Java Code Examples for org.keycloak.representations.idm.ClientRepresentation#setFullScopeAllowed()
The following examples show how to use
org.keycloak.representations.idm.ClientRepresentation#setFullScopeAllowed().
Example 1
Source File: ClientRegistrationPoliciesTest.java From keycloak with Apache License 2.0 | 6 votes |
@Test @AuthServerContainerExclude(AuthServer.REMOTE) // We would need to do domain name -> ip address to set trusted host public void testAnonFullScopeAllowed() throws Exception { setTrustedHost("localhost"); OIDCClientRepresentation client = create(); // Assert new client has fullScopeAllowed disabled String clientId = client.getClientId(); ClientRepresentation clientRep = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation(); Assert.assertFalse(clientRep.isFullScopeAllowed()); // Try update with disabled consent required. Should fail clientRep.setFullScopeAllowed(true); assertFail(ClientRegOp.UPDATE, clientRep, 403, "Not permitted to enable fullScopeAllowed"); // Try update with enabled consent required. Should pass clientRep.setFullScopeAllowed(false); reg.update(clientRep); }
Example 2
Source File: KeycloakModelUtils.java From keycloak with Apache License 2.0 | 6 votes |
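/**
 * Adds a new client named {@code name} to {@code realm} and returns it.
 *
 * <p>The client gets the default authenticator type, a generated secret and
 * {@code fullScopeAllowed=true}, i.e. no scope mapping limits which of the
 * user's role mappings end up in the client's tokens.
 *
 * @param realm realm representation the client is attached to; its client
 *              list is created when it is still {@code null}
 * @param name  used as both display name and client id
 * @return the client representation that was added to {@code realm}
 */
public static ClientRepresentation createClient(RealmRepresentation realm, String name) {
    ClientRepresentation app = new ClientRepresentation();
    app.setName(name);
    app.setClientId(name);
    List<ClientRepresentation> clients = realm.getClients();
    if (clients != null) {
        clients.add(app);
    } else {
        // Must be a growable list: Arrays.asList() is fixed-size, so the add()
        // above would throw UnsupportedOperationException for the realm's
        // second client. Fully qualified to avoid touching the import block.
        List<ClientRepresentation> created = new java.util.ArrayList<>();
        created.add(app);
        realm.setClients(created);
    }
    app.setClientAuthenticatorType(getDefaultClientAuthenticatorType());
    generateSecret(app);
    app.setFullScopeAllowed(true);
    return app;
}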
Example 3
Source File: AbstractClientTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Builds an enabled, public client representation for {@code clientId} that
 * uses {@code protocol}; SAML clients additionally receive the shared SAML
 * attributes.
 *
 * @param clientId client id of the new representation
 * @param protocol login protocol, compared against {@code SAML}
 * @return a representation with direct access grants, full scope and the
 *         standard flow switched on
 */
public static ClientRepresentation createClientRep(String clientId, String protocol) {
    ClientRepresentation rep = new ClientRepresentation();
    rep.setClientId(clientId);
    rep.setEnabled(true);
    rep.setProtocol(protocol);
    rep.setDirectAccessGrantsEnabled(true);
    rep.setFullScopeAllowed(true);
    rep.setPublicClient(true);
    rep.setStandardFlowEnabled(true);
    boolean samlClient = protocol.equals(SAML);
    if (samlClient) {
        rep.setAttributes(getSAMLAttributes());
    }
    return rep;
}
Example 4
Source File: AudienceTest.java From keycloak with Apache License 2.0 | 5 votes |
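/**
 * Prepares the test realm for the audience tests: adds a bearer-only
 * "service-client" with one client role, switches {@code fullScopeAllowed}
 * off on the pre-existing "test-app" client so its tokens only carry
 * explicitly mapped roles, and adds the test user "john" holding that role.
 *
 * @param testRealm realm representation imported before the tests run;
 *                  expected to already contain a "test-app" client
 */
@Override
public void configureTestRealm(RealmRepresentation testRealm) {
    // Create service client with some client role
    ClientRepresentation client1 = new ClientRepresentation();
    client1.setClientId("service-client");
    client1.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    client1.setBearerOnly(true);
    client1.setBaseUrl("http://foo/service-client");
    testRealm.getClients().add(client1);

    RoleRepresentation role1 = new RoleRepresentation();
    role1.setName("role1");
    testRealm.getRoles().getClient().put("service-client", Arrays.asList(role1));

    // Disable FullScopeAllowed for the 'test-app' client. Fail with a clear
    // message instead of a bare NoSuchElementException from Optional.get()
    // if the imported realm no longer contains that client.
    ClientRepresentation testApp = testRealm.getClients().stream()
            .filter(client -> "test-app".equals(client.getClientId()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("Client 'test-app' not found in test realm"));
    testApp.setFullScopeAllowed(false);

    // Create sample user
    // NOTE(review): the e-mail literal below looks redacted by the page this
    // snippet was taken from; confirm the real fixture value against the repo.
    UserRepresentation user = UserBuilder.create()
            .id(userId)
            .username("john")
            .enabled(true)
            .email("[email protected]")
            .firstName("John")
            .lastName("Doe")
            .password("password")
            .role("account", "manage-account")
            .role("account", "view-profile")
            .role("service-client", "role1")
            .build();
    testRealm.getUsers().add(user);
}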
Example 5
Source File: FineGrainAdminUnitTest.java From keycloak with Apache License 2.0 | 5 votes |
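/**
 * Creates a confidential full-scope client in master and a new realm, then
 * checks that the master admin client can create a client in that new realm
 * (201). Every JAX-RS response is closed so connections are released, and
 * the extra realm is removed even when an assertion fails.
 *
 * <p>NOTE(review): the "fullScopedClient" created in master is not cleaned
 * up here; confirm that later tests tolerate it.
 *
 * @throws Exception if the admin client fails
 */
@Test
public void testCreateRealmCreateClientWithMaster() throws Exception {
    ClientRepresentation rep = new ClientRepresentation();
    rep.setName("fullScopedClient");
    rep.setClientId("fullScopedClient");
    rep.setFullScopeAllowed(true);
    rep.setSecret("618268aa-51e6-4e64-93c4-3c0bc65b8171");
    rep.setProtocol("openid-connect");
    rep.setPublicClient(false);
    rep.setEnabled(true);
    // Close the response: the status is not checked here and the connection must be released
    adminClient.realm("master").clients().create(rep).close();

    RealmRepresentation newRealm = new RealmRepresentation();
    newRealm.setRealm("anotherRealm");
    newRealm.setId("anotherRealm");
    newRealm.setEnabled(true);
    adminClient.realms().create(newRealm);

    try {
        ClientRepresentation newClient = new ClientRepresentation();
        newClient.setName("newClient");
        newClient.setClientId("newClient");
        newClient.setFullScopeAllowed(true);
        newClient.setSecret("secret");
        newClient.setProtocol("openid-connect");
        newClient.setPublicClient(false);
        newClient.setEnabled(true);
        Response response = adminClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(201, response.getStatus());
        } finally {
            response.close();
        }
    } finally {
        adminClient.realm("anotherRealm").remove();
    }
}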
Example 6
Source File: AbstractBasePhotozExampleAdapterTest.java From keycloak with Apache License 2.0 | 5 votes |
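/**
 * Makes the resource server's "manage-albums" client role obtainable only
 * through a dedicated optional client scope: creates the scope with a
 * user-client-role mapper, maps the role to it, attaches the scope to the
 * "photoz-html5-client" client and finally disables {@code fullScopeAllowed}
 * on that client so the role is no longer granted by default.
 */
protected void setManageAlbumScopeRequired() {
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("manage-albums");
    clientScope.setProtocol("openid-connect");

    // User client-role mapper for "photoz-restful-api", enabled for access, ID and userinfo tokens
    ProtocolMapperRepresentation mapper = new ProtocolMapperRepresentation();
    mapper.setName("manage-albums");
    mapper.setProtocol("openid-connect");
    mapper.setProtocolMapper(UserClientRoleMappingMapper.PROVIDER_ID);
    Map<String, String> config = new HashMap<>();
    config.put("access.token.claim", "true");
    config.put("id.token.claim", "true");
    config.put("userinfo.token.claim", "true");
    config.put(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_CLIENT_ID, "photoz-restful-api");
    mapper.setConfig(config);
    clientScope.setProtocolMappers(Arrays.asList(mapper));

    RealmResource realmResource = realmsResouce().realm(REALM_NAME);
    ClientScopesResource clientScopes = realmResource.clientScopes();
    Response resp = clientScopes.create(clientScope);
    String clientScopeId;
    try {
        Assert.assertEquals(201, resp.getStatus());
        // Read the created id while the response is still open; close it
        // afterwards even if the status assertion fails.
        clientScopeId = ApiUtil.getCreatedId(resp);
    } finally {
        resp.close();
    }

    ClientResource resourceServer = getClientResource(RESOURCE_SERVER_ID);
    clientScopes.get(clientScopeId).getScopeMappings()
            .clientLevel(resourceServer.toRepresentation().getId())
            .add(Arrays.asList(resourceServer.roles().get("manage-albums").toRepresentation()));

    ClientResource html5ClientApp = getClientResource("photoz-html5-client");
    html5ClientApp.addOptionalClientScope(clientScopeId);
    html5ClientApp.getScopeMappings().realmLevel().add(Arrays.asList(
            realmResource.roles().get("user").toRepresentation(),
            realmResource.roles().get("admin").toRepresentation()));

    // With full scope disabled only scope-mapped roles end up in the client's tokens
    ClientRepresentation clientRep = html5ClientApp.toRepresentation();
    clientRep.setFullScopeAllowed(false);
    html5ClientApp.update(clientRep);
}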
Example 7
Source File: OIDCScopeTest.java From keycloak with Apache License 2.0 | 4 votes |
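/**
 * Two refresh tokens obtained with different optional scopes keep their own
 * role sets: refreshing the first yields only "role-1", refreshing the second
 * only "role-2". This needs {@code fullScopeAllowed} switched off on
 * "test-app", otherwise both tokens would carry every realm role; the client
 * is restored to full scope in a finally block so a failing assertion does
 * not leak the changed configuration into later tests.
 */
@Test
public void testTwoRefreshTokensWithDifferentScopes() {
    // Add 2 client scopes. Each with scope to 1 realm role
    ClientScopeRepresentation clientScope1 = new ClientScopeRepresentation();
    clientScope1.setName("scope-role-1");
    clientScope1.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = testRealm().clientScopes().create(clientScope1);
    String scope1Id = ApiUtil.getCreatedId(response);
    getCleanup().addClientScopeId(scope1Id);
    response.close();

    ClientScopeRepresentation clientScope2 = new ClientScopeRepresentation();
    clientScope2.setName("scope-role-2");
    clientScope2.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    response = testRealm().clientScopes().create(clientScope2);
    String scope2Id = ApiUtil.getCreatedId(response);
    getCleanup().addClientScopeId(scope2Id);
    response.close();

    RoleRepresentation role1 = testRealm().roles().get("role-1").toRepresentation();
    testRealm().clientScopes().get(scope1Id).getScopeMappings().realmLevel().add(Arrays.asList(role1));
    RoleRepresentation role2 = testRealm().roles().get("role-2").toRepresentation();
    testRealm().clientScopes().get(scope2Id).getScopeMappings().realmLevel().add(Arrays.asList(role2));

    // Add client scopes to our client. Disable fullScopeAllowed
    ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app");
    ClientRepresentation testAppRep = testApp.toRepresentation();
    testAppRep.setFullScopeAllowed(false);
    testApp.update(testAppRep);
    testApp.addOptionalClientScope(scope1Id);
    testApp.addOptionalClientScope(scope2Id);

    try {
        // Login with scope-role-1. Save refresh token
        oauth.scope("scope-role-1");
        oauth.doLogin("john", "password");
        EventRepresentation loginEvent = events.expectLogin()
                .user(userId)
                .assertEvent();
        Tokens tokens1 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-1", "test-app");
        Assert.assertTrue(tokens1.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(tokens1.accessToken.getRealmAccess().isUserInRole("role-2"));

        // SSO login with scope-role-2. Save refresh token
        oauth.scope("scope-role-2");
        oauth.openLoginForm();
        loginEvent = events.expectLogin().user(userId).removeDetail(Details.USERNAME).client("test-app").assertEvent();
        Tokens tokens2 = sendTokenRequest(loginEvent, userId, "openid email profile scope-role-2", "test-app");
        Assert.assertFalse(tokens2.accessToken.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(tokens2.accessToken.getRealmAccess().isUserInRole("role-2"));

        // Ensure I can refresh refreshToken1. Just role1 is present
        OAuthClient.AccessTokenResponse refreshResponse1 = oauth.doRefreshTokenRequest(tokens1.refreshToken, "password");
        Assert.assertEquals(200, refreshResponse1.getStatusCode());
        AccessToken accessToken1 = oauth.verifyToken(refreshResponse1.getAccessToken());
        Assert.assertTrue(accessToken1.getRealmAccess().isUserInRole("role-1"));
        Assert.assertFalse(accessToken1.getRealmAccess().isUserInRole("role-2"));

        // Ensure I can refresh refreshToken2. Just role2 is present
        OAuthClient.AccessTokenResponse refreshResponse2 = oauth.doRefreshTokenRequest(tokens2.refreshToken, "password");
        Assert.assertEquals(200, refreshResponse2.getStatusCode());
        AccessToken accessToken2 = oauth.verifyToken(refreshResponse2.getAccessToken());
        Assert.assertFalse(accessToken2.getRealmAccess().isUserInRole("role-1"));
        Assert.assertTrue(accessToken2.getRealmAccess().isUserInRole("role-2"));
    } finally {
        // Revert: re-enable full scope and detach the optional scopes so other
        // tests see the client in its original state even if an assertion failed
        testAppRep.setFullScopeAllowed(true);
        testApp.update(testAppRep);
        testApp.removeOptionalClientScope(scope1Id);
        testApp.removeOptionalClientScope(scope2Id);
    }
}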
Example 8
Source File: FineGrainAdminUnitTest.java From keycloak with Apache License 2.0 | 4 votes |
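/**
 * A confidential client created in master with {@code fullScopeAllowed} is
 * used as an admin client: it creates a realm, is refused (403) when it then
 * tries to create a client in that realm, and after the admin client is
 * re-created the same request is accepted (201).
 *
 * <p>NOTE(review): the 403-then-201 behaviour presumably comes from the first
 * admin token being issued before the realm (and its management roles)
 * existed; confirm against the fine-grained admin permission implementation.
 *
 * @throws Exception if the admin client fails
 */
@Test
public void testCreateRealmCreateClient() throws Exception {
    // Single source for the client secret used both when creating the client and when logging in with it
    String secret = "618268aa-51e6-4e64-93c4-3c0bc65b8171";

    ClientRepresentation rep = new ClientRepresentation();
    rep.setName("fullScopedClient");
    rep.setClientId("fullScopedClient");
    rep.setFullScopeAllowed(true);
    rep.setSecret(secret);
    rep.setProtocol("openid-connect");
    rep.setPublicClient(false);
    rep.setEnabled(true);
    // Close the response so the connection is released; the status is not checked here
    adminClient.realm("master").clients().create(rep).close();

    Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), "master", "admin", "admin", "fullScopedClient", secret);
    try {
        RealmRepresentation newRealm = new RealmRepresentation();
        newRealm.setRealm("anotherRealm");
        newRealm.setId("anotherRealm");
        newRealm.setEnabled(true);
        realmClient.realms().create(newRealm);

        ClientRepresentation newClient = new ClientRepresentation();
        newClient.setName("newClient");
        newClient.setClientId("newClient");
        newClient.setFullScopeAllowed(true);
        newClient.setSecret("secret");
        newClient.setProtocol("openid-connect");
        newClient.setPublicClient(false);
        newClient.setEnabled(true);

        Response response = realmClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(403, response.getStatus());
        } finally {
            response.close();
        }

        // Re-create the admin client so it authenticates again after the realm exists
        realmClient.close();
        realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), "master", "admin", "admin", "fullScopedClient", secret);
        response = realmClient.realm("anotherRealm").clients().create(newClient);
        try {
            Assert.assertEquals(201, response.getStatus());
        } finally {
            response.close();
        }
    } finally {
        adminClient.realm("anotherRealm").remove();
        realmClient.close();
    }
}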
Example 9
Source File: OIDCProtocolMappersTest.java From keycloak with Apache License 2.0 | 4 votes |
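/**
 * KEYCLOAK-5259: the user realm-role and client-role mappers must still fill
 * the "roles-custom" claim when {@code fullScopeAllowed} is disabled on the
 * client. The mappers and the full-scope flag are restored in a finally
 * block so a failing assertion does not leave "test-app" reconfigured.
 *
 * @throws Exception if the login or token verification fails
 */
@Test
public void testUserRoleToAttributeMappersWithFullScopeDisabled() throws Exception {
    // Add mapper for realm roles
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);

    ClientResource client = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app");

    // Disable full-scope-allowed
    ClientRepresentation rep = client.toRepresentation();
    rep.setFullScopeAllowed(false);
    client.update(rep);

    // Reuse the resource looked up above instead of resolving "test-app" a second time
    ProtocolMappersResource protocolMappers = client.getProtocolMappers();
    try {
        protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));

        // Login user
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // Verify attribute is filled
        @SuppressWarnings("unchecked") // the claim is a JSON object decoded into a Map
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
        Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));
        @SuppressWarnings("unchecked") // element type checked as List just above
        List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
        @SuppressWarnings("unchecked")
        List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
        assertRoles(realmRoleMappings,
                "pref.user" // from direct assignment in user definition
        );
        assertRoles(testAppMappings,
                "customer-user" // from direct assignment in user definition
        );
    } finally {
        // Revert
        deleteMappers(protocolMappers);
        rep = client.toRepresentation();
        rep.setFullScopeAllowed(true);
        client.update(rep);
    }
}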
Example 10
Source File: ClientManager.java From keycloak with Apache License 2.0 | 4 votes |
/**
 * Sets {@code fullScopeAllowed} on the managed client and persists the change
 * through the client resource.
 *
 * @param enable new value of the flag
 * @return this builder, for chaining
 */
public ClientManagerBuilder fullScopeAllowed(boolean enable) {
    ClientRepresentation current = clientResource.toRepresentation();
    current.setFullScopeAllowed(enable);
    clientResource.update(current);
    return this;
}