Java源码示例:org.keycloak.util.BasicAuthHelper
示例1
@Test
public void testGrantAccessTokenWithClientOverride() throws Exception {
String clientId = TEST_APP_DIRECT_OVERRIDE;
Client httpClient = javax.ws.rs.client.ClientBuilder.newClient();
String grantUri = oauth.getResourceOwnerPasswordCredentialGrantUrl();
WebTarget grantTarget = httpClient.target(grantUri);
{ // test no password
String header = BasicAuthHelper.createHeader(clientId, "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD);
form.param("username", "[email protected]");
Response response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
assertEquals(200, response.getStatus());
response.close();
}
httpClient.close();
events.clear();
}
示例2
@Test
public void testClientOverrideFlowUsingDirectGrantHttpChallenge() {
Client httpClient = javax.ws.rs.client.ClientBuilder.newClient();
String grantUri = oauth.getResourceOwnerPasswordCredentialGrantUrl();
WebTarget grantTarget = httpClient.target(grantUri);
// no username/password
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD);
form.param(OAuth2Constants.CLIENT_ID, TEST_APP_HTTP_CHALLENGE);
Response response = grantTarget.request()
.post(Entity.form(form));
assertEquals("Basic realm=\"test\"", response.getHeaderString(HttpHeaders.WWW_AUTHENTICATE));
assertEquals(401, response.getStatus());
response.close();
// now, username password using basic challenge response
response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password"))
.post(Entity.form(form));
assertEquals(200, response.getStatus());
response.close();
httpClient.close();
events.clear();
}
示例3
private Response checkTokenExchange() {
Client httpClient = ClientBuilder.newClient();
WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT)
.path("/realms")
.path(TEST)
.path("protocol/openid-connect/token");
Response response = exchangeUrl.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-exchanger", "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")
));
return response;
}
示例4
/**
* KEYCLOAK-547
*
* @throws Exception
*/
@Test
public void nullRefreshToken() throws Exception {
Client client = ClientBuilder.newClient();
UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
URI uri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
WebTarget target = client.target(uri);
org.keycloak.representations.AccessTokenResponse tokenResponse = null;
{
String header = BasicAuthHelper.createHeader("test-app", "password");
Form form = new Form();
Response response = target.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
assertEquals(400, response.getStatus());
response.close();
}
events.clear();
}
示例5
@Test
public void testBadUser() {
Client client = ClientBuilder.newClient();
URI uri = OIDCLoginProtocolService.tokenUrl(authServerPage.createUriBuilder()).build("demo");
WebTarget target = client.target(uri);
String header = BasicAuthHelper.createHeader("customer-portal", "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD)
.param("username", "[email protected]")
.param("password", "password");
Response response = target.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
assertEquals(401, response.getStatus());
response.close();
client.close();
}
示例6
@Test
public void testBasicAuth() {
String value = "hello";
Client client = ClientBuilder.newClient();
//pause(1000000);
Response response = client.target(basicAuthPage
.setTemplateValues(value).buildUri()).request().header("Authorization", BasicAuthHelper.createHeader("mposolda", "password")).get();
assertThat(response, Matchers.statusCodeIs(Status.OK));
assertEquals(value, response.readEntity(String.class));
response.close();
response = client.target(basicAuthPage
.setTemplateValues(value).buildUri()).request().header("Authorization", BasicAuthHelper.createHeader("invalid-user", "password")).get();
assertThat(response, Matchers.statusCodeIs(Status.UNAUTHORIZED));
assertThat(response, Matchers.body(anyOf(containsString("Unauthorized"), containsString("Status 401"))));
response = client.target(basicAuthPage
.setTemplateValues(value).buildUri()).request().header("Authorization", BasicAuthHelper.createHeader("admin", "invalid-password")).get();
assertThat(response, Matchers.statusCodeIs(Status.UNAUTHORIZED));
assertThat(response, Matchers.body(anyOf(containsString("Unauthorized"), containsString("Status 401"))));
client.close();
}
示例7
/**
* Returns an HTTP Basic authentication header for authenticating a confidential client
* to the Keycloak server.
*
* @return an HTTP Basic authentication header for the current client
*/
protected String createBasicAuthorizationHeader() {
String user = keycloakDeployment.getResourceName();
String pass = keycloakDeployment.getResourceCredentials().get("secret").toString();
if (keycloakDeployment.isPublicClient()) {
throw new IllegalStateException("Public clients are not supported");
}
return BasicAuthHelper.createHeader(user, pass);
}
示例8
public AccessTokenResponse doTokenExchange(String realm, String token, String requestedIssuer,
String clientId, String clientSecret) throws Exception {
try (CloseableHttpClient client = (CloseableHttpClient) new HttpClientBuilder().disableTrustManager().build()) {
String exchangeUrl = KeycloakUriBuilder.fromUri(ServletTestUtils.getAuthServerUrlBase())
.path("/auth/realms/{realm}/protocol/openid-connect/token").build(realm).toString();
HttpPost post = new HttpPost(exchangeUrl);
HashMap<String, String> parameters = new HashMap<>();
if (clientSecret != null) {
String authorization = BasicAuthHelper.createHeader(clientId, clientSecret);
post.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString());
post.setHeader(HttpHeaders.AUTHORIZATION, authorization);
} else {
parameters.put("client_id", clientId);
}
parameters.put(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE);
parameters.put(OAuth2Constants.SUBJECT_TOKEN, token);
parameters.put(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
parameters.put(OAuth2Constants.REQUESTED_ISSUER, requestedIssuer);
post.setEntity(new StringEntity(getPostDataString(parameters)));
HttpResponse response = client.execute(post);
int statusCode = response.getStatusLine().getStatusCode();
if (statusCode == 200 || statusCode == 400) {
return JsonSerialization.readValue(EntityUtils.toString(response.getEntity()), AccessTokenResponse.class);
} else {
throw new RuntimeException("Unknown error!");
}
}
}
示例9
private AccessTokenResponse executeGrantAccessTokenRequest(Client client, boolean requestOfflineToken) {
UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
URI grantUri = OIDCLoginProtocolService.tokenUrl(builder).build("test");
WebTarget grantTarget = client.target(grantUri);
String header = BasicAuthHelper.createHeader("test-app", "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD)
.param("username", "[email protected]")
.param("password", "password");
if( requestOfflineToken) {
form.param("scope", "offline_access");
}
Response response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
assertEquals(200, response.getStatus());
AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
response.close();
events.clear();
return accessTokenResponse;
}
示例10
protected Response executeRefreshToken(WebTarget refreshTarget, String refreshToken) {
String header = BasicAuthHelper.createHeader("test-app", "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.REFRESH_TOKEN);
form.param("refresh_token", refreshToken);
return refreshTarget.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
}
示例11
protected Response executeGrantAccessTokenRequest(WebTarget grantTarget) {
String header = BasicAuthHelper.createHeader("test-app", "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD)
.param("username", "[email protected]")
.param("password", "password");
return grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
}
示例12
protected Response executeGrantRequest(WebTarget grantTarget, String username, String password) {
String header = BasicAuthHelper.createHeader("test-app", "password");
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD)
.param("username", username)
.param("password", password)
.param(OAuth2Constants.SCOPE, OAuth2Constants.SCOPE_OPENID);
return grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, header)
.post(Entity.form(form));
}
示例13
private AccessTokenResponse checkFeature(int expectedStatusCode, String username) {
Client httpClient = ClientBuilder.newClient();
Response response = null;
try {
testingClient.server().run(SocialLoginTest::setupClientExchangePermissions);
WebTarget exchangeUrl = getExchangeUrl(httpClient);
response = exchangeUrl.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader(EXCHANGE_CLIENT, "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.REQUESTED_SUBJECT, username)
.param(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.REQUESTED_ISSUER, currentTestProvider.id())
));
Assert.assertEquals(expectedStatusCode, response.getStatus());
if (expectedStatusCode == Response.Status.OK.getStatusCode())
return response.readEntity(AccessTokenResponse.class);
else
return null;
} finally {
if (response != null)
response.close();
httpClient.close();
}
}
示例14
/**
* Creates a default client authenticator which uses HTTP BASIC and client id and secret to authenticate the client.
*
* @return the default client authenticator
*/
private ClientAuthenticator createDefaultClientAuthenticator() {
return new ClientAuthenticator() {
@Override
public void configureClientCredentials(Map<String, List<String>> requestParams, Map<String, String> requestHeaders) {
String secret = (String) getCredentials().get("secret");
if (secret == null) {
throw new RuntimeException("Client secret not provided.");
}
requestHeaders.put("Authorization", BasicAuthHelper.createHeader(getResource(), secret));
}
};
}
示例15
protected String[] getChallenge(String authorizationHeader) {
String[] challenge = BasicAuthHelper.parseHeader(authorizationHeader);
if (challenge.length < 2) {
return null;
}
return challenge;
}
示例16
@Override
public void setClientCredentials(KeycloakDeployment deployment, Map<String, String> requestHeaders, Map<String, String> formParams) {
String clientId = deployment.getResourceName();
if (!deployment.isPublicClient()) {
if (clientSecret != null) {
String authorization = BasicAuthHelper.createHeader(clientId, clientSecret);
requestHeaders.put("Authorization", authorization);
} else {
logger.warnf("Client '%s' doesn't have secret available", clientId);
}
} else {
formParams.put(OAuth2Constants.CLIENT_ID, clientId);
}
}
示例17
public static String ensureToken(ConfigData config) {
if (config.getExternalToken() != null) {
return config.getExternalToken();
}
checkAuthInfo(config);
RealmConfigData realmConfig = config.sessionRealmConfigData();
long now = currentTimeMillis();
// check expires of access_token against time
// if it's less than 5s to expiry, renew it
if (realmConfig.getExpiresAt() - now < 5000) {
// check refresh_token against expiry time
// if it's less than 5s to expiry, fail with credentials expired
if (realmConfig.getRefreshExpiresAt() - now < 5000) {
throw new RuntimeException("Session has expired. Login again with '" + OsUtil.CMD + " config credentials'");
}
if (realmConfig.getSigExpiresAt() != null && realmConfig.getSigExpiresAt() - now < 5000) {
throw new RuntimeException("Session has expired. Login again with '" + OsUtil.CMD + " config credentials'");
}
try {
String authorization = null;
StringBuilder body = new StringBuilder("grant_type=refresh_token")
.append("&refresh_token=").append(realmConfig.getRefreshToken())
.append("&client_id=").append(urlencode(realmConfig.getClientId()));
if (realmConfig.getSigningToken() != null) {
body.append("&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
.append("&client_assertion=").append(realmConfig.getSigningToken());
} else if (realmConfig.getSecret() != null) {
authorization = BasicAuthHelper.createHeader(realmConfig.getClientId(), realmConfig.getSecret());
}
InputStream result = doPost(realmConfig.serverUrl() + "/realms/" + realmConfig.realm() + "/protocol/openid-connect/token",
APPLICATION_FORM_URL_ENCODED, APPLICATION_JSON, body.toString(), authorization);
AccessTokenResponse token = JsonSerialization.readValue(result, AccessTokenResponse.class);
saveMergeConfig(cfg -> {
RealmConfigData realmData = cfg.sessionRealmConfigData();
realmData.setToken(token.getToken());
realmData.setRefreshToken(token.getRefreshToken());
realmData.setExpiresAt(currentTimeMillis() + token.getExpiresIn() * 1000);
realmData.setRefreshExpiresAt(currentTimeMillis() + token.getRefreshExpiresIn() * 1000);
});
return token.getToken();
} catch (Exception e) {
throw new RuntimeException("Failed to refresh access token - " + e.getMessage(), e);
}
}
return realmConfig.getToken();
}
示例18
public AccessTokenResponse doAccessTokenRequest(String code, String password, CloseableHttpClient client) {
HttpPost post = new HttpPost(getAccessTokenUrl());
List<NameValuePair> parameters = new LinkedList<>();
parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.AUTHORIZATION_CODE));
if (origin != null) {
post.addHeader("Origin", origin);
}
if (code != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.CODE, code));
}
if (redirectUri != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.REDIRECT_URI, redirectUri));
}
if (clientId != null && password != null) {
String authorization = BasicAuthHelper.createHeader(clientId, password);
post.setHeader("Authorization", authorization);
} else if (clientId != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, clientId));
}
if (clientSessionState != null) {
parameters.add(new BasicNameValuePair(AdapterConstants.CLIENT_SESSION_STATE, clientSessionState));
}
if (clientSessionHost != null) {
parameters.add(new BasicNameValuePair(AdapterConstants.CLIENT_SESSION_HOST, clientSessionHost));
}
// https://tools.ietf.org/html/rfc7636#section-4.5
if (codeVerifier != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.CODE_VERIFIER, codeVerifier));
}
UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, Charsets.UTF_8);
post.setEntity(formEntity);
try {
return new AccessTokenResponse(client.execute(post));
} catch (Exception e) {
throw new RuntimeException("Failed to retrieve access token", e);
}
}
示例19
@Test
public void testDirectGrantHttpChallengeOTP() {
UserRepresentation user = adminClient.realm("test").users().search("[email protected]").get(0);
UserRepresentation userUpdate = UserBuilder.edit(user).totpSecret("totpSecret").otpEnabled().build();
adminClient.realm("test").users().get(user.getId()).update(userUpdate);
CredentialRepresentation totpCredential = adminClient.realm("test").users()
.get(user.getId()).credentials().stream().filter(c -> OTPCredentialModel.TYPE.equals(c.getType())).findFirst().get();
setupBruteForce();
Client httpClient = javax.ws.rs.client.ClientBuilder.newClient();
String grantUri = oauth.getResourceOwnerPasswordCredentialGrantUrl();
WebTarget grantTarget = httpClient.target(grantUri);
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD);
form.param(OAuth2Constants.CLIENT_ID, TEST_APP_HTTP_CHALLENGE_OTP);
// correct password + totp
String totpCode = totp.generateTOTP("totpSecret");
Response response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password" + totpCode))
.post(Entity.form(form));
assertEquals(200, response.getStatus());
response.close();
// correct password + wrong totp 2x
response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password123456"))
.post(Entity.form(form));
assertEquals(401, response.getStatus());
response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password123456"))
.post(Entity.form(form));
assertEquals(401, response.getStatus());
// correct password + totp but user is temporarily locked
totpCode = totp.generateTOTP("totpSecret");
response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password" + totpCode))
.post(Entity.form(form));
assertEquals(401, response.getStatus());
response.close();
clearBruteForce();
adminClient.realm("test").users().get(user.getId()).removeCredential(totpCredential.getId());
}
示例20
@Test
public void testDirectGrantHttpChallengeUserDisabled() {
setupBruteForce();
Client httpClient = javax.ws.rs.client.ClientBuilder.newClient();
String grantUri = oauth.getResourceOwnerPasswordCredentialGrantUrl();
WebTarget grantTarget = httpClient.target(grantUri);
Form form = new Form();
form.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.PASSWORD);
form.param(OAuth2Constants.CLIENT_ID, TEST_APP_HTTP_CHALLENGE);
UserRepresentation user = adminClient.realm("test").users().search("[email protected]").get(0);
user.setEnabled(false);
adminClient.realm("test").users().get(user.getId()).update(user);
// user disabled
Response response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password"))
.post(Entity.form(form));
assertEquals(401, response.getStatus());
assertEquals("Unauthorized", response.getStatusInfo().getReasonPhrase());
response.close();
user.setEnabled(true);
adminClient.realm("test").users().get(user.getId()).update(user);
// lock the user account
grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "wrongpassword"))
.post(Entity.form(form));
grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "wrongpassword"))
.post(Entity.form(form));
// user is temporarily disabled
response = grantTarget.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("[email protected]", "password"))
.post(Entity.form(form));
assertEquals(401, response.getStatus());
assertEquals("Unauthorized", response.getStatusInfo().getReasonPhrase());
response.close();
clearBruteForce();
httpClient.close();
events.clear();
}
示例21
@Test
@UncaughtServerErrorExpected
public void testBadImpersonator() throws Exception {
testingClient.server().run(ClientTokenExchangeTest::setupRealm);
oauth.realm(TEST);
oauth.clientId("client-exchanger");
Client httpClient = ClientBuilder.newClient();
WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT)
.path("/realms")
.path(TEST)
.path("protocol/openid-connect/token");
System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "bad-impersonator", "password");
String accessToken = tokenResponse.getAccessToken();
TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
AccessToken token = accessTokenVerifier.parse().getToken();
Assert.assertEquals(token.getPreferredUsername(), "bad-impersonator");
Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
// test that user does not have impersonator permission
{
Response response = exchangeUrl.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("client-exchanger", "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.SUBJECT_TOKEN, accessToken)
.param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")
));
org.junit.Assert.assertEquals(403, response.getStatus());
response.close();
}
}
示例22
private void checkFeature(int statusCode) throws Exception {
String accessToken = oauth.doGrantAccessTokenRequest(PARENT_IDP, PARENT2_USERNAME, "password", null, PARENT_CLIENT, "password").getAccessToken();
if (statusCode != Response.Status.NOT_IMPLEMENTED.getStatusCode()) {
Assert.assertEquals(0, adminClient.realm(CHILD_IDP).getClientSessionStats().size());
}
Client httpClient = ClientBuilder.newClient();
try {
WebTarget exchangeUrl = childTokenExchangeWebTarget(httpClient);
{
IdentityProviderRepresentation rep = adminClient.realm(CHILD_IDP).identityProviders().get(PARENT_IDP).toRepresentation();
rep.getConfig().put(OIDCIdentityProviderConfig.VALIDATE_SIGNATURE, String.valueOf(false));
adminClient.realm(CHILD_IDP).identityProviders().get(PARENT_IDP).update(rep);
// test user info validation.
Response response = exchangeUrl.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader(ClientApp.DEPLOYMENT_NAME, "password"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.SUBJECT_TOKEN, accessToken)
.param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.JWT_TOKEN_TYPE)
.param(OAuth2Constants.SUBJECT_ISSUER, PARENT_IDP)
.param(OAuth2Constants.SCOPE, OAuth2Constants.SCOPE_OPENID)
));
Assert.assertEquals(statusCode, response.getStatus());
if (statusCode != Response.Status.NOT_IMPLEMENTED.getStatusCode()) {
AccessTokenResponse tokenResponse = response.readEntity(AccessTokenResponse.class);
String idToken = tokenResponse.getIdToken();
Assert.assertNotNull(idToken);
response.close();
Assert.assertEquals(1, adminClient.realm(CHILD_IDP).getClientSessionStats().size());
// test logout
response = childLogoutWebTarget(httpClient)
.queryParam("id_token_hint", idToken)
.request()
.get();
response.close();
Assert.assertEquals(0, adminClient.realm(CHILD_IDP).getClientSessionStats().size());
}
}
} finally {
httpClient.close();
}
}
示例23
protected void testTokenExchange() {
List<UserRepresentation> users = adminClient.realm(REALM).users().search(null, null, null);
Assert.assertEquals(1, users.size());
String username = users.get(0).getUsername();
checkFeature(501, username);
Response tokenResp = testingClient.testing().enableFeature(Profile.Feature.TOKEN_EXCHANGE.toString());
assertEquals(200, tokenResp.getStatus());
ProfileAssume.assumeFeatureEnabled(Profile.Feature.TOKEN_EXCHANGE);
Client httpClient = ClientBuilder.newClient();
try {
AccessTokenResponse tokenResponse = checkFeature(200, username);
Assert.assertNotNull(tokenResponse);
String socialToken = tokenResponse.getToken();
Assert.assertNotNull(socialToken);
// remove all users
removeUser();
users = adminClient.realm(REALM).users().search(null, null, null);
Assert.assertEquals(0, users.size());
// now try external exchange where we trust social provider and import the external token.
Response response = getExchangeUrl(httpClient).request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader(EXCHANGE_CLIENT, "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.SUBJECT_TOKEN, socialToken)
.param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.SUBJECT_ISSUER, currentTestProvider.id())
));
Assert.assertEquals(200, response.getStatus());
response.close();
users = adminClient.realm(REALM).users().search(null, null, null);
Assert.assertEquals(1, users.size());
Assert.assertEquals(username, users.get(0).getUsername());
// remove all users
removeUser();
users = adminClient.realm(REALM).users().search(null, null, null);
Assert.assertEquals(0, users.size());
///// Test that we can update social token from session with stored tokens turned off.
// turn off store token
IdentityProviderRepresentation idp = adminClient.realm(REALM).identityProviders().get(currentTestProvider.id).toRepresentation();
idp.setStoreToken(false);
adminClient.realm(REALM).identityProviders().get(idp.getAlias()).update(idp);
// first exchange social token to get a user session that should store the social token there
response = getExchangeUrl(httpClient).request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader(EXCHANGE_CLIENT, "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.SUBJECT_TOKEN, socialToken)
.param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.SUBJECT_ISSUER, currentTestProvider.id())
));
Assert.assertEquals(200, response.getStatus());
tokenResponse = response.readEntity(AccessTokenResponse.class);
String keycloakToken = tokenResponse.getToken();
response.close();
// now take keycloak token and make sure it can get back the social token from the user session since stored tokens are off
response = getExchangeUrl(httpClient).request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader(EXCHANGE_CLIENT, "secret"))
.post(Entity.form(
new Form()
.param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE)
.param(OAuth2Constants.SUBJECT_TOKEN, keycloakToken)
.param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE)
.param(OAuth2Constants.REQUESTED_ISSUER, currentTestProvider.id())
));
Assert.assertEquals(200, response.getStatus());
tokenResponse = response.readEntity(AccessTokenResponse.class);
response.close();
Assert.assertEquals(socialToken, tokenResponse.getToken());
// turn on store token
idp = adminClient.realm(REALM).identityProviders().get(currentTestProvider.id).toRepresentation();
idp.setStoreToken(true);
adminClient.realm(REALM).identityProviders().get(idp.getAlias()).update(idp);
} finally {
httpClient.close();
tokenResp = testingClient.testing().disableFeature(Profile.Feature.TOKEN_EXCHANGE.toString());
assertEquals(200, tokenResp.getStatus());
checkFeature(501, username);
}
}
示例24
@Test
public void testRefreshRpt() {
AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
String rpt = response.getToken();
assertNotNull(rpt);
AccessToken accessToken = toAccessToken(rpt);
AccessToken.Authorization authorization = accessToken.getAuthorization();
assertNotNull(authorization);
Collection<Permission> permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
String refreshToken = response.getRefreshToken();
assertNotNull(refreshToken);
AccessToken refreshTokenToken = toAccessToken(refreshToken);
assertNotNull(refreshTokenToken.getAuthorization());
Client client = ClientBuilder.newClient();
UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
URI uri = OIDCLoginProtocolService.tokenUrl(builder).build(REALM_NAME);
WebTarget target = client.target(uri);
Form parameters = new Form();
parameters.param("grant_type", OAuth2Constants.REFRESH_TOKEN);
parameters.param(OAuth2Constants.REFRESH_TOKEN, refreshToken);
AccessTokenResponse refreshTokenResponse = target.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret"))
.post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
assertNotNull(refreshTokenResponse.getToken());
refreshToken = refreshTokenResponse.getRefreshToken();
refreshTokenToken = toAccessToken(refreshToken);
assertNotNull(refreshTokenToken.getAuthorization());
AccessToken refreshedToken = toAccessToken(rpt);
authorization = refreshedToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
refreshTokenResponse = target.request()
.header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret"))
.post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
assertNotNull(refreshTokenResponse.getToken());
refreshToken = refreshTokenResponse.getRefreshToken();
refreshTokenToken = toAccessToken(refreshToken);
assertNotNull(refreshTokenToken.getAuthorization());
refreshedToken = toAccessToken(rpt);
authorization = refreshedToken.getAuthorization();
assertNotNull(authorization);
permissions = authorization.getPermissions();
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
}
