org.keycloak.OAuth2Constants Java Examples

private void doResourceOwnerCredentialsLogin(String clientId, String clientSecret, String login, String password) throws Exception {

        oauth.clientId(clientId);
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest(clientSecret, "", "", null);

        assertEquals(200, response.getStatusCode());

        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        RefreshToken refreshToken = oauth.parseRefreshToken(response.getRefreshToken());

        AssertEvents.ExpectedEvent expectedEvent = events.expectLogin()
                .client(clientId)
                .user(userId)
                .session(accessToken.getSessionState())
                .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
                .detail(Details.TOKEN_ID, accessToken.getId())
                .detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
                .detail(Details.USERNAME, login)
                .removeDetail(Details.CODE_ID)
                .removeDetail(Details.REDIRECT_URI)
                .removeDetail(Details.CONSENT);

        addX509CertificateDetails(expectedEvent)
                .assertEvent();
    }
 

@Test
public void specifyEmptyScopeTest() throws Exception {
    String loginUser = "john-doh@localhost";
    String loginPassword = "password";
    String clientSecret = "password";
    
	String requestedScope = "";
	String expectedScope = "openid profile email";
	
	oauth.scope(requestedScope);
    oauth.doLogin(loginUser, loginPassword);

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    
    expectSuccessfulResponseFromTokenEndpoint(code, expectedScope, clientSecret);
}
 

private List<OAuthClient.AccessTokenResponse> createInitialSessions(boolean offline) throws Exception {
    if (offline) {
        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    }

    List<OAuthClient.AccessTokenResponse> responses = new LinkedList<>();

    for (int i=0 ; i<SESSIONS_COUNT ; i++) {
        OAuthClient.AccessTokenResponse resp = oauth.doGrantAccessTokenRequest("password", "test-user@localhost", "password");
        Assert.assertNull(resp.getError());
        Assert.assertNotNull(resp.getAccessToken());
        responses.add(resp);
    }

    return responses;
}
 

@Test
public void loginInvalidUsername() {
    loginPage.open();
    loginPage.login("invalid", "password");

    loginPage.assertCurrent();

    // KEYCLOAK-1741 - assert form field values kept
    Assert.assertEquals("invalid", loginPage.getUsername());
    Assert.assertEquals("", loginPage.getPassword());

    Assert.assertEquals("Invalid username or password.", loginPage.getError());

    events.expectLogin().user((String) null).session((String) null).error("user_not_found")
            .detail(Details.USERNAME, "invalid")
            .removeDetail(Details.CONSENT)
            .assertEvent();

    loginPage.login("login-test", "password");

    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
 

@Test
// KEYCLOAK-4503
public void initializeWithRefreshToken() {

    oauth.setDriver(jsDriver); // Oauth need to login with jsDriver

    oauth.realm(REALM_NAME);
    oauth.clientId(CLIENT_ID);
    oauth.redirectUri(testAppUrl);
    oauth.doLogin(testUser);

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    String token = tokenResponse.getAccessToken();
    String refreshToken = tokenResponse.getRefreshToken();

    testExecutor.init(JSObjectBuilder.create()
                    .add("refreshToken", refreshToken)
            , (driver1, output, events) -> {
        assertInitNotAuth(driver1, output, events);
        waitUntilElement(events).text().not().contains("Auth Success");
    });
}
 

private OIDCClientRepresentation createClientWithManuallySetKid(String kid) throws Exception {
    OIDCClientRepresentation clientRep = createRep();

    clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    // Generate keys for client
    TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
    oidcClientEndpointsResource.generateKeys("RS256");

    JSONWebKeySet keySet = oidcClientEndpointsResource.getJwks();

    // Override kid with custom value
    keySet.getKeys()[0].setKeyId(kid);
    clientRep.setJwks(keySet);

    return reg.oidc().create(clientRep);
}
 

@Test
public void testAuthentication() {
    // Test that user is required to provide OTP credential during authentication
    loginPage.open();
    loginPage.login("test-user", DummyUserFederationProvider.HARDCODED_PASSWORD);

    loginTotpPage.assertCurrent();

    loginTotpPage.login("654321");
    loginTotpPage.assertCurrent();
    Assert.assertEquals("Invalid authenticator code.", loginPage.getError());

    loginTotpPage.login(DummyUserFederationProvider.HARDCODED_OTP);

    appPage.assertCurrent();
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
}
 

protected void redirect(AuthenticationFlowContext context, String providerId) {

        IdentityProviderModel identityProviderModel = selectIdp(context, providerId);
        if (identityProviderModel == null || !identityProviderModel.isEnabled()) {
            log.warnf("Provider not found or not enabled for realm %s", providerId);
            context.attempted();
            return;
        }

        String accessCode = new ClientSessionCode<>(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        String tabId = context.getAuthenticationSession().getTabId();
        URI location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
        if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
            location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
        }
        log.debugf("Redirecting to %s", providerId);
        Response response = Response.seeOther(location).build();
        context.forceChallenge(response);
    }
 

@Test
public void postLogoutWithValidIdTokenWhenLoggedOutByAdmin() throws Exception {
    oauth.doLogin("test-user@localhost", "password");

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    oauth.clientSessionState("client-session");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    String idTokenString = tokenResponse.getIdToken();

    adminClient.realm("test").logoutAll();

    // Logout should succeed with user already logged out, see KEYCLOAK-3399
    String logoutUrl = oauth.getLogoutUrl()
      .idTokenHint(idTokenString)
      .postLogoutRedirectUri(oauth.APP_AUTH_ROOT)
      .build();

    try (CloseableHttpClient c = HttpClientBuilder.create().disableRedirectHandling().build();
      CloseableHttpResponse response = c.execute(new HttpGet(logoutUrl))) {
        assertThat(response, Matchers.statusCodeIsHC(Status.FOUND));
        assertThat(response.getFirstHeader(HttpHeaders.LOCATION).getValue(), is(oauth.APP_AUTH_ROOT));
    }
}
 

protected AuthChallenge checkStateCookie() {
    OIDCHttpFacade.Cookie stateCookie = getCookie(deployment.getStateCookieName());

    if (stateCookie == null) {
        log.warn("No state cookie");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    // reset the cookie
    log.debug("** reseting application state cookie");
    facade.getResponse().resetCookie(deployment.getStateCookieName(), stateCookie.getPath());
    String stateCookieValue = getCookieValue(deployment.getStateCookieName());

    String state = getQueryParamValue(OAuth2Constants.STATE);
    if (state == null) {
        log.warn("state parameter was null");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    if (!state.equals(stateCookieValue)) {
        log.warn("state parameter invalid");
        log.warn("cookie: " + stateCookieValue);
        log.warn("queryParam: " + state);
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    return null;

}
 

public String resolveBearerToken(String redirectUri, String code) {
    redirectUri = stripOauthParametersFromRedirect(redirectUri);
    Form codeForm = new Form()
            .param(OAuth2Constants.GRANT_TYPE, "authorization_code")
            .param(OAuth2Constants.CODE, code)
            .param(OAuth2Constants.CLIENT_ID, clientId)
            .param(OAuth2Constants.REDIRECT_URI, redirectUri);
    for (Map.Entry<String, Object> entry : credentials.entrySet()) {
        codeForm.param(entry.getKey(), (String) entry.getValue());
    }
    Response res = client.target(tokenUrl).request().post(Entity.form(codeForm));
    try {
        if (res.getStatus() == 400) {
            throw new BadRequestException();
        } else if (res.getStatus() != 200) {
            throw new InternalServerErrorException(new Exception("Unknown error when getting acess token"));
        }
        AccessTokenResponse tokenResponse = res.readEntity(AccessTokenResponse.class);
        return tokenResponse.getToken();
    } finally {
        res.close();
    }
}
 

@Test
public void createClientWithJWKSURI() throws Exception {
    OIDCClientRepresentation clientRep = createRep();

    clientRep.setGrantTypes(Collections.singletonList(OAuth2Constants.CLIENT_CREDENTIALS));
    clientRep.setTokenEndpointAuthMethod(OIDCLoginProtocol.PRIVATE_KEY_JWT);

    // Generate keys for client
    TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
    Map<String, String> generatedKeys = oidcClientEndpointsResource.generateKeys("RS256");

    clientRep.setJwksUri(TestApplicationResourceUrls.clientJwksUri());

    OIDCClientRepresentation response = reg.oidc().create(clientRep);
    Assert.assertEquals(OIDCLoginProtocol.PRIVATE_KEY_JWT, response.getTokenEndpointAuthMethod());
    Assert.assertNull(response.getClientSecret());
    Assert.assertNull(response.getClientSecretExpiresAt());
    Assert.assertEquals(response.getJwksUri(), TestApplicationResourceUrls.clientJwksUri());

    // Tries to authenticate client with privateKey JWT
    assertAuthenticateClientSuccess(generatedKeys, response, KEEP_GENERATED_KID);
}
 

@Override
protected BrokeredIdentityContext exchangeExternalImpl(EventBuilder event, MultivaluedMap<String, String> params) {
    if (!supportsExternalExchange()) return null;
    String subjectToken = params.getFirst(OAuth2Constants.SUBJECT_TOKEN);
    if (subjectToken == null) {
        event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN + " param unset");
        event.error(Errors.INVALID_TOKEN);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "token not set", Response.Status.BAD_REQUEST);
    }
    String subjectTokenType = params.getFirst(OAuth2Constants.SUBJECT_TOKEN_TYPE);
    if (subjectTokenType == null) {
        subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
    }
    if (OAuth2Constants.JWT_TOKEN_TYPE.equals(subjectTokenType) || OAuth2Constants.ID_TOKEN_TYPE.equals(subjectTokenType)) {
        return validateJwt(event, subjectToken, subjectTokenType);
    } else if (OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {
        return validateExternalTokenThroughUserInfo(event, subjectToken, subjectTokenType);
    } else {
        event.detail(Details.REASON, OAuth2Constants.SUBJECT_TOKEN_TYPE + " invalid");
        event.error(Errors.INVALID_TOKEN_TYPE);
        throw new ErrorResponseException(OAuthErrorException.INVALID_TOKEN, "invalid token type", Response.Status.BAD_REQUEST);
    }
}
 

@Test
public void loginIgnoreX509IdentityContinueToFormLogin() throws Exception {
    // Set the X509 authenticator configuration
    AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginSubjectEmail2UsernameOrEmailConfig().getConfig());
    String cfgId = createConfig(browserExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    loginConfirmationPage.open();

    Assert.assertTrue(loginConfirmationPage.getSubjectDistinguishedNameText().startsWith("EMAILADDRESS=test-user@localhost"));
    Assert.assertEquals("test-user@localhost", loginConfirmationPage.getUsernameText());

    loginConfirmationPage.ignore();
    loginPage.login("test-user@localhost", "password");

    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

     events.expectLogin()
             .user(userId)
             .detail(Details.USERNAME, "test-user@localhost")
             .removeDetail(Details.REDIRECT_URI)
             .assertEvent();
}
 

@Test
public void loginAttemptedNoConfig() {

    loginConfirmationPage.open();
    loginPage.assertCurrent();

    Assert.assertThat(loginPage.getInfoMessage(), containsString("X509 client authentication has not been configured yet"));
    // Continue with form based login
    loginPage.login("test-user@localhost", "password");

    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));
    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}
 

@Test
public void loginSuccessToLegacy() throws Exception {
    String originalServerRoot = OAuthClient.SERVER_ROOT;
    try {
        OAuthClient.updateURLs(legacyNode.getContextRoot().toString());
        OAuthClient oauth = new OAuthClient();
        oauth.init(DroneUtils.getCurrentDriver());
        oauth.realm(MASTER).clientId("account").redirectUri(legacyNode.getContextRoot().toString() + "/auth/realms/master/account/");
        
        oauth.openLoginForm();
        assertThat(DroneUtils.getCurrentDriver().getTitle(), containsString("Log in to "));
        loginPage.login("admin", "admin");

        assertThat("Login was not successful.", oauth.getCurrentQuery().get(OAuth2Constants.CODE), notNullValue());
    } finally {
        OAuthClient.updateURLs(originalServerRoot);
    }
}
 

@Test
public void specifyMultipleScopeTest() throws Exception {
    String loginUser = "[email protected]";
    String loginPassword = "password";
    String clientSecret = "password";
    
	String requestedScope = "address";
	String expectedScope = "openid profile email address";
	
	oauth.scope(requestedScope);
    oauth.doLogin(loginUser, loginPassword);

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    
    expectSuccessfulResponseFromTokenEndpoint(code, expectedScope, clientSecret);
}
 

private void testIntrospectAccessToken(String jwaAlgorithm) throws Exception {
    try {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), jwaAlgorithm);

        oauth.doLogin("test-user@localhost", "password");
        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
        EventRepresentation loginEvent = events.expectLogin().assertEvent();
        AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, "password");

        assertEquals(jwaAlgorithm, new JWSInput(accessTokenResponse.getAccessToken()).getHeader().getAlgorithm().name());

        String tokenResponse = oauth.introspectAccessTokenWithClientCredential("confidential-cli", "secret1", accessTokenResponse.getAccessToken());

        TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class);

        assertTrue(rep.isActive());
        assertEquals("test-user@localhost", rep.getUserName());
        assertEquals("test-app", rep.getClientId());
        assertEquals(loginEvent.getUserId(), rep.getSubject());

        // Assert expected scope
        OIDCScopeTest.assertScopes("openid email profile", rep.getScope());
    } finally {
        TokenSignatureUtil.changeClientAccessTokenSignatureProvider(ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"), Algorithm.RS256);
    }
}
 

@Test
public void grantAccessTokenUserNotFound() throws Exception {
    oauth.clientId("resource-owner");

    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "invalid", "invalid");

    assertEquals(401, response.getStatusCode());

    assertEquals("invalid_grant", response.getError());

    events.expectLogin()
            .client("resource-owner")
            .user((String) null)
            .session((String) null)
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.USERNAME, "invalid")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .error(Errors.USER_NOT_FOUND)
            .assertEvent();
}
 

@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer policyEnforcer = deployment.getPolicyEnforcer();

    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, null);
    String token = response.getAccessToken();

    OIDCHttpFacade httpFacade = createHttpFacade("/api/resourcea", token);

    AuthorizationContext context = policyEnforcer.enforce(httpFacade);
    Permission permission = context.getPermissions().get(0);
    Map<String, Set<String>> claims = permission.getClaims();

    assertTrue(context.isGranted());
    assertEquals("test", claims.get("resolved-claim").iterator().next());
}
 

protected OAuthClient.AccessTokenResponse assertAuthenticationSuccess(String codeUrl) throws Exception {
    List<NameValuePair> pairs = URLEncodedUtils.parse(new URI(codeUrl), "UTF-8");
    String code = null;
    String state = null;
    for (NameValuePair pair : pairs) {
        if (pair.getName().equals(OAuth2Constants.CODE)) {
            code = pair.getValue();
        } else if (pair.getName().equals(OAuth2Constants.STATE)) {
            state = pair.getValue();
        }
    }
    Assert.assertNotNull(code);
    Assert.assertNotNull(state);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
    Assert.assertNotNull(response.getAccessToken());
    events.clear();
    return response;
}
 

@Test
public void loginSuccessRealmSigningAlgorithms() throws JWSInputException {
    ContainerAssume.assumeAuthServerSSL();

    loginPage.open();
    loginPage.login("login-test", "password");

    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();

    driver.navigate().to(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test/");
    String keycloakIdentity = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();

    // Check identity cookie is signed with HS256
    String algorithm = new JWSInput(keycloakIdentity).getHeader().getAlgorithm().name();
    assertEquals("HS256", algorithm);

    try {
        TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.ES256);

        oauth.openLoginForm();
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());

        driver.navigate().to(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test/");
        keycloakIdentity = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();

        // Check identity cookie is still signed with HS256
        algorithm = new JWSInput(keycloakIdentity).getHeader().getAlgorithm().name();
        assertEquals("HS256", algorithm);

        // Check identity cookie still works
        oauth.openLoginForm();
        Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    } finally {
        TokenSignatureUtil.changeRealmTokenSignatureProvider(adminClient, Algorithm.RS256);
    }
}
 

@Test
public void loginLoginHint() {
    String loginFormUrl = oauth.getLoginFormUrl() + "&login_hint=login-test";
    driver.navigate().to(loginFormUrl);

    Assert.assertEquals("login-test", loginPage.getUsername());
    loginPage.login("password");

    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();
}
 

@Test
public void loginDuplicateUsersNotAllowed() {

    AuthenticatorConfigRepresentation cfg = newConfig("x509-browser-config", createLoginIssuerDN_OU2CustomAttributeConfig().getConfig());
    String cfgId = createConfig(browserExecution.getId(), cfg);
    Assert.assertNotNull(cfgId);

    // Set up the users so that the identity extracted from X509 client cert
    // matches more than a single user to trigger DuplicateModelException.

    UserRepresentation user = testRealm().users().get(userId2).toRepresentation();
    Assert.assertNotNull(user);

    user.singleAttribute("x509_certificate_identity", "Red Hat");
    this.updateUser(user);

    user = testRealm().users().get(userId).toRepresentation();
    Assert.assertNotNull(user);

    user.singleAttribute("x509_certificate_identity", "Red Hat");
    this.updateUser(user);

    events.clear();

    loginPage.open();

    Assert.assertThat(loginPage.getError(), containsString("X509 certificate authentication's failed."));

    loginPage.login("test-user@localhost", "password");

    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE));

    events.expectLogin()
            .user(userId)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.REDIRECT_URI)
            .assertEvent();
}
 

@Test
public void accessTokenUserSessionExpired() {
    oauth.doLogin("test-user@localhost", "password");

    EventRepresentation loginEvent = events.expectLogin().assertEvent();

    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String sessionId = loginEvent.getSessionId();


    testingClient.testing().removeUserSession("test", sessionId);
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);

    OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
    assertEquals(400, tokenResponse.getStatusCode());
    assertNull(tokenResponse.getAccessToken());
    assertNull(tokenResponse.getRefreshToken());

    events.expectCodeToToken(codeId, sessionId)
            .removeDetail(Details.TOKEN_ID)
            .user((String) null)
            .removeDetail(Details.REFRESH_TOKEN_ID)
            .removeDetail(Details.REFRESH_TOKEN_TYPE)
            .error(Errors.INVALID_CODE).assertEvent();

    events.clear();
}
 

protected JsonWebToken generateToken() {
    JsonWebToken jwt = new JsonWebToken();
    jwt.id(KeycloakModelUtils.generateId());
    jwt.type(OAuth2Constants.JWT);
    jwt.issuer(getConfig().getClientId());
    jwt.subject(getConfig().getClientId());
    jwt.audience(getConfig().getTokenUrl());
    int expirationDelay = session.getContext().getRealm().getAccessCodeLifespan();
    jwt.expiration(Time.currentTime() + expirationDelay);
    jwt.issuedNow();
    return jwt;
}
 

@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void accessTokenCorsRequest() throws Exception {
    oauth.realm("test");
    oauth.clientId("test-app2");
    oauth.redirectUri(VALID_CORS_URL + "/realms/master/app");

    oauth.doLogin("test-user@localhost", "password");

    // Token request
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    oauth.origin(VALID_CORS_URL);
    OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");

    assertEquals(200, response.getStatusCode());
    assertCors(response);

    // Refresh request
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), null);

    assertEquals(200, response.getStatusCode());
    assertCors(response);

    // Invalid origin
    oauth.origin(INVALID_CORS_URL);
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), "password");
    assertEquals(200, response.getStatusCode());
    assertNotCors(response);
    oauth.origin(VALID_CORS_URL);

    // No session
    oauth.openLogout();
    response = oauth.doRefreshTokenRequest(response.getRefreshToken(), null);
    assertEquals(400, response.getStatusCode());
    assertCors(response);
    assertEquals("invalid_grant", response.getError());
    assertEquals("Session not active", response.getErrorDescription());
}
 

@Test
public void clientSessionStats() {
    setupTestAppAndUser();

    List<Map<String, String>> sessionStats = realm.getClientSessionStats();
    assertTrue(sessionStats.isEmpty());

    System.out.println(sessionStats.size());

    oauth.doLogin("testuser", "password");
    AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE),
        "secret");
    assertEquals(200, tokenResponse.getStatusCode());

    sessionStats = realm.getClientSessionStats();

    assertEquals(1, sessionStats.size());
    assertEquals("test-app", sessionStats.get(0).get("clientId"));
    assertEquals("1", sessionStats.get(0).get("active"));

    String clientUuid = sessionStats.get(0).get("id");
    realm.clients().get(clientUuid).remove();

    sessionStats = realm.getClientSessionStats();

    assertEquals(0, sessionStats.size());
}
 

@Test
public void refreshTokenAfterUserLogoutAndLoginAgain() {
    String refreshToken1 = loginAndForceNewLoginPage();

    oauth.doLogout(refreshToken1, "password");
    events.clear();

    // Set time offset to 2 (Just to simulate to be more close to real situation)
    setTimeOffset(2);

    // Continue with login
    oauth.fillLoginForm("test-user@localhost", "password");

    assertFalse(loginPage.isCurrent());

    OAuthClient.AccessTokenResponse tokenResponse2 = null;
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    tokenResponse2 = oauth.doAccessTokenRequest(code, "password");

    setTimeOffset(4);
    // Now try refresh with the original refreshToken1 created in logged-out userSession. It should fail
    OAuthClient.AccessTokenResponse responseReuseExceeded = oauth.doRefreshTokenRequest(refreshToken1, "password");
    assertEquals(400, responseReuseExceeded.getStatusCode());

    setTimeOffset(6);
    // Finally try with valid refresh token
    responseReuseExceeded = oauth.doRefreshTokenRequest(tokenResponse2.getRefreshToken(), "password");
    assertEquals(200, responseReuseExceeded.getStatusCode());
}
 

@Test
public void testIntrospectRefreshTokenAfterUserSessionLogoutAndLoginAgain() throws Exception {
    AccessTokenResponse accessTokenResponse = loginAndForceNewLoginPage();
    String refreshToken1 = accessTokenResponse.getRefreshToken();

    oauth.doLogout(refreshToken1, "password");
    events.clear();

    setTimeOffset(2);

    oauth.fillLoginForm("test-user@localhost", "password");
    events.expectLogin().assertEvent();

    Assert.assertFalse(loginPage.isCurrent());

    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    OAuthClient.AccessTokenResponse tokenResponse2 = oauth.doAccessTokenRequest(code, "password");

    String introspectResponse = oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", tokenResponse2.getRefreshToken());

    ObjectMapper objectMapper = new ObjectMapper();
    JsonNode jsonNode = objectMapper.readTree(introspectResponse);
    assertTrue(jsonNode.get("active").asBoolean());

    introspectResponse = oauth.introspectRefreshTokenWithClientCredential("confidential-cli", "secret1", refreshToken1);

    jsonNode = objectMapper.readTree(introspectResponse);
    assertFalse(jsonNode.get("active").asBoolean());
}