||
response.close();
|
response.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
Response response = validateTarget.queryParam("access_token", tokenResponse.getToken()).request().get();
|
Response response = validateTarget.queryParam("access_token", tokenResponse.getToken()).request().get();
|
||||||
Assert.assertEquals(200, response.getStatus());
|
Assert.assertEquals(200, response.getStatus());
|
||||||
AccessToken token = response.readEntity(AccessToken.class);
|
AccessToken token = response.readEntity(AccessToken.class);
|
||||||
Assert.assertNotNull(token);
|
Assert.assertNotNull(token);
|
||||||
response.close();
|
response.close();
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
||||||
URI logoutUri = TokenService.logoutUrl(builder).build("test");
|
URI logoutUri = TokenService.logoutUrl(builder).build("test");
|
||||||
Response response = client.target(logoutUri).queryParam("session_state", tokenResponse.getSessionState()).request().get();
|
Response response = client.target(logoutUri).queryParam("session_state", tokenResponse.getSessionState()).request().get();
|
||||||
Assert.assertEquals(200, response.getStatus());
|
Assert.assertEquals(200, response.getStatus());
|
||||||
response.close();
|
response.close();
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
Response response = validateTarget.queryParam("access_token", tokenResponse.getToken()).request().get();
|
Response response = validateTarget.queryParam("access_token", tokenResponse.getToken()).request().get();
|
||||||
Assert.assertEquals(400, response.getStatus());
|
Assert.assertEquals(400, response.getStatus());
|
||||||
HashMap<String, String> error = response.readEntity(new GenericType <HashMap<String, String>>() {});
|
HashMap<String, String> error = response.readEntity(new GenericType <HashMap<String, String>>() {});
|
||||||
Assert.assertNotNull(error.get("error"));
|
Assert.assertNotNull(error.get("error"));
|
||||||
}
|
}
|
||||||
|
|
||||||
client.close();
|
client.close();
|
||||||
events.clear();
|
events.clear();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,6 +34,7 @@ import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserSessionModel;
|
import org.keycloak.models.UserSessionModel;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.representations.RefreshToken;
|
import org.keycloak.representations.RefreshToken;
|
||||||
|
import org.keycloak.services.resources.TokenService;
|
||||||
import org.keycloak.testsuite.AssertEvents;
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
import org.keycloak.testsuite.OAuthClient;
|
import org.keycloak.testsuite.OAuthClient;
|
||||||
import org.keycloak.testsuite.OAuthClient.AccessTokenResponse;
|
import org.keycloak.testsuite.OAuthClient.AccessTokenResponse;
|
||||||
|
@ -41,9 +42,22 @@ import org.keycloak.testsuite.pages.LoginPage;
|
||||||
import org.keycloak.testsuite.rule.KeycloakRule;
|
import org.keycloak.testsuite.rule.KeycloakRule;
|
||||||
import org.keycloak.testsuite.rule.WebResource;
|
import org.keycloak.testsuite.rule.WebResource;
|
||||||
import org.keycloak.testsuite.rule.WebRule;
|
import org.keycloak.testsuite.rule.WebRule;
|
||||||
|
import org.keycloak.util.BasicAuthHelper;
|
||||||
import org.keycloak.util.Time;
|
import org.keycloak.util.Time;
|
||||||
import org.openqa.selenium.WebDriver;
|
import org.openqa.selenium.WebDriver;
|
||||||
|
|
||||||
|
import javax.ws.rs.client.Client;
|
||||||
|
import javax.ws.rs.client.ClientBuilder;
|
||||||
|
import javax.ws.rs.client.Entity;
|
||||||
|
import javax.ws.rs.client.WebTarget;
|
||||||
|
import javax.ws.rs.core.Form;
|
||||||
|
import javax.ws.rs.core.GenericType;
|
||||||
|
import javax.ws.rs.core.HttpHeaders;
|
||||||
|
import javax.ws.rs.core.Response;
|
||||||
|
import javax.ws.rs.core.UriBuilder;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.util.HashMap;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.allOf;
|
import static org.hamcrest.Matchers.allOf;
|
||||||
import static org.hamcrest.Matchers.greaterThan;
|
import static org.hamcrest.Matchers.greaterThan;
|
||||||
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
import static org.hamcrest.Matchers.greaterThanOrEqualTo;
|
||||||
|
@ -75,6 +89,33 @@ public class RefreshTokenTest {
|
||||||
@Rule
|
@Rule
|
||||||
public AssertEvents events = new AssertEvents(keycloakRule);
|
public AssertEvents events = new AssertEvents(keycloakRule);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* KEYCLOAK-547
|
||||||
|
*
|
||||||
|
* @throws Exception
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void nullRefreshToken() throws Exception {
|
||||||
|
Client client = ClientBuilder.newClient();
|
||||||
|
UriBuilder builder = UriBuilder.fromUri(org.keycloak.testsuite.Constants.AUTH_SERVER_ROOT);
|
||||||
|
URI uri = TokenService.refreshUrl(builder).build("test");
|
||||||
|
WebTarget target = client.target(uri);
|
||||||
|
|
||||||
|
org.keycloak.representations.AccessTokenResponse tokenResponse = null;
|
||||||
|
{
|
||||||
|
String header = BasicAuthHelper.createHeader("test-app", "password");
|
||||||
|
Form form = new Form();
|
||||||
|
Response response = target.request()
|
||||||
|
.header(HttpHeaders.AUTHORIZATION, header)
|
||||||
|
.post(Entity.form(form));
|
||||||
|
Assert.assertEquals(400, response.getStatus());
|
||||||
|
response.close();
|
||||||
|
}
|
||||||
|
events.clear();
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void refreshTokenRequest() throws Exception {
|
public void refreshTokenRequest() throws Exception {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
|
Loading…
Reference in a new issue