keycloak-aplcache
Changes
services/src/main/java/org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.java 5(+4 -1)
services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java 19(+18 -1)
services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java 40(+34 -6)
services/src/main/java/org/keycloak/services/clientregistration/policy/RegistrationAuth.java 2(+0 -2)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticator.java 87(+87 -0)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticatorFactory.java 128(+128 -0)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java 90(+90 -0)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticatorFactory.java 109(+109 -0)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory 4(+3 -1)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/ProvidersTest.java 4(+4 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/AbstractRegCliTest.java 2(+1 -1)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java 17(+17 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java 2(+1 -1)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java 11(+7 -4)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AuthenticatorSubflowsTest.java 350(+350 -0)
Details
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index 2fc5136..404706c 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -1155,6 +1155,7 @@ public class RepresentationToModel {
if (rep.isUseTemplateScope() != null) resource.setUseTemplateScope(rep.isUseTemplateScope());
if (rep.isUseTemplateMappers() != null) resource.setUseTemplateMappers(rep.isUseTemplateMappers());
+ if (rep.getSecret() != null) resource.setSecret(rep.getSecret());
if (rep.getClientTemplate() != null) {
if (rep.getClientTemplate().equals(ClientTemplateRepresentation.NONE)) {
diff --git a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java
index 40433cf..8f9d0e7 100755
--- a/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java
+++ b/services/src/main/java/org/keycloak/authentication/DefaultAuthenticationFlow.java
@@ -125,7 +125,20 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow {
if (model.isAuthenticatorFlow()) {
logger.debug("execution is flow");
AuthenticationFlow authenticationFlow = processor.createFlowExecution(model.getFlowId(), model);
- Response flowChallenge = authenticationFlow.processFlow();
+
+ Response flowChallenge = null;
+ try {
+ flowChallenge = authenticationFlow.processFlow();
+ } catch (AuthenticationFlowException afe) {
+ if (model.isAlternative()) {
+ logger.debug("Thrown exception in alternative Subflow. Ignoring Subflow");
+ processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.ATTEMPTED);
+ continue;
+ } else {
+ throw afe;
+ }
+ }
+
if (flowChallenge == null) {
processor.getClientSession().setExecutionStatus(model.getId(), ClientSessionModel.ExecutionStatus.SUCCESS);
if (model.isAlternative()) alternativeSuccessful = true;
@@ -187,7 +200,7 @@ public class DefaultAuthenticationFlow implements AuthenticationFlow {
if (redirect != null) return redirect;
AuthenticationProcessor.Result context = processor.createAuthenticatorContext(model, authenticator, executions);
- logger.debug("invoke authenticator.authenticate");
+ logger.debugv("invoke authenticator.authenticate: {0}", factory.getId());
authenticator.authenticate(context);
Response response = processResult(context);
if (response != null) return response;
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.java b/services/src/main/java/org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.java
index 2974b6c..e9aa8b2 100755
--- a/services/src/main/java/org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.java
@@ -95,9 +95,12 @@ public abstract class AbstractClientRegistrationProvider implements ClientRegist
auth.requireView(client);
ClientRepresentation rep = ModelToRepresentation.toRepresentation(client);
+ if (client.getSecret() != null) {
+ rep.setSecret(client.getSecret());
+ }
if (auth.isRegistrationAccessToken()) {
- String registrationAccessToken = ClientRegistrationTokenUtils.updateRegistrationAccessToken(session, client, auth.getRegistrationAuth());
+ String registrationAccessToken = ClientRegistrationTokenUtils.updateTokenSignature(session, auth);
rep.setRegistrationAccessToken(registrationAccessToken);
}
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
index 8382155..ef7b3e2 100644
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
@@ -57,6 +57,8 @@ public class ClientRegistrationAuth {
private RealmModel realm;
private JsonWebToken jwt;
private ClientInitialAccessModel initialAccessModel;
+ private String kid;
+ private String token;
public ClientRegistrationAuth(KeycloakSession session, ClientRegistrationProvider provider, EventBuilder event) {
this.session = session;
@@ -78,10 +80,13 @@ public class ClientRegistrationAuth {
return;
}
- ClientRegistrationTokenUtils.TokenVerification tokenVerification = ClientRegistrationTokenUtils.verifyToken(session, realm, uri, split[1]);
+ token = split[1];
+
+ ClientRegistrationTokenUtils.TokenVerification tokenVerification = ClientRegistrationTokenUtils.verifyToken(session, realm, uri, token);
if (tokenVerification.getError() != null) {
throw unauthorized(tokenVerification.getError().getMessage());
}
+ kid = tokenVerification.getKid();
jwt = tokenVerification.getJwt();
if (isInitialAccessToken()) {
@@ -92,6 +97,18 @@ public class ClientRegistrationAuth {
}
}
+ public String getToken() {
+ return token;
+ }
+
+ public String getKid() {
+ return kid;
+ }
+
+ public JsonWebToken getJwt() {
+ return jwt;
+ }
+
private boolean isBearerToken() {
return jwt != null && TokenUtil.TOKEN_TYPE_BEARER.equals(jwt.getType());
}
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
index e2d4846..270ca2a 100755
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
@@ -44,6 +44,27 @@ public class ClientRegistrationTokenUtils {
public static final String TYPE_INITIAL_ACCESS_TOKEN = "InitialAccessToken";
public static final String TYPE_REGISTRATION_ACCESS_TOKEN = "RegistrationAccessToken";
+ public static String updateTokenSignature(KeycloakSession session, ClientRegistrationAuth auth) {
+ KeyManager.ActiveRsaKey keys = session.keys().getActiveRsaKey(session.getContext().getRealm());
+
+ if (keys.getKid().equals(auth.getKid())) {
+ return auth.getToken();
+ } else {
+ RegistrationAccessToken regToken = new RegistrationAccessToken();
+ regToken.setRegistrationAuth(auth.getRegistrationAuth().toString().toLowerCase());
+
+ regToken.type(auth.getJwt().getType());
+ regToken.id(auth.getJwt().getId());
+ regToken.issuedAt(Time.currentTime());
+ regToken.expiration(0);
+ regToken.issuer(auth.getJwt().getIssuer());
+ regToken.audience(auth.getJwt().getIssuer());
+
+ String token = new JWSBuilder().kid(keys.getKid()).jsonContent(regToken).rsa256(keys.getPrivateKey());
+ return token;
+ }
+ }
+
public static String updateRegistrationAccessToken(KeycloakSession session, ClientModel client, RegistrationAuth registrationAuth) {
return updateRegistrationAccessToken(session, session.getContext().getRealm(), session.getContext().getUri(), client, registrationAuth);
}
@@ -75,7 +96,8 @@ public class ClientRegistrationTokenUtils {
return TokenVerification.error(new RuntimeException("Invalid token", e));
}
- PublicKey publicKey = session.keys().getRsaPublicKey(realm, input.getHeader().getKeyId());
+ String kid = input.getHeader().getKeyId();
+ PublicKey publicKey = session.keys().getRsaPublicKey(realm, kid);
if (!RSAProvider.verify(input, publicKey)) {
return TokenVerification.error(new RuntimeException("Failed verify token"));
@@ -102,7 +124,7 @@ public class ClientRegistrationTokenUtils {
return TokenVerification.error(new RuntimeException("Invalid type of token"));
}
- return TokenVerification.success(jwt);
+ return TokenVerification.success(kid, jwt);
}
private static String setupToken(JsonWebToken jwt, KeycloakSession session, RealmModel realm, UriInfo uri, String id, String type, int expiration) {
@@ -127,22 +149,28 @@ public class ClientRegistrationTokenUtils {
protected static class TokenVerification {
+ private final String kid;
private final JsonWebToken jwt;
private final RuntimeException error;
- public static TokenVerification success(JsonWebToken jwt) {
- return new TokenVerification(jwt, null);
+ public static TokenVerification success(String kid, JsonWebToken jwt) {
+ return new TokenVerification(kid, jwt, null);
}
public static TokenVerification error(RuntimeException error) {
- return new TokenVerification(null, error);
+ return new TokenVerification(null,null, error);
}
- private TokenVerification(JsonWebToken jwt, RuntimeException error) {
+ private TokenVerification(String kid, JsonWebToken jwt, RuntimeException error) {
+ this.kid = kid;
this.jwt = jwt;
this.error = error;
}
+ public String getKid() {
+ return kid;
+ }
+
public JsonWebToken getJwt() {
return jwt;
}
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/policy/RegistrationAuth.java b/services/src/main/java/org/keycloak/services/clientregistration/policy/RegistrationAuth.java
index eca5ca1..bad5bc4 100644
--- a/services/src/main/java/org/keycloak/services/clientregistration/policy/RegistrationAuth.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/policy/RegistrationAuth.java
@@ -17,8 +17,6 @@
package org.keycloak.services.clientregistration.policy;
-import org.keycloak.services.clientregistration.RegistrationAccessToken;
-
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticator.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticator.java
new file mode 100644
index 0000000..8e75398
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticator.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.authentication;
+
+import org.jboss.logging.Logger;
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class ExpectedParamAuthenticator implements Authenticator {
+
+ public static final String EXPECTED_VALUE = "expected_value";
+
+ public static final String LOGGED_USER = "logged_user";
+
+
+ private static final Logger logger = Logger.getLogger(ExpectedParamAuthenticator.class);
+
+ @Override
+ public void authenticate(AuthenticationFlowContext context) {
+ String paramValue = context.getClientSession().getNote(AuthorizationEndpoint.CLIENT_SESSION_NOTE_ADDITIONAL_REQ_PARAMS_PREFIX + "foo");
+ String expectedValue = context.getAuthenticatorConfig().getConfig().get(EXPECTED_VALUE);
+ logger.info("Value: " + paramValue + ", expectedValue: " + expectedValue);
+
+ if (paramValue != null && paramValue.equals(expectedValue)) {
+
+ String loggedUser = context.getAuthenticatorConfig().getConfig().get(LOGGED_USER);
+ if (loggedUser == null) {
+ logger.info("Successfully authenticated, but don't set any authenticated user");
+ } else {
+ UserModel user = context.getSession().users().getUserByUsername(loggedUser, context.getRealm());
+ logger.info("Successfully authenticated as user " + user.getUsername());
+ context.setUser(user);
+ }
+
+ context.success();
+ } else {
+ context.attempted();
+ }
+ }
+
+ @Override
+ public void action(AuthenticationFlowContext context) {
+ }
+
+ @Override
+ public boolean requiresUser() {
+ return false;
+ }
+
+ @Override
+ public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
+ return true;
+ }
+
+ @Override
+ public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+
+ }
+
+
+ @Override
+ public void close() {
+
+ }
+}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticatorFactory.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticatorFactory.java
new file mode 100644
index 0000000..2a10ab1
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/ExpectedParamAuthenticatorFactory.java
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.authentication;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.keycloak.Config;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.authentication.AuthenticatorFactory;
+import org.keycloak.authentication.ConfigurableAuthenticatorFactory;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class ExpectedParamAuthenticatorFactory implements AuthenticatorFactory, ConfigurableAuthenticatorFactory {
+
+ public static final String PROVIDER_ID = "expected-param-authenticator";
+
+ private static final ExpectedParamAuthenticator SINGLETON = new ExpectedParamAuthenticator();
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+ @Override
+ public Authenticator create(KeycloakSession session) {
+ return SINGLETON;
+ }
+
+ private static AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
+ AuthenticationExecutionModel.Requirement.REQUIRED,
+ AuthenticationExecutionModel.Requirement.ALTERNATIVE,
+ AuthenticationExecutionModel.Requirement.DISABLED
+ };
+ @Override
+ public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
+ return REQUIREMENT_CHOICES;
+ }
+
+ @Override
+ public boolean isUserSetupAllowed() {
+ return false;
+ }
+
+ @Override
+ public boolean isConfigurable() {
+ return true;
+ }
+
+ @Override
+ public String getHelpText() {
+ return "You will be approved if you send query string parameter 'foo' with expected value.";
+ }
+
+ @Override
+ public String getDisplayType() {
+ return "TEST: Expected Parameter";
+ }
+
+ @Override
+ public String getReferenceCategory() {
+ return "Expected Parameter";
+ }
+
+ @Override
+ public void init(Config.Scope config) {
+
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
+
+ static {
+ ProviderConfigProperty property;
+ property = new ProviderConfigProperty();
+ property.setName(ExpectedParamAuthenticator.EXPECTED_VALUE);
+ property.setLabel("Expected query parameter value");
+ property.setType(ProviderConfigProperty.STRING_TYPE);
+ property.setHelpText("Expected value of query parameter foo. Authenticator will success if request to OIDC authz endpoint has this parameter");
+ configProperties.add(property);
+
+ property = new ProviderConfigProperty();
+ property.setName(ExpectedParamAuthenticator.LOGGED_USER);
+ property.setLabel("Automatically logged user");
+ property.setType(ProviderConfigProperty.STRING_TYPE);
+ property.setHelpText("This user will be successfully authenticated automatically when present");
+ configProperties.add(property);
+ }
+
+
+ @Override
+ public List<ProviderConfigProperty> getConfigProperties() {
+ return configProperties;
+ }
+
+
+}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java
new file mode 100644
index 0000000..bb7dcd3
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.authentication;
+
+import javax.ws.rs.core.Response;
+
+import org.keycloak.authentication.AuthenticationFlowContext;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class PushButtonAuthenticator implements Authenticator {
+
+ @Override
+ public void authenticate(AuthenticationFlowContext context) {
+ String accessCode = context.generateAccessCode();
+ String actionUrl = context.getActionUrl(accessCode).toString();
+
+ StringBuilder response = new StringBuilder("<html><head><title>PushTheButton</title></head><body>");
+
+ UserModel user = context.getUser();
+ if (user == null) {
+ response.append("No authenticated user<br>");
+ } else {
+ response.append("Authenticated user: " + user.getUsername() + "<br>");
+ }
+
+ response.append("<form method='POST' action='" + actionUrl + "'>");
+ response.append(" This is the Test Approver. Press login to continue.<br>");
+ response.append(" <input type='submit' name='submit1' value='Submit' />");
+ response.append("</form></body></html>");
+ String html = response.toString();
+
+ Response jaxrsResponse = Response
+ .status(Response.Status.OK)
+ .type("text/html")
+ .entity(html)
+ .build();
+
+ context.challenge(jaxrsResponse);
+
+// Response challenge = context.form().createForm("login-approve.ftl");
+// context.challenge(challenge);
+ }
+
+ @Override
+ public void action(AuthenticationFlowContext context) {
+ context.success();
+ }
+
+ @Override
+ public boolean requiresUser() {
+ return false;
+ }
+
+ @Override
+ public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
+ return false;
+ }
+
+ @Override
+ public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
+
+ }
+
+
+ @Override
+ public void close() {
+
+ }
+}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticatorFactory.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticatorFactory.java
new file mode 100644
index 0000000..84b177b
--- /dev/null
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticatorFactory.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.authentication;
+
+import org.keycloak.Config;
+import org.keycloak.authentication.Authenticator;
+import org.keycloak.authentication.AuthenticatorFactory;
+import org.keycloak.authentication.ConfigurableAuthenticatorFactory;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.provider.ProviderConfigProperty;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class PushButtonAuthenticatorFactory implements AuthenticatorFactory, ConfigurableAuthenticatorFactory {
+
+ public static final String PROVIDER_ID = "push-button-authenticator";
+ private static final PushButtonAuthenticator SINGLETON = new PushButtonAuthenticator();
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+ @Override
+ public Authenticator create(KeycloakSession session) {
+ return SINGLETON;
+ }
+
+ private static AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
+ AuthenticationExecutionModel.Requirement.REQUIRED,
+ AuthenticationExecutionModel.Requirement.ALTERNATIVE,
+ AuthenticationExecutionModel.Requirement.DISABLED
+ };
+ @Override
+ public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
+ return REQUIREMENT_CHOICES;
+ }
+
+ @Override
+ public boolean isUserSetupAllowed() {
+ return false;
+ }
+
+ @Override
+ public boolean isConfigurable() {
+ return false;
+ }
+
+ @Override
+ public String getHelpText() {
+ return "Just press the button to login.";
+ }
+
+ @Override
+ public String getDisplayType() {
+ return "TEST: Button Login";
+ }
+
+ @Override
+ public String getReferenceCategory() {
+ return "Button Login";
+ }
+
+ @Override
+ public void init(Config.Scope config) {
+
+ }
+
+ @Override
+ public void postInit(KeycloakSessionFactory factory) {
+
+ }
+
+ @Override
+ public void close() {
+
+ }
+
+ private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
+
+ @Override
+ public List<ProviderConfigProperty> getConfigProperties() {
+ return configProperties;
+ }
+
+
+}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
index 660f91f..18317d0 100755
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/META-INF/services/org.keycloak.authentication.AuthenticatorFactory
@@ -17,4 +17,6 @@
org.keycloak.testsuite.forms.PassThroughAuthenticator
org.keycloak.testsuite.forms.PassThroughRegistration
-org.keycloak.testsuite.forms.ClickThroughAuthenticator
\ No newline at end of file
+org.keycloak.testsuite.forms.ClickThroughAuthenticator
+org.keycloak.testsuite.authentication.ExpectedParamAuthenticatorFactory
+org.keycloak.testsuite.authentication.PushButtonAuthenticatorFactory
\ No newline at end of file
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/ProvidersTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/ProvidersTest.java
index fc8b25b..4cd98b7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/ProvidersTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/ProvidersTest.java
@@ -147,6 +147,8 @@ public class ProvidersTest extends AbstractAuthenticationTest {
"Validates the password supplied as a 'password' form parameter in direct grant request");
addProviderInfo(result, "direct-grant-validate-username", "Username Validation",
"Validates the username supplied as a 'username' form parameter in direct grant request");
+ addProviderInfo(result, "expected-param-authenticator", "TEST: Expected Parameter",
+ "You will be approved if you send query string parameter 'foo' with expected value.");
addProviderInfo(result, "http-basic-authenticator", "HTTP Basic Authentication", "Validates username and password from Authorization HTTP header");
addProviderInfo(result, "identity-provider-redirector", "Identity Provider Redirector", "Redirects to default Identity Provider or Identity Provider specified with kc_idp_hint query parameter");
addProviderInfo(result, "idp-confirm-link", "Confirm link existing account", "Show the form where user confirms if he wants " +
@@ -159,6 +161,8 @@ public class ProvidersTest extends AbstractAuthenticationTest {
"User reviews and updates profile data retrieved from Identity Provider in the displayed form");
addProviderInfo(result, "idp-username-password-form", "Username Password Form for identity provider reauthentication",
"Validates a password from login form. Username is already known from identity provider authentication");
+ addProviderInfo(result, "push-button-authenticator", "TEST: Button Login",
+ "Just press the button to login.");
addProviderInfo(result, "reset-credential-email", "Send Reset Email", "Send email to user and wait for response.");
addProviderInfo(result, "reset-credentials-choose-user", "Choose User", "Choose a user to reset credentials for");
addProviderInfo(result, "reset-otp", "Reset OTP", "Sets the Configure OTP required action if execution is REQUIRED. " +
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/AbstractRegCliTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/AbstractRegCliTest.java
index 40d755a..e171cca 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/AbstractRegCliTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/AbstractRegCliTest.java
@@ -455,7 +455,7 @@ public abstract class AbstractRegCliTest extends AbstractCliTest {
ClientRepresentation client3 = JsonSerialization.readValue(exe.stdout(), ClientRepresentation.class);
Assert.assertEquals("clientId", "test-client", client3.getClientId());
- Assert.assertNotEquals("registrationAccessToken in returned json is different than one returned by create",
+ Assert.assertEquals("registrationAccessToken in returned json is different than one returned by create",
client.getRegistrationAccessToken(), client3.getRegistrationAccessToken());
lastModified2 = configFile.exists() ? configFile.lastModified() : 0;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
index 5d1f4ae..c9e6691 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
@@ -165,6 +165,23 @@ public class ClientRegistrationTest extends AbstractClientRegistrationTest {
}
@Test
+ public void updateClientSecret() throws ClientRegistrationException {
+ authManageClients();
+
+ registerClient();
+
+ ClientRepresentation client = reg.get(CLIENT_ID);
+ assertNotNull(client.getSecret());
+ client.setSecret("mysecret");
+
+ reg.update(client);
+
+ ClientRepresentation updatedClient = reg.get(CLIENT_ID);
+
+ assertEquals("mysecret", updatedClient.getSecret());
+ }
+
+ @Test
public void updateClientAsAdminWithCreateOnly() throws ClientRegistrationException {
authCreateClients();
try {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
index 4b4c9ba..57f71b2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java
@@ -139,7 +139,7 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
OIDCClientRepresentation rep = reg.oidc().get(response.getClientId());
assertNotNull(rep);
- assertNotEquals(response.getRegistrationAccessToken(), rep.getRegistrationAccessToken());
+ assertEquals(response.getRegistrationAccessToken(), rep.getRegistrationAccessToken());
assertTrue(CollectionUtil.collectionEquals(Arrays.asList("code", "none"), response.getResponseTypes()));
assertTrue(CollectionUtil.collectionEquals(Arrays.asList(OAuth2Constants.AUTHORIZATION_CODE, OAuth2Constants.REFRESH_TOKEN), response.getGrantTypes()));
assertNotNull(response.getClientSecret());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java
index 1e48290..04878f3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java
@@ -80,13 +80,16 @@ public class RegistrationAccessTokenTest extends AbstractClientRegistrationTest
@Test
public void getClientWithRegistrationToken() throws ClientRegistrationException {
+ setTimeOffset(10);
+
ClientRepresentation rep = reg.get(client.getClientId());
assertNotNull(rep);
- assertNotEquals(client.getRegistrationAccessToken(), rep.getRegistrationAccessToken());
- // check registration access token is updated
- assertRead(client.getClientId(), client.getRegistrationAccessToken(), false);
- assertRead(client.getClientId(), rep.getRegistrationAccessToken(), true);
+ assertEquals(client.getRegistrationAccessToken(), rep.getRegistrationAccessToken());
+ assertNotNull(rep.getRegistrationAccessToken());
+
+ // KEYCLOAK-4984 check registration access token is not updated
+ assertRead(client.getClientId(), client.getRegistrationAccessToken(), true);
}
@Test
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AuthenticatorSubflowsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AuthenticatorSubflowsTest.java
new file mode 100644
index 0000000..d057ace
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/AuthenticatorSubflowsTest.java
@@ -0,0 +1,350 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.forms;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.graphene.page.Page;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.keycloak.admin.client.resource.UserResource;
+import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
+import org.keycloak.events.Details;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.AuthenticationFlowModel;
+import org.keycloak.models.AuthenticatorConfigModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
+import org.keycloak.testsuite.AssertEvents;
+import org.keycloak.testsuite.authentication.ExpectedParamAuthenticator;
+import org.keycloak.testsuite.authentication.ExpectedParamAuthenticatorFactory;
+import org.keycloak.testsuite.authentication.PushButtonAuthenticatorFactory;
+import org.keycloak.testsuite.pages.AppPage;
+import org.keycloak.testsuite.pages.ErrorPage;
+import org.keycloak.testsuite.pages.LoginPage;
+import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
+import org.openqa.selenium.By;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class AuthenticatorSubflowsTest extends AbstractTestRealmKeycloakTest {
+
+ @Rule
+ public AssertEvents events = new AssertEvents(this);
+
+ @Page
+ protected AppPage appPage;
+
+ @Page
+ protected LoginPage loginPage;
+
+ @Page
+ protected ErrorPage errorPage;
+
+ @Override
+ public void configureTestRealm(RealmRepresentation testRealm) {
+ }
+
+ @Deployment
+ public static WebArchive deploy() {
+ return RunOnServerDeployment.create(UserResource.class)
+ .addPackages(true, "org.keycloak.testsuite");
+ }
+
+
+ @Before
+ public void setupFlows() {
+ testingClient.server().run(session -> {
+ RealmModel realm = session.realms().getRealmByName("test");
+
+ if (realm.getBrowserFlow().getAlias().equals("parent-flow")) {
+ return;
+ }
+
+ // Parent flow
+ AuthenticationFlowModel browser = new AuthenticationFlowModel();
+ browser.setAlias("parent-flow");
+ browser.setDescription("browser based authentication");
+ browser.setProviderId("basic-flow");
+ browser.setTopLevel(true);
+ browser.setBuiltIn(true);
+ browser = realm.addAuthenticationFlow(browser);
+ realm.setBrowserFlow(browser);
+
+ // Subflow1
+ AuthenticationFlowModel subflow1 = new AuthenticationFlowModel();
+ subflow1.setTopLevel(false);
+ subflow1.setBuiltIn(true);
+ subflow1.setAlias("subflow-1");
+ subflow1.setDescription("Parameter 'foo=bar1' AND username+password");
+ subflow1.setProviderId("basic-flow");
+ subflow1 = realm.addAuthenticationFlow(subflow1);
+
+ AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(browser.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
+ execution.setFlowId(subflow1.getId());
+ execution.setPriority(10);
+ execution.setAuthenticatorFlow(true);
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow1 - foo=bar1
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow1.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(ExpectedParamAuthenticatorFactory.PROVIDER_ID);
+ execution.setPriority(10);
+ execution.setAuthenticatorFlow(false);
+
+ AuthenticatorConfigModel configModel = new AuthenticatorConfigModel();
+ configModel.setAlias("bar1");
+ Map<String, String> config = new HashMap<>();
+ config.put(ExpectedParamAuthenticator.EXPECTED_VALUE, "bar1");
+ configModel.setConfig(config);
+ configModel = realm.addAuthenticatorConfig(configModel);
+ execution.setAuthenticatorConfig(configModel.getId());
+
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow1 - username password
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow1.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(UsernamePasswordFormFactory.PROVIDER_ID);
+ execution.setPriority(20);
+ execution.setAuthenticatorFlow(false);
+
+ realm.addAuthenticatorExecution(execution);
+
+
+
+ // Subflow2
+ AuthenticationFlowModel subflow2 = new AuthenticationFlowModel();
+ subflow2.setTopLevel(false);
+ subflow2.setBuiltIn(true);
+ subflow2.setAlias("subflow-2");
+ subflow2.setDescription("username+password AND pushButton");
+ subflow2.setProviderId("basic-flow");
+ subflow2 = realm.addAuthenticationFlow(subflow2);
+
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(browser.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
+ execution.setFlowId(subflow2.getId());
+ execution.setPriority(20);
+ execution.setAuthenticatorFlow(true);
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow2 - push the button
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow2.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(PushButtonAuthenticatorFactory.PROVIDER_ID);
+ execution.setPriority(10);
+ execution.setAuthenticatorFlow(false);
+
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow2 - username-password
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow2.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(UsernamePasswordFormFactory.PROVIDER_ID);
+ execution.setPriority(20);
+ execution.setAuthenticatorFlow(false);
+
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow3
+ AuthenticationFlowModel subflow3 = new AuthenticationFlowModel();
+ subflow3.setTopLevel(false);
+ subflow3.setBuiltIn(true);
+ subflow3.setAlias("subflow-3");
+ subflow3.setDescription("alternative subflow with child subflows");
+ subflow3.setProviderId("basic-flow");
+ subflow3 = realm.addAuthenticationFlow(subflow3);
+
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(browser.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
+ execution.setFlowId(subflow3.getId());
+ execution.setPriority(30);
+ execution.setAuthenticatorFlow(true);
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow3-1
+ AuthenticationFlowModel subflow31 = new AuthenticationFlowModel();
+ subflow31.setTopLevel(false);
+ subflow31.setBuiltIn(true);
+ subflow31.setAlias("subflow-31");
+ subflow31.setDescription("subflow-31");
+ subflow31.setProviderId("basic-flow");
+ subflow31 = realm.addAuthenticationFlow(subflow31);
+
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow3.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
+ execution.setFlowId(subflow31.getId());
+ execution.setPriority(10);
+ execution.setAuthenticatorFlow(true);
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow3-1 - foo=bar2
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow31.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(ExpectedParamAuthenticatorFactory.PROVIDER_ID);
+ execution.setPriority(10);
+ execution.setAuthenticatorFlow(false);
+
+ configModel = new AuthenticatorConfigModel();
+ configModel.setAlias("bar2");
+ config = new HashMap<>();
+ config.put(ExpectedParamAuthenticator.EXPECTED_VALUE, "bar2");
+ config.put(ExpectedParamAuthenticator.LOGGED_USER, "john-doh@localhost");
+ configModel.setConfig(config);
+ configModel = realm.addAuthenticatorConfig(configModel);
+ execution.setAuthenticatorConfig(configModel.getId());
+
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow3-1 - push the button
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow31.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
+ execution.setAuthenticator(PushButtonAuthenticatorFactory.PROVIDER_ID);
+ execution.setPriority(20);
+ execution.setAuthenticatorFlow(false);
+
+ realm.addAuthenticatorExecution(execution);
+
+ // Subflow3 - foo=bar3
+ execution = new AuthenticationExecutionModel();
+ execution.setParentFlow(subflow3.getId());
+ execution.setRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
+ execution.setAuthenticator(ExpectedParamAuthenticatorFactory.PROVIDER_ID);
+ execution.setPriority(20);
+ execution.setAuthenticatorFlow(false);
+
+ configModel = new AuthenticatorConfigModel();
+ configModel.setAlias("bar3");
+ config = new HashMap<>();
+ config.put(ExpectedParamAuthenticator.EXPECTED_VALUE, "bar3");
+ config.put(ExpectedParamAuthenticator.LOGGED_USER, "keycloak-user@localhost");
+ configModel.setConfig(config);
+ configModel = realm.addAuthenticatorConfig(configModel);
+ execution.setAuthenticatorConfig(configModel.getId());
+
+ realm.addAuthenticatorExecution(execution);
+
+
+ });
+ }
+
+
+// @Test
+// public void testSleep() throws Exception {
+// log.info("Start sleeping");
+// Thread.sleep(1000000);
+// }
+
+
+ @Test
+ public void testSubflow1() throws Exception {
+ // Add foo=bar1 . I am redirected to subflow1 - username+password form
+ String loginFormUrl = oauth.getLoginFormUrl();
+ loginFormUrl = loginFormUrl + "&foo=bar1";
+ log.info("loginFormUrl: " + loginFormUrl);
+
+ //Thread.sleep(10000000);
+
+ driver.navigate().to(loginFormUrl);
+
+ loginPage.assertCurrent();
+
+ // Fill username+password. I am successfully authenticated
+ oauth.fillLoginForm("test-user@localhost", "password");
+ appPage.assertCurrent();
+
+ events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+ }
+
+
+ @Test
+ public void testSubflow2() throws Exception {
+ // Don't add 'foo' parameter. I am redirected to subflow2 - push the button
+ String loginFormUrl = oauth.getLoginFormUrl();
+ log.info("loginFormUrl: " + loginFormUrl);
+
+ //Thread.sleep(10000000);
+
+ driver.navigate().to(loginFormUrl);
+
+ Assert.assertEquals("PushTheButton", driver.getTitle());
+
+ // Push the button. I am redirected to username+password form
+ driver.findElement(By.name("submit1")).click();
+
+
+ loginPage.assertCurrent();
+
+ // Fill username+password. I am successfully authenticated
+ oauth.fillLoginForm("test-user@localhost", "password");
+ appPage.assertCurrent();
+
+ events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+ }
+
+
+// @Test
+// public void testSubflow31() {
+// // Fill foo=bar2. I am see the pushButton
+// String loginFormUrl = oauth.getLoginFormUrl();
+// loginFormUrl = loginFormUrl + "&foo=bar2";
+// log.info("loginFormUrl: " + loginFormUrl);
+//
+// //Thread.sleep(10000000);
+//
+// driver.navigate().to(loginFormUrl);
+// Assert.assertEquals("PushTheButton", driver.getTitle());
+//
+// // Confirm push button. I am authenticated as john-doh@localhost
+// driver.findElement(By.name("submit1")).click();
+//
+// appPage.assertCurrent();
+//
+// events.expectLogin().detail(Details.USERNAME, "john-doh@localhost").assertEvent();
+// }
+//
+//
+// @Test
+// public void testSubflow32() {
+// // Fill foo=bar3. I am login automatically as "keycloak-user@localhost"
+//
+//
+// }
+
+
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java
index 6c54d2b..3dad4b1 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java
@@ -23,6 +23,9 @@ import org.jboss.arquillian.graphene.page.Page;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.RSATokenVerifier;
+import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
+import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
@@ -31,6 +34,8 @@ import org.keycloak.keys.Attributes;
import org.keycloak.keys.GeneratedHmacKeyProviderFactory;
import org.keycloak.keys.KeyProvider;
import org.keycloak.keys.ImportedRsaKeyProviderFactory;
+import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
+import org.keycloak.representations.idm.ClientInitialAccessPresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.KeysMetadataRepresentation;
@@ -40,11 +45,11 @@ import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.AppPage.RequestType;
import org.keycloak.testsuite.pages.LoginPage;
+import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.KeycloakModelUtils;
import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.UserInfoClientUtil;
-import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.security.KeyPair;
@@ -125,12 +130,27 @@ public class KeyRotationTest extends AbstractKeycloakTest {
assertTokenSignature(key1, response.getAccessToken());
assertTokenSignature(key1, response.getRefreshToken());
+ // Create client with keys #1
+ ClientInitialAccessCreatePresentation initialToken = new ClientInitialAccessCreatePresentation();
+ initialToken.setCount(100);
+ initialToken.setExpiration(0);
+ ClientInitialAccessPresentation accessRep = adminClient.realm("test").clientInitialAccess().create(initialToken);
+ String initialAccessToken = accessRep.getToken();
+
+ ClientRegistration reg = ClientRegistration.create().url(suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "test").build();
+ reg.auth(Auth.token(initialAccessToken));
+ ClientRepresentation clientRep = reg.create(ClientBuilder.create().clientId("test").build());
+
// Userinfo with keys #1
assertUserInfo(response.getAccessToken(), 200);
// Token introspection with keys #1
assertTokenIntrospection(response.getAccessToken(), true);
+ // Get client with keys #1 - registration access token should not have changed
+ ClientRepresentation clientRep2 = reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
+ assertEquals(clientRep.getRegistrationAccessToken(), clientRep2.getRegistrationAccessToken());
+
// Create keys #2
PublicKey key2 = createKeys2();
@@ -146,6 +166,10 @@ public class KeyRotationTest extends AbstractKeycloakTest {
// Token introspection with keys #2
assertTokenIntrospection(response.getAccessToken(), true);
+ // Get client with keys #2 - registration access token should be changed
+ ClientRepresentation clientRep3 = reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
+ assertNotEquals(clientRep.getRegistrationAccessToken(), clientRep3.getRegistrationAccessToken());
+
// Drop key #1
dropKeys1();
@@ -160,6 +184,17 @@ public class KeyRotationTest extends AbstractKeycloakTest {
// Token introspection with keys #1 dropped
assertTokenIntrospection(response.getAccessToken(), true);
+ // Get client with keys #1 - should fail
+ try {
+ reg.auth(Auth.token(clientRep.getRegistrationAccessToken())).get("test");
+ fail("Expected to fail");
+ } catch (ClientRegistrationException e) {
+ }
+
+ // Get client with keys #2 - should succeed
+ ClientRepresentation clientRep4 = reg.auth(Auth.token(clientRep3.getRegistrationAccessToken())).get("test");
+ assertNotEquals(clientRep2.getRegistrationAccessToken(), clientRep4.getRegistrationAccessToken());
+
// Drop key #2
dropKeys2();
@@ -283,7 +318,7 @@ public class KeyRotationTest extends AbstractKeycloakTest {
}
private void assertUserInfo(String token, int expectedStatus) {
- Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(ClientBuilder.newClient(), token);
+ Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(javax.ws.rs.client.ClientBuilder.newClient(), token);
assertEquals(expectedStatus, userInfoResponse.getStatus());
userInfoResponse.close();
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties b/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
index 5605c9d..0bd149b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
@@ -67,4 +67,5 @@ log4j.logger.org.apache.directory.server.core=warn
# log4j.logger.org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator=trace
# log4j.logger.org.keycloak.keys.infinispan=trace
-log4j.logger.org.keycloak.services.clientregistration.policy=debug
\ No newline at end of file
+log4j.logger.org.keycloak.services.clientregistration.policy=debug
+#log4j.logger.org.keycloak.authentication=debug