org.keycloak.OAuth2Constants Java Examples
The following examples show how to use
org.keycloak.OAuth2Constants.
Example #1
Source File: X509DirectGrantTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Runs a direct (resource-owner credentials) grant as {@code clientId} and asserts the
 * resulting login event, including the X.509 certificate details.
 *
 * @param clientId     client to authenticate as
 * @param clientSecret secret sent with the grant request
 * @param login        username expected in the login event's {@code USERNAME} detail
 * @param password     not used by this helper; the grant request is sent with empty credentials
 * @throws Exception propagated from the token request or token verification
 */
private void doResourceOwnerCredentialsLogin(String clientId, String clientSecret, String login, String password) throws Exception {
    oauth.clientId(clientId);

    // Username and password are sent empty — presumably the client certificate carries the
    // identity here (see addX509CertificateDetails below); confirm against the test setup.
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest(clientSecret, "", "", null);
    assertEquals(200, tokenResponse.getStatusCode());

    AccessToken parsedAccessToken = oauth.verifyToken(tokenResponse.getAccessToken());
    RefreshToken parsedRefreshToken = oauth.parseRefreshToken(tokenResponse.getRefreshToken());

    AssertEvents.ExpectedEvent loginEvent = events.expectLogin()
            .client(clientId)
            .user(userId)
            .session(parsedAccessToken.getSessionState())
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.TOKEN_ID, parsedAccessToken.getId())
            .detail(Details.REFRESH_TOKEN_ID, parsedRefreshToken.getId())
            .detail(Details.USERNAME, login)
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT);
    addX509CertificateDetails(loginEvent).assertEvent();
}
Example #2
Source File: OAuthScopeInTokenResponseTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Requests an empty {@code scope} and expects the token response to carry the
 * default scopes {@code openid profile email}.
 */
@Test
public void specifyEmptyScopeTest() throws Exception {
    final String loginUser = "john-doh@localhost";
    final String loginPassword = "password";
    final String clientSecret = "password";
    final String requestedScope = "";
    final String expectedScope = "openid profile email";

    oauth.scope(requestedScope);
    oauth.doLogin(loginUser, loginPassword);

    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    expectSuccessfulResponseFromTokenEndpoint(authorizationCode, expectedScope, clientSecret);
}
Example #3
Source File: SessionsPreloadCrossDCTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Creates {@code SESSIONS_COUNT} sessions for {@code test-user@localhost} via the password grant.
 *
 * @param offline when {@code true}, requests the {@code offline_access} scope so the sessions are offline
 * @return the token responses, one per created session, in creation order
 * @throws Exception propagated from the grant requests
 */
private List<OAuthClient.AccessTokenResponse> createInitialSessions(boolean offline) throws Exception {
    if (offline) {
        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    }

    List<OAuthClient.AccessTokenResponse> tokenResponses = new LinkedList<>();
    int remaining = SESSIONS_COUNT;
    while (remaining-- > 0) {
        OAuthClient.AccessTokenResponse tokenResponse =
                oauth.doGrantAccessTokenRequest("password", "test-user@localhost", "password");
        Assert.assertNull(tokenResponse.getError());
        Assert.assertNotNull(tokenResponse.getAccessToken());
        tokenResponses.add(tokenResponse);
    }
    return tokenResponses;
}
Example #4
Source File: LoginTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * A login with an unknown username must stay on the login form, keep the submitted
 * username (but not the password), emit a {@code user_not_found} login error event,
 * and still allow a subsequent correct login on the same form.
 */
@Test
public void loginInvalidUsername() {
    loginPage.open();
    loginPage.login("invalid", "password");
    loginPage.assertCurrent();

    // KEYCLOAK-1741 - assert form field values kept
    Assert.assertEquals("invalid", loginPage.getUsername());
    Assert.assertEquals("", loginPage.getPassword());
    Assert.assertEquals("Invalid username or password.", loginPage.getError());

    events.expectLogin()
            .user((String) null)
            .session((String) null)
            .error("user_not_found")
            .detail(Details.USERNAME, "invalid")
            .removeDetail(Details.CONSENT)
            .assertEvent();

    // Retry with a valid account on the same form
    loginPage.login("login-test", "password");
    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
Example #5
Source File: JavascriptAdapterTest.java From keycloak with Apache License 2.0 | 6 votes |
@Test // KEYCLOAK-4503 public void initializeWithRefreshToken() { oauth.setDriver(jsDriver); // Oauth need to login with jsDriver oauth.realm(REALM_NAME); oauth.clientId(CLIENT_ID); oauth.redirectUri(testAppUrl); oauth.doLogin(testUser); String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE); OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password"); String token = tokenResponse.getAccessToken(); String refreshToken = tokenResponse.getRefreshToken(); testExecutor.init(JSObjectBuilder.create() .add("refreshToken", refreshToken) , (driver1, output, events) -> { assertInitNotAuth(driver1, output, events); waitUntilElement(events).text().not().contains("Auth Success"); }); }
Example #6
Source File: OIDCJwksClientRegistrationTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Registers a {@code client_credentials} client using {@code private_key_jwt} authentication,
 * with an inline JWKS whose first key has its {@code kid} overridden.
 *
 * @param kid key id to set on the first generated key
 * @return the client representation returned by the registration endpoint
 * @throws Exception propagated from key generation or client registration
 */
private OIDCClientRepresentation createClientWithManuallySetKid(String kid) throws Exception {
    OIDCClientRepresentation rep = createRep();
    rep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    rep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    // Generate keys for client
    TestOIDCEndpointsApplicationResource clientEndpoints = testingClient.testApp().oidcClientEndpoints();
    clientEndpoints.generateKeys("RS256");
    JSONWebKeySet jwks = clientEndpoints.getJwks();

    // Override kid with custom value
    jwks.getKeys()[0].setKeyId(kid);
    rep.setJwks(jwks);

    return reg.oidc().create(rep);
}
Example #7
Source File: UserStorageOTPTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * The federated user must present an OTP after the password: a wrong code keeps the
 * TOTP page with an error, the hard-coded correct code completes the login.
 */
@Test
public void testAuthentication() {
    // Password step
    loginPage.open();
    loginPage.login("test-user", DummyUserFederationProvider.HARDCODED_PASSWORD);
    loginTotpPage.assertCurrent();

    // Wrong OTP is rejected and the TOTP page stays current
    loginTotpPage.login("654321");
    loginTotpPage.assertCurrent();
    Assert.assertEquals("Invalid authenticator code.", loginPage.getError());

    // Correct OTP completes the flow and yields an authorization code
    loginTotpPage.login(DummyUserFederationProvider.HARDCODED_OTP);
    appPage.assertCurrent();
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
}
Example #8
Source File: DynamicIdpRedirectAuthenticator.java From keycloak-extension-playground with Apache License 2.0 | 6 votes |
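/**
 * Redirects the browser to the authentication request endpoint of identity provider
 * {@code providerId}, or marks the authenticator as attempted when the provider is
 * missing or disabled.
 *
 * @param context    current authentication flow
 * @param providerId alias of the identity provider to redirect to
 */
protected void redirect(AuthenticationFlowContext context, String providerId) {
    IdentityProviderModel idp = selectIdp(context, providerId);
    if (idp == null || !idp.isEnabled()) {
        // The original message said "realm %s" while passing providerId; log both so the
        // warning names what was actually looked up.
        log.warnf("Identity provider %s not found or not enabled in realm %s", providerId, context.getRealm().getName());
        context.attempted();
        return;
    }

    String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession())
            .getOrGenerateCode();
    String clientId = context.getAuthenticationSession().getClient().getClientId();
    String tabId = context.getAuthenticationSession().getTabId();

    URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId,
            context.getRealm().getName(), accessCode, clientId, tabId);

    // Propagate the client's "display" hint as a query parameter (UriBuilder encodes it).
    String display = context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY);
    if (display != null) {
        location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, display).build();
    }

    log.debugf("Redirecting to %s", providerId);
    context.forceChallenge(Response.seeOther(location).build());
}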
Example #9
Source File: LogoutTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * An RP-initiated logout carrying a valid {@code id_token_hint} must still redirect to the
 * {@code post_logout_redirect_uri} when the admin has already logged the user out.
 */
@Test
public void postLogoutWithValidIdTokenWhenLoggedOutByAdmin() throws Exception {
    oauth.doLogin("test-user@localhost", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    oauth.clientSessionState("client-session");
    OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, "password");
    String idToken = tokens.getIdToken();

    // All realm sessions are terminated before the logout request is sent
    adminClient.realm("test").logoutAll();

    // Logout should succeed with user already logged out, see KEYCLOAK-3399
    String logoutUrl = oauth.getLogoutUrl()
            .idTokenHint(idToken)
            .postLogoutRedirectUri(oauth.APP_AUTH_ROOT)
            .build();

    try (CloseableHttpClient httpClient = HttpClientBuilder.create().disableRedirectHandling().build();
         CloseableHttpResponse logoutResponse = httpClient.execute(new HttpGet(logoutUrl))) {
        assertThat(logoutResponse, Matchers.statusCodeIsHC(Status.FOUND));
        assertThat(logoutResponse.getFirstHeader(HttpHeaders.LOCATION).getValue(), is(oauth.APP_AUTH_ROOT));
    }
}
Example #10
Source File: OAuthRequestAuthenticator.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks the OAuth {@code state} query parameter against the value held in the
 * application's state cookie. The cookie is cleared on every call that finds it,
 * before the comparison result is known, so it cannot be replayed.
 *
 * @return {@code null} when the state matches the cookie; otherwise a 400 challenge
 *         with reason {@code INVALID_STATE_COOKIE}
 */
protected AuthChallenge checkStateCookie() {
    String cookieName = deployment.getStateCookieName();

    OIDCHttpFacade.Cookie stateCookie = getCookie(cookieName);
    if (stateCookie == null) {
        log.warn("No state cookie");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }

    // reset the cookie
    log.debug("** reseting application state cookie");
    facade.getResponse().resetCookie(cookieName, stateCookie.getPath());

    String expectedState = getCookieValue(cookieName);
    String receivedState = getQueryParamValue(OAuth2Constants.STATE);

    if (receivedState == null) {
        log.warn("state parameter was null");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }

    // NOTE(review): on mismatch both values are written to the log at WARN; the state is a
    // per-login CSRF binding rather than a credential, but a deployment that treats logs as
    // lower-trust may want to drop these two lines.
    if (!receivedState.equals(expectedState)) {
        log.warn("state parameter invalid");
        log.warn("cookie: " + expectedState);
        log.warn("queryParam: " + receivedState);
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }

    return null;
}
Example #11
Source File: JaxrsOAuthClient.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Exchanges an authorization code for an access token at {@code tokenUrl}.
 *
 * @param redirectUri redirect URI used in the authorization request; OAuth parameters are
 *                    stripped from it before it is echoed back to the token endpoint
 * @param code        authorization code received on the redirect
 * @return the access token string from the token response
 * @throws BadRequestException          when the token endpoint answers 400
 * @throws InternalServerErrorException when the token endpoint answers anything other than 200
 */
public String resolveBearerToken(String redirectUri, String code) {
    String cleanRedirectUri = stripOauthParametersFromRedirect(redirectUri);

    Form tokenRequest = new Form()
            .param(OAuth2Constants.GRANT_TYPE, "authorization_code")
            .param(OAuth2Constants.CODE, code)
            .param(OAuth2Constants.CLIENT_ID, clientId)
            .param(OAuth2Constants.REDIRECT_URI, cleanRedirectUri);
    // Client credentials are appended as plain form fields alongside the code
    for (Map.Entry<String, Object> credential : credentials.entrySet()) {
        tokenRequest.param(credential.getKey(), (String) credential.getValue());
    }

    Response tokenResponse = client.target(tokenUrl).request().post(Entity.form(tokenRequest));
    try {
        int status = tokenResponse.getStatus();
        if (status == 400) {
            throw new BadRequestException();
        }
        if (status != 200) {
            throw new InternalServerErrorException(new Exception("Unknown error when getting acess token"));
        }
        AccessTokenResponse parsed = tokenResponse.readEntity(AccessTokenResponse.class);
        return parsed.getToken();
    } finally {
        // Always release the connection, including on the exception paths above
        tokenResponse.close();
    }
}
Example #12
Source File: OIDCJwksClientRegistrationTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Registers a {@code private_key_jwt} client that publishes its keys via {@code jwks_uri}
 * rather than inline JWKS, and checks the client can then authenticate with its private key.
 */
@Test
public void createClientWithJWKSURI() throws Exception {
    OIDCClientRepresentation rep = createRep();
    rep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    rep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    // Generate keys for client
    TestOIDCEndpointsApplicationResource clientEndpoints = testingClient.testApp().oidcClientEndpoints();
    Map<String, String> generatedKeys = clientEndpoints.generateKeys("RS256");

    String jwksUri = TestApplicationResourceUrls.clientJwksUri();
    rep.setJwksUri(jwksUri);

    OIDCClientRepresentation created = reg.oidc().create(rep);
    Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, created.getTokenEndpointAuthMethod());
    // No shared secret is issued for a private_key_jwt client
    Assert.assertNull(created.getClientSecret());
    Assert.assertNull(created.getClientSecretExpiresAt());
    Assert.assertEquals(created.getJwksUri(), jwksUri);

    // Tries to authenticate client with privateKey JWT
    assertAuthenticateClientSuccess(generatedKeys, created, KEEP_GENERATED_KID);
}
Example #13
Source File: OIDCIdentityProvider.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Handles an external-to-internal token exchange: reads {@code subject_token} and
 * {@code subject_token_type} from {@code params} and dispatches to JWT validation
 * (for JWT / ID token types) or to userinfo-based validation (for access tokens).
 *
 * @param event  event builder used to record the failure reason on rejection
 * @param params token-exchange request parameters
 * @return the brokered identity, or {@code null} when this provider does not support external exchange
 * @throws ErrorResponseException with {@code invalid_token} (400) when the subject token is missing
 *                                or its type is not one of the supported values
 */
@Override
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, MultivaluedMap<String, String> params) {
    if (!supportsExternalExchange()) {
        return null;
    }

    String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
    if (subjectToken == null) {
        event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
        event.error(Errors.INVALID_TOKEN);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
    }

    // Missing type defaults to an access token
    String requestedType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
    String subjectTokenType = requestedType != null ? requestedType : OAuth2Constants.ACCESS_TOKEN_TYPE;

    boolean jwtLike = OAuth2Constants.JWT_TOKEN_TYPE.equals(subjectTokenType)
            || OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType);
    if (jwtLike) {
        return validateJwt(event, subjectToken, subjectTokenType);
    }
    if (OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
        return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
    }

    event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
    event.error(Errors.INVALID_TOKEN_TYPE);
    throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
}
Example #14
Source File: X509BrowserLoginTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * With an X.509 browser authenticator configured, the user can decline the identity
 * extracted from the certificate and fall back to the username/password form.
 */
@Test
public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
    // Set the X509 authenticator configuration
    AuthenticatorConfigRepresentation authenticatorConfig =
            newConfig("x509-browser-config", createLoginSubjectEmail2UsernameOrEmailConfig().getConfig());
    String configId = createConfig(browserExecution.getId(), authenticatorConfig);
    Assert.assertNotNull(configId);

    // The confirmation page shows the identity taken from the certificate
    loginConfirmationPage.open();
    String subjectDn = loginConfirmationPage.getSubjectDistinguishedNameText();
    Assert.assertTrue(subjectDn.startsWith("EMAILADDRESS=test-user@localhost"));
    Assert.assertEquals("test-user@localhost", loginConfirmationPage.getUsernameText());

    // Decline it and authenticate with the form instead
    loginConfirmationPage.ignore();
    loginPage.login("test-user@localhost", "password");

    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}
Example #15
Source File: X509BrowserLoginTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Without an X.509 authenticator configuration the login page is shown with an info
 * message, and form-based login still works.
 */
@Test
public void loginAttemptedNoConfig() {
    loginConfirmationPage.open();
    loginPage.assertCurrent();
    Assert.assertThat(loginPage.getInfoMessage(),
            containsString("X509 client authentication has not been configured yet"));

    // Continue with form based login
    loginPage.login("test-user@localhost", "password");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}
Example #16
Source File: MultiVersionClusterTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Logs in against the legacy cluster node and expects an authorization code back.
 * The shared {@code OAuthClient} URLs are pointed at the legacy node for the duration of
 * the test and restored afterwards.
 */
@Test
public void loginSuccessToLegacy() throws Exception {
    String originalServerRoot = OAuthClient.SERVER_ROOT;
    try {
        String legacyRoot = legacyNode.getContextRoot().toString();
        OAuthClient.updateURLs(legacyRoot);

        OAuthClient legacyOauth = new OAuthClient();
        legacyOauth.init(DroneUtils.getCurrentDriver());
        legacyOauth.realm(MASTER)
                .clientId("account")
                .redirectUri(legacyRoot + "/auth/realms/master/account/");
        legacyOauth.openLoginForm();
        assertThat(DroneUtils.getCurrentDriver().getTitle(), containsString("Log in to "));

        loginPage.login("admin", "admin");
        assertThat("Login was not successful.", legacyOauth.getCurrentQuery().get(OAuth2Constants.CODE), notNullValue());
    } finally {
        // Other tests rely on the default server root
        OAuthClient.updateURLs(originalServerRoot);
    }
}
Example #17
Source File: OAuthScopeInTokenResponseTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Requests the additional {@code address} scope and expects it to be appended to the
 * default scopes in the token response.
 */
@Test
public void specifyMultipleScopeTest() throws Exception {
    final String loginUser = "rich.roles@redhat.com";
    final String loginPassword = "password";
    final String clientSecret = "password";
    final String requestedScope = "address";
    final String expectedScope = "openid profile email address";

    oauth.scope(requestedScope);
    oauth.doLogin(loginUser, loginPassword);

    String authorizationCode = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    expectSuccessfulResponseFromTokenEndpoint(authorizationCode, expectedScope, clientSecret);
}
Example #18
Source File: TokenIntrospectionTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Switches {@code test-app}'s access-token signature algorithm to {@code jwaAlgorithm},
 * obtains a token, and checks that introspection by {@code confidential-cli} reports it
 * active with the expected user, client, subject and scope. The algorithm is restored to
 * RS256 afterwards.
 *
 * @param jwaAlgorithm JWS algorithm name to sign the access token with
 * @throws Exception propagated from the token request or introspection parsing
 */
private void testIntrospectAccessToken(String jwaAlgorithm) throws Exception {
    try {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), jwaAlgorithm);

        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        EventRepresentation loginEvent = events.expectLogin().assertEvent();

        AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, "password");
        String accessToken = tokens.getAccessToken();
        // The issued token must actually carry the requested algorithm in its header
        assertEquals(jwaAlgorithm, new JWSInput(accessToken).getHeader().getAlgorithm().name());

        String introspection = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessToken);
        TokenMetadataRepresentation metadata = JsonSerialization.readValue(introspection, TokenMetadataRepresentation.class);

        assertTrue(metadata.isActive());
        assertEquals("test-user@localhost", metadata.getUserName());
        assertEquals("test-app", metadata.getClientId());
        assertEquals(loginEvent.getUserId(), metadata.getSubject());

        // Assert expected scope
        OIDCScopeTest.assertScopes("openid email profile", metadata.getScope());
    } finally {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(
                ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), Algorithm.RS256);
    }
}
Example #19
Source File: ResourceOwnerPasswordCredentialsGrantTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * A password grant for an unknown user must fail with 401 / {@code invalid_grant} and
 * produce a login error event of {@code USER_NOT_FOUND} with no user or session.
 */
@Test
public void grantAccessTokenUserNotFound() throws Exception {
    oauth.clientId("resource-owner");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "invalid", "invalid");

    assertEquals(401, tokenResponse.getStatusCode());
    assertEquals("invalid_grant", tokenResponse.getError());

    events.expectLogin()
            .client("resource-owner")
            .user((String) null)
            .session((String) null)
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.USERNAME, "invalid")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .error(Errors.USER_NOT_FOUND)
            .assertEvent();
}
Example #20
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Enforces a policy configured with a custom claim-information-point provider and checks
 * that the granted permission carries the claim the provider resolved.
 */
@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment =
            KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokens = oauth.doAccessTokenRequest(code, null);
    String accessToken = tokens.getAccessToken();

    OIDCHttpFacade facade = createHttpFacade("/api/resourcea", accessToken);
    AuthorizationContext authzContext = enforcer.enforce(facade);
    Permission firstPermission = authzContext.getPermissions().get(0);
    Map<String, Set<String>> resolvedClaims = firstPermission.getClaims();

    assertTrue(authzContext.isGranted());
    assertEquals("test", resolvedClaims.get("resolved-claim").iterator().next());
}
Example #21
Source File: AbstractKerberosTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Extracts {@code code} and {@code state} from the redirect URL of a successful login,
 * exchanges the code for tokens and clears the recorded events.
 *
 * @param codeUrl redirect URL containing the {@code code} and {@code state} query parameters
 * @return the token response from the code exchange
 * @throws Exception on a malformed URL or a failed token request
 */
protected OAuthClient.AccessTokenResponse assertAuthenticationSuccess(String codeUrl) throws Exception {
    List<NameValuePair> queryParams = URLEncodedUtils.parse(new URI(codeUrl), "UTF-8");

    String code = null;
    String state = null;
    for (NameValuePair queryParam : queryParams) {
        String name = queryParam.getName();
        if (name.equals(OAuth2Constants.CODE)) {
            code = queryParam.getValue();
        } else if (name.equals(OAuth2Constants.STATE)) {
            state = queryParam.getValue();
        }
    }
    // Both parameters must be present on a successful redirect
    Assert.assertNotNull(code);
    Assert.assertNotNull(state);

    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    Assert.assertNotNull(tokenResponse.getAccessToken());

    events.clear();
    return tokenResponse;
}
Example #22
Source File: LoginTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * The {@code KEYCLOAK_IDENTITY} cookie must be signed with HS256 regardless of the realm's
 * configured token signature algorithm: it stays HS256 after switching the realm to ES256,
 * and the existing cookie keeps working. The realm is reset to RS256 afterwards.
 */
@Test
public void loginSuccessRealmSigningAlgorithms() throws JWSInputException {
    ContainerAssume.assumeAuthServerSSL();

    loginPage.open();
    loginPage.login("login-test", "password");
    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();

    String realmRoot = AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test/";

    driver.navigate().to(realmRoot);
    String identityCookie = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();
    // Check identity cookie is signed with HS256
    String cookieAlgorithm = new JWSInput(identityCookie).getHeader().getAlgorithm().name();
    assertEquals("HS256", cookieAlgorithm);

    try {
        TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.ES256);

        oauth.openLoginForm();
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());

        driver.navigate().to(realmRoot);
        identityCookie = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();
        // Check identity cookie is still signed with HS256
        cookieAlgorithm = new JWSInput(identityCookie).getHeader().getAlgorithm().name();
        assertEquals("HS256", cookieAlgorithm);

        // Check identity cookie still works
        oauth.openLoginForm();
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    } finally {
        TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.RS256);
    }
}
Example #23
Source File: LoginTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * The {@code login_hint} parameter pre-fills the username on the login form, and a login
 * supplying only the password succeeds for that user.
 */
@Test
public void loginLoginHint() {
    String hintedLoginUrl = oauth.getLoginFormUrl() + "&login_hint=login-test";
    driver.navigate().to(hintedLoginUrl);

    Assert.assertEquals("login-test", loginPage.getUsername());
    loginPage.login("password");

    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
Example #24
Source File: X509BrowserLoginTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * When the identity extracted from the client certificate maps to more than one user,
 * X.509 authentication must fail with an error and fall back to the login form.
 */
@Test
public void loginDuplicateUsersNotAllowed() {
    AuthenticatorConfigRepresentation authenticatorConfig =
            newConfig("x509-browser-config", createLoginIssuerDN_OU2CustomAttributeConfig().getConfig());
    String configId = createConfig(browserExecution.getId(), authenticatorConfig);
    Assert.assertNotNull(configId);

    // Set up the users so that the identity extracted from X509 client cert
    // matches more than a single user to trigger DuplicateModelException.
    tagWithCertificateIdentity(userId2);
    tagWithCertificateIdentity(userId);

    events.clear();

    loginPage.open();
    Assert.assertThat(loginPage.getError(), containsString("X509 certificate authentication's failed."));

    loginPage.login("test-user@localhost", "password");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}

/** Sets the same {@code x509_certificate_identity} attribute on the given user and persists it. */
private void tagWithCertificateIdentity(String targetUserId) {
    UserRepresentation user = testRealm().users().get(targetUserId).toRepresentation();
    Assert.assertNotNull(user);
    user.singleAttribute("x509_certificate_identity", "Red Hat");
    this.updateUser(user);
}
Example #25
Source File: AccessTokenTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Exchanging an authorization code whose user session has already been removed must be
 * rejected with 400 / {@code INVALID_CODE} and yield no tokens.
 */
@Test
public void accessTokenUserSessionExpired() {
    oauth.doLogin("test-user@localhost", "password");

    EventRepresentation loginEvent = events.expectLogin().assertEvent();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String sessionId = loginEvent.getSessionId();

    // Remove the backing user session before the code is exchanged
    testingClient.testing().removeUserSession("test", sessionId);

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");

    assertEquals(400, tokenResponse.getStatusCode());
    assertNull(tokenResponse.getAccessToken());
    assertNull(tokenResponse.getRefreshToken());

    events.expectCodeToToken(codeId, sessionId)
            .removeDetail(Details.TOKEN_ID)
            .user((String) null)
            .removeDetail(Details.REFRESH_TOKEN_ID)
            .removeDetail(Details.REFRESH_TOKEN_TYPE)
            .error(Errors.INVALID_CODE)
            .assertEvent();

    events.clear();
}
Example #26
Source File: AbstractOAuth2IdentityProvider.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Builds the client-assertion JWT used to authenticate to the external provider's token
 * endpoint: issuer and subject are the client id, audience is the token URL, and the
 * lifetime is the realm's access-code lifespan.
 *
 * @return the unsigned token with id, type, issuer, subject, audience, expiration and iat set
 */
protected JsonWebToken generateToken() {
    String clientId = getConfig().getClientId();
    int lifespanSeconds = session.getContext().getRealm().getAccessCodeLifespan();

    JsonWebToken assertion = new JsonWebToken();
    assertion.id(KeycloakModelUtils.generateId());
    assertion.type(OAuth2Constants.JWT);
    assertion.issuer(clientId);
    assertion.subject(clientId);
    assertion.audience(getConfig().getTokenUrl());
    assertion.expiration(Time.currentTime() + lifespanSeconds);
    assertion.issuedNow();
    return assertion;
}
Example #27
Source File: TokenEndpointCorsTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Token and refresh requests from an allowed origin carry CORS headers; requests from a
 * non-allowed origin succeed but get no CORS headers; an error response (no session) from
 * an allowed origin still carries CORS headers.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void accessTokenCorsRequest() throws Exception {
    oauth.realm("test");
    oauth.clientId("test-app2");
    oauth.redirectUri(VALID_CORS_URL + "/realms/master/app");
    oauth.doLogin("test-user@localhost", "password");

    // Token request
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    oauth.origin(VALID_CORS_URL);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    assertEquals(200, tokenResponse.getStatusCode());
    assertCors(tokenResponse);

    // Refresh request
    tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), null);
    assertEquals(200, tokenResponse.getStatusCode());
    assertCors(tokenResponse);

    // Invalid origin
    oauth.origin(INVALID_CORS_URL);
    tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "password");
    assertEquals(200, tokenResponse.getStatusCode());
    assertNotCors(tokenResponse);
    oauth.origin(VALID_CORS_URL);

    // No session
    oauth.openLogout();
    tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), null);
    assertEquals(400, tokenResponse.getStatusCode());
    assertCors(tokenResponse);
    assertEquals("invalid_grant", tokenResponse.getError());
    assertEquals("Session not active", tokenResponse.getErrorDescription());
}
Example #28
Source File: RealmTest.java From keycloak with Apache License 2.0 | 5 votes |
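/**
 * Client session statistics start empty, show one active session for {@code test-app}
 * after a login, and drop back to empty once that client is removed.
 */
@Test
public void clientSessionStats() {
    setupTestAppAndUser();

    List<Map<String, String>> sessionStats = realm.getClientSessionStats();
    assertTrue(sessionStats.isEmpty());
    // (a leftover System.out.println of the size was removed here — the assertion above covers it)

    oauth.doLogin("testuser", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "secret");
    assertEquals(200, tokenResponse.getStatusCode());

    sessionStats = realm.getClientSessionStats();
    assertEquals(1, sessionStats.size());
    Map<String, String> testAppStats = sessionStats.get(0);
    assertEquals("test-app", testAppStats.get("clientId"));
    assertEquals("1", testAppStats.get("active"));

    // Removing the client removes its sessions from the statistics
    String clientUuid = testAppStats.get("id");
    realm.clients().get(clientUuid).remove();

    sessionStats = realm.getClientSessionStats();
    assertEquals(0, sessionStats.size());
}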
Example #29
Source File: RefreshTokenTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * A refresh token from a session that was logged out must be rejected (400) even after the
 * same user logs in again, while the refresh token from the new session is accepted (200).
 */
@Test
public void refreshTokenAfterUserLogoutAndLoginAgain() {
    String staleRefreshToken = loginAndForceNewLoginPage();

    oauth.doLogout(staleRefreshToken, "password");
    events.clear();

    // Set time offset to 2 (Just to simulate to be more close to real situation)
    setTimeOffset(2);

    // Continue with login
    oauth.fillLoginForm("test-user@localhost", "password");
    assertFalse(loginPage.isCurrent());

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse freshTokens = oauth.doAccessTokenRequest(code, "password");

    setTimeOffset(4);

    // Now try refresh with the original refreshToken1 created in logged-out userSession. It should fail
    OAuthClient.AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(staleRefreshToken, "password");
    assertEquals(400, refreshResponse.getStatusCode());

    setTimeOffset(6);

    // Finally try with valid refresh token
    refreshResponse = oauth.doRefreshTokenRequest(freshTokens.getRefreshToken(), "password");
    assertEquals(200, refreshResponse.getStatusCode());
}
Example #30
Source File: TokenIntrospectionTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * After a logout and a fresh login by the same user, introspection reports the new
 * session's refresh token as active and the logged-out session's refresh token as inactive.
 */
@Test
public void testIntrospectRefreshTokenAfterUserSessionLogoutAndLoginAgain() throws Exception {
    AccessTokenResponse firstTokens = loginAndForceNewLoginPage();
    String staleRefreshToken = firstTokens.getRefreshToken();

    oauth.doLogout(staleRefreshToken, "password");
    events.clear();

    setTimeOffset(2);

    oauth.fillLoginForm("test-user@localhost", "password");
    events.expectLogin().assertEvent();
    Assert.assertFalse(loginPage.isCurrent());

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse freshTokens = oauth.doAccessTokenRequest(code, "password");

    ObjectMapper mapper = new ObjectMapper();

    // New session's refresh token is active
    String activeIntrospection = oauth.introspectRefreshTokenWithClientCredential(
            "confidential-cli", "secret1", freshTokens.getRefreshToken());
    JsonNode activeResult = mapper.readTree(activeIntrospection);
    assertTrue(activeResult.get("active").asBoolean());

    // Logged-out session's refresh token is not
    String staleIntrospection = oauth.introspectRefreshTokenWithClientCredential(
            "confidential-cli", "secret1", staleRefreshToken);
    JsonNode staleResult = mapper.readTree(staleIntrospection);
    assertFalse(staleResult.get("active").asBoolean());
}