Making sure public clients can RPT tokens

Closes #14165
Pedro Igor 2023-09-20 11:14:50 -03:00 committed by Marek Posolda
parent 55a5a8c0eb
commit d4a5391013


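--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -2021,6 +2021,32 @@ public class EntitlementAPITest extends AbstractAuthzTest {
 assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
 }
+@Test
+public void testRefreshTokenFromClientOtherThanAudience() throws Exception {
+oauth.realm("authz-test");
+oauth.clientId(PUBLIC_TEST_CLIENT);
+oauth.doLogin("marta", "password");
+String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
+assertNotNull(accessTokenResponse.getAccessToken());
+assertNotNull(accessTokenResponse.getRefreshToken());
+AuthorizationRequest request = new AuthorizationRequest();
+request.setAudience(RESOURCE_SERVER_TEST);
+AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
+AccessToken token = toAccessToken(authorizationResponse.getToken());
+assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
+assertEquals(RESOURCE_SERVER_TEST, token.getAudience()[0]);
+assertFalse(token.getAuthorization().getPermissions().isEmpty());
+accessTokenResponse = oauth.doRefreshTokenRequest(authorizationResponse.getRefreshToken(), null);
+assertNotNull(accessTokenResponse.getAccessToken());
+assertNotNull(accessTokenResponse.getRefreshToken());
+token = toAccessToken(authorizationResponse.getToken());
+assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
+assertFalse(token.getAuthorization().getPermissions().isEmpty());
+}
 @Test
 public void testUsingExpiredToken() throws Exception {
 ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);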
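Review bot: After the refresh request, the line `token = toAccessToken(authorizationResponse.getToken());` decodes the original RPT again instead of the token returned by the refresh, so the two assertions that follow re-check the pre-refresh token and never verify what `doRefreshTokenRequest` actually issued. The refreshed token should be decoded instead: `token = toAccessToken(accessTokenResponse.getAccessToken());`. Since the test appears to exist to show that a public client other than the audience can refresh an RPT without losing its authorization claims, it would also be worth asserting the audience survives the refresh, `assertEquals(RESOURCE_SERVER_TEST, token.getAudience()[0]);`, mirroring the check made on the initial RPT.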