Java Code Examples for org.keycloak.representations.idm.ClientRepresentation#setFullScopeAllowed()

The following examples show how to use org.keycloak.representations.idm.ClientRepresentation#setFullScopeAllowed(). Note that `fullScopeAllowed` controls whether a client's tokens carry every role mapped to the user or only the roles granted through the client's scope mappings and requested client scopes (see Examples 7 and 9), so enabling it widens what a token can assert.
Example 1
Source File: ClientRegistrationPoliciesTest.java — from keycloak (Apache License 2.0)
@Test
@AuthServerContainerExclude(AuthServer.REMOTE) // We would need to do domain name -> ip address to set trusted host
public void testAnonFullScopeAllowed() throws Exception {
    // Anonymous (unauthenticated) dynamic client registration from a trusted host.
    setTrustedHost("localhost");
    OIDCClientRepresentation registered = create();

    // The registration policy must hand the new client out with full scope OFF,
    // i.e. its tokens are limited to what scope mappings explicitly grant.
    ClientRepresentation rep = ApiUtil.findClientByClientId(realmResource(), registered.getClientId()).toRepresentation();
    Assert.assertFalse(rep.isFullScopeAllowed());

    // An anonymous registrant must not be able to widen its own token contents
    // afterwards: switching fullScopeAllowed on is rejected with 403.
    rep.setFullScopeAllowed(true);
    assertFail(ClientRegOp.UPDATE, rep, 403, "Not permitted to enable fullScopeAllowed");

    // Leaving full scope disabled is an allowed update.
    rep.setFullScopeAllowed(false);
    reg.update(rep);
}
 
Example 2
Source File: KeycloakModelUtils.java — from keycloak (Apache License 2.0)
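/**
 * Creates a confidential client named {@code name}, registers it in {@code realm}
 * and returns it.
 *
 * The client gets the default client authenticator, a generated secret and
 * {@code fullScopeAllowed = true}. Full scope means the client's tokens carry all
 * roles mapped to the user rather than only the roles granted through scope
 * mappings; callers that want a least-privilege client should disable it on the
 * returned representation and add scope mappings instead.
 *
 * @param realm realm representation to add the client to (its client list is
 *              created if absent)
 * @param name  used as both display name and clientId
 * @return the new client representation (the same instance that was added to the realm)
 */
public static ClientRepresentation createClient(RealmRepresentation realm, String name) {
    ClientRepresentation app = new ClientRepresentation();
    app.setName(name);
    app.setClientId(name);

    List<ClientRepresentation> clients = realm.getClients();
    if (clients != null) {
        clients.add(app);
    } else {
        // Must be a growable list: Arrays.asList() is fixed-size, so a second
        // createClient() call on the same realm would hit
        // UnsupportedOperationException in the add() branch above.
        List<ClientRepresentation> created = new java.util.ArrayList<>();
        created.add(app);
        realm.setClients(created);
    }

    app.setClientAuthenticatorType(getDefaultClientAuthenticatorType());
    generateSecret(app);
    // Permissive default, see class comment above.
    app.setFullScopeAllowed(true);

    return app;
}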
 
Example 3
Source File: AbstractClientTest.java — from keycloak (Apache License 2.0)
/**
 * Builds an enabled client representation for tests.
 *
 * The fixture is deliberately permissive and should not be copied into a real
 * deployment: public client (no secret), direct access grants enabled, standard
 * flow enabled, and full scope on (all of the user's role mappings end up in the
 * token instead of only scope-mapped roles).
 *
 * @param clientId client id of the new client
 * @param protocol login protocol; SAML clients additionally get the shared SAML attributes
 * @return the populated representation (not yet created on the server)
 */
public static ClientRepresentation createClientRep(String clientId, String protocol) {
    ClientRepresentation rep = new ClientRepresentation();
    rep.setClientId(clientId);
    rep.setEnabled(true);
    rep.setProtocol(protocol);

    // Flags, see javadoc for why these are wide open.
    rep.setStandardFlowEnabled(true);
    rep.setPublicClient(true);
    rep.setFullScopeAllowed(true);
    rep.setDirectAccessGrantsEnabled(true);

    if (protocol.equals(SAML)) {
        rep.setAttributes(getSAMLAttributes());
    }
    return rep;
}
 
Example 4
Source File: AudienceTest.java — from keycloak (Apache License 2.0)
@Override
public void configureTestRealm(RealmRepresentation testRealm) {
    // Bearer-only "service-client" owning a single client role; a bearer-only
    // client only consumes tokens, it does not start logins itself.
    ClientRepresentation serviceClient = new ClientRepresentation();
    serviceClient.setClientId("service-client");
    serviceClient.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    serviceClient.setBearerOnly(true);
    serviceClient.setBaseUrl("http://foo/service-client");
    testRealm.getClients().add(serviceClient);

    RoleRepresentation serviceRole = new RoleRepresentation();
    serviceRole.setName("role1");
    testRealm.getRoles().getClient().put("service-client", Arrays.asList(serviceRole));

    // Switch 'test-app' to explicit scoping so its tokens only contain roles it is
    // scoped to; the audience tests depend on that.
    ClientRepresentation testApp = testRealm.getClients().stream()
            .filter(c -> "test-app".equals(c.getClientId()))
            .findFirst()
            .get(); // NoSuchElementException if the realm fixture has no 'test-app'
    testApp.setFullScopeAllowed(false);

    // Single test user holding account roles plus service-client/role1.
    UserRepresentation john = UserBuilder.create()
            .id(userId)
            .username("john")
            .enabled(true)
            .email("[email protected]")
            .firstName("John")
            .lastName("Doe")
            .password("password")
            .role("account", "manage-account")
            .role("account", "view-profile")
            .role("service-client", "role1")
            .build();
    testRealm.getUsers().add(john);
}
 
Example 5
Source File: FineGrainAdminUnitTest.java — from keycloak (Apache License 2.0)
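@Test
public void testCreateRealmCreateClientWithMaster() throws Exception {
    // Confidential, full-scoped client in the master realm. The secret is a fixed
    // test fixture (shared with testCreateRealmCreateClient), not a real credential;
    // a full-scoped master client is still a powerful object, so it is removed in
    // the finally block instead of being left behind.
    ClientRepresentation rep = new ClientRepresentation();
    rep.setName("fullScopedClient");
    rep.setClientId("fullScopedClient");
    rep.setFullScopeAllowed(true);
    rep.setSecret("618268aa-51e6-4e64-93c4-3c0bc65b8171");
    rep.setProtocol("openid-connect");
    rep.setPublicClient(false);
    rep.setEnabled(true);
    // JAX-RS responses hold the connection until closed.
    adminClient.realm("master").clients().create(rep).close();

    RealmRepresentation newRealm = new RealmRepresentation();
    newRealm.setRealm("anotherRealm");
    newRealm.setId("anotherRealm");
    newRealm.setEnabled(true);
    adminClient.realms().create(newRealm);

    try {
        // The master admin client may create a client in the realm it just created.
        ClientRepresentation newClient = new ClientRepresentation();
        newClient.setName("newClient");
        newClient.setClientId("newClient");
        newClient.setFullScopeAllowed(true);
        newClient.setSecret("secret");
        newClient.setProtocol("openid-connect");
        newClient.setPublicClient(false);
        newClient.setEnabled(true);
        Response response = adminClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(201, response.getStatus());
        } finally {
            response.close();
        }
    } finally {
        adminClient.realm("anotherRealm").remove();
        // Do not leave a confidential client with a well-known secret in master.
        for (ClientRepresentation c : adminClient.realm("master").clients().findByClientId("fullScopedClient")) {
            adminClient.realm("master").clients().get(c.getId()).remove();
        }
    }
}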
 
Example 6
Source File: AbstractBasePhotozExampleAdapterTest.java — from keycloak (Apache License 2.0)
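/**
 * Reconfigures the photoz HTML5 client to least-privilege scoping: the
 * resource server's {@code manage-albums} role is only issued through an
 * optional client scope the client has to request, the client's realm roles are
 * limited to {@code user}/{@code admin} via scope mappings, and full scope is
 * switched off so nothing else reaches its tokens.
 */
protected void setManageAlbumScopeRequired() {
    // Client scope "manage-albums" whose mapper copies the user's
    // photoz-restful-api client roles into the access, ID and userinfo tokens.
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("manage-albums");
    clientScope.setProtocol("openid-connect");

    ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
    mapper.setName("manage-albums");
    mapper.setProtocol("openid-connect");
    mapper.setProtocolMapper(UserClientRoleMappingMapper.PROVIDER_ID);

    Map<String, String> config = new HashMap<>();
    config.put("access.token.claim", "true");
    config.put("id.token.claim", "true");
    config.put("userinfo.token.claim", "true");
    config.put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, "photoz-restful-api");
    mapper.setConfig(config);
    clientScope.setProtocolMappers(Arrays.asList(mapper));

    RealmResource realmResource = realmsResouce().realm(REALM_NAME);
    ClientScopesResource clientScopes = realmResource.clientScopes();

    // Read the created id before closing the response (as the other tests do),
    // and close it even when the status assertion fails.
    String clientScopeId;
    Response resp = clientScopes.create(clientScope);
    try {
        Assert.assertEquals(201, resp.getStatus());
        clientScopeId = ApiUtil.getCreatedId(resp);
    } finally {
        resp.close();
    }

    // The scope may only hand out the resource server's manage-albums role.
    ClientResource resourceServer = getClientResource(RESOURCE_SERVER_ID);
    String resourceServerId = resourceServer.toRepresentation().getId();
    clientScopes.get(clientScopeId).getScopeMappings().clientLevel(resourceServerId)
            .add(Arrays.asList(resourceServer.roles().get("manage-albums").toRepresentation()));

    // Attach it as an *optional* scope (issued only when requested) and restrict
    // the client's realm roles to user/admin through scope mappings.
    ClientResource html5ClientApp = getClientResource("photoz-html5-client");
    html5ClientApp.addOptionalClientScope(clientScopeId);
    html5ClientApp.getScopeMappings().realmLevel().add(Arrays.asList(
            realmResource.roles().get("user").toRepresentation(),
            realmResource.roles().get("admin").toRepresentation()));

    // With full scope off, tokens carry only roles granted through the scope
    // mappings and requested scopes above, not every role the user holds.
    ClientRepresentation clientRep = html5ClientApp.toRepresentation();
    clientRep.setFullScopeAllowed(false);
    html5ClientApp.update(clientRep);
}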
 
Example 7
Source File: OIDCScopeTest.java — from keycloak (Apache License 2.0)
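@Test
public void testTwoRefreshTokensWithDifferentScopes() {
    // Two optional client scopes, each mapped to exactly one realm role.
    ClientScopeRepresentation clientScope1 = new ClientScopeRepresentation();
    clientScope1.setName("scope-role-1");
    clientScope1.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = testRealm().clientScopes().create(clientScope1);
    String scope1Id = ApiUtil.getCreatedId(response);
    getCleanup().addClientScopeId(scope1Id);
    response.close();

    ClientScopeRepresentation clientScope2 = new ClientScopeRepresentation();
    clientScope2.setName("scope-role-2");
    clientScope2.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    response = testRealm().clientScopes().create(clientScope2);
    String scope2Id = ApiUtil.getCreatedId(response);
    getCleanup().addClientScopeId(scope2Id);
    response.close();

    RoleRepresentation role1 = testRealm().roles().get("role-1").toRepresentation();
    testRealm().clientScopes().get(scope1Id).getScopeMappings().realmLevel().add(Arrays.asList(role1));

    RoleRepresentation role2 = testRealm().roles().get("role-2").toRepresentation();
    testRealm().clientScopes().get(scope2Id).getScopeMappings().realmLevel().add(Arrays.asList(role2));

    // Put test-app into explicit-scoping mode: with fullScopeAllowed off a token
    // carries only roles reachable through scope mappings and the client scopes
    // actually requested at login.
    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    testAppRep.setFullScopeAllowed(false);
    testApp.update(testAppRep);
    testApp.addOptionalClientScope(scope1Id);
    testApp.addOptionalClientScope(scope2Id);

    try {
        // Login requesting scope-role-1 only; keep its refresh token.
        oauth.scope("scope-role-1");
        oauth.doLogin("john", "password");
        EventRepresentation loginEvent = events.expectLogin()
                .user(userId)
                .assertEvent();

        Tokens tokens1 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-1", "test-app");
        Assert.assertTrue(tokens1.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(tokens1.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Second login over the existing SSO session, now requesting scope-role-2.
        oauth.scope("scope-role-2");
        oauth.openLoginForm();
        loginEvent = events.expectLogin().user(userId).removeDetail(Details.USERNAME).client("test-app").assertEvent();
        Tokens tokens2 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-2", "test-app");
        Assert.assertFalse(tokens2.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(tokens2.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Each refresh token stays bound to the scope granted at its own login: a
        // refresh must not pick up roles the other grant added to the same session.
        // (Second argument is the client credential, presumably test-app's secret.)
        OAuthClient.AccessTokenResponse refreshResponse1 = oauth.doRefreshTokenRequest(tokens1.refreshToken, "password");
        Assert.assertEquals(200, refreshResponse1.getStatusCode());
        AccessToken accessToken1 = oauth.verifyToken(refreshResponse1.getAccessToken());
        Assert.assertTrue(accessToken1.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(accessToken1.getRealmAccess().isUserInRole("role-2"));

        OAuthClient.AccessTokenResponse refreshResponse2 = oauth.doRefreshTokenRequest(tokens2.refreshToken, "password");
        Assert.assertEquals(200, refreshResponse2.getStatusCode());
        AccessToken accessToken2 = oauth.verifyToken(refreshResponse2.getAccessToken());
        Assert.assertFalse(accessToken2.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(accessToken2.getRealmAccess().isUserInRole("role-2"));
    } finally {
        // Revert even when an assertion fails, so test-app does not stay in
        // "full scope disabled" state for the tests that run after this one.
        testAppRep.setFullScopeAllowed(true);
        testApp.update(testAppRep);
        testApp.removeOptionalClientScope(scope1Id);
        testApp.removeOptionalClientScope(scope2Id);
    }
}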
 
Example 8
Source File: FineGrainAdminUnitTest.java — from keycloak (Apache License 2.0)
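@Test
public void testCreateRealmCreateClient() throws Exception {
    // Confidential, full-scoped client in the master realm, used below as the
    // credential of a second admin client. The secret is a fixed test fixture;
    // the client is removed again in the finally block so a full-scoped master
    // client with a known secret does not outlive the test.
    ClientRepresentation rep = new ClientRepresentation();
    rep.setName("fullScopedClient");
    rep.setClientId("fullScopedClient");
    rep.setFullScopeAllowed(true);
    rep.setSecret("618268aa-51e6-4e64-93c4-3c0bc65b8171");
    rep.setProtocol("openid-connect");
    rep.setPublicClient(false);
    rep.setEnabled(true);
    // JAX-RS responses hold the connection until closed.
    adminClient.realm("master").clients().create(rep).close();

    Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
            "master", "admin", "admin", "fullScopedClient", "618268aa-51e6-4e64-93c4-3c0bc65b8171");
    try {
        RealmRepresentation newRealm = new RealmRepresentation();
        newRealm.setRealm("anotherRealm");
        newRealm.setId("anotherRealm");
        newRealm.setEnabled(true);
        realmClient.realms().create(newRealm);

        ClientRepresentation newClient = new ClientRepresentation();
        newClient.setName("newClient");
        newClient.setClientId("newClient");
        newClient.setFullScopeAllowed(true);
        newClient.setSecret("secret");
        newClient.setProtocol("openid-connect");
        newClient.setPublicClient(false);
        newClient.setEnabled(true);

        // realmClient authenticated before anotherRealm existed, so its token
        // presumably carries no admin roles for that realm: creating a client
        // there must be refused.
        Response response = realmClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(403, response.getStatus());
        } finally {
            response.close();
        }

        // A fresh login picks up the new realm's roles and the same call succeeds.
        realmClient.close();
        realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
                "master", "admin", "admin", "fullScopedClient", "618268aa-51e6-4e64-93c4-3c0bc65b8171");
        response = realmClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(201, response.getStatus());
        } finally {
            response.close();
        }
    } finally {
        adminClient.realm("anotherRealm").remove();
        realmClient.close();
        // Do not leave a confidential client with a well-known secret in master.
        for (ClientRepresentation c : adminClient.realm("master").clients().findByClientId("fullScopedClient")) {
            adminClient.realm("master").clients().get(c.getId()).remove();
        }
    }
}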
 
Example 9
Source File: OIDCProtocolMappersTest.java — from keycloak (Apache License 2.0)
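/**
 * KEYCLOAK-5259: role-to-claim protocol mappers must keep working when the
 * client has fullScopeAllowed disabled, and must then emit only the roles the
 * client is scoped to (here: the ones directly assigned to the user).
 * @throws Exception
 */
@Test
public void testUserRoleToAttributeMappersWithFullScopeDisabled() throws Exception {
    // Mappers writing realm roles (prefixed "pref.") and test-app client roles
    // into the custom claims roles-custom.realm / roles-custom.test-app.
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);

    ClientResource client = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app");

    // Disable full scope: roles outside the client's scope must not leak into the
    // token through the mappers either.
    ClientRepresentation rep = client.toRepresentation();
    rep.setFullScopeAllowed(false);
    client.update(rep);

    ProtocolMappersResource protocolMappers = client.getProtocolMappers();
    try {
        protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));

        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // Both sub-claims are present and each is a list of role names.
        @SuppressWarnings("unchecked") // claim shape is fixed by the mappers created above
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
        Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));

        @SuppressWarnings("unchecked")
        List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
        @SuppressWarnings("unchecked")
        List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
        assertRoles(realmRoleMappings,
                "pref.user"                      // from direct assignment in user definition
        );
        assertRoles(testAppMappings,
                "customer-user"                   // from direct assignment in user definition
        );
    } finally {
        // Revert even when an assertion fails so later tests see test-app unchanged.
        deleteMappers(protocolMappers);

        rep = client.toRepresentation();
        rep.setFullScopeAllowed(true);
        client.update(rep);
    }
}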
 
Example 10
Source File: ClientManager.java — from keycloak (Apache License 2.0)
/**
 * Sets {@code fullScopeAllowed} on the managed client with a read-modify-write
 * of its current representation.
 *
 * @param enable {@code true} to let the client's tokens carry all of the user's
 *               role mappings; {@code false} to restrict them to scope mappings
 * @return this builder, for chaining
 */
public ClientManagerBuilder fullScopeAllowed(boolean enable) {
    ClientRepresentation current = clientResource.toRepresentation();
    current.setFullScopeAllowed(enable);
    clientResource.update(current);
    return this;
}