keycloak-uncached
Changes
services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.java 4(+4 -0)
services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.java 2(+2 -0)
services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java 60(+60 -0)
services/src/main/java/org/keycloak/authentication/authenticators/x509/X509AuthenticatorConfigModel.java 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/keystore/keycloak.truststore 0(+0 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/ca.cert.pem 35(+35 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user@localhost.key.pem 54(+54 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user-san-email@localhost.cert.pem 38(+38 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.attr 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.old 0(+0 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/1 131(+131 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/ca-chain.cert.pem 69(+69 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/intermediate.cert.pem 34(+34 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/crlnumber 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/csr/intermediate.csr.pem 29(+29 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.attr 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.old 0(+0 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/newcerts/1000.pem 38(+38 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl.cnf 135(+135 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl-san.cnf 139(+139 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/private/intermediate.key.pem 54(+54 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial.old 1(+1 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/newcerts/1000.pem 34(+34 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/openssl.cnf 131(+131 -0)
testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/private/ca.key.pem 54(+54 -0)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/javascript/keycloak.js 1416(+1416 -0)
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/drone/KeycloakWebDriverConfigurator.java 30(+30 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java 30(+30 -0)
Details
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.java
index d5c6b60..742454e 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticator.java
@@ -57,6 +57,7 @@ public abstract class AbstractX509ClientCertificateAuthenticator implements Auth
public static final String MAPPING_SOURCE_SELECTION = "x509-cert-auth.mapping-source-selection";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN = "Match SubjectDN using regular expression";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL = "Subject's e-mail";
+ public static final String MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL = "Subject's Alternative Name E-mail";
public static final String MAPPING_SOURCE_CERT_SUBJECTDN_CN = "Subject's Common Name";
public static final String MAPPING_SOURCE_CERT_ISSUERDN = "Match IssuerDN using regular expression";
public static final String MAPPING_SOURCE_CERT_ISSUERDN_EMAIL = "Issuer's e-mail";
@@ -146,6 +147,9 @@ public abstract class AbstractX509ClientCertificateAuthenticator implements Auth
.either(UserIdentityExtractor.getX500NameExtractor(BCStyle.EmailAddress, subject))
.or(UserIdentityExtractor.getX500NameExtractor(BCStyle.E, subject));
break;
+ case SUBJECTALTNAME_EMAIL:
+ extractor = UserIdentityExtractor.getSubjectAltNameExtractor(1);
+ break;
case ISSUERDN_CN:
extractor = UserIdentityExtractor.getX500NameExtractor(BCStyle.CN, issuer);
break;
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.java
index 03601e2..29af551 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/AbstractX509ClientCertificateAuthenticatorFactory.java
@@ -43,6 +43,7 @@ import static org.keycloak.authentication.authenticators.x509.AbstractX509Client
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_CN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_ISSUERDN_EMAIL;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SERIALNUMBER;
+import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_CN;
import static org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL;
@@ -68,6 +69,7 @@ public abstract class AbstractX509ClientCertificateAuthenticatorFactory implemen
private static final String[] mappingSources = {
MAPPING_SOURCE_CERT_SUBJECTDN,
MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL,
+ MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL,
MAPPING_SOURCE_CERT_SUBJECTDN_CN,
MAPPING_SOURCE_CERT_ISSUERDN,
MAPPING_SOURCE_CERT_ISSUERDN_EMAIL,
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java
index ef29aec..881fdb7 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/UserIdentityExtractor.java
@@ -25,7 +25,11 @@ import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.keycloak.services.ServicesLogger;
+import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -92,6 +96,52 @@ public abstract class UserIdentityExtractor {
}
}
+ /**
+ * Extracts the subject identifier from the subjectAltName extension.
+ */
+ static class SubjectAltNameExtractor extends UserIdentityExtractor {
+
+ private final int generalName;
+
+ /**
+ * Creates a new instance
+ *
+ * @param generalName an integer representing the general name. See {@link X509Certificate#getSubjectAlternativeNames()}
+ */
+ SubjectAltNameExtractor(int generalName) {
+ this.generalName = generalName;
+ }
+
+ @Override
+ public Object extractUserIdentity(X509Certificate[] certs) {
+ if (certs == null || certs.length == 0) {
+ throw new IllegalArgumentException();
+ }
+
+ try {
+ Collection<List<?>> subjectAlternativeNames = certs[0].getSubjectAlternativeNames();
+
+ if (subjectAlternativeNames == null) {
+ return null;
+ }
+
+ Iterator<List<?>> iterator = subjectAlternativeNames.iterator();
+
+ while (iterator.hasNext()) {
+ List<?> next = iterator.next();
+
+ if (Integer.class.cast(next.get(0)) == generalName) {
+ return next.get(1);
+ }
+ }
+ } catch (CertificateParsingException cause) {
+ logger.errorf(cause, "Failed to obtain identity from subjectAltName extension");
+ }
+
+ return null;
+ }
+ }
+
static class PatternMatcher extends UserIdentityExtractor {
private final String _pattern;
private final Function<X509Certificate[],String> _f;
@@ -143,6 +193,16 @@ public abstract class UserIdentityExtractor {
return new X500NameRDNExtractor(identifier, x500Name);
}
+ /**
+ * Obtains the subjectAltName given a <code>generalName</code>.
+ *
+ * @param generalName an integer representing the general name. See {@link X509Certificate#getSubjectAlternativeNames()}
+ * @return the value from the subjectAltName extension
+ */
+ public static SubjectAltNameExtractor getSubjectAltNameExtractor(int generalName) {
+ return new SubjectAltNameExtractor(generalName);
+ }
+
public static OrBuilder either(UserIdentityExtractor extractor) {
return new OrBuilder(extractor);
}
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509AuthenticatorConfigModel.java b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509AuthenticatorConfigModel.java
index 87c60b4..a738f42 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509AuthenticatorConfigModel.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509AuthenticatorConfigModel.java
@@ -60,6 +60,7 @@ public class X509AuthenticatorConfigModel extends AuthenticatorConfigModel {
ISSUERDN(MAPPING_SOURCE_CERT_ISSUERDN),
SUBJECTDN_CN(MAPPING_SOURCE_CERT_SUBJECTDN_CN),
SUBJECTDN_EMAIL(MAPPING_SOURCE_CERT_SUBJECTDN_EMAIL),
+ SUBJECTALTNAME_EMAIL(MAPPING_SOURCE_CERT_SUBJECTALTNAME_EMAIL),
SUBJECTDN(MAPPING_SOURCE_CERT_SUBJECTDN);
private String name;
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/keystore/keycloak.truststore b/testsuite/integration-arquillian/servers/auth-server/jboss/common/keystore/keycloak.truststore
index 5253c8f..d461868 100644
Binary files a/testsuite/integration-arquillian/servers/auth-server/jboss/common/keystore/keycloak.truststore and b/testsuite/integration-arquillian/servers/auth-server/jboss/common/keystore/keycloak.truststore differ
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/README.md b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/README.md
new file mode 100644
index 0000000..9766cc3
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/README.md
@@ -0,0 +1,8 @@
+# Keycloak Arquillian Integration Testsuite
+
+This directory contains a OpenSSL CA and Intermediate CA that can be used to manage certificates.
+
+## Passwords
+
+Passwords for any key file is `password`.
+
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/ca.cert.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/ca.cert.pem
new file mode 100644
index 0000000..123bef7
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/ca.cert.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIF/jCCA+agAwIBAgIJAOMEN39fZf7uMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwH
+UmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENB
+MSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGtleWNsb2FrLm9yZzAeFw0xODAyMjAx
+OTQ3NTFaFw00NTA3MDgxOTQ3NTFaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+TUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwI
+S2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENBMSMwIQYJKoZIhvcNAQkBFhRj
+b250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAJlGjg05FzCm3f3YdIbMHNYuORfiP2n6YhX7vQyDjF/4gh7EYEYgE7spJ864
+/DySQenJ55Jn22K/1MQ1rOHcqfTioIgN3eEAyyuMDx60KU3frMBRYeCgLJVZQHr0
+6x+Sh/+SbbIYq/558+g/6PSZjmPBindHsPzGuBPaLOW4Jz47CA73L/su2qnJGeAi
+UaK/tXmANs1bqJbiNRDr9IJFkdusx1mql2ElfknJT8U+LBPOOID/S7Xd83SKtpFI
+Q8Vikb6C0SKnopOJiG2uWg5g7CYlNYxJpAM25zhDqp71bl8zOsIL2tFfUAvvoBnh
+N31kDIl8RZJ5ELnh+t5SCfwbgdfMzS7uht8qVTeZ0/BG80Lzl1gfzNR8q45gsKC9
+7mg7Voj68kt2aZr+E3Ng1guK69gePMxCpqLyjwlKz187mNUme+zxg2gL2egs4M6u
+ffqsEd0c5QryrRSTcIXi8Bim6PDhL93dBsenAIg25DOJNA6Vt2LELoe9w0TkL48U
+wUvU6GYB7/zM/z3EW45ZkRhHWK+HZppqDAb05lgJeeKUxxdUSy+ot7ls6cSqACYo
+fVjPoVHPD5Ncx+6NGHPGM5N3FGvMMh64PYpChyVWDTEfrZIS7Yyj9Iz/2eCxV3cO
+cO4bU0K6kx/dWRic5B5ymVtRME93+Of/hQuta4uLhlo8ZxRpAgMBAAGjYzBhMB0G
+A1UdDgQWBBQiuPS7cwDHKT+TgKX2HFICast6UjAfBgNVHSMEGDAWgBQiuPS7cwDH
+KT+TgKX2HFICast6UjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAVCVXdx79ooKyOaL+S49S4agP7mE4IxuDefDwQ2dm
+996wpk3nntg0y54Auu1Y2plJirBhTvYZ1RedLNBMVBypm6BQpNn37u5TI39/FYso
+GFPINu1EzLTYl0bFKc0w7UFlFusje9zXLWISm8uTNzxJ1RGLrcnv9gfiXPKxAmN0
+cz9WY0vm+0+OV50HvLyUyqGKxyWmt2ek4jV+oEhsMMSO/MVNNXHEo2MAGcA23XPe
+7FZkiFB1suDIMzzUFCrRBtoZjYSUeyN9Pd0Yg3twl96CLqld4xFjsKMIsz0ACGRI
+8OpzeHAsePH4yS94E6nLwWH9YTi6pgTtoXSaVBLvIYpVHi8UAyIBFNqLMCukoq0O
+BlOdkO0zescmpEtp8GiUWMuB7x+kkaSxmsujEfL3mRWshkqaz/ZHPKXaNtPBUtIM
+jQnTMBF/wQjZxCGAps8dOMZ9pYnZcmVz0KeXpBJe1j+47MhItgt1wQNoyr4iBaxE
+3fAF/Arr/IZtIf0erXOjc7P6dEQW+WiKWvEA5Mp+4tV3Zj2pwSSX5bKDKx4RAkoW
+1jLTE1KN5RWvF8phStLty83gTd5wgykFSl65Lu7KIBW9HH3LIK46fb+cOBOZfSn3
+mdQXrbuXNUXgbhrsetnBfPNMAkJjaBQLNTxebIvXndiTIEsWqHS7h1x+kBkDOKhw
+SCc=
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user@localhost.key.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user@localhost.key.pem
new file mode 100644
index 0000000..20ff9ff
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user@localhost.key.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,58507FBFA90F44D96D42E8ED4989032F
+
+eO/DUxz7PGUmyv6Nu89tWvad4O2Jzdr6kNCMsRcaG1JFJsMdGUNtuXjKyEaIKo9B
+MLXAoFgtyW4t0TozNVzsS8mSwkU9eOP+cAGLReoHZ8C+w5y+Dm7Kuc37X+HF0HCL
+4UkfNGKwgVJuXbVFVTTRVypB0Ul9Q2s43iN0YUfsYK333FHdDHxYyk7X+zvbposO
+Q33oFsa0D4Ga2VdE8FQX5pDBqPOjXt8a3LaZxi5r8pZDRY+mcE04qnZLdUk6jCeQ
+u4zHjsn/F+aW+EhAHH9vAwHLJ7lQOBtsdGxj2QXUAnU3LnRs2XxvYtZbxkG/p4sb
+FCAP57bBxmkL51RJTM4fgnq/b1JRtGwS1kRbHSiKTnrDO8JHcmILKSoIUG9IcwNp
+SFcKVZiabEdNSAiY9J+nvZMR8d946SqAQ/kA2Z7WH/6pbs4pd0ODIpYbNYwUfPcP
+51tQI/fna2fyvGA0xxr5MUi3Ua8kp9KmoZaX+ghjwh8QLa82mcvOjbYaV6c2OT4m
+92Eq7Si+u82fq2l5TjmKXLT5dwAUqZU1GnbG2Qd7/HW2h7PFIuReITL9UZhbCMoi
+zOSz3wKniP/npE+I4+hYTRxKaV2mkAd1FC4+QhSZbmupf3WOxbtaJP6V8gd4BgRQ
+O6mN9BvXYihSWyn7zQ/4MuGq5/k+XmTsxhfPZ7KW7DyeDGdl7qTcW5I7k+i6Lnh6
+YozNJn+CVQnZ67x4OhkQ9GQSBkEXudGurzWOJ3xNHOMtAGfQZRjHepcf1TeRN8C1
+voyY0Yx4V95XfbCMzbQckxhDigHJqCBk0bewp0LYXbn0traawZXNJ9nZHDFMyuX9
+Oztjx5cFdH/kxSjy0Qquzy9rtEzw72CnBw/AisaGMkMaxQWP92n0hav5XSKg5eD3
+OD42fsFWvbTN12kFXETDeQGuSJoJ3X2R9UnG2GL1Uc4lEFOu7LVpQX1hVi0qJjsv
+NqFO/4pbB+IpwwHV/6Nh7hwBXQVXKcGq3fq9+iCWk4hmZLutTSrsdsLWyqxF+r+1
+a3mk2nZgpTVkmfNsOf7vY1R4fWkUu7M7Pb0R0eQ9vG8w7Aodym6snkxdZBwl09TM
+YpxofsvgVGcteZWK7hgESODpBklZstNXOIk4hsDhm8+PPfWuOndBEkocAf0D/4OE
+lPGcdG9gTc8HOiJLtK8QSJUbtfauJHqp9Dzkc3qNZuSTwwCvk4v2oYV7FrCzZfcC
+yPgN2AhOx8EDT3vx2IV62dbHeamWlT+hpdCIiEXnyL5MVBvO3Td+g3BM+RRVSmaB
+ZBgfZaFjlZvDDeqH8eOGNoKN06tGdpxeGJaPr5G3ksrmupBVB1Gay+T98Kux4zAk
+fw0oFPDEyRiup+iOXpltRtP7d3SH7ngjapm6aDBs2weWrnLrcjZx5iyOed8z8zWG
+Ygmar31qn0qMUf/8HZb4c3DYkc1mjpKZLQnyouP82p++1VTN8S27Kf06eTob5zYa
+pWhCDHPWA8FFNF9d1zgSTBLEFawryM59rLJteg7G7yiSN43OBk7THNI2OwK8y2Mv
+KvwMoyStvMbiMn4qVR8mcnLrAYUd2RhuDGX3NOExI+9EBSGpwUP22I/nQ9HRlJ9D
+OoKaTIdqv0twC3QYIbYf6RUngD2Yzo8ie9Ys31dZqJidSRj9xnpkb8Xe4S5J2Sxm
+HP7VJsjjlPH9X+Q+xRWqwvzPi/hDBozo5GR1wrLGOVTRSYsXHjrULu+ael+65m+m
+VXg8Ufzl1j/8KttWjvHOi3RJuusOx8Z6U3E/9YoVCqyuR3rXX7ILHq6UrOLPmLhg
+cOyZy3LJXH2MpLbfhVQ6C5xKUJLQm88FBzdfKTt5aSCHzGa0nmT+qzu+x/s4B37H
+hk9/B0W6hUf8TCy8YYRx7vK6IKpo4qVG3R0n/brtWtw5fYCYHna1qPknQWzROUeK
+2sLW1Xv7Tk1koGcDs4Xv6p3jVCgAYE3DsubqGu7y9j49t9D08IukOMbtY6tc5+b6
+zIrZfz8+XpdM9BmQ+5N5yVv2Ut0t7SGoEQ+pHOwsBu2H2dcW+DdfwyCk7izC0eUR
+Fkv//R+uTaX4g3WSI3++ghDtQlcRf0nFn3c3uCK4HSP2E6doPQuuguKXXnJ+syDD
+rsUZUV0Ia8X8ZCLkza7WfFgoJ2hXe6rehU7YLnvBekCMu0S99/a/oJ3t/JJFB0LF
+5aw9nSlunrcCce9umPwKxc2pMcrIEAAjmmUhXza3LgHJsDiYYSDDo2e1Cbb5j61s
+qCbFxB+WFYc2rRnzK/CLIDhIayWcwyelHAelpQOQ+gReh7ZZSSu5c0Rl9brTZ9tN
+HfMPY5/6eBbASXxA9BStFbasLnlOARojkRgEAMOMv4ZyN4gn949Dd3nwC4gr9f++
+IjqV/YgQOKtL4rOMgvLvb5Y0rhDFOiXTdpZBqhk/6bZo1T2j4ts72FdkAmr2u5gp
+VxVyLv8L/KJv8jKqGbqJeMntarl30wfq4SRNe5te81DbSWrUGaQQyYqLL0/ixL2F
+E6O+0bajYmrz45ZGhJqXJRxnlwyDWL1kPy+f8IlItyXp72WqHqKb/IyImvHgxnnm
+IDv06cjX1LvX+fO3B2/9AveksSqnifrMBRjtFhRxTHdLEt9E1kSOJMb4tOlm/QpI
+UQV0HkQRsUE3F6N7OEmfuA88jwiNRTSjl6WbFQ0O01lKFeKmy4cPJfnSOvHNL34Z
+zztSboe9Red6qXzkR1mjh8BO/5Nu2ihlk8spqxNFUoPteUU57KITanXr63IudaSX
+hDA7viBAqcmjPy/j4YY0UVvvWBCqIK0ejcEghxHJak/n3qpiSm0mYMMubi51O5UT
+rxzZ9aqVfw4zmmZqrh+UIAwHJRpQw+zmXIN1h7pdTR1JGuSqStNgSgL53FoX2v9K
+I0QQ6RbGJ7Yleb4P8DUHkaY9ljARsioVdbmzQgYDpt45KG9iFeREadvA0WpuapKE
+/WePOmKMJ+qhnvENPSLLrf5ssho95GWf/6pGEV4PmMLanQ5iGV48wLXMtbQ/ud9N
+qA7XQd2Vb4fNEVQ1aNdXg1gjB3QYyJoB0/exCOm/xLrewfd7zlXk8BERXwV1yQ5f
+tYumN2X4RS2+Y0s9K6ujwEkYi7HUph6vPuq3il4DcSNFj8Wop/f6AAXSml3mqxYd
+-----END RSA PRIVATE KEY-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user-san-email@localhost.cert.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user-san-email@localhost.cert.pem
new file mode 100644
index 0000000..4a00a12
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/certs/clients/test-user-san-email@localhost.cert.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGtDCCBJygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJNQTEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xv
+YWsxITAfBgNVBAMMGEtleWNsb2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3
+DQEJARYUY29udGFjdEBrZXljbG9hay5vcmcwHhcNMTgwMjIwMjAwNzMwWhcNNDUw
+NzA4MjAwNzMwWjBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcM
+BkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxEjAQ
+BgNVBAMMCXRlc3QtdXNlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AOmK2D4VdRvGOUjAPWXol5/hkMwCNKXgO0ZrgTmBrzIn8F8O/QCYvkNgRATIBIN2
++nNK+Pej96tHHzhPC07O7KMDLncjSEjjmZ2xmvh2FjPr+xooT+x0mzv3a9MhVCYj
+WHM7x+LWuAAMne4xPx14AMVZa+P7YTmzabbMWHM9g9Itxjyl/jpkt9LmWsZh2Xvt
+96NgP4CG1Vegml0nNnR6AIwKlKl2x5NMuXrhCs2yn0PrSVwzHsdIajqaTDGedwhW
+pLzCy//k3KLT9ydRahhbUKWK48DPLf+cJubVGcE/hdiAQqA1C/3Um/kXR1PcIjG3
+YLeXavhmT/7H53lRe1mdHmUn1b7Vr6oYX7uln8wZqBMvceOK23wkKY970j2N46Uj
+ABcw9fnUckKYgjpv8I029PgnIgBjX3rZyMmRB8Khw+McVIx0DsFx7oJcc5ZV16RM
+4tHx107F084OBkDkqJ0k42pw1gpsovln+PVKGetBGFbAAsNwMMZxmJT/r1RVWk4u
+pe/HfzWz1PvwcTjaRD8MzhC16xOr7HR8uDRDFU40+X5mkEJkzvT5+ih7a64TsQNZ
+uU/Dx3j5ncYptLMl0FvzlNlfDkZ3XCUQfkr9o/nxdq9DTBGpy6nMaC5BMf8PKzjX
+C6lioUBQTFJGrHsc59PTI0GSOXkls/gO494SmbIkCmarAgMBAAGjggFKMIIBRjAJ
+BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBT6Y/aV
+XWxkiC3QOuN6nKCjZgRdbTAfBgNVHSMEGDAWgBRHEnyJC0dXGVQK9QMEzZ+GopZ2
+lDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MCoGA1UdHwQjMCEwH6AdoBuGGWh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9jcmwwNgYI
+KwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0Ojg4ODgv
+b3NjcDAeBgNVHREEFzAVgRN0ZXN0LXVzZXJAbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4ICAQCiKCFfS/CxkFcPqu4Xg2bSxd0ge5oXYOtkr5Pe6C6nMXjvSirHTWiX
+eUkxB+8FrU7TZGVUalbROsdZLCaOwPD5Xed7fjRoOKiAk7/JZxkIBjz8q9uAOXql
+fFZOwrAe5DHGaux/hZBmDLc/JRy5eZY5NsW/YfP5WhhZr/zsi1R0Fxkd3QsSr5yl
+SDyaq3yKWAojkGMSmsYsisPL2LXJlEz961YNtok22fTd7mlSREFL13/RcXf/Fegi
+2pjhGwrLjILkil1PTdbxOav6H1UScX2Q2S13rmJmPjmAVcHQAPd/UAQN2n0MLGzB
+iyFT5b7q97vgPCRAzGNE/t9So687bgw+CMPDGprz2yt1StTJnbDbWfgOZk1aj7Y8
+p8TJ2zmifD8VlAfa7+RDeNIfnSMI6Zh7vJWG0IxttKcrPNZxqfoTQKRTZBz1lOGE
+Q06Cs/We6YKWctpf/5UPE29ncjLkT9XX9yqyNKLJnQWlcfltSyDRUTmhNsbhI/Pl
+fxNceHMSY7ewkvfQ0FQMOj4HuXYGaTNfOknTRMRue2gmj0ezH0yxwmLsZShRgKmx
++rEdeplmwKaFRQcQc8TYGmws3uICUf5KbcL4pt2Pi0Yy2hjc/jCrf4RUw/trtwPJ
+7xk/PGGFQBWwzCmZP86ZPUL3BaWOQWauNl8XWCLC9xx9e+mkaUI50w==
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt
new file mode 100644
index 0000000..6976f7c
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt
@@ -0,0 +1 @@
+V 450708195701Z 1000 unknown /C=US/ST=MA/O=Red Hat/OU=Keycloak/CN=Keycloak Intermediate CA/emailAddress=contact@keycloak.org
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.attr b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.old b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.old
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/index.txt.old
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/1 b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/1
new file mode 100644
index 0000000..b596754
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/1
@@ -0,0 +1,131 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = Keycloak
+
+[ Keycloak ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = MA
+localityName_default = Boston
+0.organizationName_default = Red Hat
+organizationalUnitName_default = Keycloak
+emailAddress_default = contact@keycloak.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/ca-chain.cert.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/ca-chain.cert.pem
new file mode 100644
index 0000000..bcfaf61
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/ca-chain.cert.pem
@@ -0,0 +1,69 @@
+-----BEGIN CERTIFICATE-----
+MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
+MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
+hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
+DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
+A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
+b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
+bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
+TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
+yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
+jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
+mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
+hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
+7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
+Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
+O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
+lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
+ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
+AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
+iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
+elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
+AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
+PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
+5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
+wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
+n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
+ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
+UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
+3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
+p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
+aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
+i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF/jCCA+agAwIBAgIJAOMEN39fZf7uMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwH
+UmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENB
+MSMwIQYJKoZIhvcNAQkBFhRjb250YWN0QGtleWNsb2FrLm9yZzAeFw0xODAyMjAx
+OTQ3NTFaFw00NTA3MDgxOTQ3NTFaMIGLMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+TUExDzANBgNVBAcMBkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwI
+S2V5Y2xvYWsxFDASBgNVBAMMC0tleWNsb2FrIENBMSMwIQYJKoZIhvcNAQkBFhRj
+b250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAJlGjg05FzCm3f3YdIbMHNYuORfiP2n6YhX7vQyDjF/4gh7EYEYgE7spJ864
+/DySQenJ55Jn22K/1MQ1rOHcqfTioIgN3eEAyyuMDx60KU3frMBRYeCgLJVZQHr0
+6x+Sh/+SbbIYq/558+g/6PSZjmPBindHsPzGuBPaLOW4Jz47CA73L/su2qnJGeAi
+UaK/tXmANs1bqJbiNRDr9IJFkdusx1mql2ElfknJT8U+LBPOOID/S7Xd83SKtpFI
+Q8Vikb6C0SKnopOJiG2uWg5g7CYlNYxJpAM25zhDqp71bl8zOsIL2tFfUAvvoBnh
+N31kDIl8RZJ5ELnh+t5SCfwbgdfMzS7uht8qVTeZ0/BG80Lzl1gfzNR8q45gsKC9
+7mg7Voj68kt2aZr+E3Ng1guK69gePMxCpqLyjwlKz187mNUme+zxg2gL2egs4M6u
+ffqsEd0c5QryrRSTcIXi8Bim6PDhL93dBsenAIg25DOJNA6Vt2LELoe9w0TkL48U
+wUvU6GYB7/zM/z3EW45ZkRhHWK+HZppqDAb05lgJeeKUxxdUSy+ot7ls6cSqACYo
+fVjPoVHPD5Ncx+6NGHPGM5N3FGvMMh64PYpChyVWDTEfrZIS7Yyj9Iz/2eCxV3cO
+cO4bU0K6kx/dWRic5B5ymVtRME93+Of/hQuta4uLhlo8ZxRpAgMBAAGjYzBhMB0G
+A1UdDgQWBBQiuPS7cwDHKT+TgKX2HFICast6UjAfBgNVHSMEGDAWgBQiuPS7cwDH
+KT+TgKX2HFICast6UjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN
+BgkqhkiG9w0BAQsFAAOCAgEAVCVXdx79ooKyOaL+S49S4agP7mE4IxuDefDwQ2dm
+996wpk3nntg0y54Auu1Y2plJirBhTvYZ1RedLNBMVBypm6BQpNn37u5TI39/FYso
+GFPINu1EzLTYl0bFKc0w7UFlFusje9zXLWISm8uTNzxJ1RGLrcnv9gfiXPKxAmN0
+cz9WY0vm+0+OV50HvLyUyqGKxyWmt2ek4jV+oEhsMMSO/MVNNXHEo2MAGcA23XPe
+7FZkiFB1suDIMzzUFCrRBtoZjYSUeyN9Pd0Yg3twl96CLqld4xFjsKMIsz0ACGRI
+8OpzeHAsePH4yS94E6nLwWH9YTi6pgTtoXSaVBLvIYpVHi8UAyIBFNqLMCukoq0O
+BlOdkO0zescmpEtp8GiUWMuB7x+kkaSxmsujEfL3mRWshkqaz/ZHPKXaNtPBUtIM
+jQnTMBF/wQjZxCGAps8dOMZ9pYnZcmVz0KeXpBJe1j+47MhItgt1wQNoyr4iBaxE
+3fAF/Arr/IZtIf0erXOjc7P6dEQW+WiKWvEA5Mp+4tV3Zj2pwSSX5bKDKx4RAkoW
+1jLTE1KN5RWvF8phStLty83gTd5wgykFSl65Lu7KIBW9HH3LIK46fb+cOBOZfSn3
+mdQXrbuXNUXgbhrsetnBfPNMAkJjaBQLNTxebIvXndiTIEsWqHS7h1x+kBkDOKhw
+SCc=
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/intermediate.cert.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/intermediate.cert.pem
new file mode 100644
index 0000000..3521cbc
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/certs/intermediate.cert.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
+MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
+hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
+DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
+A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
+b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
+bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
+TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
+yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
+jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
+mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
+hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
+7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
+Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
+O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
+lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
+ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
+AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
+iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
+elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
+AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
+PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
+5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
+wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
+n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
+ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
+UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
+3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
+p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
+aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
+i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/crlnumber b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/crlnumber
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/crlnumber
@@ -0,0 +1 @@
+1000
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/csr/intermediate.csr.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/csr/intermediate.csr.pem
new file mode 100644
index 0000000..0cc3a5b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/csr/intermediate.csr.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE3jCCAsYCAQAwgZgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UE
+BwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0MREwDwYDVQQLDAhLZXljbG9hazEh
+MB8GA1UEAwwYS2V5Y2xvYWsgSW50ZXJtZWRpYXRlIENBMSMwIQYJKoZIhvcNAQkB
+FhRjb250YWN0QGtleWNsb2FrLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBANiLHXMlNrpNOyY+Ny1zVHnq9g+wiER7JGKzscvyz4RsVsGk7yNZJJJo
+mnQxaRqFS1aJ271xYrnI8LR7NQPcthyWS0bVjrPF5joblGc0JSBXwRiR4IkCaUZW
+GAWNT7uvoc2HUvawsl6NQ4oywpwjG3VOmJRumH/cnVOuo9YMPWMjAH3fft29l9d3
+AhrjmmGTVJvvCBHpoHiYk8oGl6SSH/laHlBFcj7b5W/UyGrpK3HUx0Tg/a7yVuUg
+I6WcJohaIjoHbvKi3bGFyJ7XC8XBrWKq0Gvi0gcsifRc0rCqh6igz5YeWTCMwX9i
+nXNgkkmaReOHVrdkhPntZ7VTdHEmst/ETQPgab9LtDfTbHGIC4N3JwfHqjPiphjA
+hhlWT7/yrgINdXKjRoJjh71+wA+Ym/LlPApk4qhyiP4EUDJHA93WJWtIZ4BBMkE9
+wyC7vSj3FUGdTw+CyJ87kfOlfD0tNGsNpNLgFn+tgD08MvN7ExWuBUKD5fV1F3dP
+0iws86Wj4cKl80aF+BGXCnz9JEaYG6JobmTqRpJw/maKZIZg6+GNEcs2Rj5GC2X6
+GswOfwMV3vk+Jsz3mEaJr2TWpuuOaP2BEYDjHPVAGp7B3ZNOACForEMWpB5z5wnX
+m9/kDEHgD8qoWaphdhcBCkpzNu3aChPJvYCeeGlrlYl7+xi9ipNTAgMBAAGgADAN
+BgkqhkiG9w0BAQsFAAOCAgEAtZp+hULw+DW9TCzW1Sm1+r4cb6QN/DpWe4lvbSoU
+ah0oiUAa/xF9AaDR2woHvMWXzMehc42Z+4F40L+XSdM1VAg6B36BKM7fYiyGQExo
+bJF0oUqeRD6WneZNCd4APnmzAiMCU6uWzgLbkoUXw9JtNr3uxhIXvg3E+BasU5/F
+pb9UqTHBsSc1yAxhMT9zLOXLpkvX+mrWzkkbc09Schus8wM6naf6oWhgW5uNVQaw
+M3ZemlVmY7LYUwJKamNr7CRpzSPnFed+a77ogOFY1IjfuknYLPKlAaPtBuV5kEWB
+Bx0JjMNoGoqL+FxUqpX6+8RzksSGCecje6q3+j4nm8p2RrhVf4/dfupSTDI3ijGl
+Z0Y+eV0H88EySvnw6TKi9QCHBEc4TVKKA4wD6nASzMK2GtuqdutLJpd3ADgV/p32
+BZ/NM8aB2iGo5S4nnDwjvGIzaHgamZbLkAuFBTQtjzghgwJK0D5FtFmWxn+0PpP4
+IKntdvJXQVMuLL/CYa0L9BFcUbSNbglykfggGAv/kU0tOmDNdW6wv8IlN1c34KOM
+W2GYKDmcn5LTSzRmvN8E9kjvMLYVyFf8TeBpo8K34dkMRODu6LTQVu3EhKN2OZt9
+QXf79Y5zjNQwfdm2s4GBDK/+fkL04Hg69sbOeOID8aYQxy8fyxELad1fYsnas6P6
+u1I=
+-----END CERTIFICATE REQUEST-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt
new file mode 100644
index 0000000..60d4030
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt
@@ -0,0 +1 @@
+V 450708200730Z 1000 unknown /C=US/ST=MA/L=Boston/O=Red Hat/OU=Keycloak/CN=test-user
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.attr b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.old b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.old
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/index.txt.old
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/newcerts/1000.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/newcerts/1000.pem
new file mode 100644
index 0000000..4a00a12
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/newcerts/1000.pem
@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGtDCCBJygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJNQTEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xv
+YWsxITAfBgNVBAMMGEtleWNsb2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3
+DQEJARYUY29udGFjdEBrZXljbG9hay5vcmcwHhcNMTgwMjIwMjAwNzMwWhcNNDUw
+NzA4MjAwNzMwWjBkMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTUExDzANBgNVBAcM
+BkJvc3RvbjEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxEjAQ
+BgNVBAMMCXRlc3QtdXNlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AOmK2D4VdRvGOUjAPWXol5/hkMwCNKXgO0ZrgTmBrzIn8F8O/QCYvkNgRATIBIN2
++nNK+Pej96tHHzhPC07O7KMDLncjSEjjmZ2xmvh2FjPr+xooT+x0mzv3a9MhVCYj
+WHM7x+LWuAAMne4xPx14AMVZa+P7YTmzabbMWHM9g9Itxjyl/jpkt9LmWsZh2Xvt
+96NgP4CG1Vegml0nNnR6AIwKlKl2x5NMuXrhCs2yn0PrSVwzHsdIajqaTDGedwhW
+pLzCy//k3KLT9ydRahhbUKWK48DPLf+cJubVGcE/hdiAQqA1C/3Um/kXR1PcIjG3
+YLeXavhmT/7H53lRe1mdHmUn1b7Vr6oYX7uln8wZqBMvceOK23wkKY970j2N46Uj
+ABcw9fnUckKYgjpv8I029PgnIgBjX3rZyMmRB8Khw+McVIx0DsFx7oJcc5ZV16RM
+4tHx107F084OBkDkqJ0k42pw1gpsovln+PVKGetBGFbAAsNwMMZxmJT/r1RVWk4u
+pe/HfzWz1PvwcTjaRD8MzhC16xOr7HR8uDRDFU40+X5mkEJkzvT5+ih7a64TsQNZ
+uU/Dx3j5ncYptLMl0FvzlNlfDkZ3XCUQfkr9o/nxdq9DTBGpy6nMaC5BMf8PKzjX
+C6lioUBQTFJGrHsc59PTI0GSOXkls/gO494SmbIkCmarAgMBAAGjggFKMIIBRjAJ
+BgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBT6Y/aV
+XWxkiC3QOuN6nKCjZgRdbTAfBgNVHSMEGDAWgBRHEnyJC0dXGVQK9QMEzZ+GopZ2
+lDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MCoGA1UdHwQjMCEwH6AdoBuGGWh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9jcmwwNgYI
+KwYBBQUHAQEEKjAoMCYGCCsGAQUFBzABhhpodHRwOi8vbG9jYWxob3N0Ojg4ODgv
+b3NjcDAeBgNVHREEFzAVgRN0ZXN0LXVzZXJAbG9jYWxob3N0MA0GCSqGSIb3DQEB
+CwUAA4ICAQCiKCFfS/CxkFcPqu4Xg2bSxd0ge5oXYOtkr5Pe6C6nMXjvSirHTWiX
+eUkxB+8FrU7TZGVUalbROsdZLCaOwPD5Xed7fjRoOKiAk7/JZxkIBjz8q9uAOXql
+fFZOwrAe5DHGaux/hZBmDLc/JRy5eZY5NsW/YfP5WhhZr/zsi1R0Fxkd3QsSr5yl
+SDyaq3yKWAojkGMSmsYsisPL2LXJlEz961YNtok22fTd7mlSREFL13/RcXf/Fegi
+2pjhGwrLjILkil1PTdbxOav6H1UScX2Q2S13rmJmPjmAVcHQAPd/UAQN2n0MLGzB
+iyFT5b7q97vgPCRAzGNE/t9So687bgw+CMPDGprz2yt1StTJnbDbWfgOZk1aj7Y8
+p8TJ2zmifD8VlAfa7+RDeNIfnSMI6Zh7vJWG0IxttKcrPNZxqfoTQKRTZBz1lOGE
+Q06Cs/We6YKWctpf/5UPE29ncjLkT9XX9yqyNKLJnQWlcfltSyDRUTmhNsbhI/Pl
+fxNceHMSY7ewkvfQ0FQMOj4HuXYGaTNfOknTRMRue2gmj0ezH0yxwmLsZShRgKmx
++rEdeplmwKaFRQcQc8TYGmws3uICUf5KbcL4pt2Pi0Yy2hjc/jCrf4RUw/trtwPJ
+7xk/PGGFQBWwzCmZP86ZPUL3BaWOQWauNl8XWCLC9xx9e+mkaUI50w==
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl.cnf b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl.cnf
new file mode 100644
index 0000000..acd341f
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl.cnf
@@ -0,0 +1,135 @@
+# OpenSSL intermediate CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = KeycloakICA
+
+[ KeycloakICA ]
+# Directory and file locations.
+dir = ./intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/intermediate.key.pem
+certificate = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/intermediate.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = MA
+localityName_default = Boston
+0.organizationName_default = Red Hat
+organizationalUnitName_default =
+emailAddress_default = contact@keycloak.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+crlDistributionPoints = URI:http://localhost:8888/crl
+authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+crlDistributionPoints = URI:http://localhost:8888/crl
+authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl-san.cnf b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl-san.cnf
new file mode 100644
index 0000000..4bf6ffc
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/openssl-san.cnf
@@ -0,0 +1,139 @@
+# OpenSSL intermediate CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = KeycloakICA
+
+[ KeycloakICA ]
+# Directory and file locations.
+dir = ./intermediate
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+email_in_dn = no
+
+# The root key and root certificate.
+private_key = $dir/private/intermediate.key.pem
+certificate = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/intermediate.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = MA
+localityName_default = Boston
+0.organizationName_default = Red Hat
+organizationalUnitName_default = Keycloak
+emailAddress_default = contact@keycloak.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+crlDistributionPoints = URI:http://localhost:8888/crl
+authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
+subjectAltName=email:copy
+subjectAltName=email:move
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+crlDistributionPoints = URI:http://localhost:8888/crl
+authorityInfoAccess = OCSP;URI:http://localhost:8888/oscp
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/private/intermediate.key.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/private/intermediate.key.pem
new file mode 100644
index 0000000..3116bf9
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/private/intermediate.key.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,55738491E62D25465F4122B4D81938FA
+
+rivJE7agWr1e9e2zPd8OZttFzBve49d99hdvxpScz6Bl0gVwV2VGiFonGdCzKnB7
+adJgoU1R7nC9jKLoviCM1qd1bnzY7EudnCBsGMbaNhuoeaS6Sc0lEMBNryDIHdQj
+XaBgbDU9drELn2f7AW2l23kofQYTfY/et4qasDlRSH9pdUOTHsMArkCNamg/FCJ2
+/5InAqOZlIOENPmEPWF7gpBLiIdsrb56CezYhxy4Cz9hTGaQrVW/9fFpfEcmA+7F
+7f8TyWGb5pDTPSnBUkYXk5tFqCLghPcooI+hhkGUJR43L5SRg8SqpArYou0enHkT
+r/Hbat5zXZgJAp6qJ1Xi3lH1hqO6m+5aW45SCL4MZhDahLQI632zLcJ/MQMMWLEp
+bYC+l/UWTAh2JGbS+vTwZ/hluOh4qZMC/cti6QJ1oqOzDxDuN7A8UY8RKBSsA1OM
+aX1L80kHHTyN4i91JNNjsGxH1lmBDS19YdWQu1XHpsM8KANRoRVqAMeU12Ip0lVD
+wp5pUzTaNXRlFnoxDpu6fUTjcNxitv08EnjVNeFT5SmneVBH7ZPopLWErd1pTdnU
+fMDnyrNcr7g0HkahmCRoMy4WroRz1yQ1BX0BOoMO+jrLbCR+bDFiyapl5VG7zOW1
+p5tG/ra8fuB7tkXxzqqINSLKCHaqsEsl7hJ9CJNX45ypT6jlehc0E9OGI3W5x2hK
+6fG+T1gzu99YwcnAsSlsTqGgxj/VO8wwS/fPN3QA4iQMFSVdhnjt2jLO2TpbAudW
+6/2G7ulYpj/G7JwdWJD7V91U9LUx6fyOja4NJbV/WB9la84VHluGjGFQul5fMuvU
+nVOv1fdmuJA1WIohczH2nADunzv79rswfr0oZKXezvQUkIRC1kOg1SM6vlQcsGva
+Y4obtLNDmwsJ2qyx51NTkkrewrlMuuf2AeoIy2fBZ6mhEdNCFUkvk+dwb5UsX2fG
+6w8klofTwQxnsdq07+QbDQOVw/MANl3hQPAjtsE19kGWeHNyYp8X0RxGDSoS6qGp
+c+Y2jG0xzK0Mo/m+GFG8AHDHbpC+hVhxU4/ll1L3QL7ZpY9ZNi+YYjI1abqexU/t
+/pf2n9vjAvyrST37SvW3n3bb5ltmDDIqVHarn63Bm2ZM8cvnmK3S65FOxTp0wZ+q
+tZ5fWqcyWMWxnYVV0yGqtlsZOsssYosrsMNV1NGxLI8Gkmz69/4qs2jToNqIsjNa
+SBeweGKTqofFt5VtVjWURvfJMM2wleKMJ8KSOA1HS+c8577gblSrIS1ZtAo8hNlO
+lKqPTuyf0SAe1lyYfzijn5k1v3XfpdC7VbGbprK6jSw9pSFYDwDeVq7rMgHFSGTR
+Jv1mfHt0D3O/C9p8lVz68ROmblQgq7XjbllYmjTBEZOB3HQdRGPV0h8ag3UHHGD+
+lhV0L2RDkzwHfjjwlvJxtBUchKuN4Kxpb0aQAVVt3DzOv49sLAkUyCPzkHu8WliB
+lfXf8alQ9XGbSANWhZxZJ78E/zLInaHBkMlkH4vcsuEsZ2Lwxm36v5ES6RJgjCad
+sNSBg6EHRNfnnFPOVZBtzA/APsR3yMmfw9t8Qcp5vFudhtwxQ26QcWrgj29yZyJm
+Qyvn4d34JIhZM122090lhGbKWDaViEZ88a26SBiMC1qeX9Aomlow+mwEaYpS4EmT
+tNADYipjU2yWB07FXw5tmGaEuAFmsC3t7PcbsYULUlbdjuirbyTiG6QxruecPjW5
+KKBMb5zqcxSxKgeEPa3DsDggMcimLugKu/sc6+mBKu9ngvl40gLEvroSb2fySFJP
+gGdIrjro1nNjaHAIR5U9QJFNaViOiIEiOlDHc53bRWnJadPceH3xdvGJC8d6Tm0d
+T55j2OYBkAxGSwQrrt6C7oo0xoscumkz9etTLZghA6VWZh25m+Xw2sh/qVKDTrHx
+2fw9NKJfSDXDfejqJDR7SWUjZ5ygLs3JI4qj8+5XYFKbat9l5EGPrpqrxWmzy2EM
+CiceOWPHhWUkoAqPgfDCp8AIvtpDJyW8pyz+sMtBSTSidsM9BqacfyIySZKmDxau
+SicM+9M5ggKJkmm7hJ2w0+tHjqzA+2j/HRm2+Ti2aKSBjclcGU70/CxwJooPJ+lk
+dQvlW6FP9enK7sYcZgQ52NPHcsuha0VOyLdnjV5cyCv1VEDFv5XIX2KZveqNeKDS
+A84D/Q2k+I3x4Rc0G5ge1uVuNJV67BiYF2agSfiyr7Gb9RAIZXuqjtPToRqXfs1f
+YKfd/s9/Rq2gB//RRzXtwLdXtZ7GDAGBNsFahk1X/F9DhYg3mkfdqsAjJp6l+UOu
+8khW2LwIGAmstltiC3G9I+66cYz/Z7xv2ycCoTUZ4IjXhpzw0dv3yVzu4Y7mYfls
+oDyDy8Y+Z9QwQl2IYTycxOG07OuwpGmcNDzj2lUGBLLWQEZRfLa+rwFXtx9AbhZZ
+qRAIeI2fAkM9qR3Txarz8HfxqeQV3uHmXMrLVhbL1KPVRvFlCic8VohzNHDa3XMV
+FHn8BGkemhp/5WaaHa2O9b4EF5Ydo7SmNhxQTTkqUTfHaiL/i22ItOtyUVWiMmS3
+D7LnERSegQVA75QYe/4QFsXPa9WSY63bjfWb6QUX1LP4xeqBhl/m6VgxAvCBSknI
+nAbUuyItm/dLTlelsQ7LtKDeGHZ5CWxArmSbfR7kPuCf2OiVoOGyMd+Ygnok51bS
+htWN1mwVN9oHUPSN2twqDUEyuIARCzJhXl4goSm2/CtOc+ZPUuRD895AU41FEMRA
+qZ6SRe6sgUh4gqpTKPaXT6z7+UKd04UKIBhfGmoUSrLwP1tbPSB6C0ppvv7WqsZl
+DL7VYcHASMo0zVmMAw/zIwd0qF0SDiajXfhiSfPypAzHHavz8clq7Po6AvpgWZC3
+vjfCb7MVEXRDXCUMzCALdiaW0YGZv5D20Yj16I9lSmYijAflReGN/j28xhsSuZZz
+uBFHHpD/kN/L25VvDYZslc0KUWkS0kRshkgMtuHEC/YbZy0ptan6MUZ3uWHrUHzs
+FAMDf9j90CGr1dS0amXMZD0IvJ4nNatvt92OvjNCUc76fc4RJ1QGC7oHdUuJEdxF
+IPl4SYWfUPh/cvEPHqPag2G5tFIsBv9252nzr+v+7ochdbDL7ZLOrrmgBAxTubY1
+-----END RSA PRIVATE KEY-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial
new file mode 100644
index 0000000..dd11724
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial
@@ -0,0 +1 @@
+1001
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial.old b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial.old
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/intermediate/serial.old
@@ -0,0 +1 @@
+1000
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/newcerts/1000.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/newcerts/1000.pem
new file mode 100644
index 0000000..3521cbc
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/newcerts/1000.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF9jCCA96gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIDAJNQTEPMA0GA1UEBwwGQm9zdG9uMRAwDgYDVQQKDAdSZWQgSGF0
+MREwDwYDVQQLDAhLZXljbG9hazEUMBIGA1UEAwwLS2V5Y2xvYWsgQ0ExIzAhBgkq
+hkiG9w0BCQEWFGNvbnRhY3RAa2V5Y2xvYWsub3JnMB4XDTE4MDIyMDE5NTcwMVoX
+DTQ1MDcwODE5NTcwMVowgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNQTEQMA4G
+A1UECgwHUmVkIEhhdDERMA8GA1UECwwIS2V5Y2xvYWsxITAfBgNVBAMMGEtleWNs
+b2FrIEludGVybWVkaWF0ZSBDQTEjMCEGCSqGSIb3DQEJARYUY29udGFjdEBrZXlj
+bG9hay5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYix1zJTa6
+TTsmPjctc1R56vYPsIhEeyRis7HL8s+EbFbBpO8jWSSSaJp0MWkahUtWidu9cWK5
+yPC0ezUD3LYclktG1Y6zxeY6G5RnNCUgV8EYkeCJAmlGVhgFjU+7r6HNh1L2sLJe
+jUOKMsKcIxt1TpiUbph/3J1TrqPWDD1jIwB9337dvZfXdwIa45phk1Sb7wgR6aB4
+mJPKBpekkh/5Wh5QRXI+2+Vv1Mhq6Stx1MdE4P2u8lblICOlnCaIWiI6B27yot2x
+hcie1wvFwa1iqtBr4tIHLIn0XNKwqoeooM+WHlkwjMF/Yp1zYJJJmkXjh1a3ZIT5
+7We1U3RxJrLfxE0D4Gm/S7Q302xxiAuDdycHx6oz4qYYwIYZVk+/8q4CDXVyo0aC
+Y4e9fsAPmJvy5TwKZOKocoj+BFAyRwPd1iVrSGeAQTJBPcMgu70o9xVBnU8Pgsif
+O5HzpXw9LTRrDaTS4BZ/rYA9PDLzexMVrgVCg+X1dRd3T9IsLPOlo+HCpfNGhfgR
+lwp8/SRGmBuiaG5k6kaScP5mimSGYOvhjRHLNkY+Rgtl+hrMDn8DFd75PibM95hG
+ia9k1qbrjmj9gRGA4xz1QBqewd2TTgAhaKxDFqQec+cJ15vf5AxB4A/KqFmqYXYX
+AQpKczbt2goTyb2Annhpa5WJe/sYvYqTUwIDAQABo2YwZDAdBgNVHQ4EFgQURxJ8
+iQtHVxlUCvUDBM2fhqKWdpQwHwYDVR0jBBgwFoAUIrj0u3MAxyk/k4Cl9hxSAmrL
+elIwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN
+AQELBQADggIBAFwmiG2sd77dmX+klIeLVIYq4X3VwNijwzpuilDPMqSfSlBawj8f
+PjwFJYzpcl2pe/Lq6sq96VMkN65/AUs/XZOW+ybgE7ZuJlfT12sk48TPgaVvP2dJ
+5ud2l+DWYaH6KjU3B/xx8xttN73BilMobaJMDy02TLK6VgHPtV3bRyPOQNsGrOmp
+wJMPi7t9UjcMm0THhVHdP881ryGXraNb38x5AgTILUwRYmwjtc1Rrlls0eKLtoAl
+n5oScPDPeZELVunFFJ/ZX2lx5yApWpP1sMyzvJxnZhruuzfxsW60Tp+6Q8rHkabw
+ZnnkHgi53/Gnp3H7l/kszM+hNYJXTDTHdPTQMETHEHqiWOzYttBTM8p/ffb3haTm
+UnPb5fuRXJxX8vMxA1h6nSFWtQEQbvlGiS2oGNAOi5XlTsE+mjYMALuAPID9v8Yx
+3eTyI7a4I+qy3a+0Q1iBFsAM75q6cbne7LK8FjLHDnZvHOnredoR/tmebgphD4C3
+p4xNlwocSs+Fhjqsf6L5AvAc8fLP1206f/lp/9qEnvD0kocw2KvxwZY2yDtf115z
+aHxhil32iWME340LVSYyQZqwPPr3N2t4CGZsgGs8vPXLECAGqrT3V2/I3iZNF3J5
+i0GE63/1Q35BPHxPAJcqB/a5woBwo/Ae40u6qWR15keFp3UaJ0M/C9GR
+-----END CERTIFICATE-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/openssl.cnf b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/openssl.cnf
new file mode 100644
index 0000000..b596754
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/openssl.cnf
@@ -0,0 +1,131 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = Keycloak
+
+[ Keycloak ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = MA
+localityName_default = Boston
+0.organizationName_default = Red Hat
+organizationalUnitName_default = Keycloak
+emailAddress_default = contact@keycloak.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/private/ca.key.pem b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/private/ca.key.pem
new file mode 100644
index 0000000..9a51de0
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/private/ca.key.pem
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,0DB2418CD45582213A6DA1664904B74D
+
+hCr065CBgHEofMLubxh+GPmnVeLFF/x1w+FhSLxGysTkFARjU2tSxE71LWB45WBX
+eb1cta3aJJTdZWn1c6X/NDWHl91JM4nY3vMsA279SrSZi7/Bb/uJl+Hi4vFKyUpq
+qf0AW5mDQURKZ+WsqiQqCMNXHqeFbBFRmcnN7uhnN30KnwAQyo7rgkimeMg+OWnO
+VFfWT5xgpBx4ki6om8I8SETNsJWLdHmuMLUsTkRQFp+SOxCJ4vQisAiiQVuQjnZX
+wqeGvSf97oSpyYUPF3qgf1kE3hdG9XswOk13rHpYc+fUFi3F/aLeuQWH1Tvc586Z
+mhxGHs0Z4VmTZkMEZ7HeNa5bjszuADyh+Nyk1eXdf/TChLPaFi+JQsz0kdt5MsHE
+eiUfhbQfUxQPdH6r+RPhZK4vSeE3CXY5gdKQmHIUgnoZOkr8jelK/vO6AJ0Tmzig
+gL5W9w++QzuIp6YbRXF0gy804U5CWzvY86a0eX5Ao4w6esDfinT9FNHeF8GR1wkh
+KUvNHQPOyFNR2DOMjFCPTfBiWrYGIral3mDp+zLIMgEIWG8sHzhVfPqup7fokYxb
+/JW3jxuZXatFwUy0FwlqntcoqBZmb7wR42hi9X2uDWfWr/rVh/Vf9fMqDndTz9aF
+9VjyibwJWRLXX+rtzGcG4KxJu6Tg1xjs+7zALCnQ84KifbJdG6HnItu5ME7lY1Cf
+S7+qxERzASla4NYCQK8+/7p0CrSe5jer64AJbSz/PGRCR8Vs7ZCJYBJao27L0MKJ
+fNgDaY/ipv2/ENgd7GUoyz++8q841iY8Q1IWzjbg7/DStVcZwQRD1aiCfzyIo83z
+YwQtAy/epj9x2Jj4s+FDJsBZ+V7aGwhEEvXrfZllDfB2uw+/idopLQUJQThZWRQT
+q9pHfqKNbmvwdviD2E07CNojtNh9TKU1rvzmC0dJIti9hfEGTQJipvQ8tdA7jLyQ
+TIF9KekSWpvTQ1g+4x0NfmvdKTsjgM+71zUyGScOK7WuBDOURBT9bOjqvl4+AYKV
+cqk6TNIf5Rf3hPBYsgNvd24hIpdA1Jab6OrF+zpbaeAVf3voFMn8Ze/QpDn76qsE
+X7quBKaaWsEfZf39P44aCVYLva9jm1MI6PpFZdOsHaq/TLITcTPM1Q1ql4BQJl4t
+3SYC9xDDUrJN11W8sFD/V6B4PdraxtlZ2Uehk4TU6KXksVbUkw02aNFtWPwJCMBN
++9NA5ymPtNQGm4G4VhZzm6ywHEflZ/2rUtG+pe6U4WTmU1yrinaTV9WkGV9qP3SJ
+ttFrUvcJgRxxkfKCTKMfQvIKU7R3P4WbCjAuLO+W9aC8/6ljr4ALSHOXuFc5OrTs
+Xkl2Z3l5xl4JY8cFagXKEZHfjWvNRNwURNQwFC/9aWFqSjuZBrJfpRbshL1HM8lb
+Nef1fww7GgRtjZstjd77BgBF1pLfF6ERUmo1HrbSYtjpMUMgMp78Okj53hAYj7qQ
+VO+U7ARvgDzGAkqBcRMoHD03fp+YvLrao73PQR+lMn/QfkiPFP5KZHulNKf0tJHD
+ASB+v6WaNFWHAvKCSDvKcvAiVvCWd4baKGJUh72cFeVF3S0pqlKrUhdCdOVrf6Oq
+HF0Qmkva8OHj6NC9vrXqOK1QlwqcKfJ6DZUYFEqc8fiWf/+sLuDcCQNmusDMzEC5
+YXHZek5JFgiGZ1OcH6UyQZwnmHcElxm8u9c0vAe3BJnmu9nBVaph8MMF0XKhEalS
+c+J5FPtc1ioM/2lSy8S2eiKlwX3MiQ1kAD7bohd+AGL4hZChNLHVlTmb3n/rr3N9
+9JISLU876c1AkIvAF+dQXsZRUFiqvbMS4cwdOX2ykRBIqrCcsxZXxoBdUd9CvWvj
+ABJ6780R7LD8YYrPfiGMLvAWfIBbiesACRIU2pZwIYbTRKO+wZ7dG2paZSZqskNf
+DQjzW7VL19VDTchnmMcaYUk8HEYuwQt8n1Qk7qntLSH2ANDzopCF0IEtBDL4irgp
+c93zzecmgilVtnfFlBm5vT7Gv7ryU/R7vJgnmYwUIAwPF3oedaPloSAXKw/KKoxT
+SJBcZRhpdl8eMlp1H5OYdWiYBsjJtJuh7oHC2QplG13GN0GdGhZ4H9nFuZG3TLWP
+oBE+j4StCiSxaxENc6Op9J5/xMUwCrTlxD6yVfAijqpvdZ0XIRKdnZLD1+bLFv6k
+Xo6I2Qf9ruSwslaYa7UqUN1eLkyAkouyhN12XYhroQ/I7JTaUnqwMl45a4p9nArh
+7vUQ4Sa52tWXbpgDQ67qHQf5g/3P4dncVbd78YiAs03pqZQ0cSCA/exKCahTuLpy
+nTQy8TiSI1jTRGV86bbga//SuAnJJFkcZAhOMU+dRFYAlzENGJZaacyeEjWF0mpg
+VSMmkZI4YCSmY19PjDk9wKxJYBAZulsK5fqEqBjbC4whrc9N8rPFtuNOG2T5DEoB
+wuKzmJFHPKiY0+/6cd63B4L7yvNJYh6t7uHQJdsW8nzxPkp8Bddtxf5yEDy6Ej3b
+eayKFDLdjzc/Pf7zL8CnKXjZNw218p0vAaHJ0zN/dwyR52GBm4uTlJDxiWVr7Gua
+Uz2KBcPy/h0cAHSCedrecdqkCYKGRf/wpc9Ov7jEOgi/ahgt1qjd4ZkTKpvZ3P/b
+/ZxyHRVGLlfHs17AFHEXxwRvWFvC42tnsiBJBsJPfj7qkpxTHqEtE9x4xfEdwNf3
++faMaPkx7okYDfCkDrnqEshOxS8vOHjVyrYkOHiYVUX8+8tYdwJlNo0/V7ugT8ge
+EIjTyR29N1TOR5ZuhYOAuhR3QNhG0iHf0mXTsA/qNx4UBAQMpg2aWPYepWDMaND4
+n1xGkzBt4qWKNR7umbjzC3JoQACSnI+Qp46rXc1WH8GEpVfcCQry2BGDjFRWlOd9
+fRe4ZAdgEh9mZocbkTDqVqUHZ//Y7jLzkYdZQwqFCegtDGC1RztVocaZUO/Yqcto
+yVs6DWqMlcZsZtM3awXbX/UOJIfx+n7AFJ/IRbptob/p8E3MylcLZXuMIOgcJGF2
+GVOEMTXQlmgyHfUDp8PGTNJdfdtz6CZWNmx/dcrzFrX/OS9M3E9j2qhgpC2XwGza
+ahuTcE9Eu+xxeEycvQkv/5pSO+phCSyfj1Zmk/o0SvUGYAMke5Bm0xCyCyGh5/Qo
+-----END RSA PRIVATE KEY-----
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial
new file mode 100644
index 0000000..dd11724
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial
@@ -0,0 +1 @@
+1001
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial.old b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial.old
new file mode 100644
index 0000000..83b33d2
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/common/pki/root/ca/serial.old
@@ -0,0 +1 @@
+1000
diff --git a/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml b/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
index d66e09d..8160d26 100644
--- a/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
@@ -245,6 +245,13 @@
<include>empty.crl</include>
</includes>
</resource>
+ <resource>
+ <directory>${common.resources}/pki/root/ca</directory>
+ <includes>
+ <include>certs/clients/test-user-san-email@localhost.cert.pem</include>
+ <include>certs/clients/test-user@localhost.key.pem</include>
+ </includes>
+ </resource>
</resources>
</configuration>
</execution>
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/javascript/keycloak.js b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/javascript/keycloak.js
new file mode 100644
index 0000000..80b4477
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/javascript/keycloak.js
@@ -0,0 +1,1416 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+(function( window, undefined ) {
+
+ var Keycloak = function (config) {
+ if (!(this instanceof Keycloak)) {
+ return new Keycloak(config);
+ }
+
+ var kc = this;
+ var adapter;
+ var refreshQueue = [];
+ var callbackStorage;
+
+ var loginIframe = {
+ enable: true,
+ callbackList: [],
+ interval: 5
+ };
+
+ var scripts = document.getElementsByTagName('script');
+ for (var i = 0; i < scripts.length; i++) {
+ if ((scripts[i].src.indexOf('keycloak.js') !== -1 || scripts[i].src.indexOf('keycloak.min.js') !== -1) && scripts[i].src.indexOf('version=') !== -1) {
+ kc.iframeVersion = scripts[i].src.substring(scripts[i].src.indexOf('version=') + 8).split('&')[0];
+ }
+ }
+
+ var useNonce = true;
+
+ kc.init = function (initOptions) {
+ kc.authenticated = false;
+
+ callbackStorage = createCallbackStorage();
+
+ if (initOptions && initOptions.adapter === 'cordova') {
+ adapter = loadAdapter('cordova');
+ } else if (initOptions && initOptions.adapter === 'default') {
+ adapter = loadAdapter();
+ } else {
+ if (window.Cordova || window.cordova) {
+ adapter = loadAdapter('cordova');
+ } else {
+ adapter = loadAdapter();
+ }
+ }
+
+ if (initOptions) {
+ if (typeof initOptions.useNonce !== 'undefined') {
+ useNonce = initOptions.useNonce;
+ }
+
+ if (typeof initOptions.checkLoginIframe !== 'undefined') {
+ loginIframe.enable = initOptions.checkLoginIframe;
+ }
+
+ if (initOptions.checkLoginIframeInterval) {
+ loginIframe.interval = initOptions.checkLoginIframeInterval;
+ }
+
+ if (initOptions.onLoad === 'login-required') {
+ kc.loginRequired = true;
+ }
+
+ if (initOptions.responseMode) {
+ if (initOptions.responseMode === 'query' || initOptions.responseMode === 'fragment') {
+ kc.responseMode = initOptions.responseMode;
+ } else {
+ throw 'Invalid value for responseMode';
+ }
+ }
+
+ if (initOptions.flow) {
+ switch (initOptions.flow) {
+ case 'standard':
+ kc.responseType = 'code';
+ break;
+ case 'implicit':
+ kc.responseType = 'id_token token';
+ break;
+ case 'hybrid':
+ kc.responseType = 'code id_token token';
+ break;
+ default:
+ throw 'Invalid value for flow';
+ }
+ kc.flow = initOptions.flow;
+ }
+
+ if (initOptions.timeSkew != null) {
+ kc.timeSkew = initOptions.timeSkew;
+ }
+ }
+
+ if (!kc.responseMode) {
+ kc.responseMode = 'fragment';
+ }
+ if (!kc.responseType) {
+ kc.responseType = 'code';
+ kc.flow = 'standard';
+ }
+
+ var promise = createPromise();
+
+ var initPromise = createPromise();
+ initPromise.promise.success(function() {
+ kc.onReady && kc.onReady(kc.authenticated);
+ promise.setSuccess(kc.authenticated);
+ }).error(function(errorData) {
+ promise.setError(errorData);
+ });
+
+ var configPromise = loadConfig(config);
+
+ function onLoad() {
+ var doLogin = function(prompt) {
+ if (!prompt) {
+ options.prompt = 'none';
+ }
+ kc.login(options).success(function () {
+ initPromise.setSuccess();
+ }).error(function () {
+ initPromise.setError();
+ });
+ }
+
+ var options = {};
+ switch (initOptions.onLoad) {
+ case 'check-sso':
+ if (loginIframe.enable) {
+ setupCheckLoginIframe().success(function() {
+ checkLoginIframe().success(function () {
+ doLogin(false);
+ }).error(function () {
+ initPromise.setSuccess();
+ });
+ });
+ } else {
+ doLogin(false);
+ }
+ break;
+ case 'login-required':
+ doLogin(true);
+ break;
+ default:
+ throw 'Invalid value for onLoad';
+ }
+ }
+
+ function processInit() {
+ var callback = parseCallback(window.location.href);
+
+ if (callback) {
+ window.history.replaceState({}, null, callback.newUrl);
+ }
+
+ if (callback && callback.valid) {
+ return setupCheckLoginIframe().success(function() {
+ processCallback(callback, initPromise);
+ }).error(function (e) {
+ initPromise.setError();
+ });
+ } else if (initOptions) {
+ if (initOptions.token && initOptions.refreshToken) {
+ setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
+
+ if (loginIframe.enable) {
+ setupCheckLoginIframe().success(function() {
+ checkLoginIframe().success(function () {
+ kc.onAuthSuccess && kc.onAuthSuccess();
+ initPromise.setSuccess();
+ }).error(function () {
+ setToken(null, null, null);
+ initPromise.setSuccess();
+ });
+ });
+ } else {
+ kc.updateToken(-1).success(function() {
+ kc.onAuthSuccess && kc.onAuthSuccess();
+ initPromise.setSuccess();
+ }).error(function() {
+ kc.onAuthError && kc.onAuthError();
+ if (initOptions.onLoad) {
+ onLoad();
+ } else {
+ initPromise.setError();
+ }
+ });
+ }
+ } else if (initOptions.onLoad) {
+ onLoad();
+ } else {
+ initPromise.setSuccess();
+ }
+ } else {
+ initPromise.setSuccess();
+ }
+ }
+
+ configPromise.success(processInit);
+ configPromise.error(function() {
+ promise.setError();
+ });
+
+ return promise.promise;
+ }
+
+ kc.login = function (options) {
+ return adapter.login(options);
+ }
+
+ kc.createLoginUrl = function(options) {
+ var state = createUUID();
+ var nonce = createUUID();
+
+ var redirectUri = adapter.redirectUri(options);
+
+ var callbackState = {
+ state: state,
+ nonce: nonce,
+ redirectUri: encodeURIComponent(redirectUri)
+ }
+
+ if (options && options.prompt) {
+ callbackState.prompt = options.prompt;
+ }
+
+ callbackStorage.add(callbackState);
+
+ var baseUrl;
+ if (options && options.action == 'register') {
+ baseUrl = kc.endpoints.register();
+ } else {
+ baseUrl = kc.endpoints.authorize();
+ }
+
+ var scope = (options && options.scope) ? "openid " + options.scope : "openid";
+
+ var url = baseUrl
+ + '?client_id=' + encodeURIComponent(kc.clientId)
+ + '&redirect_uri=' + encodeURIComponent(redirectUri)
+ + '&state=' + encodeURIComponent(state)
+ + '&response_mode=' + encodeURIComponent(kc.responseMode)
+ + '&response_type=' + encodeURIComponent(kc.responseType)
+ + '&scope=' + encodeURIComponent(scope);
+ if (useNonce) {
+ url = url + '&nonce=' + encodeURIComponent(nonce);
+ }
+
+ if (options && options.prompt) {
+ url += '&prompt=' + encodeURIComponent(options.prompt);
+ }
+
+ if (options && options.maxAge) {
+ url += '&max_age=' + encodeURIComponent(options.maxAge);
+ }
+
+ if (options && options.loginHint) {
+ url += '&login_hint=' + encodeURIComponent(options.loginHint);
+ }
+
+ if (options && options.idpHint) {
+ url += '&kc_idp_hint=' + encodeURIComponent(options.idpHint);
+ }
+
+ if (options && options.locale) {
+ url += '&ui_locales=' + encodeURIComponent(options.locale);
+ }
+
+ return url;
+ }
+
+ kc.logout = function(options) {
+ return adapter.logout(options);
+ }
+
+ kc.createLogoutUrl = function(options) {
+ var url = kc.endpoints.logout()
+ + '?redirect_uri=' + encodeURIComponent(adapter.redirectUri(options, false));
+
+ return url;
+ }
+
+ kc.register = function (options) {
+ return adapter.register(options);
+ }
+
+ kc.createRegisterUrl = function(options) {
+ if (!options) {
+ options = {};
+ }
+ options.action = 'register';
+ return kc.createLoginUrl(options);
+ }
+
+ kc.createAccountUrl = function(options) {
+ var realm = getRealmUrl();
+ var url = undefined;
+ if (typeof realm !== 'undefined') {
+ url = realm
+ + '/account'
+ + '?referrer=' + encodeURIComponent(kc.clientId)
+ + '&referrer_uri=' + encodeURIComponent(adapter.redirectUri(options));
+ }
+ return url;
+ }
+
+ kc.accountManagement = function() {
+ return adapter.accountManagement();
+ }
+
+ kc.hasRealmRole = function (role) {
+ var access = kc.realmAccess;
+ return !!access && access.roles.indexOf(role) >= 0;
+ }
+
+ kc.hasResourceRole = function(role, resource) {
+ if (!kc.resourceAccess) {
+ return false;
+ }
+
+ var access = kc.resourceAccess[resource || kc.clientId];
+ return !!access && access.roles.indexOf(role) >= 0;
+ }
+
+ kc.loadUserProfile = function() {
+ var url = getRealmUrl() + '/account';
+ var req = new XMLHttpRequest();
+ req.open('GET', url, true);
+ req.setRequestHeader('Accept', 'application/json');
+ req.setRequestHeader('Authorization', 'bearer ' + kc.token);
+
+ var promise = createPromise();
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200) {
+ kc.profile = JSON.parse(req.responseText);
+ promise.setSuccess(kc.profile);
+ } else {
+ promise.setError();
+ }
+ }
+ }
+
+ req.send();
+
+ return promise.promise;
+ }
+
+ kc.loadUserInfo = function() {
+ var url = kc.endpoints.userinfo();
+ var req = new XMLHttpRequest();
+ req.open('GET', url, true);
+ req.setRequestHeader('Accept', 'application/json');
+ req.setRequestHeader('Authorization', 'bearer ' + kc.token);
+
+ var promise = createPromise();
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200) {
+ kc.userInfo = JSON.parse(req.responseText);
+ promise.setSuccess(kc.userInfo);
+ } else {
+ promise.setError();
+ }
+ }
+ }
+
+ req.send();
+
+ return promise.promise;
+ }
+
+ kc.isTokenExpired = function(minValidity) {
+ if (!kc.tokenParsed || (!kc.refreshToken && kc.flow != 'implicit' )) {
+ throw 'Not authenticated';
+ }
+
+ if (kc.timeSkew == null) {
+ console.info('[KEYCLOAK] Unable to determine if token is expired as timeskew is not set');
+ return true;
+ }
+
+ var expiresIn = kc.tokenParsed['exp'] - Math.ceil(new Date().getTime() / 1000) + kc.timeSkew;
+ if (minValidity) {
+ expiresIn -= minValidity;
+ }
+ return expiresIn < 0;
+ }
+
+ kc.updateToken = function(minValidity) {
+ var promise = createPromise();
+
+ if (!kc.refreshToken) {
+ promise.setError();
+ return promise.promise;
+ }
+
+ minValidity = minValidity || 5;
+
+ var exec = function() {
+ var refreshToken = false;
+ if (minValidity == -1) {
+ refreshToken = true;
+ console.info('[KEYCLOAK] Refreshing token: forced refresh');
+ } else if (!kc.tokenParsed || kc.isTokenExpired(minValidity)) {
+ refreshToken = true;
+ console.info('[KEYCLOAK] Refreshing token: token expired');
+ }
+
+ if (!refreshToken) {
+ promise.setSuccess(false);
+ } else {
+ var params = 'grant_type=refresh_token&' + 'refresh_token=' + kc.refreshToken;
+ var url = kc.endpoints.token();
+
+ refreshQueue.push(promise);
+
+ if (refreshQueue.length == 1) {
+ var req = new XMLHttpRequest();
+ req.open('POST', url, true);
+ req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
+ req.withCredentials = true;
+
+ if (kc.clientId && kc.clientSecret) {
+ req.setRequestHeader('Authorization', 'Basic ' + btoa(kc.clientId + ':' + kc.clientSecret));
+ } else {
+ params += '&client_id=' + encodeURIComponent(kc.clientId);
+ }
+
+ var timeLocal = new Date().getTime();
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200) {
+ console.info('[KEYCLOAK] Token refreshed');
+
+ timeLocal = (timeLocal + new Date().getTime()) / 2;
+
+ var tokenResponse = JSON.parse(req.responseText);
+
+ setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], timeLocal);
+
+ kc.onAuthRefreshSuccess && kc.onAuthRefreshSuccess();
+ for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
+ p.setSuccess(true);
+ }
+ } else {
+ console.warn('[KEYCLOAK] Failed to refresh token');
+
+ kc.onAuthRefreshError && kc.onAuthRefreshError();
+ for (var p = refreshQueue.pop(); p != null; p = refreshQueue.pop()) {
+ p.setError(true);
+ }
+ }
+ }
+ };
+
+ req.send(params);
+ }
+ }
+ }
+
+ if (loginIframe.enable) {
+ var iframePromise = checkLoginIframe();
+ iframePromise.success(function() {
+ exec();
+ }).error(function() {
+ promise.setError();
+ });
+ } else {
+ exec();
+ }
+
+ return promise.promise;
+ }
+
+ kc.clearToken = function() {
+ if (kc.token) {
+ setToken(null, null, null);
+ kc.onAuthLogout && kc.onAuthLogout();
+ if (kc.loginRequired) {
+ kc.login();
+ }
+ }
+ }
+
+ function getRealmUrl() {
+ if (typeof kc.authServerUrl !== 'undefined') {
+ if (kc.authServerUrl.charAt(kc.authServerUrl.length - 1) == '/') {
+ return kc.authServerUrl + 'realms/' + encodeURIComponent(kc.realm);
+ } else {
+ return kc.authServerUrl + '/realms/' + encodeURIComponent(kc.realm);
+ }
+ } else {
+ return undefined;
+ }
+ }
+
+ function getOrigin() {
+ if (!window.location.origin) {
+ return window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: '');
+ } else {
+ return window.location.origin;
+ }
+ }
+
+ function processCallback(oauth, promise) {
+ var code = oauth.code;
+ var error = oauth.error;
+ var prompt = oauth.prompt;
+
+ var timeLocal = new Date().getTime();
+
+ if (error) {
+ if (prompt != 'none') {
+ var errorData = { error: error, error_description: oauth.error_description };
+ kc.onAuthError && kc.onAuthError(errorData);
+ promise && promise.setError(errorData);
+ } else {
+ promise && promise.setSuccess();
+ }
+ return;
+ } else if ((kc.flow != 'standard') && (oauth.access_token || oauth.id_token)) {
+ authSuccess(oauth.access_token, null, oauth.id_token, true);
+ }
+
+ if ((kc.flow != 'implicit') && code) {
+ var params = 'code=' + code + '&grant_type=authorization_code';
+ var url = kc.endpoints.token();
+
+ var req = new XMLHttpRequest();
+ req.open('POST', url, true);
+ req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
+
+ if (kc.clientId && kc.clientSecret) {
+ req.setRequestHeader('Authorization', 'Basic ' + btoa(kc.clientId + ':' + kc.clientSecret));
+ } else {
+ params += '&client_id=' + encodeURIComponent(kc.clientId);
+ }
+
+ params += '&redirect_uri=' + oauth.redirectUri;
+
+ req.withCredentials = true;
+
+ req.onreadystatechange = function() {
+ if (req.readyState == 4) {
+ if (req.status == 200) {
+
+ var tokenResponse = JSON.parse(req.responseText);
+ authSuccess(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], kc.flow === 'standard');
+ } else {
+ kc.onAuthError && kc.onAuthError();
+ promise && promise.setError();
+ }
+ }
+ };
+
+ req.send(params);
+ }
+
+ function authSuccess(accessToken, refreshToken, idToken, fulfillPromise) {
+ timeLocal = (timeLocal + new Date().getTime()) / 2;
+
+ setToken(accessToken, refreshToken, idToken, timeLocal);
+
+ if (useNonce && ((kc.tokenParsed && kc.tokenParsed.nonce != oauth.storedNonce) ||
+ (kc.refreshTokenParsed && kc.refreshTokenParsed.nonce != oauth.storedNonce) ||
+ (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce))) {
+
+ console.info('[KEYCLOAK] Invalid nonce, clearing token');
+ kc.clearToken();
+ promise && promise.setError();
+ } else {
+ if (fulfillPromise) {
+ kc.onAuthSuccess && kc.onAuthSuccess();
+ promise && promise.setSuccess();
+ }
+ }
+ }
+
+ }
+
+ function loadConfig(url) {
+ var promise = createPromise();
+ var configUrl;
+
+ if (!config) {
+ configUrl = 'keycloak.json';
+ } else if (typeof config === 'string') {
+ configUrl = config;
+ }
+
+ function setupOidcEndoints(oidcConfiguration) {
+ if (! oidcConfiguration) {
+ kc.endpoints = {
+ authorize: function() {
+ return getRealmUrl() + '/protocol/openid-connect/auth';
+ },
+ token: function() {
+ return getRealmUrl() + '/protocol/openid-connect/token';
+ },
+ logout: function() {
+ return getRealmUrl() + '/protocol/openid-connect/logout';
+ },
+ checkSessionIframe: function() {
+ var src = getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
+ if (kc.iframeVersion) {
+ src = src + '?version=' + kc.iframeVersion;
+ }
+ return src;
+ },
+ register: function() {
+ return getRealmUrl() + '/protocol/openid-connect/registrations';
+ },
+ userinfo: function() {
+ return getRealmUrl() + '/protocol/openid-connect/userinfo';
+ }
+ };
+ } else {
+ kc.endpoints = {
+ authorize: function() {
+ return oidcConfiguration.authorization_endpoint;
+ },
+ token: function() {
+ return oidcConfiguration.token_endpoint;
+ },
+ logout: function() {
+ if (!oidcConfiguration.end_session_endpoint) {
+ throw "Not supported by the OIDC server";
+ }
+ return oidcConfiguration.end_session_endpoint;
+ },
+ checkSessionIframe: function() {
+ if (!oidcConfiguration.check_session_iframe) {
+ throw "Not supported by the OIDC server";
+ }
+ return oidcConfiguration.check_session_iframe;
+ },
+ register: function() {
+ throw 'Redirection to "Register user" page not supported in standard OIDC mode';
+ },
+ userinfo: function() {
+ if (!oidcConfiguration.userinfo_endpoint) {
+ throw "Not supported by the OIDC server";
+ }
+ return oidcConfiguration.userinfo_endpoint;
+ }
+ }
+ }
+ }
+
+ if (configUrl) {
+ var req = new XMLHttpRequest();
+ req.open('GET', configUrl, true);
+ req.setRequestHeader('Accept', 'application/json');
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200 || fileLoaded(req)) {
+ var config = JSON.parse(req.responseText);
+
+ kc.authServerUrl = config['auth-server-url'];
+ kc.realm = config['realm'];
+ kc.clientId = config['resource'];
+ kc.clientSecret = (config['credentials'] || {})['secret'];
+ setupOidcEndoints(null);
+ promise.setSuccess();
+ } else {
+ promise.setError();
+ }
+ }
+ };
+
+ req.send();
+ } else {
+ if (!config.clientId) {
+ throw 'clientId missing';
+ }
+
+ kc.clientId = config.clientId;
+ kc.clientSecret = (config.credentials || {}).secret;
+
+ var oidcProvider = config['oidcProvider'];
+ if (!oidcProvider) {
+ if (!config['url']) {
+ var scripts = document.getElementsByTagName('script');
+ for (var i = 0; i < scripts.length; i++) {
+ if (scripts[i].src.match(/.*keycloak\.js/)) {
+ config.url = scripts[i].src.substr(0, scripts[i].src.indexOf('/js/keycloak.js'));
+ break;
+ }
+ }
+ }
+ if (!config.realm) {
+ throw 'realm missing';
+ }
+
+ kc.authServerUrl = config.url;
+ kc.realm = config.realm;
+ setupOidcEndoints(null);
+ promise.setSuccess();
+ } else {
+ if (typeof oidcProvider === 'string') {
+ var oidcProviderConfigUrl;
+ if (oidcProvider.charAt(oidcProvider.length - 1) == '/') {
+ oidcProviderConfigUrl = oidcProvider + '.well-known/openid-configuration';
+ } else {
+ oidcProviderConfigUrl = oidcProvider + '/.well-known/openid-configuration';
+ }
+ var req = new XMLHttpRequest();
+ req.open('GET', oidcProviderConfigUrl, true);
+ req.setRequestHeader('Accept', 'application/json');
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200 || fileLoaded(req)) {
+ var oidcProviderConfig = JSON.parse(req.responseText);
+ setupOidcEndoints(oidcProviderConfig);
+ promise.setSuccess();
+ } else {
+ promise.setError();
+ }
+ }
+ };
+
+ req.send();
+ } else {
+ setupOidcEndoints(oidcProvider);
+ promise.setSuccess();
+ }
+ }
+ }
+
+ return promise.promise;
+ }
+
+ function fileLoaded(xhr) {
+ return xhr.status == 0 && xhr.responseText && xhr.responseURL.startsWith('file:');
+ }
+
+ function setToken(token, refreshToken, idToken, timeLocal) {
+ if (kc.tokenTimeoutHandle) {
+ clearTimeout(kc.tokenTimeoutHandle);
+ kc.tokenTimeoutHandle = null;
+ }
+
+ if (refreshToken) {
+ kc.refreshToken = refreshToken;
+ kc.refreshTokenParsed = decodeToken(refreshToken);
+ } else {
+ delete kc.refreshToken;
+ delete kc.refreshTokenParsed;
+ }
+
+ if (idToken) {
+ kc.idToken = idToken;
+ kc.idTokenParsed = decodeToken(idToken);
+ } else {
+ delete kc.idToken;
+ delete kc.idTokenParsed;
+ }
+
+ if (token) {
+ kc.token = token;
+ kc.tokenParsed = decodeToken(token);
+ kc.sessionId = kc.tokenParsed.session_state;
+ kc.authenticated = true;
+ kc.subject = kc.tokenParsed.sub;
+ kc.realmAccess = kc.tokenParsed.realm_access;
+ kc.resourceAccess = kc.tokenParsed.resource_access;
+
+ if (timeLocal) {
+ kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
+ }
+
+ if (kc.timeSkew != null) {
+ console.info('[KEYCLOAK] Estimated time difference between browser and server is ' + kc.timeSkew + ' seconds');
+
+ if (kc.onTokenExpired) {
+ var expiresIn = (kc.tokenParsed['exp'] - (new Date().getTime() / 1000) + kc.timeSkew) * 1000;
+ console.info('[KEYCLOAK] Token expires in ' + Math.round(expiresIn / 1000) + ' s');
+ if (expiresIn <= 0) {
+ kc.onTokenExpired();
+ } else {
+ kc.tokenTimeoutHandle = setTimeout(kc.onTokenExpired, expiresIn);
+ }
+ }
+ }
+ } else {
+ delete kc.token;
+ delete kc.tokenParsed;
+ delete kc.subject;
+ delete kc.realmAccess;
+ delete kc.resourceAccess;
+
+ kc.authenticated = false;
+ }
+ }
+
+ function decodeToken(str) {
+ str = str.split('.')[1];
+
+ str = str.replace('/-/g', '+');
+ str = str.replace('/_/g', '/');
+ switch (str.length % 4)
+ {
+ case 0:
+ break;
+ case 2:
+ str += '==';
+ break;
+ case 3:
+ str += '=';
+ break;
+ default:
+ throw 'Invalid token';
+ }
+
+ str = (str + '===').slice(0, str.length + (str.length % 4));
+ str = str.replace(/-/g, '+').replace(/_/g, '/');
+
+ str = decodeURIComponent(escape(atob(str)));
+
+ str = JSON.parse(str);
+ return str;
+ }
+
+ function createUUID() {
+ var s = [];
+ var hexDigits = '0123456789abcdef';
+ for (var i = 0; i < 36; i++) {
+ s[i] = hexDigits.substr(Math.floor(Math.random() * 0x10), 1);
+ }
+ s[14] = '4';
+ s[19] = hexDigits.substr((s[19] & 0x3) | 0x8, 1);
+ s[8] = s[13] = s[18] = s[23] = '-';
+ var uuid = s.join('');
+ return uuid;
+ }
+
+ kc.callback_id = 0;
+
+ function createCallbackId() {
+ var id = '<id: ' + (kc.callback_id++) + (Math.random()) + '>';
+ return id;
+
+ }
+
+ function parseCallback(url) {
+ var oauth = parseCallbackUrl(url);
+ if (!oauth) {
+ return;
+ }
+
+ var oauthState = callbackStorage.get(oauth.state);
+
+ if (oauthState) {
+ oauth.valid = true;
+ oauth.redirectUri = oauthState.redirectUri;
+ oauth.storedNonce = oauthState.nonce;
+ oauth.prompt = oauthState.prompt;
+ }
+
+ return oauth;
+ }
+
+ function parseCallbackUrl(url) {
+ var supportedParams;
+ switch (kc.flow) {
+ case 'standard':
+ supportedParams = ['code', 'state', 'session_state'];
+ break;
+ case 'implicit':
+ supportedParams = ['access_token', 'id_token', 'state', 'session_state'];
+ break;
+ case 'hybrid':
+ supportedParams = ['access_token', 'id_token', 'code', 'state', 'session_state'];
+ break;
+ }
+
+ supportedParams.push('error');
+ supportedParams.push('error_description');
+ supportedParams.push('error_uri');
+
+ var queryIndex = url.indexOf('?');
+ var fragmentIndex = url.indexOf('#');
+
+ var newUrl;
+ var parsed;
+
+ if (kc.responseMode === 'query' && queryIndex !== -1) {
+ newUrl = url.substring(0, queryIndex);
+ parsed = parseCallbackParams(url.substring(queryIndex + 1, fragmentIndex !== -1 ? fragmentIndex : url.length), supportedParams);
+ if (parsed.paramsString !== '') {
+ newUrl += '?' + parsed.paramsString;
+ }
+ if (fragmentIndex !== -1) {
+ newUrl += url.substring(fragmentIndex);
+ }
+ } else if (kc.responseMode === 'fragment' && fragmentIndex !== -1) {
+ newUrl = url.substring(0, fragmentIndex);
+ parsed = parseCallbackParams(url.substring(fragmentIndex + 1), supportedParams);
+ if (parsed.paramsString !== '') {
+ newUrl += '#' + parsed.paramsString;
+ }
+ }
+
+ if (parsed && parsed.oauthParams) {
+ if (kc.flow === 'standard' || kc.flow === 'hybrid') {
+ if ((parsed.oauthParams.code || parsed.oauthParams.error) && parsed.oauthParams.state) {
+ parsed.oauthParams.newUrl = newUrl;
+ return parsed.oauthParams;
+ }
+ } else if (kc.flow === 'implicit') {
+ if ((parsed.oauthParams.access_token || parsed.oauthParams.error) && parsed.oauthParams.state) {
+ parsed.oauthParams.newUrl = newUrl;
+ return parsed.oauthParams;
+ }
+ }
+ }
+ }
+
+ function parseCallbackParams(paramsString, supportedParams) {
+ var p = paramsString.split('&');
+ var result = {
+ paramsString: '',
+ oauthParams: {}
+ }
+ for (var i = 0; i < p.length; i++) {
+ var t = p[i].split('=');
+ if (supportedParams.indexOf(t[0]) !== -1) {
+ result.oauthParams[t[0]] = t[1];
+ } else {
+ if (result.paramsString !== '') {
+ result.paramsString += '&';
+ }
+ result.paramsString += p[i];
+ }
+ }
+ return result;
+ }
+
+ function createPromise() {
+ if (typeof Promise === "function") {
+ return createNativePromise();
+ } else {
+ return createLegacyPromise();
+ }
+ }
+
+ function createNativePromise() {
+ // Need to create a native Promise which also preserves the
+ // interface of the custom promise type previously used by the API
+ var p = {
+ setSuccess: function(result) {
+ p.success = true;
+ p.resolve(result);
+ },
+
+ setError: function(result) {
+ p.success = false;
+ p.reject(result);
+ }
+ };
+ p.promise = new Promise(function(resolve, reject) {
+ p.resolve = resolve;
+ p.reject = reject;
+ });
+ p.promise.success = function(callback) {
+ p.promise.then(callback);
+ return p.promise;
+ }
+ p.promise.error = function(callback) {
+ p.promise.catch(callback);
+ return p.promise;
+ }
+ return p;
+ }
+
+ function createLegacyPromise() {
+ var p = {
+ setSuccess: function(result) {
+ p.success = true;
+ p.result = result;
+ if (p.successCallback) {
+ p.successCallback(result);
+ }
+ },
+
+ setError: function(result) {
+ p.error = true;
+ p.result = result;
+ if (p.errorCallback) {
+ p.errorCallback(result);
+ }
+ },
+
+ promise: {
+ success: function(callback) {
+ if (p.success) {
+ callback(p.result);
+ } else if (!p.error) {
+ p.successCallback = callback;
+ }
+ return p.promise;
+ },
+ error: function(callback) {
+ if (p.error) {
+ callback(p.result);
+ } else if (!p.success) {
+ p.errorCallback = callback;
+ }
+ return p.promise;
+ }
+ }
+ }
+ return p;
+ }
+
+ function setupCheckLoginIframe() {
+ var promise = createPromise();
+
+ if (!loginIframe.enable) {
+ promise.setSuccess();
+ return promise.promise;
+ }
+
+ if (loginIframe.iframe) {
+ promise.setSuccess();
+ return promise.promise;
+ }
+
+ var iframe = document.createElement('iframe');
+ loginIframe.iframe = iframe;
+
+ iframe.onload = function() {
+ var authUrl = kc.endpoints.authorize();
+ if (authUrl.charAt(0) === '/') {
+ loginIframe.iframeOrigin = getOrigin();
+ } else {
+ loginIframe.iframeOrigin = authUrl.substring(0, authUrl.indexOf('/', 8));
+ }
+ promise.setSuccess();
+
+ setTimeout(check, loginIframe.interval * 1000);
+ }
+
+ var src = kc.endpoints.checkSessionIframe();
+ iframe.setAttribute('src', src );
+ iframe.setAttribute('title', 'keycloak-session-iframe' );
+ iframe.style.display = 'none';
+ document.body.appendChild(iframe);
+
+ var messageCallback = function(event) {
+ if ((event.origin !== loginIframe.iframeOrigin) || (loginIframe.iframe.contentWindow !== event.source)) {
+ return;
+ }
+
+ if (!(event.data == 'unchanged' || event.data == 'changed' || event.data == 'error')) {
+ return;
+ }
+
+
+ if (event.data != 'unchanged') {
+ kc.clearToken();
+ }
+
+ var callbacks = loginIframe.callbackList.splice(0, loginIframe.callbackList.length);
+
+ for (var i = callbacks.length - 1; i >= 0; --i) {
+ var promise = callbacks[i];
+ if (event.data == 'unchanged') {
+ promise.setSuccess();
+ } else {
+ promise.setError();
+ }
+ }
+ };
+
+ window.addEventListener('message', messageCallback, false);
+
+ var check = function() {
+ checkLoginIframe();
+ if (kc.token) {
+ setTimeout(check, loginIframe.interval * 1000);
+ }
+ };
+
+ return promise.promise;
+ }
+
+ function checkLoginIframe() {
+ var promise = createPromise();
+
+ if (loginIframe.iframe && loginIframe.iframeOrigin ) {
+ var msg = kc.clientId + ' ' + kc.sessionId;
+ loginIframe.callbackList.push(promise);
+ var origin = loginIframe.iframeOrigin;
+ if (loginIframe.callbackList.length == 1) {
+ loginIframe.iframe.contentWindow.postMessage(msg, origin);
+ }
+ } else {
+ promise.setSuccess();
+ }
+
+ return promise.promise;
+ }
+
+ function loadAdapter(type) {
+ if (!type || type == 'default') {
+ return {
+ login: function(options) {
+ window.location.href = kc.createLoginUrl(options);
+ return createPromise().promise;
+ },
+
+ logout: function(options) {
+ window.location.href = kc.createLogoutUrl(options);
+ return createPromise().promise;
+ },
+
+ register: function(options) {
+ window.location.href = kc.createRegisterUrl(options);
+ return createPromise().promise;
+ },
+
+ accountManagement : function() {
+ var accountUrl = kc.createAccountUrl();
+ if (typeof accountUrl !== 'undefined') {
+ window.location.href = accountUrl;
+ } else {
+ throw "Not supported by the OIDC server";
+ }
+ return createPromise().promise;
+ },
+
+ redirectUri: function(options, encodeHash) {
+ if (arguments.length == 1) {
+ encodeHash = true;
+ }
+
+ if (options && options.redirectUri) {
+ return options.redirectUri;
+ } else if (kc.redirectUri) {
+ return kc.redirectUri;
+ } else {
+ return location.href;
+ }
+ }
+ };
+ }
+
+ if (type == 'cordova') {
+ loginIframe.enable = false;
+ var cordovaOpenWindowWrapper = function(loginUrl, target, options) {
+ if (window.cordova && window.cordova.InAppBrowser) {
+ // Use inappbrowser for IOS and Android if available
+ return window.cordova.InAppBrowser.open(loginUrl, target, options);
+ } else {
+ return window.open(loginUrl, target, options);
+ }
+ };
+ return {
+ login: function(options) {
+ var promise = createPromise();
+
+ var o = 'location=no';
+ if (options && options.prompt == 'none') {
+ o += ',hidden=yes';
+ }
+
+ var loginUrl = kc.createLoginUrl(options);
+ var ref = cordovaOpenWindowWrapper(loginUrl, '_blank', o);
+ var completed = false;
+
+ ref.addEventListener('loadstart', function(event) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ var callback = parseCallback(event.url);
+ processCallback(callback, promise);
+ ref.close();
+ completed = true;
+ }
+ });
+
+ ref.addEventListener('loaderror', function(event) {
+ if (!completed) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ var callback = parseCallback(event.url);
+ processCallback(callback, promise);
+ ref.close();
+ completed = true;
+ } else {
+ promise.setError();
+ ref.close();
+ }
+ }
+ });
+
+ return promise.promise;
+ },
+
+ logout: function(options) {
+ var promise = createPromise();
+
+ var logoutUrl = kc.createLogoutUrl(options);
+ var ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes');
+
+ var error;
+
+ ref.addEventListener('loadstart', function(event) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ ref.close();
+ }
+ });
+
+ ref.addEventListener('loaderror', function(event) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ ref.close();
+ } else {
+ error = true;
+ ref.close();
+ }
+ });
+
+ ref.addEventListener('exit', function(event) {
+ if (error) {
+ promise.setError();
+ } else {
+ kc.clearToken();
+ promise.setSuccess();
+ }
+ });
+
+ return promise.promise;
+ },
+
+ register : function() {
+ var registerUrl = kc.createRegisterUrl();
+ var ref = cordovaOpenWindowWrapper(registerUrl, '_blank', 'location=no');
+ ref.addEventListener('loadstart', function(event) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ ref.close();
+ }
+ });
+ },
+
+ accountManagement : function() {
+ var accountUrl = kc.createAccountUrl();
+ if (typeof accountUrl !== 'undefined') {
+ var ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
+ ref.addEventListener('loadstart', function(event) {
+ if (event.url.indexOf('http://localhost') == 0) {
+ ref.close();
+ }
+ });
+ } else {
+ throw "Not supported by the OIDC server";
+ }
+ },
+
+ redirectUri: function(options) {
+ return 'http://localhost';
+ }
+ }
+ }
+
+ throw 'invalid adapter type: ' + type;
+ }
+
+ var LocalStorage = function() {
+ if (!(this instanceof LocalStorage)) {
+ return new LocalStorage();
+ }
+
+ localStorage.setItem('kc-test', 'test');
+ localStorage.removeItem('kc-test');
+
+ var cs = this;
+
+ function clearExpired() {
+ var time = new Date().getTime();
+ for (var i = 0; i < localStorage.length; i++) {
+ var key = localStorage.key(i);
+ if (key && key.indexOf('kc-callback-') == 0) {
+ var value = localStorage.getItem(key);
+ if (value) {
+ try {
+ var expires = JSON.parse(value).expires;
+ if (!expires || expires < time) {
+ localStorage.removeItem(key);
+ }
+ } catch (err) {
+ localStorage.removeItem(key);
+ }
+ }
+ }
+ }
+ }
+
+ cs.get = function(state) {
+ if (!state) {
+ return;
+ }
+
+ var key = 'kc-callback-' + state;
+ var value = localStorage.getItem(key);
+ if (value) {
+ localStorage.removeItem(key);
+ value = JSON.parse(value);
+ }
+
+ clearExpired();
+ return value;
+ };
+
+ cs.add = function(state) {
+ clearExpired();
+
+ var key = 'kc-callback-' + state.state;
+ state.expires = new Date().getTime() + (60 * 60 * 1000);
+ localStorage.setItem(key, JSON.stringify(state));
+ };
+ };
+
+ var CookieStorage = function() {
+ if (!(this instanceof CookieStorage)) {
+ return new CookieStorage();
+ }
+
+ var cs = this;
+
+ cs.get = function(state) {
+ if (!state) {
+ return;
+ }
+
+ var value = getCookie('kc-callback-' + state);
+ setCookie('kc-callback-' + state, '', cookieExpiration(-100));
+ if (value) {
+ return JSON.parse(value);
+ }
+ };
+
+ cs.add = function(state) {
+ setCookie('kc-callback-' + state.state, JSON.stringify(state), cookieExpiration(60));
+ };
+
+ cs.removeItem = function(key) {
+ setCookie(key, '', cookieExpiration(-100));
+ };
+
+ var cookieExpiration = function (minutes) {
+ var exp = new Date();
+ exp.setTime(exp.getTime() + (minutes*60*1000));
+ return exp;
+ };
+
+ var getCookie = function (key) {
+ var name = key + '=';
+ var ca = document.cookie.split(';');
+ for (var i = 0; i < ca.length; i++) {
+ var c = ca[i];
+ while (c.charAt(0) == ' ') {
+ c = c.substring(1);
+ }
+ if (c.indexOf(name) == 0) {
+ return c.substring(name.length, c.length);
+ }
+ }
+ return '';
+ };
+
+ var setCookie = function (key, value, expirationDate) {
+ var cookie = key + '=' + value + '; '
+ + 'expires=' + expirationDate.toUTCString() + '; ';
+ document.cookie = cookie;
+ }
+ };
+
+ function createCallbackStorage() {
+ try {
+ return new LocalStorage();
+ } catch (err) {
+ }
+
+ return new CookieStorage();
+ }
+ }
+
+ if ( typeof module === "object" && module && typeof module.exports === "object" ) {
+ module.exports = Keycloak;
+ } else {
+ window.Keycloak = Keycloak;
+
+ if ( typeof define === "function" && define.amd ) {
+ define( "keycloak", [], function () { return Keycloak; } );
+ }
+ }
+})( window );
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/drone/KeycloakWebDriverConfigurator.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/drone/KeycloakWebDriverConfigurator.java
index f2f5528..fb0aa3d 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/drone/KeycloakWebDriverConfigurator.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/drone/KeycloakWebDriverConfigurator.java
@@ -17,7 +17,10 @@
package org.keycloak.testsuite.drone;
+import java.util.ArrayList;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import org.jboss.arquillian.config.descriptor.api.ArquillianDescriptor;
@@ -25,9 +28,11 @@ import org.jboss.arquillian.drone.spi.Configurator;
import org.jboss.arquillian.drone.spi.DronePoint;
import org.jboss.arquillian.drone.webdriver.configuration.WebDriverConfiguration;
import org.jboss.arquillian.drone.webdriver.factory.BrowserCapabilitiesList;
+import org.jboss.arquillian.drone.webdriver.factory.BrowserCapabilitiesList.PhantomJS;
import org.jboss.arquillian.drone.webdriver.factory.WebDriverFactory;
import org.jboss.logging.Logger;
import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.phantomjs.PhantomJSDriverService;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@@ -47,11 +52,36 @@ public class KeycloakWebDriverConfigurator extends WebDriverFactory implements C
if (webDriverCfg.getBrowser().equals("htmlUnit")) {
updateCapabilities(webDriverCfg);
+ } else if (webDriverCfg.getBrowser().equals("phantomjs")) {
+ configurePhantomJSDriver(webDriverCfg);
}
return webDriverCfg;
}
+ private void configurePhantomJSDriver(WebDriverConfiguration webDriverCfg) {
+ webDriverCfg.setBrowserInternal(new PhantomJS() {
+ @Override
+ public Map<String, ?> getRawCapabilities() {
+ List<String> cliArgs = new ArrayList<>();
+ String cliArgsProperty = System.getProperty("keycloak.phantomjs.cli.args");
+
+ if (cliArgsProperty != null) {
+ cliArgs = Arrays.asList(cliArgsProperty.split(" "));
+ } else {
+ cliArgs.add("--ignore-ssl-errors=true");
+ cliArgs.add("--web-security=false");
+ }
+
+ Map<String, Object> mergedCapabilities = new HashMap<>(super.getRawCapabilities());
+
+ mergedCapabilities.put(PhantomJSDriverService.PHANTOMJS_CLI_ARGS, cliArgs.toArray(new String[cliArgs.size()]));
+
+ return mergedCapabilities;
+ }
+ });
+ }
+
// This is to ensure that default value of capabilities like "version" will be used just for the HtmlUnitDriver, but not for other drivers.
// Hence in configs we have "htmlUnit.version" instead of "version"
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
index f0b2fe5..15d7bf7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
@@ -21,6 +21,7 @@ package org.keycloak.testsuite.x509;
import org.jboss.logging.Logger;
import org.junit.Assert;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Rule;
import org.keycloak.admin.client.resource.AuthenticationManagementResource;
import org.keycloak.authentication.AuthenticationFlow;
@@ -57,6 +58,7 @@ import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorC
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.IdentityMapperType.USER_ATTRIBUTE;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.ISSUERDN_CN;
+import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTALTNAME_EMAIL;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_CN;
import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL;
@@ -100,6 +102,27 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
return true;
}
+ @BeforeClass
+ public static void onBeforeTestClass() {
+ if (Boolean.parseBoolean(System.getProperty("auth.server.jboss"))) {
+ String authServerHome = System.getProperty("auth.server.home");
+
+ if (authServerHome != null && System.getProperty("auth.server.ssl.required") != null) {
+ authServerHome = authServerHome + "/standalone/configuration";
+ StringBuilder cliArgs = new StringBuilder();
+
+ cliArgs.append("--ignore-ssl-errors=true ");
+ cliArgs.append("--web-security=false ");
+ cliArgs.append("--ssl-certificates-path=" + authServerHome + "/ca.crt ");
+ cliArgs.append("--ssl-client-certificate-file=" + authServerHome + "/client.crt ");
+ cliArgs.append("--ssl-client-key-file=" + authServerHome + "/client.key ");
+ cliArgs.append("--ssl-client-key-passphrase=secret ");
+
+ System.setProperty("keycloak.phantomjs.cli.args", cliArgs.toString());
+ }
+ }
+ }
+
@Before
public void configureFlows() {
authMgmtResource = adminClient.realms().realm(REALM_NAME).flows();
@@ -301,6 +324,13 @@ public abstract class AbstractX509AuthenticationTest extends AbstractTestRealmKe
.setUserIdentityMapperType(USERNAME_EMAIL);
}
+ protected static X509AuthenticatorConfigModel createLoginSubjectAltNameEmail2UsernameOrEmailConfig() {
+ return new X509AuthenticatorConfigModel()
+ .setConfirmationPageAllowed(true)
+ .setMappingSourceType(SUBJECTALTNAME_EMAIL)
+ .setUserIdentityMapperType(USERNAME_EMAIL);
+ }
+
protected static X509AuthenticatorConfigModel createLoginSubjectEmailWithKeyUsage(String keyUsage) {
return createLoginSubjectEmail2UsernameOrEmailConfig()
.setKeyUsage(keyUsage);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameEmailTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameEmailTest.java
new file mode 100644
index 0000000..e8cfc37
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/X509BrowserLoginSubjectAltNameEmailTest.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2018 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.x509;
+
+import org.jboss.arquillian.graphene.page.Page;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.keycloak.OAuth2Constants;
+import org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel;
+import org.keycloak.events.Details;
+import org.keycloak.representations.idm.AuthenticatorConfigRepresentation;
+import org.keycloak.testsuite.pages.AppPage;
+import org.keycloak.testsuite.pages.LoginPage;
+import org.keycloak.testsuite.pages.x509.X509IdentityConfirmationPage;
+
+/**
+ * @author <a href="mailto:brat000012001@gmail.com">Peter Nalyvayko</a>
+ * @version $Revision: 1 $
+ * @date 8/12/2016
+ */
+
+public class X509BrowserLoginSubjectAltNameEmailTest extends AbstractX509AuthenticationTest {
+
+ @Page
+ protected AppPage appPage;
+
+ @Page
+ protected X509IdentityConfirmationPage loginConfirmationPage;
+
+ @Page
+ protected LoginPage loginPage;
+
+ @BeforeClass
+ public static void onBeforeTestClass() {
+ if (Boolean.parseBoolean(System.getProperty("auth.server.jboss"))) {
+ String authServerHome = System.getProperty("auth.server.home");
+
+ if (authServerHome != null && System.getProperty("auth.server.ssl.required") != null) {
+ authServerHome = authServerHome + "/standalone/configuration";
+ StringBuilder cliArgs = new StringBuilder();
+
+ cliArgs.append("--ignore-ssl-errors=true ");
+ cliArgs.append("--web-security=false ");
+ cliArgs.append("--ssl-certificates-path=" + authServerHome + "/ca.crt ");
+ cliArgs.append("--ssl-client-certificate-file=" + authServerHome + "/certs/clients/test-user-san-email@localhost.cert.pem ");
+ cliArgs.append("--ssl-client-key-file=" + authServerHome + "/certs/clients/test-user@localhost.key.pem ");
+ cliArgs.append("--ssl-client-key-passphrase=password");
+
+ System.setProperty("keycloak.phantomjs.cli.args", cliArgs.toString());
+ }
+ }
+ }
+
+ private void login(X509AuthenticatorConfigModel config, String userId, String username, String attemptedUsername) {
+
+ AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", config.getConfig());
+ String cfgId = createConfig(browserExecution.getId(), cfg);
+ Assert.assertNotNull(cfgId);
+
+ loginConfirmationPage.open();
+
+ Assert.assertTrue(loginConfirmationPage.getSubjectDistinguishedNameText().equals("CN=test-user, OU=Keycloak, O=Red Hat, L=Boston, ST=MA, C=US"));
+ Assert.assertEquals(username, loginConfirmationPage.getUsernameText());
+
+ loginConfirmationPage.confirm();
+
+ Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
+
+ events.expectLogin()
+ .user(userId)
+ .detail(Details.USERNAME, attemptedUsername)
+ .removeDetail(Details.REDIRECT_URI)
+ .assertEvent();
+ }
+
+ @Test
+ public void loginAsUserFromCertSubjectEmail() {
+ login(createLoginSubjectAltNameEmail2UsernameOrEmailConfig(), userId, "test-user@localhost", "test-user@localhost");
+ }
+}
\ No newline at end of file
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
index 4c5ccfa..b320fd4 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
@@ -33,9 +33,6 @@
<property name="htmlUnit.version">${htmlUnitBrowserVersion}</property>
<property name="htmlUnitWebClientOptions">cssEnabled=false;historyPageCacheLimit=1</property>
- <!-- phantomjs -->
- <property name="phantomjs.cli.args">${phantomjs.cli.args}</property>
-
<!-- firefox -->
<property name="firefox_binary">${firefox_binary}</property>
<property name="firefoxLogLevel">OFF</property>
@@ -59,7 +56,6 @@
<property name="firefox_binary">${firefox_binary}</property>
<property name="chromeDriverBinary">${webdriver.chrome.driver}</property>
<property name="chromeArguments">${js.chromeArguments}</property>
- <property name="phantomjs.cli.args">${phantomjs.cli.args} --ssl-certificates-path=${client.certificate.ca.path} --ssl-client-certificate-file=${client.certificate.file} --ssl-client-key-file=${client.key.file} --ssl-client-key-passphrase=${client.key.passphrase}</property>
</extension>
<extension qualifier="graphene-secondbrowser">
diff --git a/testsuite/integration-arquillian/tests/pom.xml b/testsuite/integration-arquillian/tests/pom.xml
index c8664a5..563d115 100755
--- a/testsuite/integration-arquillian/tests/pom.xml
+++ b/testsuite/integration-arquillian/tests/pom.xml
@@ -108,7 +108,6 @@
<js.browser>phantomjs</js.browser>
<js.chromeArguments>--headless</js.chromeArguments>
<htmlUnitBrowserVersion>chrome</htmlUnitBrowserVersion>
- <phantomjs.cli.args>--ignore-ssl-errors=true --web-security=false --ssl-certificates-path=${client.certificate.ca.path} --ssl-client-certificate-file=${client.certificate.file} --ssl-client-key-file=${client.key.file} --ssl-client-key-passphrase=${client.key.passphrase}</phantomjs.cli.args>
<firefox_binary>/usr/bin/firefox</firefox_binary>
<firefoxLegacyDriver>true</firefoxLegacyDriver>
<chromeBinary/>
@@ -285,7 +284,6 @@
<ieDriverArch>${ieDriverArch}</ieDriverArch>
<firefox_binary>${firefox_binary}</firefox_binary>
- <phantomjs.cli.args>${phantomjs.cli.args}</phantomjs.cli.args>
<chromeBinary>${chromeBinary}</chromeBinary>
<chromeArguments>${chromeArguments}</chromeArguments>