org.gluu.oxauth.model.common.ResponseType Java Examples

Example #1
Source File: RegistrationRestWebServiceHttpTest.java (project: oxAuth, MIT License)
/**
 * Registration must be refused when response_type "code" is requested without any
 * redirect_uris: without a registered URI the server has nothing to bind the
 * authorization code to. Expects HTTP 400 with error and error_description set.
 */
@Test
public void failRegistration_whenRedirectUriIsNotSetForResponseTypeCode() throws Exception {
    showTitle("failRegistration_whenRedirectUriIsNotSetForResponseTypeCode");

    // Only response_types=code is set; redirect_uris is deliberately omitted.
    RegisterRequest codeOnlyRequest = new RegisterRequest();
    codeOnlyRequest.setResponseTypes(Lists.newArrayList(ResponseType.CODE));

    RegisterClient client = new RegisterClient(registrationEndpoint);
    client.setExecutor(clientExecutor(true));
    client.setRequest(codeOnlyRequest);
    RegisterResponse registerResponse = client.exec();
    showClient(client);

    assertEquals(registerResponse.getStatus(), 400, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getEntity(), "The entity is null");
    assertNotNull(registerResponse.getErrorType(), "The error type is null");
    assertNotNull(registerResponse.getErrorDescription(), "The error description is null");
}
 
Example #2
Source File: BenchmarkRequestAccessToken.java (project: oxAuth, MIT License)
/**
 * Benchmark fixture: registers one "code id_token" client before the class runs and
 * keeps its client_id / client_secret in the corresponding fields for later requests.
 * userId and userSecret are received from the suite parameters but are not used here.
 */
@Parameters({"userId", "userSecret", "redirectUris", "sectorIdentifierUri"})
@BeforeClass
public void registerClient(final String userId, final String userSecret, String redirectUris, String sectorIdentifierUri) throws Exception {
    Reporter.log("Register client", true);

    final List<ResponseType> requestedResponseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
    final List<String> requestedScopes = Arrays.asList("openid", "profile", "address", "email", "user_name");

    final RegisterResponse registered = registerClient(redirectUris, requestedResponseTypes, requestedScopes, sectorIdentifierUri);
    assertEquals(registered.getStatus(), 200, "Unexpected response code: " + registered.getEntity());

    // Every credential-related field used later must be present in the response.
    assertNotNull(registered.getClientId());
    assertNotNull(registered.getClientSecret());
    assertNotNull(registered.getRegistrationAccessToken());
    assertNotNull(registered.getClientIdIssuedAt());
    assertNotNull(registered.getClientSecretExpiresAt());

    this.clientId = registered.getClientId();
    this.clientSecret = registered.getClientSecret();
}
 
Example #3
Source File: AuthorizationCodeFlowHttpTest.java (project: oxAuth, MIT License)
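/**
 * Runs the authorization-code step: builds the request with a fresh random state,
 * authenticates the resource owner through the shared helper and returns the parsed
 * response after checking it carries a location, a code, the state and a scope.
 *
 * The state is compared with the value that was sent, not merely checked for presence:
 * the state parameter is the client's CSRF binding, so an authorization response that
 * carries a different (or a stale) state must be treated as a failure.
 *
 * @param userId        resource-owner login
 * @param userSecret    resource-owner password
 * @param redirectUri   redirect_uri registered for the client
 * @param responseTypes response_type values to request
 * @param scopes        scope values to request
 * @param clientId      client_id of the registered client
 * @param nonce         nonce to include in the request
 * @return the parsed authorization response
 */
private AuthorizationResponse requestAuthorization(final String userId, final String userSecret, final String redirectUri,
                                                   List<ResponseType> responseTypes, List<String> scopes, String clientId, String nonce) {
    final String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getCode(), "The authorization code is null");
    assertNotNull(authorizationResponse.getState(), "The state is null");
    // The server must echo the exact state it was given (RFC 6749 §4.1.2).
    assertEquals(authorizationResponse.getState(), state, "The state does not match the one sent");
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    return authorizationResponse;
}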
 
Example #4
Source File: AccessTokenManualTest.java (project: oxAuth, MIT License)
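/**
 * Manual, long-running check of access-token lifetime: obtains an access token via the
 * "code id_token token" flow and then calls the userinfo endpoint every 10 seconds for
 * 100 iterations (about 17 minutes) to observe when the token stops being accepted.
 * Not suitable for CI — it sleeps for the whole duration.
 *
 * The raw access token is no longer written to stdout: it is a live bearer credential
 * and console/build logs are routinely shared or archived. Only a short prefix and the
 * length are printed, which is enough to correlate a run with server-side records.
 *
 * @param userId      resource-owner login
 * @param userSecret  resource-owner password
 * @param redirectUri redirect_uri registered for the client
 * @param clientId    client_id of an already registered client
 */
@Parameters({"userId", "userSecret", "redirectUri", "clientId"})
@Test
public void accessTokenExpiration(final String userId, final String userSecret, final String redirectUri, String clientId) throws Exception {
    showTitle("accessTokenExpiration");

    // Request authorization and receive the authorization code (plus access and id tokens).
    final String nonce = UUID.randomUUID().toString();
    final List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN, ResponseType.TOKEN);
    final List<String> scopes = Arrays.asList("openid", "profile", "address", "email", "phone", "user_name");
    AuthorizationResponse authorizationResponse = requestAuthorization(userId, userSecret, redirectUri, responseTypes, scopes, clientId, nonce);

    final String accessToken = authorizationResponse.getAccessToken();

    // Never log the bearer token itself.
    System.out.println("access_token: " + redactToken(accessToken));

    final int iterations = 100;
    final int intervalSeconds = 10;
    for (int i = 0; i < iterations; i++) {
        requestUserInfo(accessToken);

        sleepSeconds(intervalSeconds);

        System.out.println("Obtained user info successfully, seconds: " + ((i + 1) * intervalSeconds));
    }
}

/**
 * Log-safe rendering of a token: the first four characters followed by the total
 * length, or the literal "null" when no token was issued.
 */
private static String redactToken(String token) {
    if (token == null) {
        return "null";
    }
    String prefix = token.length() > 4 ? token.substring(0, 4) : token;
    return prefix + "...(" + token.length() + " chars)";
}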
 
Example #5
Source File: SpontaneousScopeHttpTest.java (project: oxAuth, MIT License)
/**
 * Spontaneous scopes: "transaction:<id>" scopes are not pre-defined on the server.
 * The test registers a hybrid client, requests two such scopes together with the
 * standard OIDC scopes, and checks that exactly the requested spontaneous scopes —
 * and not an unrequested one — are returned in the authorization response.
 */
@Parameters({"userId", "userSecret", "redirectUri"})
@Test
public void spontaneousScope(final String userId, final String userSecret, final String redirectUri) throws Exception {
    showTitle("spontaneousScope");

    final List<ResponseType> hybridResponseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN, ResponseType.TOKEN);
    final RegisterResponse registered = registerClient(redirectUri, hybridResponseTypes);
    final String clientId = registered.getClientId();

    // Request authorization; the two "transaction:*" scopes are the spontaneous ones.
    final List<String> requestedScopes = Lists.newArrayList("openid", "profile", "address", "email", "phone", "user_name",
            "transaction:245", "transaction:8645");
    final AuthorizationResponse authorizationResponse =
            requestAuthorization(userId, userSecret, redirectUri, hybridResponseTypes, requestedScopes, clientId);

    final List<String> grantedScopes = Arrays.asList(authorizationResponse.getScope().split(" "));

    // Only spontaneous scopes that were actually requested may be granted.
    assertTrue(grantedScopes.contains("transaction:245"));
    assertTrue(grantedScopes.contains("transaction:8645"));
    assertFalse(grantedScopes.contains("transaction:not_requested"));
}
 
Example #6
Source File: RegistrationRestWebServiceEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Embedded-container variant: posting a registration whose only field is
 * response_types=["code"] (no application type, name or redirect_uris) must be refused
 * with HTTP 400 and a well-formed error body.
 */
@Parameters({"registerPath"})
@Test
public void failRegistration_whenRedirectUriIsNotSetForResponseTypeCode(final String registerPath) throws Exception {
    Builder httpRequest = ResteasyClientBuilder.newClient().target(url.toString() + registerPath).request();

    String payload = null;
    try {
        RegisterRequest codeOnly = new RegisterRequest(null, null, null);
        codeOnly.setResponseTypes(Lists.newArrayList(ResponseType.CODE));
        payload = ServerUtil.toPrettyJson(codeOnly.getJSONParameters());
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage());
    }

    Response response = httpRequest.post(Entity.json(payload));
    String entity = response.readEntity(String.class);
    showResponse("requestClientRegistrationFail 1", response, entity);

    assertEquals(response.getStatus(), 400, "Unexpected response code. " + entity);
    TestUtil.assertErrorResponse(entity);
}
 
Example #7
Source File: UserAuthenticationFilterEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Registers the web client used by the rest of this class and stores its client_id and
 * client_secret. The client asks for all three response types, the
 * resource-owner-password-credentials grant (which bypasses the authorization endpoint
 * entirely, so it is only appropriate for a test suite) and the custom attribute
 * oxAuthTrustedClient=true (server-specific; presumably marks the client as
 * pre-authorized — confirm against the server configuration before reusing).
 */
@Parameters({"registerPath", "redirectUris"})
@Test
public void dynamicClientRegistration(final String registerPath, final String redirectUris) throws Exception {
    Builder httpRequest = ResteasyClientBuilder.newClient().target(url.toString() + registerPath).request();

    RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registration.setResponseTypes(Arrays.asList(ResponseType.CODE, ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registration.addCustomAttribute("oxAuthTrustedClient", "true");
    registration.setGrantTypes(Arrays.asList(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS));

    String payload = ServerUtil.toPrettyJson(registration.getJSONParameters());

    Response response = httpRequest.post(Entity.json(payload));
    String entity = response.readEntity(String.class);
    showResponse("dynamicClientRegistration", response, entity);

    assertEquals(response.getStatus(), 200, "Unexpected response code. " + entity);
    assertNotNull(entity, "Unexpected result: " + entity);
    try {
        final RegisterResponse registered = RegisterResponse.valueOf(entity);
        ClientTestUtil.assert_(registered);

        clientId = registered.getClientId();
        clientSecret = registered.getClientSecret();
    } catch (Exception e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    }
}
 
Example #8
Source File: AuthorizeParamsValidator.java (project: oxAuth, MIT License)
/**
 * Checks that every response_type in an authorization request was registered for the
 * client. This is the server-side gate that stops a client registered for "code" from
 * asking for "token" or "id_token" at the authorization endpoint.
 *
 * Rejects (returns false) when the requested list is null or empty, when there is no
 * client, or when the client has no registered response types at all; otherwise
 * returns true only if each requested value appears in the client's registered set.
 *
 * @param responseTypes response_type values taken from the request
 * @param client        the client the request is made on behalf of
 * @return true if all requested response types are registered for the client
 */
public static boolean validateResponseTypes(List<ResponseType> responseTypes, Client client) {
    if (responseTypes == null || responseTypes.isEmpty()) {
        return false;
    }
    if (client == null || client.getResponseTypes() == null) {
        return false;
    }

    final List<ResponseType> registered = Arrays.asList(client.getResponseTypes());
    for (ResponseType requested : responseTypes) {
        // A single unregistered value is enough to reject the whole request.
        if (!registered.contains(requested)) {
            return false;
        }
    }
    return true;
}
 
Example #9
Source File: ResponseTypesRestrictionHttpTest.java (project: oxAuth, MIT License)
/**
 * Data provider for the negative step of the "code id_token" restriction test. Every
 * row shares the same suite parameters and differs only in the response_type
 * combination — each one is something other than "code id_token" and is expected to
 * be rejected by the authorization endpoint.
 */
@DataProvider(name = "responseTypesCodeIdTokenFailDataProvider")
public Object[][] responseTypesCodeIdTokenFailDataProvider(ITestContext context) {
    final String redirectUris = context.getCurrentXmlTest().getParameter("redirectUris");
    final String redirectUri = context.getCurrentXmlTest().getParameter("redirectUri");
    final String userId = context.getCurrentXmlTest().getParameter("userId");
    final String userSecret = context.getCurrentXmlTest().getParameter("userSecret");
    final String sectorIdentifierUri = context.getCurrentXmlTest().getParameter("sectorIdentifierUri");

    final List<List<ResponseType>> rejectedCombinations = Arrays.asList(
            Arrays.asList(ResponseType.TOKEN),
            Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN),
            Arrays.asList(ResponseType.CODE, ResponseType.TOKEN),
            Arrays.asList(ResponseType.CODE, ResponseType.TOKEN, ResponseType.ID_TOKEN));

    final Object[][] rows = new Object[rejectedCombinations.size()][];
    for (int i = 0; i < rows.length; i++) {
        rows[i] = new Object[]{redirectUris, redirectUri, userId, userSecret, rejectedCombinations.get(i), sectorIdentifierUri};
    }
    return rows;
}
 
Example #10
Source File: BenchmarkRequestAuthorization.java (project: oxAuth, MIT License)
/**
 * One benchmark iteration: runs the "code id_token" authorization with a fresh nonce and
 * checks that the response carries a redirect location, an authorization code, the
 * state and the granted scope.
 */
private void testAuthorizationImpl(final String userId, final String userSecret, final String clientId, final String redirectUri, boolean useNewDriver) {
    final String nonce = UUID.randomUUID().toString();
    final AuthorizationResponse authz = requestAuthorization(
            userId, userSecret, redirectUri,
            Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN),
            Arrays.asList("openid", "profile", "address", "email", "user_name"),
            clientId, nonce, useNewDriver);

    assertNotNull(authz.getLocation(), "The location is null");
    assertNotNull(authz.getCode(), "The authorization code is null");
    assertNotNull(authz.getState(), "The state is null");
    assertNotNull(authz.getScope(), "The scope is null");
}
 
Example #11
Source File: UpdateClientAction.java (project: oxTrust, MIT License)
/**
 * Decides whether the client being edited must have a client secret.
 * Returns false (no secret required) as soon as any selected response type is "token"
 * or "id_token", or any selected grant type is "implicit" — the client is then treated
 * as a browser-based client that cannot keep a secret; otherwise returns true.
 * Values are compared case-insensitively against the wire strings.
 *
 * NOTE(review): a hybrid client that selects "code" together with "id_token" or "token"
 * also gets false here, although it still redeems the code at the token endpoint —
 * confirm this is the intended policy for hybrid clients.
 */
public boolean checkClientSecretRequired() {
	return !selectsImplicitResponseType() && !selectsImplicitGrant();
}

/** True if any selected response type is "token" or "id_token" (case-insensitive). */
private boolean selectsImplicitResponseType() {
	for (ResponseType selected : this.responseTypes) {
		String value = selected.getValue();
		if (value.equalsIgnoreCase("token") || value.equalsIgnoreCase("id_token")) {
			return true;
		}
	}
	return false;
}

/** True if any selected grant type is "implicit" (case-insensitive). */
private boolean selectsImplicitGrant() {
	for (GrantType selected : this.grantTypes) {
		if (selected.getValue().equalsIgnoreCase("implicit")) {
			return true;
		}
	}
	return false;
}
 
Example #12
Source File: BenchmarkRequestAuthorization.java (project: oxAuth, MIT License)
/**
 * Drives the authorization endpoint for the benchmark: builds the request with a random
 * state and hands it, together with the resource-owner credentials and the two driver
 * flags (passed straight through), to the shared helper. Nothing is asserted here — the
 * caller decides what to check on the returned response.
 */
private AuthorizationResponse requestAuthorization(final String userId, final String userSecret, final String redirectUri,
                                                   List<ResponseType> responseTypes, List<String> scopes, String clientId, String nonce, boolean useNewDriver) {
    AuthorizationRequest authzRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authzRequest.setState(UUID.randomUUID().toString());

    return authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authzRequest, userId, userSecret, true, useNewDriver);
}
 
Example #13
Source File: ResponseTypesRestrictionEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Step 4 of the "code id_token" restriction flow: clientId1 is restricted to that
 * response_type, so every other combination supplied by the data provider must be
 * rejected by the authorization endpoint with HTTP 400 and a JSON body that carries
 * error and error_description. prompt=none plus HTTP Basic end-user credentials keep
 * the request from stalling on an interactive login page.
 */
@Test(dependsOnMethods = "omittedResponseTypesStep3b", dataProvider = "responseTypesCodeIdTokenStep4DataProvider")
public void responseTypesCodeIdTokenStep4(final String authorizePath, final String userId, final String userSecret,
                                          final String redirectUri, final List<ResponseType> responseTypes) throws Exception {
    final List<String> requestedScopes = Arrays.asList("openid", "profile", "address", "email");
    final String nonce = UUID.randomUUID().toString();

    AuthorizationRequest authzRequest = new AuthorizationRequest(responseTypes, clientId1, requestedScopes,
            redirectUri, nonce);
    authzRequest.setState("af0ifjsldkj");
    authzRequest.getPrompts().add(Prompt.NONE);
    authzRequest.setAuthUsername(userId);
    authzRequest.setAuthPassword(userSecret);

    final String target = url.toString() + authorizePath + "?" + authzRequest.getQueryString();
    Builder httpRequest = ResteasyClientBuilder.newClient().target(target).request();
    httpRequest.header("Authorization", "Basic " + authzRequest.getEncodedCredentials());
    httpRequest.header("Accept", MediaType.TEXT_PLAIN);

    Response response = httpRequest.get();
    String entity = response.readEntity(String.class);
    showResponse("responseTypesCodeIdTokenStep4", response, entity);

    if (response.getStatus() != 400) {
        fail("Unexpected response code: " + response.getStatus());
    }
    assertNotNull(entity, "Unexpected result: " + entity);
    try {
        JSONObject body = new JSONObject(entity);
        assertTrue(body.has("error"), "The error type is null");
        assertTrue(body.has("error_description"), "The error description is null");
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    }
}
 
Example #14
Source File: ClientAuthenticationByAccessTokenHttpTest.java (project: oxAuth, MIT License)
/**
 * Registers the web client used by the rest of this class and stores its client_id and
 * client_secret. The client asks for all three response types, the
 * resource-owner-password-credentials grant (test-suite convenience — it bypasses the
 * authorization endpoint), client_secret_basic authentication and the server-specific
 * custom attribute oxAuthTrustedClient=true (semantics not visible here; confirm
 * against the server configuration before reusing).
 */
@Test
public void requestClientRegistrationWithCustomAttributes() throws Exception {
    showTitle("requestClientRegistrationWithCustomAttributes");

    RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", Collections.singletonList(REDIRECT_URI));
    registration.setResponseTypes(Arrays.asList(ResponseType.CODE, ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registration.setGrantTypes(Arrays.asList(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS));
    registration.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
    registration.addCustomAttribute("oxAuthTrustedClient", "true");

    RegisterClient client = new RegisterClient(registrationEndpoint);
    client.setExecutor(clientExecutor(true));
    client.setRequest(registration);
    RegisterResponse registered = client.exec();
    showClient(client);

    assertEquals(registered.getStatus(), 200, "Unexpected response code: " + registered.getEntity());
    assertNotNull(registered.getClientId());
    assertNotNull(registered.getClientSecret());
    assertNotNull(registered.getRegistrationAccessToken());
    assertNotNull(registered.getClientSecretExpiresAt());

    clientId = registered.getClientId();
    clientSecret = registered.getClientSecret();
}
 
Example #15
Source File: TokenRestWebServiceHttpTest.java (project: oxAuth, MIT License)
/**
 * Token endpoint negative test: a freshly registered client redeems a code that was
 * never issued and must get HTTP 400 with error and error_description populated —
 * valid client credentials alone must not yield a token. The client is registered with
 * an empty response_types list.
 */
@Parameters({"redirectUris", "redirectUri", "sectorIdentifierUri"})
@Test
public void requestAccessTokenFail(final String redirectUris, final String redirectUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestAccessTokenFail");

    // 1. Register client (response_types deliberately empty)
    RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registration.setResponseTypes(new ArrayList<ResponseType>());
    registration.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registration);
    RegisterResponse registered = registerClient.exec();
    showClient(registerClient);

    assertEquals(registered.getStatus(), 200, "Unexpected response code: " + registered.getEntity());
    assertNotNull(registered.getClientId());
    assertNotNull(registered.getClientSecret());
    assertNotNull(registered.getRegistrationAccessToken());
    assertNotNull(registered.getClientIdIssuedAt());
    assertNotNull(registered.getClientSecretExpiresAt());

    final String clientId = registered.getClientId();
    final String clientSecret = registered.getClientSecret();

    // 2. Present an authorization code that was never issued
    TokenClient tokenClient = new TokenClient(tokenEndpoint);
    TokenResponse tokenResponse = tokenClient.execAuthorizationCode("INVALID_AUTHORIZATION_CODE", redirectUri, clientId, clientSecret);
    showClient(tokenClient);

    assertEquals(tokenResponse.getStatus(), 400, "Unexpected response code: " + tokenResponse.getStatus());
    assertNotNull(tokenResponse.getEntity(), "The entity is null");
    assertNotNull(tokenResponse.getErrorType(), "The error type is null");
    assertNotNull(tokenResponse.getErrorDescription(), "The error description is null");
}
 
Example #16
Source File: AuthorizeRestWebServiceEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * An authorization request for response_type "code" with no redirect_uri must be
 * rejected: expects HTTP 400, a JSON body with error and error_description, and the
 * submitted state echoed back so the caller can still correlate the error with its own
 * request. prompt=none with HTTP Basic end-user credentials keeps the flow
 * non-interactive.
 */
@Parameters({"authorizePath", "userId", "userSecret"})
@Test(dependsOnMethods = "dynamicClientRegistration")
public void requestAuthorizationCodeWithoutRedirectUriFail(final String authorizePath, final String userId,
                                                           final String userSecret) throws Exception {
    final String state = UUID.randomUUID().toString();
    final List<String> requestedScopes = Arrays.asList("openid", "profile", "address", "email");

    // redirect_uri and nonce are both null on purpose.
    AuthorizationRequest authzRequest = new AuthorizationRequest(Arrays.asList(ResponseType.CODE), clientId1, requestedScopes, null, null);
    authzRequest.setState(state);
    authzRequest.getPrompts().add(Prompt.NONE);
    authzRequest.setAuthUsername(userId);
    authzRequest.setAuthPassword(userSecret);

    final String target = url.toString() + authorizePath + "?" + authzRequest.getQueryString();
    Builder httpRequest = ResteasyClientBuilder.newClient().target(target).request();
    httpRequest.header("Authorization", "Basic " + authzRequest.getEncodedCredentials());
    httpRequest.header("Accept", MediaType.TEXT_PLAIN);

    Response response = httpRequest.get();
    String entity = response.readEntity(String.class);
    showResponse("requestAuthorizationCodeWithoutRedirectUriFailStep", response, entity);

    assertEquals(response.getStatus(), 400, "Unexpected response code.");
    assertNotNull(entity, "Unexpected result: " + entity);
    try {
        JSONObject body = new JSONObject(entity);
        assertTrue(body.has("error"), "The error type is null");
        assertTrue(body.has("error_description"), "The error description is null");
        assertEquals(body.get(AuthorizeResponseParam.STATE), state);
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    }
}
 
Example #17
Source File: OpenIDRequestObjectWithRSAlgEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Step 1 of the RS384 request-object test: registers an implicit ("token") web client
 * that publishes its keys at jwksUri and declares request_object_signing_alg=RS384, so
 * later steps can send request objects signed with that key. The resulting client_id is
 * kept in clientId2 for those steps.
 */
@Parameters({ "registerPath", "redirectUris", "clientJwksUri" })
@Test
public void requestParameterMethodRS384Step1(final String registerPath, final String redirectUris,
        final String jwksUri) throws Exception {
    Builder httpRequest = ResteasyClientBuilder.newClient().target(url.toString() + registerPath).request();

    String payload = null;
    try {
        RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
                StringUtils.spaceSeparatedToList(redirectUris));
        registration.setJwksUri(jwksUri);
        registration.setResponseTypes(Arrays.asList(ResponseType.TOKEN));
        registration.setRequestObjectSigningAlg(SignatureAlgorithm.RS384);
        registration.addCustomAttribute("oxAuthTrustedClient", "true");

        payload = ServerUtil.toPrettyJson(registration.getJSONParameters());
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage());
    }

    Response response = httpRequest.post(Entity.json(payload));
    String entity = response.readEntity(String.class);
    showResponse("requestParameterMethodRS384Step1", response, entity);

    ResponseAsserter asserter = ResponseAsserter.of(response.getStatus(), entity);
    asserter.assertRegisterResponse();
    clientId2 = asserter.getJson().getJson().getString(RegisterResponseParam.CLIENT_ID.toString());
}
 
Example #18
Source File: ResponseTypesRestrictionEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Step 4 of the "token id_token" restriction flow: clientId3 is restricted to that
 * response_type, so every other combination supplied by the data provider must be
 * rejected by the authorization endpoint with HTTP 400 and a JSON body that carries
 * error and error_description. prompt=none plus HTTP Basic end-user credentials keep
 * the request from stalling on an interactive login page.
 */
@Test(dependsOnMethods = "responseTypesTokenIdTokenStep3", dataProvider = "responseTypesTokenIdTokenStep4DataProvider")
public void responseTypesTokenIdTokenStep4(final String authorizePath, final String userId, final String userSecret,
                                           final String redirectUri, final List<ResponseType> responseTypes) throws Exception {
    final List<String> requestedScopes = Arrays.asList("openid", "profile", "address", "email");
    final String nonce = UUID.randomUUID().toString();

    AuthorizationRequest authzRequest = new AuthorizationRequest(responseTypes, clientId3, requestedScopes,
            redirectUri, nonce);
    authzRequest.setState("af0ifjsldkj");
    authzRequest.getPrompts().add(Prompt.NONE);
    authzRequest.setAuthUsername(userId);
    authzRequest.setAuthPassword(userSecret);

    final String target = url.toString() + authorizePath + "?" + authzRequest.getQueryString();
    Builder httpRequest = ResteasyClientBuilder.newClient().target(target).request();
    httpRequest.header("Authorization", "Basic " + authzRequest.getEncodedCredentials());
    httpRequest.header("Accept", MediaType.TEXT_PLAIN);

    Response response = httpRequest.get();
    String entity = response.readEntity(String.class);
    showResponse("responseTypesTokenIdTokenStep4", response, entity);

    if (response.getStatus() != 400) {
        fail("Unexpected response code: " + response.getStatus());
    }
    assertNotNull(entity, "Unexpected result: " + entity);
    try {
        JSONObject body = new JSONObject(entity);
        assertTrue(body.has("error"), "The error type is null");
        assertTrue(body.has("error_description"), "The error description is null");
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage() + "\nResponse was: " + entity);
    }
}
 
Example #19
Source File: OpenIDRequestObjectWithRSAlgEmbeddedTest.java (project: oxAuth, MIT License)
/**
 * Step 1 of the RS256 request-object test: registers an implicit ("token") web client
 * that publishes its keys at jwksUri and declares request_object_signing_alg=RS256, so
 * later steps can send request objects signed with that key. The resulting client_id is
 * kept in clientId1 for those steps.
 */
@Parameters({ "registerPath", "redirectUris", "clientJwksUri" })
@Test
public void requestParameterMethodRS256Step1(final String registerPath, final String redirectUris,
        final String jwksUri) throws Exception {
    Builder httpRequest = ResteasyClientBuilder.newClient().target(url.toString() + registerPath).request();

    String payload = null;
    try {
        RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
                StringUtils.spaceSeparatedToList(redirectUris));
        registration.setJwksUri(jwksUri);
        registration.setResponseTypes(Arrays.asList(ResponseType.TOKEN));
        registration.setRequestObjectSigningAlg(SignatureAlgorithm.RS256);
        registration.addCustomAttribute("oxAuthTrustedClient", "true");

        payload = ServerUtil.toPrettyJson(registration.getJSONParameters());
    } catch (JSONException e) {
        e.printStackTrace();
        fail(e.getMessage());
    }

    Response response = httpRequest.post(Entity.json(payload));
    String entity = response.readEntity(String.class);
    showResponse("requestParameterMethodRS256Step1", response, entity);

    ResponseAsserter asserter = ResponseAsserter.of(response.getStatus(), entity);
    asserter.assertRegisterResponse();
    clientId1 = asserter.getJson().getJson().getString(RegisterResponseParam.CLIENT_ID.toString());
}
 
Example #20
Source File: UsesAsymmetricIdTokenSignatures.java (project: oxAuth, MIT License)
/**
 * OC5 feature test: a client registered with id_token_signed_response_alg=RS512 must
 * receive an id_token (implicit "id_token" flow) whose signature verifies under the
 * server's RS512 key.
 *
 * The verifier is built with the algorithm pinned to RS512 and the key selected by the
 * token's kid header — the token's own alg header is never used to choose the
 * algorithm, which is the safe order of operations.
 * NOTE(review): the nonce sent in the request is not compared against the id_token's
 * nonce claim here; the test only covers the signature.
 */
@Parameters({"redirectUris", "userId", "userSecret", "redirectUri", "sectorIdentifierUri"})
@Test
public void usesAsymmetricIdTokenSignaturesRS512(
        final String redirectUris, final String userId, final String userSecret, final String redirectUri,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Uses Asymmetric ID Token Signatures RS512");

    final List<ResponseType> idTokenOnly = Arrays.asList(ResponseType.ID_TOKEN);

    // 1. Registration — ask for RS512-signed id_tokens.
    RegisterRequest registration = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registration.setResponseTypes(idTokenOnly);
    registration.setIdTokenSignedResponseAlg(SignatureAlgorithm.RS512);
    registration.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registration);
    RegisterResponse registered = registerClient.exec();
    showClient(registerClient);

    assertEquals(registered.getStatus(), 200, "Unexpected response code: " + registered.getEntity());
    assertNotNull(registered.getClientId());
    assertNotNull(registered.getClientSecret());
    assertNotNull(registered.getRegistrationAccessToken());
    assertNotNull(registered.getClientSecretExpiresAt());

    // 2. Request Authorization with fresh nonce and state.
    final String nonce = UUID.randomUUID().toString();
    final String state = UUID.randomUUID().toString();
    AuthorizationRequest authzRequest = new AuthorizationRequest(
            idTokenOnly, registered.getClientId(), Arrays.asList("openid", "profile", "address", "email"), redirectUri, nonce);
    authzRequest.setState(state);

    AuthorizationResponse authzResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authzRequest, userId, userSecret);

    assertNotNull(authzResponse.getLocation());
    assertNotNull(authzResponse.getIdToken());
    assertNotNull(authzResponse.getState());

    // 3. Validate id_token signature: key by kid, algorithm pinned to RS512.
    Jwt idToken = Jwt.parse(authzResponse.getIdToken());
    String keyId = idToken.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
    RSAPublicKey serverKey = JwkClient.getRSAPublicKey(jwksUri, keyId);
    assertTrue(new RSASigner(SignatureAlgorithm.RS512, serverKey).validate(idToken));
}
 
Example #21
Source File: EndSessionRestWebServiceHttpTest.java (project: oxAuth, MIT License)
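/**
 * End-to-end logout by id_token_hint:
 *  1. dynamically registers an implicit ("token id_token") client with a
 *     post_logout_redirect_uri, a front-channel logout URI and a sector identifier;
 *  2. authorizes the resource owner and captures access token, id_token and session_id;
 *  3. calls the end-session endpoint with the id_token and expects HTTP 200 with the
 *     HTML logout page that embeds both the front-channel logout URI and the
 *     post-logout redirect URI;
 *  4. repeats the call for the now-terminated session and expects a 400 (or a
 *     redirect) with error invalid_grant_and_session — a logout must not be replayable
 *     as a success.
 *
 * Fixes two assertion messages that contradicted the check they belong to
 * ("The scope must be null" on an assertNotNull, "The HTML page is null" on a
 * content check), so a failure now reports what was actually wrong.
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "postLogoutRedirectUri", "logoutUri", "sectorIdentifierUri"})
@Test
public void requestEndSession(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String postLogoutRedirectUri, final String logoutUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestEndSession by id_token");

    // 1. OpenID Connect Dynamic Registration
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
    registerRequest.setFrontChannelLogoutUris(Lists.newArrayList(logoutUri));
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse response = registerClient.exec();

    showClient(registerClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getClientId());
    assertNotNull(response.getClientSecret());
    assertNotNull(response.getRegistrationAccessToken());
    assertNotNull(response.getClientSecretExpiresAt());

    String clientId = response.getClientId();

    // 2. Request authorization (implicit flow: token + id_token)
    List<ResponseType> responseTypes = new ArrayList<ResponseType>();
    responseTypes.add(ResponseType.TOKEN);
    responseTypes.add(ResponseType.ID_TOKEN);
    List<String> scopes = new ArrayList<String>();
    scopes.add("openid");
    scopes.add("profile");
    scopes.add("address");
    scopes.add("email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The access token is null");
    // The state must be echoed back unchanged — it is the client's CSRF binding.
    assertEquals(authorizationResponse.getState(), state);
    assertNotNull(authorizationResponse.getTokenType(), "The token type is null");
    assertNotNull(authorizationResponse.getExpiresIn(), "The expires in value is null");
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    assertNotNull(authorizationResponse.getSessionId(), "The session_id is null");

    String idToken = authorizationResponse.getIdToken();
    assertNotNull(idToken, "The id_token is null");

    // 3. End session
    String endSessionId1 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest1 = new EndSessionRequest(idToken, postLogoutRedirectUri, endSessionId1);
    endSessionRequest1.setSessionId(authorizationResponse.getSessionId());

    EndSessionClient endSessionClient = new EndSessionClient(endSessionEndpoint);
    endSessionClient.setRequest(endSessionRequest1);

    EndSessionResponse endSessionResponse1 = endSessionClient.exec();

    showClient(endSessionClient);
    assertEquals(endSessionResponse1.getStatus(), 200);
    assertNotNull(endSessionResponse1.getHtmlPage(), "The HTML page is null");

    // Shallow validation of the returned HTML: it must at least be an HTML document and
    // reference both the front-channel logout_uri and the post_logout_redirect_uri.
    assertTrue(endSessionResponse1.getHtmlPage().contains("<html>"), "The response is not an HTML page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(logoutUri), "logout_uri is not present on html page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(postLogoutRedirectUri), "postLogoutRedirectUri is not present on html page");
    // assertEquals(endSessionResponse.getState(), endSessionId); // not applicable: for http-based logout an html page is returned

    // 4. End session with an already ended session — must not succeed a second time
    String endSessionId2 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest2 = new EndSessionRequest(idToken, postLogoutRedirectUri, endSessionId2);
    endSessionRequest2.setSessionId(authorizationResponse.getSessionId());

    EndSessionClient endSessionClient2 = new EndSessionClient(endSessionEndpoint);
    endSessionClient2.setRequest(endSessionRequest2);

    EndSessionResponse endSessionResponse2 = endSessionClient2.exec();

    showClient(endSessionClient2);
    assertStatusOrRedirect(endSessionResponse2.getStatus(), Status.BAD_REQUEST.getStatusCode());
    assertEquals(endSessionResponse2.getErrorType(), EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION);
}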
 
Example #22
Source File: EndSessionRestWebServiceHttpTest.java (project: oxAuth, MIT License)
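/**
 * RP-initiated logout driven by {@code session_id} alone: the end-session request carries no
 * id_token_hint (the first {@link EndSessionRequest} constructor argument is {@code null}).
 * <p>
 * Flow: dynamic registration (implicit {@code token id_token}) → authorization → end session →
 * a second end-session call with the same, now terminated, session must be rejected so that a
 * captured session_id cannot be replayed against the logout endpoint.
 *
 * @param userId                resource-owner login
 * @param userSecret            resource-owner password
 * @param redirectUri           redirect_uri used in the authorization request
 * @param redirectUris          space-separated redirect_uris registered for the client
 * @param postLogoutRedirectUri post_logout_redirect_uri registered and then requested
 * @param logoutUri             front-channel logout URI expected in the returned HTML
 * @param sectorIdentifierUri   sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "postLogoutRedirectUri", "logoutUri", "sectorIdentifierUri"})
@Test
public void requestEndSessionWithSessionId(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String postLogoutRedirectUri, final String logoutUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestEndSession by session_id");

    // 1. OpenID Connect Dynamic Registration
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
    registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
    registerRequest.setFrontChannelLogoutUris(Lists.newArrayList(logoutUri));
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse response = registerClient.exec();

    showClient(registerClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getClientId());
    assertNotNull(response.getClientSecret());
    assertNotNull(response.getRegistrationAccessToken());
    assertNotNull(response.getClientSecretExpiresAt());

    String clientId = response.getClientId();

    // 2. Request authorization (implicit flow; the response must expose a session_id for step 3)
    List<ResponseType> responseTypes = new ArrayList<ResponseType>(
            Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN));
    List<String> scopes = new ArrayList<String>(
            Arrays.asList("openid", "profile", "address", "email"));
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The access token is null");
    assertEquals(authorizationResponse.getState(), state);
    assertNotNull(authorizationResponse.getTokenType(), "The token type is null");
    assertNotNull(authorizationResponse.getExpiresIn(), "The expires in value is null");
    // Message used to read "must be null", contradicting the assertNotNull it belongs to.
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    assertNotNull(authorizationResponse.getSessionId(), "The session_id is null");

    // 3. End session — no id_token_hint, only the session_id from the authorization response
    String endSessionId1 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest1 = new EndSessionRequest(null, postLogoutRedirectUri, endSessionId1);
    endSessionRequest1.setSessionId(authorizationResponse.getSessionId());

    EndSessionClient endSessionClient = new EndSessionClient(endSessionEndpoint);
    endSessionClient.setRequest(endSessionRequest1);

    EndSessionResponse endSessionResponse1 = endSessionClient.exec();

    showClient(endSessionClient);
    assertEquals(endSessionResponse1.getStatus(), 200);
    assertNotNull(endSessionResponse1.getHtmlPage(), "The HTML page is null");

    // Shallow check of the returned HTML: it only confirms that the front-channel logout_uri and the
    // post_logout_redirect_uri made it into the page, not how the page is built.
    assertTrue(endSessionResponse1.getHtmlPage().contains("<html>"), "The response is not an HTML page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(logoutUri), "logout_uri is not present on html page");
    assertTrue(endSessionResponse1.getHtmlPage().contains(postLogoutRedirectUri), "postLogoutRedirectUri is not present on html page");
    // assertEquals(endSessionResponse.getState(), endSessionId); // commented out, for http-based logout we get html page

    // 4. End session with an already ended session — the session_id must be single-use after logout
    String endSessionId2 = UUID.randomUUID().toString();
    EndSessionRequest endSessionRequest2 = new EndSessionRequest(null, postLogoutRedirectUri, endSessionId2);
    endSessionRequest2.setSessionId(authorizationResponse.getSessionId());

    EndSessionClient endSessionClient2 = new EndSessionClient(endSessionEndpoint);
    endSessionClient2.setRequest(endSessionRequest2);

    EndSessionResponse endSessionResponse2 = endSessionClient2.exec();

    showClient(endSessionClient2);
    // A 400 or a redirect carrying the error are both accepted by the helper.
    assertStatusOrRedirect(endSessionResponse2.getStatus(), Status.BAD_REQUEST.getStatusCode());
    assertEquals(endSessionResponse2.getErrorType(), EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION);
}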
 
Example #23
Source File: CanProvideEncryptedIdTokenResponse.java    From oxAuth with MIT License
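/**
 * OC5 feature test: the OP can return an id_token encrypted with {@code alg=A128KW}, {@code enc=A128GCM}.
 * <p>
 * The client registers those algorithms as {@code id_token_encrypted_response_alg/enc}, runs the
 * implicit flow and decrypts the returned id_token with key material derived from the client_secret
 * (the symmetric-key case of OIDC Core §10.2; how the bytes are turned into the KEK is up to
 * {@code Jwe.parse} and is not visible here).
 * <p>
 * Any exception is converted into a TestNG failure carrying the cause.
 *
 * @param userId              resource-owner login
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "sectorIdentifierUri"})
@Test
public void canProvideEncryptedIdTokenResponseAlgA128KWEncA128GCM(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String sectorIdentifierUri) {
    try {
        showTitle("OC5:FeatureTest-Can Provide Encrypted ID Token Response A128KW A128GCM");

        List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);

        // 1. Register client, asking for an encrypted id_token
        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
                StringUtils.spaceSeparatedToList(redirectUris));
        registerRequest.setResponseTypes(responseTypes);
        registerRequest.setIdTokenEncryptedResponseAlg(KeyEncryptionAlgorithm.A128KW);
        registerRequest.setIdTokenEncryptedResponseEnc(BlockEncryptionAlgorithm.A128GCM);
        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

        RegisterClient registerClient = new RegisterClient(registrationEndpoint);
        registerClient.setRequest(registerRequest);
        RegisterResponse registerResponse = registerClient.exec();

        showClient(registerClient);
        assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
        assertNotNull(registerResponse.getClientId());
        assertNotNull(registerResponse.getClientSecret());
        assertNotNull(registerResponse.getRegistrationAccessToken());
        assertNotNull(registerResponse.getClientIdIssuedAt());
        assertNotNull(registerResponse.getClientSecretExpiresAt());

        String clientId = registerResponse.getClientId();
        String clientSecret = registerResponse.getClientSecret();

        // 2. Request authorization (implicit flow)
        List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
        String nonce = UUID.randomUUID().toString();
        String state = UUID.randomUUID().toString();

        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
        authorizationRequest.setState(state);

        // The helper drives the login page and returns the fragment-encoded response; a separate
        // AuthorizeClient is not needed here.
        AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
                authorizationEndpoint, authorizationRequest, userId, userSecret);

        assertNotNull(authorizationResponse.getLocation(), "The location is null");
        assertNotNull(authorizationResponse.getAccessToken(), "The accessToken is null");
        assertNotNull(authorizationResponse.getTokenType(), "The tokenType is null");
        assertNotNull(authorizationResponse.getIdToken(), "The idToken is null");
        assertNotNull(authorizationResponse.getState(), "The state is null");

        String idToken = authorizationResponse.getIdToken();

        // 3. Read Encrypted ID Token — no private key (null), the client_secret bytes are the shared secret
        Jwe jwe = Jwe.parse(idToken, null, clientSecret.getBytes(Util.UTF8_STRING_ENCODING));
        assertNotNull(jwe.getHeader().getClaimAsString(JwtHeaderName.TYPE));
        assertNotNull(jwe.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
        assertNotNull(jwe.getClaims().getClaimAsString(JwtClaimName.ISSUER));
        assertNotNull(jwe.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
        assertNotNull(jwe.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
        assertNotNull(jwe.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
        assertNotNull(jwe.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
    } catch (Exception ex) {
        // Keep the original exception attached so the report shows where decryption/parsing failed.
        fail(ex.getMessage(), ex);
    }
}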
 
Example #24
Source File: SupportClaimsRequestSpecifyingSubValue.java    From oxAuth with MIT License
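/**
 * OC5 feature test (negative case): a request object whose {@code claims.id_token.sub} names a
 * subject other than the authenticating user must be rejected with {@code USER_MISMATCHED}.
 * <p>
 * This is the check that stops an RP from pinning a session to a victim's {@code sub} and having
 * the OP honour it for a different end-user. The request object is HS256-signed with the
 * client_secret (OIDC Core §10.1 symmetric signing).
 *
 * @param userId              resource-owner login (the user that actually authenticates)
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients or request-object signing
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "sectorIdentifierUri"})
@Test
public void supportClaimsRequestSpecifyingSubValueFail(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Support claims Request Specifying sub Value (fail)");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);

    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());

    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();

    // 2. Request authorization with a signed request object
    OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider();

    List<String> scopes = Arrays.asList("openid", "email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    // The request object asks for given_name/family_name in userinfo and, deliberately, for a
    // sub value that does not belong to the user who will log in.
    JwtAuthorizationRequest jwtAuthorizationRequest = new JwtAuthorizationRequest(
            authorizationRequest, SignatureAlgorithm.HS256, clientSecret, cryptoProvider);
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.GIVEN_NAME, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.FAMILY_NAME, ClaimValue.createNull()));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.SUBJECT_IDENTIFIER, ClaimValue.createSingleValue("WRONG_USER_ID")));

    String authJwt = jwtAuthorizationRequest.getEncodedJwt();
    authorizationRequest.setRequest(authJwt);

    // The helper drives the login page itself; a separate AuthorizeClient is not needed.
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    // 3. The OP must refuse to issue tokens for a subject the end-user is not
    assertNotNull(authorizationResponse.getErrorType(), "The error type is null");
    assertEquals(authorizationResponse.getErrorType(), AuthorizeErrorResponseType.USER_MISMATCHED);
    assertNotNull(authorizationResponse.getErrorDescription(), "The error description is null");
}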
 
Example #25
Source File: UsesSymmetricIdTokenSignatures.java    From oxAuth with MIT License
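/**
 * OC5 feature test: the OP signs the id_token with HS256 when the client registers
 * {@code id_token_signed_response_alg=HS256}.
 * <p>
 * With HS* algorithms the MAC key is the client_secret (OIDC Core §10.1), so the test verifies the
 * returned id_token with an {@link HMACSigner} keyed by the secret it received at registration and
 * then checks that the token's nonce is the one sent in the request, i.e. that the token is bound
 * to this authorization and not merely a well-formed OP-issued token.
 *
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param userId              resource-owner login
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients or JWT parsing
 */
@Parameters({"redirectUris", "userId", "userSecret", "redirectUri", "sectorIdentifierUri"})
@Test
public void usesSymmetricIdTokenSignaturesHS256(
        final String redirectUris, final String userId, final String userSecret, final String redirectUri,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Uses Symmetric ID Token Signatures HS256");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.ID_TOKEN);

    // 1. Registration
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setIdTokenSignedResponseAlg(SignatureAlgorithm.HS256);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientSecretExpiresAt());

    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();

    // 2. Request Authorization
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation());
    assertNotNull(authorizationResponse.getIdToken());
    assertNotNull(authorizationResponse.getState());

    String idToken = authorizationResponse.getIdToken();

    // 3. Validate id_token
    Jwt jwt = Jwt.parse(idToken);
    // The client_secret is the HMAC key for HS* id_tokens.
    HMACSigner hmacSigner = new HMACSigner(SignatureAlgorithm.HS256, clientSecret);
    assertTrue(hmacSigner.validate(jwt), "The HS256 signature of the id_token does not validate");
    // A valid MAC only proves the OP minted the token; the nonce ties it to this request.
    assertEquals(jwt.getClaims().getClaimAsString(JwtClaimName.NONCE), nonce, "The nonce does not match");
}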
 
Example #26
Source File: CanProvideSignedUserInfoResponse.java    From oxAuth with MIT License
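/**
 * OC5 feature test: the UserInfo response is returned as an HS512-signed JWT when the client
 * registers {@code userinfo_signed_response_alg=HS512}.
 * <p>
 * The {@link UserInfoClient} is given the client_secret as shared key so it can verify the MAC
 * (OIDC Core §10.1) before the claims are read.
 *
 * @param userId              resource-owner login
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "sectorIdentifierUri"})
@Test
public void canProvideSignedUserInfoResponseHS512(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Can Provide Signed UserInfo Response HS512");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);

    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setUserInfoSignedResponseAlg(SignatureAlgorithm.HS512);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());

    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();

    // 2. Request authorization (implicit flow)
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    // The helper drives the login page itself; a separate AuthorizeClient is not needed.
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The accessToken is null");
    assertNotNull(authorizationResponse.getTokenType(), "The tokenType is null");
    assertNotNull(authorizationResponse.getIdToken(), "The idToken is null");
    assertNotNull(authorizationResponse.getState(), "The state is null");

    String accessToken = authorizationResponse.getAccessToken();

    // 3. Request user info — the shared key lets the client verify the HS512 MAC on the response
    UserInfoClient userInfoClient = new UserInfoClient(userInfoEndpoint);
    userInfoClient.setSharedKey(clientSecret);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);

    showClient(userInfoClient);
    assertEquals(userInfoResponse.getStatus(), 200, "Unexpected response code: " + userInfoResponse.getStatus());
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.GIVEN_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.FAMILY_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PICTURE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ZONEINFO));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.EMAIL));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.LOCALE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS));
    // containsAll() yields a boolean; assertNotNull on it could never fail, so assert its value.
    assertTrue(userInfoResponse.getClaim(JwtClaimName.ADDRESS).containsAll(Arrays.asList(
            JwtClaimName.ADDRESS_STREET_ADDRESS,
            JwtClaimName.ADDRESS_REGION,
            JwtClaimName.ADDRESS_LOCALITY,
            JwtClaimName.ADDRESS_COUNTRY)), "The address claim is missing expected sub-claims");
}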
 
Example #27
Source File: CanProvideSignedUserInfoResponse.java    From oxAuth with MIT License
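/**
 * OC5 feature test: the UserInfo response is returned as an RS512-signed JWT when the client
 * registers {@code userinfo_signed_response_alg=RS512}.
 * <p>
 * Unlike the HS* variant no shared secret is involved: the {@link UserInfoClient} is pointed at the
 * OP's {@code jwks_uri} so it can fetch the public key and verify the signature.
 *
 * @param userId              resource-owner login
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients
 */
@Parameters({"userId", "userSecret", "redirectUri", "redirectUris", "sectorIdentifierUri"})
@Test
public void canProvideSignedUserInfoResponseRS512(
        final String userId, final String userSecret, final String redirectUri, final String redirectUris,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Can Provide Signed UserInfo Response RS512");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);

    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setUserInfoSignedResponseAlg(SignatureAlgorithm.RS512);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());

    String clientId = registerResponse.getClientId();

    // 2. Request authorization (implicit flow)
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    // The helper drives the login page itself; a separate AuthorizeClient is not needed.
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The accessToken is null");
    assertNotNull(authorizationResponse.getTokenType(), "The tokenType is null");
    assertNotNull(authorizationResponse.getIdToken(), "The idToken is null");
    assertNotNull(authorizationResponse.getState(), "The state is null");

    String accessToken = authorizationResponse.getAccessToken();

    // 3. Request user info — the OP's JWKS supplies the RS512 verification key
    UserInfoClient userInfoClient = new UserInfoClient(userInfoEndpoint);
    userInfoClient.setJwksUri(jwksUri);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);

    showClient(userInfoClient);
    assertEquals(userInfoResponse.getStatus(), 200, "Unexpected response code: " + userInfoResponse.getStatus());
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.GIVEN_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.FAMILY_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PICTURE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ZONEINFO));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.EMAIL));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.LOCALE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS));
    // containsAll() yields a boolean; assertNotNull on it could never fail, so assert its value.
    assertTrue(userInfoResponse.getClaim(JwtClaimName.ADDRESS).containsAll(Arrays.asList(
            JwtClaimName.ADDRESS_STREET_ADDRESS,
            JwtClaimName.ADDRESS_REGION,
            JwtClaimName.ADDRESS_LOCALITY,
            JwtClaimName.ADDRESS_COUNTRY)), "The address claim is missing expected sub-claims");
}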
 
Example #28
Source File: UsesSymmetricIdTokenSignatures.java    From oxAuth with MIT License
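/**
 * OC5 feature test: the OP signs the id_token with HS512 when the client registers
 * {@code id_token_signed_response_alg=HS512}.
 * <p>
 * With HS* algorithms the MAC key is the client_secret (OIDC Core §10.1), so the test verifies the
 * returned id_token with an {@link HMACSigner} keyed by the secret it received at registration and
 * then checks that the token's nonce is the one sent in the request, i.e. that the token is bound
 * to this authorization and not merely a well-formed OP-issued token.
 *
 * @param redirectUris        space-separated redirect_uris registered for the client
 * @param userId              resource-owner login
 * @param userSecret          resource-owner password
 * @param redirectUri         redirect_uri used in the authorization request
 * @param sectorIdentifierUri sector_identifier_uri for pairwise subject identifiers
 * @throws Exception propagated from the HTTP clients or JWT parsing
 */
@Parameters({"redirectUris", "userId", "userSecret", "redirectUri", "sectorIdentifierUri"})
@Test
public void usesSymmetricIdTokenSignaturesHS512(
        final String redirectUris, final String userId, final String userSecret, final String redirectUri,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Uses Symmetric ID Token Signatures HS512");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.ID_TOKEN);

    // 1. Registration
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setIdTokenSignedResponseAlg(SignatureAlgorithm.HS512);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientSecretExpiresAt());

    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();

    // 2. Request Authorization
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation());
    assertNotNull(authorizationResponse.getIdToken());
    assertNotNull(authorizationResponse.getState());

    String idToken = authorizationResponse.getIdToken();

    // 3. Validate id_token
    Jwt jwt = Jwt.parse(idToken);
    // The client_secret is the HMAC key for HS* id_tokens.
    HMACSigner hmacSigner = new HMACSigner(SignatureAlgorithm.HS512, clientSecret);
    assertTrue(hmacSigner.validate(jwt), "The HS512 signature of the id_token does not validate");
    // A valid MAC only proves the OP minted the token; the nonce ties it to this request.
    assertEquals(jwt.getClaims().getClaimAsString(JwtClaimName.NONCE), nonce, "The nonce does not match");
}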
 
Example #29
Source File: OPRegistrationJwks.java    From oxAuth with MIT License
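/**
 * Registers a client with an inline {@code jwks} document (fetched from {@code clientJwksUri}) and
 * {@code token_endpoint_auth_method=private_key_jwt}, then completes the authorization-code flow
 * authenticating to the token endpoint with an RS256 client assertion signed by the key
 * {@code RS256_keyId} from the supplied keystore.
 * <p>
 * The registration response is checked to echo back the requested response/grant types, the jwks
 * and the private_key_jwt auth method, so a downgraded registration would be caught before the
 * token request.
 *
 * @param redirectUri           redirect_uri registered and used for the authorization request
 * @param postLogoutRedirectUri post_logout_redirect_uri registered for the client
 * @param clientJwksUri         URL of the client's public JWK Set, embedded as {@code jwks} at registration
 * @param userId                resource-owner login
 * @param userSecret            resource-owner password
 * @param keyId                 kid of the RS256 signing key in the keystore
 * @param dnName                distinguished name used by the crypto provider
 * @param keyStoreFile          keystore path holding the client's private key
 * @param keyStoreSecret        keystore password
 * @throws Exception propagated from the HTTP clients or the crypto provider
 */
@Parameters({"redirectUri", "postLogoutRedirectUri", "clientJwksUri", "userId", "userSecret", "RS256_keyId",
        "dnName", "keyStoreFile", "keyStoreSecret"})
@Test
public void opRegistrationJwks(
        final String redirectUri, final String postLogoutRedirectUri, final String clientJwksUri,
        final String userId, final String userSecret, final String keyId, final String dnName,
        final String keyStoreFile, final String keyStoreSecret) throws Exception {
    showTitle("opRegistrationJwks");

    List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);
    List<GrantType> grantTypes = Arrays.asList(GrantType.AUTHORIZATION_CODE);
    List<String> contacts = Arrays.asList("[email protected]", "[email protected]");

    // 1. Register client — the client's public keys are passed by value (jwks), not by reference (jwks_uri)
    JwkClient jwkClient = new JwkClient(clientJwksUri);
    JwkResponse jwkResponse = jwkClient.exec();

    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUri));
    registerRequest.setPostLogoutRedirectUris(Arrays.asList(postLogoutRedirectUri));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setGrantTypes(grantTypes);
    registerRequest.setContacts(contacts);
    registerRequest.setTokenEndpointAuthMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
    registerRequest.setJwks(jwkResponse.getJwks().toString());

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getRegistrationClientUri());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());
    assertNotNull(registerResponse.getResponseTypes());
    assertTrue(registerResponse.getResponseTypes().containsAll(responseTypes));
    assertNotNull(registerResponse.getGrantTypes());
    assertTrue(registerResponse.getGrantTypes().containsAll(grantTypes));
    assertNotNull(registerResponse.getClaims().get(RegisterRequestParam.JWKS.getName()));
    assertNotNull(registerResponse.getClaims().get(RegisterRequestParam.TOKEN_ENDPOINT_AUTH_METHOD.getName()));
    // The OP must not silently fall back to a weaker client-auth method than the one requested.
    assertEquals(AuthenticationMethod.PRIVATE_KEY_JWT.toString(), registerResponse.getClaims().get(RegisterRequestParam.TOKEN_ENDPOINT_AUTH_METHOD.getName()));

    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();

    // 2. Request authorization
    List<String> scopes = Arrays.asList("openid");
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation());
    assertNotNull(authorizationResponse.getState());
    assertNotNull(authorizationResponse.getScope());

    String authorizationCode = authorizationResponse.getCode();

    // 3. Request access token using the authorization code.
    OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);

    TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
    tokenRequest.setCode(authorizationCode);

    tokenRequest.setRedirectUri(redirectUri);
    tokenRequest.setAuthUsername(clientId);
    // NOTE(review): the client_secret is set although private_key_jwt authenticates with the
    // client assertion below; whether TokenClient also sends it is not visible here — confirm.
    tokenRequest.setAuthPassword(clientSecret);
    tokenRequest.setAuthenticationMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
    tokenRequest.setAlgorithm(SignatureAlgorithm.RS256);
    tokenRequest.setCryptoProvider(cryptoProvider);
    tokenRequest.setKeyId(keyId);
    // The assertion's aud is the token endpoint, so it cannot be replayed against another endpoint.
    tokenRequest.setAudience(tokenEndpoint);

    TokenClient tokenClient = new TokenClient(tokenEndpoint);
    tokenClient.setRequest(tokenRequest);
    TokenResponse tokenResponse = tokenClient.exec();

    showClient(tokenClient);
    // Report the body on failure (as the registration assertion does), not the status a second time.
    assertEquals(tokenResponse.getStatus(), 200, "Unexpected response code: " + tokenResponse.getEntity());
    assertNotNull(tokenResponse.getEntity(), "The entity is null");
    assertNotNull(tokenResponse.getAccessToken(), "The access token is null");
    assertNotNull(tokenResponse.getTokenType(), "The token type is null");
    assertNotNull(tokenResponse.getRefreshToken(), "The refresh token is null");
    assertNotNull(tokenResponse.getIdToken(), "The id token is null");
}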
 
Example #30
Source File: SupportCombinationOfIdTokenTokenResponseTypes.java    From oxAuth with MIT License
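/**
 * Verifies that the implicit flow with the combined {@code id_token token}
 * response types works end to end: a web client is dynamically registered
 * with those response types, an authorization request carrying a fresh
 * {@code nonce} and {@code state} is authenticated and granted, and the
 * redirect back to the client carries an ID token, an access token and the
 * state value.
 *
 * <p>The returned {@code state} is compared with the value that was sent,
 * not merely checked for presence, so the test also confirms that the server
 * echoes the caller's request-binding parameter unchanged.
 *
 * @param userId              resource owner login used to authenticate
 * @param userSecret          resource owner password
 * @param redirectUris        space-separated redirect URIs to register
 * @param redirectUri         the redirect URI used in the authorization request
 * @param sectorIdentifierUri sector identifier URI set on the registration request
 * @throws Exception if any client call fails
 */
@Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
@Test
public void supportCombinationOfIdTokenTokenResponseTypes(
        final String userId, final String userSecret, final String redirectUris, final String redirectUri,
        final String sectorIdentifierUri) throws Exception {
    showTitle("OC5:FeatureTest-Support Combination of id token token Response Types");

    // The same response-type list is used for registration and for the
    // authorization request so the server cannot reject the request as
    // inconsistent with the client's registered metadata.
    List<ResponseType> responseTypes = Arrays.asList(ResponseType.ID_TOKEN, ResponseType.TOKEN);

    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
            StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);

    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();

    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());

    String clientId = registerResponse.getClientId();

    // 2. Request authorization
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
    // Fresh per-request values: nonce binds the ID token to this request,
    // state binds the redirect back to this request.
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    assertNotNull(authorizationResponse.getLocation());
    assertNotNull(authorizationResponse.getIdToken());
    assertNotNull(authorizationResponse.getAccessToken());
    assertNotNull(authorizationResponse.getState());
    // Presence alone is not enough: the echoed state must be the one we sent.
    assertEquals(authorizationResponse.getState(), state, "The returned state does not match the sent state");
}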