From d089e23aef560f9d9ceb96490d68a64aa910b79b Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Thu, 6 Mar 2025 11:56:59 +0100 Subject: [PATCH] Move token introspection to AbstractOAuthClient (#37859) Closes #37858 Signed-off-by: stianst --- .../test/examples/OAuthClientTest.java | 12 ++ .../util/oauth/AbstractHttpResponse.java | 6 + .../util/oauth/AbstractOAuthClient.java | 16 +++ .../util/oauth/IntrospectionRequest.java | 10 +- .../util/oauth/IntrospectionResponse.java | 35 ++++++ .../testsuite/util/oauth/OAuthClient.java | 19 --- .../testsuite/authz/UmaGrantTypeTest.java | 2 +- .../KcOidcBrokerTransientSessionsTest.java | 4 +- .../keycloak/testsuite/client/CIBATest.java | 48 +++----- .../client/OAuth2_1PublicClientTest.java | 3 - .../OIDCPairwiseClientRegistrationTest.java | 5 +- .../policies/AbstractClientPoliciesTest.java | 13 +- .../testsuite/keys/KeyRotationTest.java | 4 +- .../testsuite/oauth/AccessTokenTest.java | 8 +- .../keycloak/testsuite/oauth/DPoPTest.java | 16 ++- .../testsuite/oauth/OfflineTokenTest.java | 4 +- .../testsuite/oauth/RefreshTokenTest.java | 6 +- .../testsuite/oauth/ServiceAccountTest.java | 4 +- .../oauth/TokenIntrospectionTest.java | 116 +++++------------- .../oauth/TokenRevocationCorsTest.java | 25 ++-- .../testsuite/oauth/TokenRevocationTest.java | 6 +- .../keycloak/testsuite/oauth/hok/HoKTest.java | 5 +- ...SubjectImpersonationTokenExchangeTest.java | 4 +- .../StandardTokenExchangeV2Test.java | 6 +- .../oidc/LightWeightAccessTokenTest.java | 28 ++--- .../NonceBackwardsCompatibleMapperTest.java | 17 +-- 26 files changed, 185 insertions(+), 237 deletions(-) rename {testsuite/integration-arquillian/tests/base => tests/utils-shared}/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java (75%) create mode 100644 tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionResponse.java diff --git a/test-framework/examples/tests/src/test/java/org/keycloak/test/examples/OAuthClientTest.java b/test-framework/examples/tests/src/test/java/org/keycloak/test/examples/OAuthClientTest.java index b28db91dbc5..2b1d2b9b779 100644 --- a/test-framework/examples/tests/src/test/java/org/keycloak/test/examples/OAuthClientTest.java +++ b/test-framework/examples/tests/src/test/java/org/keycloak/test/examples/OAuthClientTest.java @@ -15,9 +15,12 @@ import org.keycloak.testframework.realm.UserConfig; import org.keycloak.testframework.realm.UserConfigBuilder; import org.keycloak.testsuite.util.oauth.AccessTokenResponse; import org.keycloak.testsuite.util.oauth.AuthorizationEndpointResponse; +import org.keycloak.testsuite.util.oauth.IntrospectionResponse; import org.keycloak.testsuite.util.oauth.TokenRevocationResponse; import org.keycloak.testsuite.util.oauth.UserInfoResponse; +import java.io.IOException; + @KeycloakIntegrationTest public class OAuthClientTest { @@ -82,6 +85,15 @@ public class OAuthClientTest { Assertions.assertNotNull(oidcConfiguration); } + @Test + public void testIntrospection() throws IOException { + AccessTokenResponse accessTokenResponse = oauth.doPasswordGrantRequest(user.getUsername(), user.getPassword()); + + IntrospectionResponse introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); + Assertions.assertTrue(introspectionResponse.isSuccess()); + Assertions.assertTrue(introspectionResponse.asTokenMetadata().isActive()); + } + @Test public void testRevocation() { AccessTokenResponse accessTokenResponse = oauth.doPasswordGrantRequest(user.getUsername(), user.getPassword()); diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractHttpResponse.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractHttpResponse.java index 774098c992b..cacc58c1a87 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractHttpResponse.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractHttpResponse.java @@ -3,10 +3,12 @@ package org.keycloak.testsuite.util.oauth; import com.fasterxml.jackson.databind.node.ObjectNode; import org.apache.http.Header; import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.util.EntityUtils; import org.keycloak.OAuth2Constants; import org.keycloak.util.JsonSerialization; import java.io.IOException; +import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.Map; @@ -79,6 +81,10 @@ public abstract class AbstractHttpResponse { return JsonSerialization.readValue(response.getEntity().getContent(), clazz); } + protected String asString() throws IOException { + return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8); + } + protected abstract void parseContent() throws IOException; private void parseError() throws IOException { diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java index 39df3f929fa..1c7671d25cf 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java @@ -132,6 +132,22 @@ public abstract class AbstractOAuthClient { return userInfoRequest(accessToken).send(); } + public IntrospectionRequest introspectionRequest(String tokenToIntrospect) { + return new IntrospectionRequest(tokenToIntrospect, this); + } + + public IntrospectionResponse doIntrospectionRequest(String tokenToIntrospect, String tokenType) { + return introspectionRequest(tokenToIntrospect).tokenTypeHint(tokenType).send(); + } + + public IntrospectionResponse doIntrospectionAccessTokenRequest(String tokenToIntrospect) { + return introspectionRequest(tokenToIntrospect).tokenTypeHint("access_token").send(); + } + + public IntrospectionResponse doIntrospectionRefreshTokenRequest(String tokenToIntrospect) { + return introspectionRequest(tokenToIntrospect).tokenTypeHint("refresh_token").send(); + } + public TokenRevocationRequest tokenRevocationRequest(String token) { return new TokenRevocationRequest(token, this); } diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java similarity index 75% rename from testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java rename to tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java index 376840d32bb..64e18f54d79 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/IntrospectionRequest.java @@ -1,19 +1,17 @@ package org.keycloak.testsuite.util.oauth; import org.apache.http.client.methods.CloseableHttpResponse; -import org.apache.http.util.EntityUtils; import org.keycloak.utils.MediaType; import java.io.IOException; -import java.nio.charset.StandardCharsets; -public class IntrospectionRequest extends AbstractHttpPostRequest { +public class IntrospectionRequest extends AbstractHttpPostRequest { private final String token; private String tokenTypeHint; private boolean jwtResponse = false; - IntrospectionRequest(String token, OAuthClient client) { + IntrospectionRequest(String token, AbstractOAuthClient client) { super(client); this.token = token; } @@ -39,8 +37,8 @@ public class IntrospectionRequest extends AbstractHttpPostRequest { loginPage.login(username, password); } - public IntrospectionRequest introspectionRequest(String tokenToIntrospect) { - return new IntrospectionRequest(tokenToIntrospect, this); - } - - public String doIntrospectionRequest(String tokenToIntrospect, String tokenType) { - return introspectionRequest(tokenToIntrospect).tokenTypeHint(tokenType).send(); - } - - public String doIntrospectionAccessTokenRequest(String tokenToIntrospect) { - return introspectionRequest(tokenToIntrospect).tokenTypeHint("access_token").send(); - } - - public String doIntrospectionRefreshTokenRequest(String tokenToIntrospect) { - return introspectionRequest(tokenToIntrospect).tokenTypeHint("refresh_token").send(); - } - public TokenExchangeRequest tokenExchangeRequest(String subjectToken) { return new TokenExchangeRequest(subjectToken, this); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java index 6bfd39e4603..8f58de6c52d 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java @@ -583,7 +583,7 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest { assertNotNull(introspectionResponse.getPermissions()); oauth.realm("authz-test").client("resource-server-test", "secret"); - String introspectHttpResponse = oauth.doIntrospectionRequest(rpt, "requesting_party_token"); + String introspectHttpResponse = oauth.doIntrospectionRequest(rpt, "requesting_party_token").getRaw(); Map jsonNode = JsonSerialization.readValue(introspectHttpResponse, Map.class); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java index cc179e713cb..a9f2b04bf36 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerTransientSessionsTest.java @@ -564,9 +564,7 @@ public final class KcOidcBrokerTransientSessionsTest extends AbstractAdvancedBro assertThat(userInfoResponse.getUserInfo().getEmail(), is(bc.getUserEmail())); // Check that tokenIntrospection can be invoked - var introspectionResponse = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()).asJsonNode(); org.junit.Assert.assertEquals(true, jsonNode.get("active").asBoolean()); org.junit.Assert.assertEquals(bc.getUserEmail(), jsonNode.get("email").asText()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java index 8fdf354c1e7..0de34516cc7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/CIBATest.java @@ -504,13 +504,13 @@ public class CIBATest extends AbstractClientPoliciesTest { AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId()); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, true); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // revoke by refresh token EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), tokenRes.getSessionState(), userId, true); @@ -606,13 +606,13 @@ public class CIBATest extends AbstractClientPoliciesTest { tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId()); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // revoke by refresh token EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), tokenRes.getSessionState(), userId, false); @@ -670,13 +670,13 @@ public class CIBATest extends AbstractClientPoliciesTest { tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId()); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // revoke by refresh token EventRepresentation logoutEvent = doTokenRevokeByRefreshToken(tokenRes.getRefreshToken(), tokenRes.getSessionState(), userId, false); @@ -907,13 +907,13 @@ public class CIBATest extends AbstractClientPoliciesTest { assertTrue(authTime <= currentTime + 5); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // logout by refresh token EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false); @@ -2556,13 +2556,13 @@ public class CIBATest extends AbstractClientPoliciesTest { AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId()); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, false); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // logout by refresh token EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, false); @@ -2785,36 +2785,22 @@ public class CIBATest extends AbstractClientPoliciesTest { assertThat(idToken.getAudience()[0], is(equalTo(idToken.getIssuedFor()))); } - private String doIntrospectAccessTokenWithClientCredential(AccessTokenResponse tokenRes, String username) throws IOException { + private void doIntrospectAccessTokenWithClientCredential(AccessTokenResponse tokenRes, String username) throws IOException { AccessToken accessToken = oauth.verifyToken(tokenRes.getAccessToken()); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(tokenRes.getAccessToken()); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); - assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - assertThat(jsonNode.get("username").asText(), is(equalTo(username))); - assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(tokenRes.getAccessToken()).asTokenMetadata(); assertThat(rep.isActive(), is(equalTo(true))); assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); events.expect(EventType.INTROSPECT_TOKEN).user((String) null).session(accessToken.getSessionId()).clearDetails().assertEvent(); - tokenResponse = oauth.doIntrospectionAccessTokenRequest(tokenRes.getRefreshToken()); - jsonNode = objectMapper.readTree(tokenResponse); - assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); - rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + rep = oauth.doIntrospectionAccessTokenRequest(tokenRes.getRefreshToken()).asTokenMetadata(); assertThat(rep.isActive(), is(equalTo(true))); assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); assertThat(rep.getIssuedFor(), is(equalTo(TEST_CLIENT_NAME))); assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuer()))); events.expect(EventType.INTROSPECT_TOKEN).user((String) null).session(accessToken.getSessionId()).clearDetails().assertEvent(); - tokenResponse = oauth.doIntrospectionAccessTokenRequest(tokenRes.getIdToken()); - jsonNode = objectMapper.readTree(tokenResponse); - assertThat(jsonNode.get("active").asBoolean(), is(equalTo(true))); - assertThat(jsonNode.get("client_id").asText(), is(equalTo(TEST_CLIENT_NAME))); - rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + rep = oauth.doIntrospectionAccessTokenRequest(tokenRes.getIdToken()).asTokenMetadata(); assertThat(rep.isActive(), is(equalTo(true))); assertThat(rep.getUserName(), is(equalTo(username))); assertThat(rep.getClientId(), is(equalTo(TEST_CLIENT_NAME))); @@ -2822,8 +2808,6 @@ public class CIBATest extends AbstractClientPoliciesTest { assertThat(rep.getPreferredUsername(), is(equalTo(username))); assertThat(rep.getAudience()[0], is(equalTo(rep.getIssuedFor()))); events.expect(EventType.INTROSPECT_TOKEN).user((String) null).session(accessToken.getSessionId()).clearDetails().assertEvent(); - - return tokenResponse; } private AccessTokenResponse doRefreshTokenRequest(String oldRefreshToken, String username, String sessionId, boolean isOfflineAccess) { @@ -2951,13 +2935,13 @@ public class CIBATest extends AbstractClientPoliciesTest { assertTrue(authTime <= currentTime + 5); // token introspection - String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // token refresh tokenRes = doRefreshTokenRequest(tokenRes.getRefreshToken(), username, sessionId, isOfflineAccess); // token introspection after token refresh - tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username); + doIntrospectAccessTokenWithClientCredential(tokenRes, username); // logout by refresh token EventRepresentation logoutEvent = doLogoutByRefreshToken(tokenRes.getRefreshToken(), sessionId, userId, isOfflineAccess); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java index f769713f59c..fc2ede65e6f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java @@ -248,9 +248,6 @@ public class OAuth2_1PublicClientTest extends AbstractFAPITest { dpopProofEcEncoded = generateSignedDPoPProof(UUID.randomUUID().toString(), HttpMethod.POST, oauth.getEndpoints().getRevocation(), (long) Time.currentTime(), Algorithm.ES256, jwsEcHeader, ecKeyPair.getPrivate()); oauth.dpopProof(dpopProofEcEncoded); assertTrue(oauth.doTokenRevoke(response.getAccessToken(), "access_token").isSuccess()); - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(response.getAccessToken()); - TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class); - assertFalse(tokenMetadataRepresentation.isActive()); oauth.idTokenHint(response.getIdToken()).openLogout(); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java index 4c08d51b187..468cfe25d99 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCPairwiseClientRegistrationTest.java @@ -418,10 +418,7 @@ public class OIDCPairwiseClientRegistrationTest extends AbstractClientRegistrati // Login to pairwise client AccessTokenResponse accessTokenResponse = login(pairwiseClient, "test-user@localhost", "password"); - String introspectionResponse = oauth.client(pairwiseClient.getClientId(), pairwiseClient.getClientSecret()).doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.client(pairwiseClient.getClientId(), pairwiseClient.getClientSecret()).doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asJsonNode(); Assert.assertEquals(true, jsonNode.get("active").asBoolean()); Assert.assertEquals("test-user@localhost", jsonNode.get("email").asText()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java index d5389befb96..662b43231bd 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java @@ -179,6 +179,7 @@ import org.keycloak.testsuite.util.SignatureSignerUtil; import org.keycloak.testsuite.util.oauth.AccessTokenResponse; import org.keycloak.testsuite.util.oauth.AuthorizationEndpointResponse; import org.keycloak.testsuite.util.ServerURLs; +import org.keycloak.testsuite.util.oauth.IntrospectionResponse; import org.keycloak.testsuite.util.oauth.LogoutResponse; import org.keycloak.util.JsonSerialization; @@ -650,15 +651,11 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { // OAuth2 protocol operation protected void doIntrospectAccessToken(AccessTokenResponse tokenRes, String username, String clientId, String sessionId, String clientSecret) throws IOException { - String tokenResponse = oauth.client(clientId, clientSecret).doIntrospectionAccessTokenRequest(tokenRes.getAccessToken()); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); - assertEquals(true, jsonNode.get("active").asBoolean()); - assertEquals(username, jsonNode.get("username").asText()); - assertEquals(clientId, jsonNode.get("client_id").asText()); - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.client(clientId, clientSecret).doIntrospectionAccessTokenRequest(tokenRes.getAccessToken()).asTokenMetadata(); assertEquals(true, rep.isActive()); assertEquals(clientId, rep.getClientId()); assertEquals(clientId, rep.getIssuedFor()); + assertEquals(username, rep.getUserName()); events.expect(EventType.INTROSPECT_TOKEN).client(clientId).session(sessionId).user((String)null).clearDetails().assertEvent(); } @@ -1332,7 +1329,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { assertEquals(200, accessTokenResponseRefreshed.getStatusCode()); // Check token introspection. - String tokenResponse; + IntrospectionResponse tokenResponse; try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithDefaultKeyStoreAndTrustStore()) { oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET).httpClient().set(client); tokenResponse = oauth.doIntrospectionRequest(accessTokenResponse.getAccessToken(), "access_token"); @@ -1342,7 +1339,7 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { oauth.httpClient().reset(); } Assert.assertNotNull(tokenResponse); - TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation tokenMetadataRepresentation = tokenResponse.asTokenMetadata(); Assert.assertTrue(tokenMetadataRepresentation.isActive()); // Check token revoke. diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java index c3154de8776..292d733163b 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/keys/KeyRotationTest.java @@ -335,9 +335,7 @@ public class KeyRotationTest extends AbstractKeycloakTest { private void assertTokenIntrospection(String token, boolean expectActive) { try { - String tokenResponse = oauth.client("confidential-cli", "secret1").doIntrospectionAccessTokenRequest(token); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); + JsonNode jsonNode = oauth.client("confidential-cli", "secret1").doIntrospectionAccessTokenRequest(token).asJsonNode(); assertEquals(expectActive, jsonNode.get("active").asBoolean()); oauth.client("test-app", "password"); } catch (IOException e) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index acc42eeea42..9d9baaf1032 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -451,9 +451,7 @@ public class AccessTokenTest extends AbstractKeycloakTest { UserInfoClientUtil.testSuccessfulUserInfoResponse(userInfoResponse, "test-user@localhost", "test-user@localhost"); // Check that tokenIntrospection can be invoked - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.doIntrospectionAccessTokenRequest(accessToken).asJsonNode(); Assert.assertEquals(true, jsonNode.get("active").asBoolean()); Assert.assertEquals("test-user@localhost", jsonNode.get("email").asText()); @@ -477,9 +475,7 @@ public class AccessTokenTest extends AbstractKeycloakTest { userInfoResponse.close(); // Check that tokenIntrospection can't be invoked with invalidated accessToken - introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); - objectMapper = new ObjectMapper(); - jsonNode = objectMapper.readTree(introspectionResponse); + jsonNode = oauth.doIntrospectionAccessTokenRequest(accessToken).asJsonNode(); Assert.assertEquals(false, jsonNode.get("active").asBoolean()); Assert.assertNull(jsonNode.get("email")); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/DPoPTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/DPoPTest.java index 64fd72fbb1c..bd9ac05a13c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/DPoPTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/DPoPTest.java @@ -65,6 +65,7 @@ import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder; import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder; import org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder; import org.keycloak.testsuite.util.oauth.AccessTokenResponse; +import org.keycloak.testsuite.util.oauth.IntrospectionResponse; import org.keycloak.testsuite.util.oauth.UserInfoResponse; import org.keycloak.testsuite.util.ServerURLs; import org.keycloak.util.JWKSUtils; @@ -211,17 +212,14 @@ public class DPoPTest extends AbstractTestRealmKeycloakTest { // For confidential client, DPoP is not bind to refresh token (See "section 5 DPoP Access Token Request" of DPoP specification) assertNull(refreshToken.getConfirmation()); - String tokenResponse = oauth.doIntrospectionRequest(response.getAccessToken(), "access_token"); - Assert.assertNotNull(tokenResponse); - TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation tokenMetadataRepresentation = oauth.doIntrospectionRequest(response.getAccessToken(), "access_token").asTokenMetadata(); Assert.assertTrue(tokenMetadataRepresentation.isActive()); assertEquals(jktRsa, tokenMetadataRepresentation.getConfirmation().getKeyThumbprint()); assertEquals(TokenUtil.TOKEN_TYPE_DPOP, tokenMetadataRepresentation.getOtherClaims().get(OAuth2Constants.TOKEN_TYPE)); oauth.doTokenRevoke(response.getAccessToken(), "access_token", TEST_CONFIDENTIAL_CLIENT_SECRET); - tokenResponse = oauth.doIntrospectionRequest(response.getAccessToken(), "access_token"); - Assert.assertNotNull(tokenResponse); - tokenMetadataRepresentation = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + + tokenMetadataRepresentation = oauth.doIntrospectionRequest(response.getAccessToken(), "access_token").asTokenMetadata(); Assert.assertFalse(tokenMetadataRepresentation.isActive()); // token refresh @@ -644,9 +642,9 @@ public class DPoPTest extends AbstractTestRealmKeycloakTest { dpopProofEcEncoded = generateSignedDPoPProof(UUID.randomUUID().toString(), HttpMethod.POST, oauth.getEndpoints().getRevocation(), (long) Time.currentTime(), Algorithm.ES256, jwsEcHeader, ecKeyPair.getPrivate()); oauth.dpopProof(dpopProofEcEncoded); assertTrue(oauth.doTokenRevoke(encodedAccessToken, "access_token").isSuccess()); - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(encodedAccessToken); - TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class); - assertFalse(tokenMetadataRepresentation.isActive()); + IntrospectionResponse introspectionResponse = oauth.doIntrospectionAccessTokenRequest(encodedAccessToken); + assertFalse(introspectionResponse.isSuccess()); + assertEquals("Client not allowed.", introspectionResponse.getErrorDescription()); updatePolicies("{}"); updateProfiles("{}"); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java index 1e5832f14dd..a87a06285e2 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java @@ -1368,9 +1368,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest { assertThat(tokenResponse.getRefreshExpiresIn(), allOf(greaterThanOrEqualTo(29), lessThanOrEqualTo(30))); assertEquals(TokenUtil.TOKEN_TYPE_OFFLINE, offlineToken.getType()); - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()).asJsonNode(); Assert.assertEquals(true, jsonNode.get("active").asBoolean()); Assert.assertEquals("test-user@localhost", jsonNode.get("email").asText()); assertThat(jsonNode.get("exp").asInt() - getCurrentTime(), diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java index 5b551aa74c5..16469da807d 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java @@ -938,8 +938,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest { Assert.assertFalse(hasClientSessionForTestApp()); // Introspection with the accessToken from the first authentication. This should fail - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(response1.getAccessToken()); - JsonNode jsonNode = JsonSerialization.mapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.doIntrospectionAccessTokenRequest(response1.getAccessToken()).asJsonNode(); Assert.assertFalse(jsonNode.get("active").asBoolean()); events.clear(); @@ -960,8 +959,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest { Assert.assertTrue(hasClientSessionForTestApp()); // Introspection again with the accessToken from the very first authentication. This should fail as the access token was obtained for the old client session before SSO re-authentication - introspectionResponse = oauth.doIntrospectionAccessTokenRequest(response1.getAccessToken()); - jsonNode = JsonSerialization.mapper.readTree(introspectionResponse); + jsonNode = oauth.doIntrospectionAccessTokenRequest(response1.getAccessToken()).asJsonNode(); Assert.assertFalse(jsonNode.get("active").asBoolean()); // Try userInfo with the same old access token. Should fail as well diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ServiceAccountTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ServiceAccountTest.java index 97b6db147e6..d6ae4d7c6d7 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ServiceAccountTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ServiceAccountTest.java @@ -444,9 +444,7 @@ public class ServiceAccountTest extends AbstractKeycloakTest { } private boolean getIntrospectionResponse(String tokenString) throws IOException { - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(tokenString); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectionResponse); + JsonNode jsonNode = oauth.doIntrospectionAccessTokenRequest(tokenString).asJsonNode(); return jsonNode.get("active").asBoolean(); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java index 43026ffed6a..6762680a066 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenIntrospectionTest.java @@ -57,6 +57,7 @@ import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.util.KeycloakModelUtils; import org.keycloak.testsuite.util.oauth.AccessTokenResponse; import org.keycloak.testsuite.util.TokenSignatureUtil; +import org.keycloak.testsuite.util.oauth.IntrospectionResponse; import org.keycloak.util.BasicAuthHelper; import org.keycloak.util.JsonSerialization; import org.keycloak.util.TokenUtil; @@ -151,9 +152,8 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { String code = oauth.parseLoginResponse().getCode(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); + IntrospectionResponse introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); + JsonNode jsonNode = introspectionResponse.asJsonNode(); assertTrue(jsonNode.get("active").asBoolean()); assertEquals("test-user@localhost", jsonNode.get("username").asText()); @@ -166,7 +166,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { assertTrue(jsonNode.has("iss")); assertTrue(jsonNode.has("jti")); - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = introspectionResponse.asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -193,11 +193,10 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { String code = oauth.parseLoginResponse().getCode(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("confidential-cli", "bad_credential"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); + IntrospectionResponse tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - OAuth2ErrorRepresentation errorRep = JsonSerialization.readValue(tokenResponse, OAuth2ErrorRepresentation.class); - Assert.assertEquals("Authentication failed.", errorRep.getErrorDescription()); - Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, errorRep.getError()); + Assert.assertEquals("Authentication failed.", tokenResponse.getErrorDescription()); + Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, tokenResponse.getError()); } @Test @@ -208,11 +207,8 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { String sessionId = loginEvent.getSessionId(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionRefreshTokenRequest(accessTokenResponse.getRefreshToken()); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); + JsonNode jsonNode = oauth.doIntrospectionRefreshTokenRequest(accessTokenResponse.getRefreshToken()).asJsonNode(); - assertTrue(jsonNode.get("active").asBoolean()); assertEquals(sessionId, jsonNode.get("sid").asText()); assertEquals("test-app", jsonNode.get("client_id").asText()); assertTrue(jsonNode.has("exp")); @@ -223,18 +219,6 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { assertTrue(jsonNode.has("iss")); assertTrue(jsonNode.has("jti")); assertTrue(jsonNode.has("typ")); - - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); - - assertTrue(rep.isActive()); - assertEquals("test-app", rep.getClientId()); - assertEquals(jsonNode.get("sid").asText(), rep.getSessionState()); - assertEquals(Long.valueOf(jsonNode.get("exp").asLong()), rep.getExp()); - assertEquals(Long.valueOf(jsonNode.get("iat").asLong()), rep.getIat()); - assertEquals(Optional.ofNullable(jsonNode.get("nbf")).map(JsonNode::asLong).orElse(null), rep.getNbf()); - assertEquals(jsonNode.get("iss").asText(), rep.getIssuer()); - assertEquals(jsonNode.get("jti").asText(), rep.getId()); - assertEquals(jsonNode.get("typ").asText(), "Refresh"); } @Test @@ -258,15 +242,10 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { oauth.client("confidential-cli", "secret1"); - String introspectResponse = oauth.doIntrospectionRefreshTokenRequest(tokenResponse2.getRefreshToken()); - - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(introspectResponse); + JsonNode jsonNode = oauth.doIntrospectionRefreshTokenRequest(tokenResponse2.getRefreshToken()).asJsonNode(); assertTrue(jsonNode.get("active").asBoolean()); - introspectResponse = oauth.doIntrospectionRefreshTokenRequest(refreshToken1); - - jsonNode = objectMapper.readTree(introspectResponse); + jsonNode = oauth.doIntrospectionRefreshTokenRequest(refreshToken1).asJsonNode(); assertFalse(jsonNode.get("active").asBoolean()); } @@ -277,11 +256,10 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { String code = oauth.parseLoginResponse().getCode(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("public-cli"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); + IntrospectionResponse tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - OAuth2ErrorRepresentation errorRep = JsonSerialization.readValue(tokenResponse, OAuth2ErrorRepresentation.class); - Assert.assertEquals("Client not allowed.", errorRep.getErrorDescription()); - Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, errorRep.getError()); + Assert.assertEquals("Client not allowed.", tokenResponse.getErrorDescription()); + Assert.assertEquals(OAuthErrorException.INVALID_REQUEST, tokenResponse.getError()); } @Test @@ -289,13 +267,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { oauth.doLogin("test-user@localhost", "password"); String inactiveAccessToken = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.eyJqdGkiOiI5NjgxZTRlOC01NzhlLTQ3M2ItOTIwNC0yZWE5OTdhYzMwMTgiLCJleHAiOjE0NzYxMDY4NDksIm5iZiI6MCwiaWF0IjoxNDc2MTA2NTQ5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvdGVzdCIsImF1ZCI6InRlc3QtYXBwIiwic3ViIjoiZWYyYzk0NjAtZDRkYy00OTk5LWJlYmUtZWVmYWVkNmJmMGU3IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidGVzdC1hcHAiLCJhdXRoX3RpbWUiOjE0NzYxMDY1NDksInNlc3Npb25fc3RhdGUiOiI1OGY4M2MzMi03MDhkLTQzNjktODhhNC05YjI5OGRjMDY5NzgiLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI2NTYyOTVkZC1kZWNkLTQyZDAtYWJmYy0zZGJjZjJlMDE3NzIiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MTgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsidGVzdC1hcHAiOnsicm9sZXMiOlsiY3VzdG9tZXItdXNlciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiJUb20gQnJhZHkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0LXVzZXJAbG9jYWxob3N0IiwiZ2l2ZW5fbmFtZSI6IlRvbSIsImZhbWlseV9uYW1lIjoiQnJhZHkiLCJlbWFpbCI6InRlc3QtdXNlckBsb2NhbGhvc3QifQ.LYU7opqZsc9e-ZmdsIhcecjHL3kQkpP13VpwO4MHMqEVNeJsZI1WOkTM5HGVAihcPfQazhaYvcik0gFTF_6ZcKzDqanjx80TGhSIrV5FoCeUrbp7w_66VKDH7ImPc8T2kICQGHh2d521WFBnvXNifw7P6AR1rGg4qrUljHdf_KU"; oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(inactiveAccessToken); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); - - assertFalse(jsonNode.get("active").asBoolean()); - - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(inactiveAccessToken).asTokenMetadata(); assertFalse(rep.isActive()); assertNull(rep.getUserName()); @@ -308,13 +280,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { oauth.doLogin("test-user@localhost", "password"); String inactiveAccessToken = "unsupported"; oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(inactiveAccessToken); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); - - assertFalse(jsonNode.get("active").asBoolean()); - - TokenMetadataRepresentation rep = objectMapper.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(inactiveAccessToken).asTokenMetadata(); assertFalse(rep.isActive()); assertNull(rep.getUserName()); @@ -329,8 +295,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { EventRepresentation loginEvent = events.expectLogin().assertEvent(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -353,8 +318,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { EventRepresentation loginEvent = events.expectLogin().client("no-scope").assertEvent(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("no-scope", "password"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -373,12 +337,11 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { EventRepresentation loginEvent = events.expectLogin().assertEvent(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); - String tokenResponse = oauth.introspectionRequest(accessTokenResponse.getAccessToken()) + TokenMetadataRepresentation rep = oauth.introspectionRequest(accessTokenResponse.getAccessToken()) .tokenTypeHint("access_token") .client("confidential-cli", "secret1") .jwtResponse() - .send(); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + .send().asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -412,9 +375,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { assertEquals(jwaAlgorithm, new JWSInput(accessTokenResponse.getAccessToken()).getHeader().getAlgorithm().name()); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -437,8 +398,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { oauth.doLogout(accessTokenResponse.getRefreshToken(), "password"); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertFalse(rep.isActive()); assertNull(rep.getUserName()); @@ -459,8 +419,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { // "Online" session still exists, but is invalid accessTokenResponse = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken()); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -472,8 +431,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { oauth.client("test-app", "password"); accessTokenResponse = oauth.doRefreshTokenRequest(accessTokenResponse.getRefreshToken()); oauth.client("confidential-cli", "secret1"); - tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -490,8 +448,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { setTimeOffset(1200); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionRefreshTokenRequest(accessTokenResponse.getRefreshToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionRefreshTokenRequest(accessTokenResponse.getRefreshToken()).asTokenMetadata(); assertTrue(rep.isActive()); assertEquals("test-user@localhost", rep.getUserName()); @@ -520,8 +477,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { adminClient.realm(oauth.getRealm()).users().get(loginEvent.getUserId()).update(userRep); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertFalse(rep.isActive()); assertNull(rep.getUserName()); @@ -541,8 +497,7 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { setTimeOffset(adminClient.realm(oauth.getRealm()).toRepresentation().getAccessTokenLifespan() + 1); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()).asTokenMetadata(); assertFalse(rep.isActive()); assertNull(rep.getUserName()); @@ -555,17 +510,15 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { * Test covers the same scenario from different endpoints like TokenEndpoint and LogoutEndpoint. */ @Test - public void testIntrospectWithSamlClient() throws Exception { + public void testIntrospectWithSamlClient() { oauth.doLogin("test-user@localhost", "password"); String code = oauth.parseLoginResponse().getCode(); events.expectLogin().assertEvent(); AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code); oauth.client("saml-client", "secret2"); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + IntrospectionResponse introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenResponse.getAccessToken()); - assertEquals(Errors.INVALID_CLIENT, rep.getOtherClaims().get("error")); - assertNull(rep.getSubject()); + assertEquals(Errors.INVALID_CLIENT, introspectionResponse.getError()); } private AccessTokenResponse loginAndForceNewLoginPage() { @@ -651,17 +604,14 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { accessTokenResponse = oauth.doRefreshTokenRequest(oldRefreshToken); String newRefreshToken = accessTokenResponse.getRefreshToken(); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionRefreshTokenRequest(newRefreshToken); - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = objectMapper.readTree(tokenResponse); + JsonNode jsonNode = oauth.doIntrospectionRefreshTokenRequest(newRefreshToken).asJsonNode(); assertTrue(jsonNode.get("active").asBoolean()); oauth.client("test-app", "password"); accessTokenResponse = oauth.doRefreshTokenRequest(newRefreshToken); oauth.client("confidential-cli", "secret1"); - tokenResponse = oauth.doIntrospectionRefreshTokenRequest(oldRefreshToken); - jsonNode = objectMapper.readTree(tokenResponse); + jsonNode = oauth.doIntrospectionRefreshTokenRequest(oldRefreshToken).asJsonNode(); assertFalse(jsonNode.get("active").asBoolean()); } finally { realm.setRevokeRefreshToken(false); @@ -703,8 +653,6 @@ public class TokenIntrospectionTest extends AbstractTestRealmKeycloakTest { accessTokenResponse = oauth.doRefreshTokenRequest(stringRefreshToken); oauth.client("confidential-cli", "secret1"); - String tokenResponse = oauth.doIntrospectionRefreshTokenRequest(stringRefreshToken); - ObjectMapper objectMapper = new ObjectMapper(); - return objectMapper.readTree(tokenResponse); + return oauth.doIntrospectionRefreshTokenRequest(stringRefreshToken).asJsonNode(); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationCorsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationCorsTest.java index 52bc52a8b65..a84c79a9d6c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationCorsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationCorsTest.java @@ -17,25 +17,23 @@ package org.keycloak.testsuite.oauth; -import static org.junit.Assert.*; -import static org.keycloak.testsuite.admin.AbstractAdminTest.*; - -import java.io.IOException; -import java.util.List; - import jakarta.ws.rs.core.Response.Status; - -import org.apache.http.client.methods.CloseableHttpResponse; -import org.hamcrest.MatcherAssert; import org.junit.Test; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.oidc.TokenMetadataRepresentation; import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.util.ClientBuilder; -import org.keycloak.testsuite.util.Matchers; import org.keycloak.testsuite.util.oauth.AccessTokenResponse; import org.keycloak.testsuite.util.oauth.TokenRevocationResponse; -import org.keycloak.util.JsonSerialization; + +import java.io.IOException; +import java.util.List; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; /** * @author Yoshiyuki Tabata @@ -49,7 +47,7 @@ public class TokenRevocationCorsTest extends AbstractKeycloakTest { public void addTestRealms(List testRealms) { RealmRepresentation realm = loadJson(getClass().getResourceAsStream("/testrealm.json"), RealmRepresentation.class); realm.getClients().add(ClientBuilder.create().redirectUris(VALID_CORS_URL + "/realms/master/app") - .addWebOrigin(VALID_CORS_URL).clientId("test-app2").publicClient().directAccessGrants().build()); + .addWebOrigin(VALID_CORS_URL).clientId("test-app2").secret("password").directAccessGrants().build()); testRealms.add(realm); } @@ -98,8 +96,7 @@ public class TokenRevocationCorsTest extends AbstractKeycloakTest { } private void isTokenDisabled(AccessTokenResponse tokenResponse) throws IOException { - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()).asTokenMetadata(); assertFalse(rep.isActive()); AccessTokenResponse tokenRefreshResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java index ab9f7924eb5..ee9b439b48f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/TokenRevocationTest.java @@ -344,8 +344,7 @@ public class TokenRevocationTest extends AbstractKeycloakTest { private void isTokenEnabled(AccessTokenResponse tokenResponse, String clientId) throws IOException { oauth.client(clientId, "password"); - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()); - TokenMetadataRepresentation rep = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(tokenResponse.getAccessToken()).asTokenMetadata(); assertTrue(rep.isActive()); AccessTokenResponse tokenRefreshResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken()); @@ -363,8 +362,7 @@ public class TokenRevocationTest extends AbstractKeycloakTest { private void isAccessTokenDisabled(String accessTokenString, String clientId) throws IOException { // Test introspection endpoint not possible oauth.client(clientId, "password"); - String introspectionResponse = oauth.doIntrospectionAccessTokenRequest(accessTokenString); - TokenMetadataRepresentation rep = JsonSerialization.readValue(introspectionResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.doIntrospectionAccessTokenRequest(accessTokenString).asTokenMetadata(); assertFalse(rep.isActive()); // Test userInfo endpoint not possible diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java index 742684337c2..766037a2b86 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java @@ -663,16 +663,15 @@ public class HoKTest extends AbstractTestRealmKeycloakTest { // Do token introspection // mimic Resource Server - String tokenResponse; + TokenMetadataRepresentation rep; try (CloseableHttpClient client = MutualTLSUtils.newCloseableHttpClientWithoutKeyStoreAndTrustStore()) { oauth.client("confidential-cli", "secret1").httpClient().set(client); - tokenResponse = oauth.doIntrospectionRequest(accessTokenResponse.getAccessToken(), "access_token"); + rep = oauth.doIntrospectionRequest(accessTokenResponse.getAccessToken(), "access_token").asTokenMetadata(); } catch (IOException ioe) { throw new RuntimeException(ioe); } finally { oauth.httpClient().reset(); } - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); JWSInput jws = new JWSInput(accessTokenResponse.getAccessToken()); AccessToken at = jws.readJsonContent(AccessToken.class); jws = new JWSInput(accessTokenResponse.getRefreshToken()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/AbstractSubjectImpersonationTokenExchangeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/AbstractSubjectImpersonationTokenExchangeTest.java index a44c9fec22c..f0927e15a66 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/AbstractSubjectImpersonationTokenExchangeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/AbstractSubjectImpersonationTokenExchangeTest.java @@ -256,7 +256,7 @@ public abstract class AbstractSubjectImpersonationTokenExchangeTest extends Abst org.junit.Assert.assertEquals(200, response.getStatus()); AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class); String exchangedTokenString = accessTokenResponse.getToken(); - JsonNode json = JsonSerialization.readValue(oauth.doIntrospectionAccessTokenRequest(exchangedTokenString), com.fasterxml.jackson.databind.JsonNode.class); + JsonNode json = oauth.doIntrospectionAccessTokenRequest(exchangedTokenString).asJsonNode(); assertTrue(json.get("active").asBoolean()); assertEquals("impersonated-user", json.get("preferred_username").asText()); assertEquals("user", json.get("act").get("sub").asText()); @@ -276,7 +276,7 @@ public abstract class AbstractSubjectImpersonationTokenExchangeTest extends Abst org.junit.Assert.assertEquals(200, response.getStatus()); AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class); String exchangedTokenString = accessTokenResponse.getToken(); - JsonNode json = JsonSerialization.readValue(oauth.doIntrospectionAccessTokenRequest(exchangedTokenString), com.fasterxml.jackson.databind.JsonNode.class); + JsonNode json = oauth.doIntrospectionAccessTokenRequest(exchangedTokenString).asJsonNode(); assertTrue(json.get("active").asBoolean()); assertEquals("impersonated-user", json.get("preferred_username").asText()); assertEquals("user", json.get("act").get("sub").asText()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java index a1df5a93a5b..7b78969f983 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java @@ -1016,15 +1016,13 @@ public class StandardTokenExchangeV2Test extends AbstractClientPoliciesTest { } private void assertIntrospectSuccess(String token, String clientId, String clientSecret, String userId) throws IOException { - String tokenResponse = oauth.client(clientId, clientSecret).introspectionRequest(token).tokenTypeHint("access_token").send(); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.client(clientId, clientSecret).introspectionRequest(token).tokenTypeHint("access_token").send().asTokenMetadata(); assertTrue(rep.isActive()); assertEquals(userId, rep.getSubject()); } private void assertIntrospectError(String token, String clientId, String clientSecret) throws IOException { - String tokenResponse = oauth.client(clientId, clientSecret).introspectionRequest(token).tokenTypeHint("access_token").send(); - TokenMetadataRepresentation rep = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); + TokenMetadataRepresentation rep = oauth.client(clientId, clientSecret).introspectionRequest(token).tokenTypeHint("access_token").send().asTokenMetadata(); assertFalse(rep.isActive()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java index fdd743436c7..e77c8358725 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java @@ -158,7 +158,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, false, false); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), true, true, false); } finally { @@ -179,7 +179,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, true, false); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); // Most of the claims should not be included in introspectionResponse as introspectionMapper was disabled assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), true, false, false); @@ -201,7 +201,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, true, false); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), true, true, false); } finally { @@ -223,7 +223,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.introspectionRequest(accessToken).tokenTypeHint("access_token").jwtResponse().send(); + String tokenResponse = oauth.introspectionRequest(accessToken).tokenTypeHint("access_token").jwtResponse().send().getRaw(); logger.debug("tokenResponse:" + tokenResponse); AccessToken introspectionResult = JsonSerialization.readValue(tokenResponse, AccessToken.class); assertTokenIntrospectionResponse(introspectionResult, true, true, false); @@ -251,7 +251,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); removeSession(ctx.userSessionId); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), true, true, false); } finally { @@ -273,7 +273,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), false, false, false); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), false, true, false); } finally { @@ -299,7 +299,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { logger.debug("exchangedTokenString:" + exchangedTokenString); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(exchangedTokenString); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(exchangedTokenString).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), true, true, false); } finally { @@ -324,7 +324,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { logger.debug("lightweight access token:" + accessToken); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, false); logger.debug("tokenResponse:" + introspectResponse); @@ -365,7 +365,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { Assert.assertEquals(ctx.getGrantType(), OAuth2Constants.AUTHORIZATION_CODE); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + introspectResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, false); @@ -391,7 +391,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { logger.debug("lightweight access token:" + accessToken); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, false); logger.debug("tokenResponse:" + introspectResponse); @@ -426,7 +426,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, true, true); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + introspectResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, false); @@ -452,7 +452,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, false,true); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + introspectResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, true); @@ -468,7 +468,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), true, true, true); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + introspectResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + introspectResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(introspectResponse, AccessToken.class), true, true, true); @@ -492,7 +492,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest { assertAccessToken(oauth.verifyToken(accessToken), false, false,false); oauth.client(RESOURCE_SERVER_CLIENT_ID, RESOURCE_SERVER_CLIENT_PASSWORD); - String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken); + String tokenResponse = oauth.doIntrospectionAccessTokenRequest(accessToken).getRaw(); logger.debug("tokenResponse:" + tokenResponse); assertTokenIntrospectionResponse(JsonSerialization.readValue(tokenResponse, AccessToken.class), false, true, false); } finally { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java index 35213cedfb7..50974aeb3c3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java @@ -49,6 +49,8 @@ import org.keycloak.testsuite.util.oauth.AccessTokenResponse; import org.keycloak.testsuite.util.oauth.AuthorizationEndpointResponse; import org.keycloak.util.TokenUtil; +import java.io.IOException; + /** * * @author rmartinc @@ -63,12 +65,12 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa } @Test - public void testNonceWithoutMapper() throws JsonProcessingException { + public void testNonceWithoutMapper() throws IOException { testNonce(false, false); } @Test - public void testNonceWithMapper() throws JsonProcessingException { + public void testNonceWithMapper() throws IOException { ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app"); String mapperId = createNonceMapper(testApp); try { @@ -79,7 +81,7 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa } @Test - public void testOfflineSessionNonceWithMapper() throws JsonProcessingException { + public void testOfflineSessionNonceWithMapper() throws IOException { ClientResource testApp = ApiUtil.findClientByClientId(testRealm(), "test-app"); String mapperId = createNonceMapper(testApp); try { @@ -128,13 +130,12 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa } } - private void testIntrospection(String accessToken, String expectedNonce, boolean expected) throws JsonProcessingException { - String tokenResponse = oauth.client("test-app", "password").doIntrospectionAccessTokenRequest(accessToken); - JsonNode nonce = new ObjectMapper().readTree(tokenResponse).get(OIDCLoginProtocol.NONCE_PARAM); + private void testIntrospection(String accessToken, String expectedNonce, boolean expected) throws IOException { + JsonNode nonce = oauth.client("test-app", "password").doIntrospectionAccessTokenRequest(accessToken).asJsonNode().get(OIDCLoginProtocol.NONCE_PARAM); checkNonce(expectedNonce, nonce != null? nonce.asText() : null, expected); } - private void testNonceImplicit(boolean mapper) throws JsonProcessingException { + private void testNonceImplicit(boolean mapper) throws IOException { String nonce = KeycloakModelUtils.generateId(); oauth.nonce(nonce); oauth.responseMode(OIDCResponseMode.JWT.value()); @@ -155,7 +156,7 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa testIntrospection(idTokenString, nonce, true); } - private void testNonce(boolean mapper, boolean offlineSession) throws JsonProcessingException { + private void testNonce(boolean mapper, boolean offlineSession) throws IOException { String nonce = KeycloakModelUtils.generateId(); oauth.nonce(nonce); if (offlineSession) {