Java Code Examples for org.keycloak.models.RealmModel#addClient()

The following examples show how to use org.keycloak.models.RealmModel#addClient().
Example 1
Source File: SystemClientUtil.java    From keycloak with Apache License 2.0
/**
 * Resolves the client used when an operation needs some "meta client" rather than a real
 * application, e.g. a fresh authentication session created during the action-token flow when an
 * e-mail link is opened in a new browser.
 *
 * <p>Lookup order: the built-in account-management client, then the client registered under
 * {@code SYSTEM_CLIENT_ID}. If neither exists, a new client is added to the realm under
 * {@code SYSTEM_CLIENT_ID}, so this getter can modify the realm as a side effect. The warning
 * logged on that path is the only signal this method emits about the creation.
 *
 * @param realm realm to search and, if necessary, to add the system client to
 * @return the account-management client, the existing system client, or a newly created one
 */
public static ClientModel getSystemClient(RealmModel realm) {
    // Prefer the built-in "account" client.
    ClientModel accountClient = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
    if (accountClient != null) {
        return accountClient;
    }

    // Otherwise fall back to an already registered "system" client.
    ClientModel existingSystemClient = realm.getClientByClientId(SYSTEM_CLIENT_ID);
    if (existingSystemClient != null) {
        return existingSystemClient;
    }

    // Neither exists: create the system client. Only its name is set here; every other setting
    // is whatever realm.addClient() leaves in place.
    logger.warnf("Client '%s' not available. Creating system client '%s' for system operations", Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, SYSTEM_CLIENT_ID);
    ClientModel createdSystemClient = realm.addClient(SYSTEM_CLIENT_ID);
    createdSystemClient.setName(SYSTEM_CLIENT_ID);
    return createdSystemClient;
}
 
Example 2
Source File: FineGrainAdminUnitTest.java    From keycloak with Apache License 2.0
/**
 * Populates the realm named {@code TEST} with the demo fixture: one realm role, the
 * "sales-application" client with three client roles, the "sales" group and four enabled users.
 *
 * <p>Test fixture only: both admin users receive the fixed password "password". The two
 * sales users get no credential in this method.
 *
 * @param session session used to look up the realm and to create users and credentials
 */
public static void setupDemo(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);
    testRealm.addRole("realm-role");

    ClientModel salesApp = testRealm.addClient("sales-application");
    for (String clientRole : new String[] {"admin", "leader-creator", "viewLeads"}) {
        salesApp.addRole(clientRole);
    }
    GroupModel salesGroup = testRealm.createGroup("sales");

    // The two admin accounts are created identically, each with the same hard-coded password.
    for (String adminName : new String[] {"salesManager", "sales-admin"}) {
        UserModel adminUser = session.users().addUser(testRealm, adminName);
        adminUser.setEnabled(true);
        session.userCredentialManager().updateCredential(testRealm, adminUser, UserCredentialModel.password("password"));
    }

    // Only "salesman" joins the sales group; "saleswoman" stays outside it.
    UserModel salesman = session.users().addUser(testRealm, "salesman");
    salesman.setEnabled(true);
    salesman.joinGroup(salesGroup);

    UserModel saleswoman = session.users().addUser(testRealm, "saleswoman");
    saleswoman.setEnabled(true);
}
 
Example 3
Source File: FineGrainAdminUnitTest.java    From keycloak with Apache License 2.0
/**
 * Creates the confidential "kcinit" client in the "master" realm and allows it to exchange
 * tokens to the client registered under {@code ConfigUtil.DEFAULT_CLIENT}. Does nothing when
 * "kcinit" already exists.
 *
 * <p>Test fixture only: the client secret is the literal "password" and the redirect URI
 * pattern "http://localhost:*" uses a wildcard. Neither value belongs in a deployed realm.
 *
 * @param session session used to look up the realm and the permission management API
 */
private static void setupTokenExchange(KeycloakSession session) {
    RealmModel masterRealm = session.realms().getRealmByName("master");
    if (session.realms().getClientByClientId("kcinit", masterRealm) != null) {
        // Already provisioned by an earlier call.
        return;
    }

    ClientModel kcinitClient = masterRealm.addClient("kcinit");
    kcinitClient.setEnabled(true);
    kcinitClient.addRedirectUri("http://localhost:*");
    kcinitClient.setPublicClient(false);
    kcinitClient.setSecret("password");
    kcinitClient.setDirectAccessGrantsEnabled(true);

    // Turn on fine-grained permissions for the default client, then attach a client policy
    // that names only "kcinit" to its exchange-to permission.
    ClientModel defaultClient = masterRealm.getClientByClientId(ConfigUtil.DEFAULT_CLIENT);
    AdminPermissionManagement permissions = AdminPermissions.management(session, masterRealm);
    permissions.clients().setPermissionsEnabled(defaultClient, true);

    ClientPolicyRepresentation exchangePolicyRep = new ClientPolicyRepresentation();
    exchangePolicyRep.setName("to");
    exchangePolicyRep.addClient(kcinitClient.getId());

    ResourceServer resourceServer = permissions.realmResourceServer();
    Policy exchangePolicy = permissions.authz().getStoreFactory().getPolicyStore().create(exchangePolicyRep, resourceServer);
    permissions.clients().exchangeToPermission(defaultClient).addAssociatedPolicy(exchangePolicy);
}
 
Example 4
Source File: ClientModelTest.java    From keycloak with Apache License 2.0
/**
 * Adds a fully populated client to the realm for the model tests: descriptive fields, URLs,
 * three roles (two of them default roles), two redirect URIs, two web origins, two registered
 * nodes and an address protocol mapper.
 *
 * <p>The client is added as "application" and then given the client id "app-name". All URLs,
 * redirect URIs and origins are placeholder literals.
 *
 * @param realm realm the client is added to
 * @return the configured client, after {@code updateClient()} has been called on it
 */
private ClientModel setUpClient(RealmModel realm) {
    ClientModel app = realm.addClient("application");
    app.setName("Application");
    app.setDescription("Description");
    app.setBaseUrl("http://base");
    app.setManagementUrl("http://management");
    app.setClientId("app-name");
    app.setProtocol("openid-connect");

    for (String roleName : new String[] {"role-1", "role-2", "role-3"}) {
        app.addRole(roleName);
    }
    // Only the first two roles become default roles.
    for (String defaultRole : new String[] {"role-1", "role-2"}) {
        app.addDefaultRole(defaultRole);
    }
    for (String redirectUri : new String[] {"redirect-1", "redirect-2"}) {
        app.addRedirectUri(redirectUri);
    }
    for (String webOrigin : new String[] {"origin-1", "origin-2"}) {
        app.addWebOrigin(webOrigin);
    }

    app.registerNode("node1", 10);
    app.registerNode("10.20.30.40", 50);
    app.addProtocolMapper(AddressMapper.createAddressMapper());
    app.updateClient();
    return app;
}
 
Example 5
Source File: KeycloakModelUtils.java    From keycloak with Apache License 2.0
/**
 * Adds a client to the realm with the default client authenticator type and a generated secret.
 *
 * <p>Full scope is switched on for the new client, so scope mappings do not narrow which of a
 * user's roles apply to it. Callers that want least privilege should turn it off on the
 * returned client and add explicit scope mappings.
 *
 * @param realm realm the client is added to
 * @param name value passed to {@code realm.addClient}
 * @return the newly added client
 */
public static ClientModel createClient(RealmModel realm, String name) {
    ClientModel created = realm.addClient(name);

    // Authenticator type first, then the secret, in the same order as before.
    created.setClientAuthenticatorType(getDefaultClientAuthenticatorType());
    generateSecret(created);

    created.setFullScopeAllowed(true);
    return created;
}
 
Example 6
Source File: FineGrainAdminUnitTest.java    From keycloak with Apache License 2.0
/**
 * Creates a realm role, a client with one client role, and a group in the realm named
 * {@code TEST}, then enables fine-grained admin permissions on each of them and on users.
 * The "removed..." names indicate the objects are meant to be deleted by the test later.
 *
 * @param session session used to look up the realm and the permission management API
 */
public static void setupDeleteTest(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);

    // Objects whose permission resources the test expects to clean up.
    RoleModel realmRole = testRealm.addRole("removedRole");
    ClientModel removedClient = testRealm.addClient("removedClient");
    RoleModel clientRole = removedClient.addRole("removedClientRole");
    GroupModel group = testRealm.createGroup("removedGroup");

    AdminPermissionManagement permissions = AdminPermissions.management(session, testRealm);
    permissions.roles().setPermissionsEnabled(realmRole, true);
    permissions.roles().setPermissionsEnabled(clientRole, true);
    permissions.groups().setPermissionsEnabled(group, true);
    permissions.clients().setPermissionsEnabled(removedClient, true);
    permissions.users().setPermissionsEnabled(true);
}
 
Example 7
Source File: MultipleRealmsTest.java    From keycloak with Apache License 2.0
/**
 * Creates the same set of objects in whichever realm is passed in: clients "app1", "app2" and
 * "cl1", users "user1" and "user2", realm roles "role1" and "role2", a client role on "app1",
 * and a scope mapping from "app1" to realm role "role1".
 *
 * @param session session used to create the users
 * @param realm realm that receives the objects
 */
public static void createObjects(KeycloakSession session, RealmModel realm) {
    ClientModel firstApp = realm.addClient("app1");
    realm.addClient("app2");

    for (String username : new String[] {"user1", "user2"}) {
        session.users().addUser(realm, username);
    }

    for (String realmRole : new String[] {"role1", "role2"}) {
        realm.addRole(realmRole);
    }

    firstApp.addRole("app1Role1");
    // "app1" is scoped to realm role "role1" only; "role2" is not mapped.
    firstApp.addScopeMapping(realm.getRole("role1"));

    realm.addClient("cl1");
}
 
Example 8
Source File: ClientTokenExchangeSAML2Test.java    From keycloak with Apache License 2.0
/**
 * Sets up the "direct-exchanger" client for the SAML token-exchange tests in the realm named
 * {@code TEST}: creates realm role "example", the confidential client, enables fine-grained
 * permissions on the four SAML target clients, and puts the client into a policy attached to
 * the admin-impersonating permission. Finally creates the user "impersonated-user".
 *
 * <p>Test fixture only: the client secret is the literal "secret" and the user password is the
 * literal "password". The four SAML targets are looked up by client id and are not created
 * here.
 *
 * @param session session used to look up the realm and to create users and credentials
 */
private static void addDirectExchanger(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = testRealm.addRole("example");
    AdminPermissionManagement permissions = AdminPermissions.management(session, testRealm);

    ClientModel exchanger = testRealm.addClient("direct-exchanger");
    exchanger.setName("direct-exchanger");
    exchanger.setClientId("direct-exchanger");
    exchanger.setPublicClient(false);
    exchanger.setDirectAccessGrantsEnabled(true);
    exchanger.setEnabled(true);
    exchanger.setSecret("secret");
    exchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    exchanger.setFullScopeAllowed(false);

    // Enable fine-grained permissions on every SAML target client.
    String[] samlTargetIds = {
        SAML_SIGNED_TARGET,
        SAML_ENCRYPTED_TARGET,
        SAML_SIGNED_AND_ENCRYPTED_TARGET,
        SAML_UNSIGNED_AND_UNENCRYPTED_TARGET
    };
    for (String samlTargetId : samlTargetIds) {
        permissions.clients().setPermissionsEnabled(testRealm.getClientByClientId(samlTargetId), true);
    }

    // The impersonation policy names "direct-exchanger" and nothing else.
    ClientPolicyRepresentation impersonationPolicyRep = new ClientPolicyRepresentation();
    impersonationPolicyRep.setName("clientImpersonatorsDirect");
    impersonationPolicyRep.addClient(exchanger.getId());

    ResourceServer resourceServer = permissions.realmResourceServer();
    Policy impersonationPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(impersonationPolicyRep, resourceServer);
    permissions.users().setPermissionsEnabled(true);
    permissions.users().adminImpersonatingPermission().addAssociatedPolicy(impersonationPolicy);
    permissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    UserModel targetUser = session.users().addUser(testRealm, "impersonated-user");
    targetUser.setEnabled(true);
    session.userCredentialManager().updateCredential(testRealm, targetUser, UserCredentialModel.password("password"));
    targetUser.grantRole(exampleRole);
}
 
Example 9
Source File: BrokerLinkAndTokenExchangeTest.java    From keycloak with Apache License 2.0
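/**
 * Prepares the realm named {@code CHILD_IDP} for the broker-link and token-exchange tests.
 *
 * <p>Creates the confidential "direct-exchanger" client, allows it and the existing
 * {@code ClientApp.DEPLOYMENT_NAME} client to exchange tokens to the {@code PARENT_IDP}
 * identity provider, and allows "direct-exchanger" alone to impersonate users.
 *
 * <p>Test fixture only: the client secret is the literal "secret".
 *
 * @param session session used to look up the realm and the permission management API
 */
public static void setupRealm(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(CHILD_IDP);
    ClientModel client = realm.getClientByClientId(ClientApp.DEPLOYMENT_NAME);
    IdentityProviderModel idp = realm.getIdentityProviderByAlias(PARENT_IDP);
    Assert.assertNotNull(idp);
    // client.getId() is dereferenced below. Check the lookup here so a missing client fails
    // with a clear assertion before any client or policy has been created.
    Assert.assertNotNull(client);

    ClientModel directExchanger = realm.addClient("direct-exchanger");
    directExchanger.setClientId("direct-exchanger");
    directExchanger.setPublicClient(false);
    directExchanger.setDirectAccessGrantsEnabled(true);
    directExchanger.setEnabled(true);
    directExchanger.setSecret("secret");
    directExchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    directExchanger.setFullScopeAllowed(false);

    // Permission to exchange to the identity provider: both clients are named in the policy.
    AdminPermissionManagement management = AdminPermissions.management(session, realm);
    management.idps().setPermissionsEnabled(idp, true);
    ClientPolicyRepresentation clientRep = new ClientPolicyRepresentation();
    clientRep.setName("toIdp");
    clientRep.addClient(client.getId());
    clientRep.addClient(directExchanger.getId());
    ResourceServer server = management.realmResourceServer();
    Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server);
    management.idps().exchangeToPermission(idp).addAssociatedPolicy(clientPolicy);

    // Permission for user impersonation: only "direct-exchanger" is named in this policy.
    ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
    clientImpersonateRep.setName("clientImpersonators");
    clientImpersonateRep.addClient(directExchanger.getId());
    server = management.realmResourceServer();
    Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
    management.users().setPermissionsEnabled(true);
    management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
    management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
}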
 
Example 10
Source File: SocialLoginTest.java    From keycloak with Apache License 2.0
/**
 * Lazily creates the confidential {@code EXCHANGE_CLIENT} in the realm named {@code REALM} and
 * grants it, through a single client policy, both the admin-impersonating permission and the
 * exchange-to permission of every identity provider in the realm. Returns immediately when the
 * client already exists.
 *
 * <p>Test fixture only: the client secret is the literal "secret". The grant is realm-wide,
 * because the loop covers every identity provider the realm returns.
 *
 * @param session session used to look up the realm and the permission management API
 */
public static void setupClientExchangePermissions(KeycloakSession session) {
    RealmModel targetRealm = session.realms().getRealmByName(REALM);

    // Lazy init: skip everything when the client is already there.
    if (session.realms().getClientByClientId(EXCHANGE_CLIENT, targetRealm) != null) {
        return;
    }

    ClientModel exchangeClient = targetRealm.addClient(EXCHANGE_CLIENT);
    exchangeClient.setSecret("secret");
    exchangeClient.setPublicClient(false);
    exchangeClient.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    exchangeClient.setEnabled(true);
    exchangeClient.setDirectAccessGrantsEnabled(true);

    ClientPolicyRepresentation policyRep = new ClientPolicyRepresentation();
    policyRep.setName("client-policy");
    policyRep.addClient(exchangeClient.getId());

    AdminPermissionManagement permissions = AdminPermissions.management(session, targetRealm);
    permissions.users().setPermissionsEnabled(true);
    ResourceServer resourceServer = permissions.realmResourceServer();
    Policy exchangePolicy = permissions.authz().getStoreFactory().getPolicyStore().create(policyRep, resourceServer);

    // The same policy backs user impersonation ...
    permissions.users().adminImpersonatingPermission().addAssociatedPolicy(exchangePolicy);
    permissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    // ... and token exchange to each identity provider.
    for (IdentityProviderModel provider : targetRealm.getIdentityProviders()) {
        permissions.idps().setPermissionsEnabled(provider, true);
        permissions.idps().exchangeToPermission(provider).addAssociatedPolicy(exchangePolicy);
    }
}
 
Example 11
Source File: ClientTokenExchangeSAML2Test.java    From keycloak with Apache License 2.0
/**
 * Creates the four SAML 2.0 target clients in the realm named {@code TEST}, one for each
 * combination of assertion signing and assertion encryption:
 *
 * <ul>
 *   <li>{@code SAML_SIGNED_TARGET}: assertion signed, not encrypted</li>
 *   <li>{@code SAML_ENCRYPTED_TARGET}: assertion not signed, encrypted, assertion lifespan "30"</li>
 *   <li>{@code SAML_SIGNED_AND_ENCRYPTED_TARGET}: assertion signed and encrypted</li>
 *   <li>{@code SAML_UNSIGNED_AND_UNENCRYPTED_TARGET}: assertion neither signed nor encrypted</li>
 * </ul>
 *
 * <p>{@code SAML_SERVER_SIGNATURE} is "true" for all four, including the "unsigned" target.
 * Only the assertion-level signature differs between them. Full scope is enabled on every
 * target.
 *
 * @param session session used to look up the realm
 */
private static void addTargetClients(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);

    addSamlTargetClient(testRealm, SAML_SIGNED_TARGET, true, false);

    ClientModel encryptedTarget = addSamlTargetClient(testRealm, SAML_ENCRYPTED_TARGET, false, true);
    // Only the encrypted-only target overrides the assertion lifespan.
    encryptedTarget.setAttribute(SamlConfigAttributes.SAML_ASSERTION_LIFESPAN, "30");

    addSamlTargetClient(testRealm, SAML_SIGNED_AND_ENCRYPTED_TARGET, true, true);
    addSamlTargetClient(testRealm, SAML_UNSIGNED_AND_UNENCRYPTED_TARGET, false, false);
}

/**
 * Adds one enabled SAML client whose client id equals {@code clientId} and applies the
 * attributes shared by all target clients. The encryption certificate is set only when
 * encryption is requested.
 */
private static ClientModel addSamlTargetClient(RealmModel realm, String clientId, boolean signAssertion, boolean encryptAssertion) {
    ClientModel samlTarget = realm.addClient(clientId);
    samlTarget.setClientId(clientId);
    samlTarget.setEnabled(true);
    samlTarget.setProtocol(SamlProtocol.LOGIN_PROTOCOL);
    samlTarget.setFullScopeAllowed(true);
    samlTarget.setAttribute(SamlConfigAttributes.SAML_AUTHNSTATEMENT, "true");
    samlTarget.setAttribute(SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE,
            clientId + "endpoint");
    samlTarget.setAttribute(SamlConfigAttributes.SAML_NAME_ID_FORMAT_ATTRIBUTE, "username");
    samlTarget.setAttribute(SamlConfigAttributes.SAML_ASSERTION_SIGNATURE, signAssertion ? "true" : "false");
    samlTarget.setAttribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true");
    samlTarget.setAttribute(SamlConfigAttributes.SAML_ENCRYPT, encryptAssertion ? "true" : "false");
    if (encryptAssertion) {
        samlTarget.setAttribute(SamlConfigAttributes.SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE, ENCRYPTION_CERTIFICATE);
    }
    return samlTarget;
}
 
Example 12
Source File: ClientTokenExchangeTest.java    From keycloak with Apache License 2.0
/**
 * Builds the token-exchange fixture in the realm named {@code TEST}, after
 * {@code addDirectExchanger(session)} has created the "target" client and the "example" role.
 *
 * <p>Clients created here and what each one is allowed to do:
 *
 * <ul>
 *   <li>"client-exchanger": in the exchange-to-target policy. Also scoped to the impersonation
 *       role and given two user-session-note mappers.</li>
 *   <li>"legal": in the exchange-to-target policy.</li>
 *   <li>"direct-legal": in the exchange-to-target policy and the impersonation policy.</li>
 *   <li>"direct-public" (public client, no secret): in the impersonation policy.</li>
 *   <li>"direct-no-secret" (confidential, no secret set): in the impersonation policy.</li>
 *   <li>"illegal": in neither policy, so it serves as the negative case.</li>
 * </ul>
 *
 * <p>User "user" is granted the example and impersonation roles. "bad-impersonator" is granted
 * no role here. Test fixture only: client secrets are the literal "secret" and user passwords
 * the literal "password".
 *
 * @param session session used to look up the realm and to create users and credentials
 */
public static void setupRealm(KeycloakSession session) {
    addDirectExchanger(session);

    RealmModel testRealm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = testRealm.getRole("example");

    AdminPermissionManagement permissions = AdminPermissions.management(session, testRealm);
    ClientModel target = testRealm.getClientByClientId("target");
    assertNotNull(target);

    RoleModel impersonateRole = permissions.getRealmManagementClient().getRole(ImpersonationConstants.IMPERSONATION_ROLE);

    ClientModel clientExchanger = addTokenExchangeTestClient(testRealm, "client-exchanger", false, "secret");
    clientExchanger.addScopeMapping(impersonateRole);
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_ID));
    clientExchanger.addProtocolMapper(UserSessionNoteMapper.createUserSessionNoteMapper(IMPERSONATOR_USERNAME));

    // Created for the negative case only: it is never added to a policy below.
    addTokenExchangeTestClient(testRealm, "illegal", false, "secret");

    ClientModel legal = addTokenExchangeTestClient(testRealm, "legal", false, "secret");
    ClientModel directLegal = addTokenExchangeTestClient(testRealm, "direct-legal", false, "secret");
    ClientModel directPublic = addTokenExchangeTestClient(testRealm, "direct-public", true, null);
    ClientModel directNoSecret = addTokenExchangeTestClient(testRealm, "direct-no-secret", false, null);

    // permission for client to client exchange to "target" client
    ClientPolicyRepresentation exchangePolicyRep = new ClientPolicyRepresentation();
    exchangePolicyRep.setName("to");
    exchangePolicyRep.addClient(clientExchanger.getId());
    exchangePolicyRep.addClient(legal.getId());
    exchangePolicyRep.addClient(directLegal.getId());

    ResourceServer exchangeServer = permissions.realmResourceServer();
    Policy exchangePolicy = permissions.authz().getStoreFactory().getPolicyStore().create(exchangePolicyRep, exchangeServer);
    permissions.clients().exchangeToPermission(target).addAssociatedPolicy(exchangePolicy);

    // permission for user impersonation for a client
    ClientPolicyRepresentation impersonationPolicyRep = new ClientPolicyRepresentation();
    impersonationPolicyRep.setName("clientImpersonators");
    impersonationPolicyRep.addClient(directLegal.getId());
    impersonationPolicyRep.addClient(directPublic.getId());
    impersonationPolicyRep.addClient(directNoSecret.getId());

    ResourceServer impersonationServer = permissions.realmResourceServer();
    Policy impersonationPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(impersonationPolicyRep, impersonationServer);
    permissions.users().setPermissionsEnabled(true);
    permissions.users().adminImpersonatingPermission().addAssociatedPolicy(impersonationPolicy);
    permissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    UserModel regularUser = session.users().addUser(testRealm, "user");
    regularUser.setEnabled(true);
    session.userCredentialManager().updateCredential(testRealm, regularUser, UserCredentialModel.password("password"));
    regularUser.grantRole(exampleRole);
    regularUser.grantRole(impersonateRole);

    UserModel badImpersonator = session.users().addUser(testRealm, "bad-impersonator");
    badImpersonator.setEnabled(true);
    session.userCredentialManager().updateCredential(testRealm, badImpersonator, UserCredentialModel.password("password"));
}

/**
 * Adds an enabled OIDC client with direct access grants on and full scope off. The secret is
 * set only when {@code secret} is non-null.
 */
private static ClientModel addTokenExchangeTestClient(RealmModel realm, String clientId, boolean publicClient, String secret) {
    ClientModel created = realm.addClient(clientId);
    created.setClientId(clientId);
    created.setPublicClient(publicClient);
    created.setDirectAccessGrantsEnabled(true);
    created.setEnabled(true);
    if (secret != null) {
        created.setSecret(secret);
    }
    created.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    created.setFullScopeAllowed(false);
    return created;
}
 
Example 13
Source File: ClientTokenExchangeTest.java    From keycloak with Apache License 2.0
/**
 * Creates the base objects for the token-exchange tests in the realm named {@code TEST}: realm
 * role "example", the "target" client scoped to that role, the confidential
 * "direct-exchanger" client, and the user "impersonated-user" holding the example role.
 *
 * <p>Fine-grained permissions are enabled on "target", and "direct-exchanger" is the only
 * client named in the policy attached to the admin-impersonating permission.
 *
 * <p>Test fixture only: both client secrets are the literal "secret" and the user password is
 * the literal "password". Unlike "direct-exchanger", "target" never has
 * {@code setPublicClient} called on it here.
 *
 * @param session session used to look up the realm and to create users and credentials
 */
private static void addDirectExchanger(KeycloakSession session) {
    RealmModel testRealm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = testRealm.addRole("example");
    AdminPermissionManagement permissions = AdminPermissions.management(session, testRealm);

    ClientModel targetClient = testRealm.addClient("target");
    targetClient.setName("target");
    targetClient.setClientId("target");
    targetClient.setDirectAccessGrantsEnabled(true);
    targetClient.setEnabled(true);
    targetClient.setSecret("secret");
    targetClient.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    // Full scope is off, so the explicit mapping to the example role is what scopes it.
    targetClient.setFullScopeAllowed(false);
    targetClient.addScopeMapping(exampleRole);

    ClientModel exchanger = testRealm.addClient("direct-exchanger");
    exchanger.setName("direct-exchanger");
    exchanger.setClientId("direct-exchanger");
    exchanger.setPublicClient(false);
    exchanger.setDirectAccessGrantsEnabled(true);
    exchanger.setEnabled(true);
    exchanger.setSecret("secret");
    exchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    exchanger.setFullScopeAllowed(false);

    // permission for client to client exchange to "target" client
    permissions.clients().setPermissionsEnabled(targetClient, true);

    ClientPolicyRepresentation impersonationPolicyRep = new ClientPolicyRepresentation();
    impersonationPolicyRep.setName("clientImpersonatorsDirect");
    impersonationPolicyRep.addClient(exchanger.getId());

    ResourceServer resourceServer = permissions.realmResourceServer();
    Policy impersonationPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(impersonationPolicyRep, resourceServer);
    permissions.users().setPermissionsEnabled(true);
    permissions.users().adminImpersonatingPermission().addAssociatedPolicy(impersonationPolicy);
    permissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    UserModel targetUser = session.users().addUser(testRealm, "impersonated-user");
    targetUser.setEnabled(true);
    session.userCredentialManager().updateCredential(testRealm, targetUser, UserCredentialModel.password("password"));
    targetUser.grantRole(exampleRole);
}