From 8a7f4d98f04377aa3e46408ce3a65c8d83a79458 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Wed, 8 Jun 2022 19:24:14 +0200 Subject: [PATCH] First release as refactoring of the `keycloak-client` library; moved the discovery functionality (to be compatible with SGv4) here to provide the backward compatibility. (#23478) --- .gitignore | 4 + CHANGELOG.md | 6 + FUNDING.md | 26 ++ LICENSE.md | 311 ++++++++++++++++++ README.md | 44 +++ pom.xml | 119 +++++++ .../DefaultKeycloakClientLegacyIS.java | 163 +++++++++ .../keycloak/KeycloakClientLegacyIS.java | 187 +++++++++++ .../KeycloakClientLegacyISFactory.java | 15 + .../keycloak/TestKeycloakClientLegacyIS.java | 215 ++++++++++++ .../org/gcube/common/keycloak/TestModels.java | 117 +++++++ src/test/resources/log4j.xml | 30 ++ src/test/resources/oidc-access-token.json | 40 +++ src/test/resources/oidc-token-response.json | 10 + src/test/resources/uma-access-token.json | 63 ++++ src/test/resources/uma-refresh-token.json | 36 ++ src/test/resources/uma-token-response.json | 9 + 17 files changed, 1395 insertions(+) create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 FUNDING.md create mode 100644 LICENSE.md create mode 100644 README.md create mode 100644 pom.xml create mode 100644 src/main/java/org/gcube/common/keycloak/DefaultKeycloakClientLegacyIS.java create mode 100644 src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyIS.java create mode 100644 src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyISFactory.java create mode 100644 src/test/java/org/gcube/common/keycloak/TestKeycloakClientLegacyIS.java create mode 100644 src/test/java/org/gcube/common/keycloak/TestModels.java create mode 100644 src/test/resources/log4j.xml create mode 100644 src/test/resources/oidc-access-token.json create mode 100644 src/test/resources/oidc-token-response.json create mode 100644 src/test/resources/uma-access-token.json create mode 100644 src/test/resources/uma-refresh-token.json create mode 100644 src/test/resources/uma-token-response.json diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..beef00d --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +.classpath +.project +.settings +target diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..81a6c11 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,6 @@ +This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +# Changelog for "keycloak-client" + +## [v1.0.0-SNAPSHOT] +- First release as refactoring of the `keycloak-client` library; moved the discovery functionality (to be compatible with SGv4) here to provide the backward compatibility. (#23478) diff --git a/FUNDING.md b/FUNDING.md new file mode 100644 index 0000000..6fa9eac --- /dev/null +++ b/FUNDING.md @@ -0,0 +1,26 @@ +# Acknowledgments + +The projects leading to this software have received funding from a series of European Union programmes including: + +- the Sixth Framework Programme for Research and Technological Development + - [DILIGENT](https://cordis.europa.eu/project/id/004260) (grant no. 004260). +- the Seventh Framework Programme for research, technological development and demonstration + - [D4Science](https://cordis.europa.eu/project/id/212488) (grant no. 212488); + - [D4Science-II](https://cordis.europa.eu/project/id/239019) (grant no.239019); + - [ENVRI](https://cordis.europa.eu/project/id/283465) (grant no. 283465); + - [iMarine](https://cordis.europa.eu/project/id/283644) (grant no. 283644); + - [EUBrazilOpenBio](https://cordis.europa.eu/project/id/288754) (grant no. 288754). +- the H2020 research and innovation programme + - [SoBigData](https://cordis.europa.eu/project/id/654024) (grant no. 654024); + - [PARTHENOS](https://cordis.europa.eu/project/id/654119) (grant no. 654119); + - [EGI-Engage](https://cordis.europa.eu/project/id/654142) (grant no. 654142); + - [ENVRI PLUS](https://cordis.europa.eu/project/id/654182) (grant no. 654182); + - [BlueBRIDGE](https://cordis.europa.eu/project/id/675680) (grant no. 675680); + - [PerformFISH](https://cordis.europa.eu/project/id/727610) (grant no. 727610); + - [AGINFRA PLUS](https://cordis.europa.eu/project/id/731001) (grant no. 731001); + - [DESIRA](https://cordis.europa.eu/project/id/818194) (grant no. 818194); + - [ARIADNEplus](https://cordis.europa.eu/project/id/823914) (grant no. 823914); + - [RISIS 2](https://cordis.europa.eu/project/id/824091) (grant no. 824091); + - [EOSC-Pillar](https://cordis.europa.eu/project/id/857650) (grant no. 857650); + - [Blue Cloud](https://cordis.europa.eu/project/id/862409) (grant no. 862409); + - [SoBigData-PlusPlus](https://cordis.europa.eu/project/id/871042) (grant no. 871042); \ No newline at end of file diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..1932b4c --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,311 @@ +#European Union Public Licence V.1.1 + +##*EUPL © the European Community 2007* + + +This **European Union Public Licence** (the **“EUPL”**) applies to the Work or Software +(as defined below) which is provided under the terms of this Licence. Any use of +the Work, other than as authorised under this Licence is prohibited (to the +extent such use is covered by a right of the copyright holder of the Work). + +The Original Work is provided under the terms of this Licence when the Licensor +(as defined below) has placed the following notice immediately following the +copyright notice for the Original Work: + +**Licensed under the EUPL V.1.1** + +or has expressed by any other mean his willingness to license under the EUPL. + + + +##1. Definitions + +In this Licence, the following terms have the following meaning: + +- The Licence: this Licence. + +- The Original Work or the Software: the software distributed and/or + communicated by the Licensor under this Licence, available as Source Code and + also as Executable Code as the case may be. + +- Derivative Works: the works or software that could be created by the Licensee, + based upon the Original Work or modifications thereof. This Licence does not + define the extent of modification or dependence on the Original Work required + in order to classify a work as a Derivative Work; this extent is determined by + copyright law applicable in the country mentioned in Article 15. + +- The Work: the Original Work and/or its Derivative Works. + +- The Source Code: the human-readable form of the Work which is the most + convenient for people to study and modify. + +- The Executable Code: any code which has generally been compiled and which is + meant to be interpreted by a computer as a program. + +- The Licensor: the natural or legal person that distributes and/or communicates + the Work under the Licence. + +- Contributor(s): any natural or legal person who modifies the Work under the + Licence, or otherwise contributes to the creation of a Derivative Work. + +- The Licensee or “You”: any natural or legal person who makes any usage of the + Software under the terms of the Licence. + +- Distribution and/or Communication: any act of selling, giving, lending, + renting, distributing, communicating, transmitting, or otherwise making + available, on-line or off-line, copies of the Work or providing access to its + essential functionalities at the disposal of any other natural or legal + person. + + + +##2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a world-wide, royalty-free, non-exclusive, +sub-licensable licence to do the following, for the duration of copyright vested +in the Original Work: + +- use the Work in any circumstance and for all usage, reproduce the Work, modify +- the Original Work, and make Derivative Works based upon the Work, communicate +- to the public, including the right to make available or display the Work or +- copies thereof to the public and perform publicly, as the case may be, the +- Work, distribute the Work or copies thereof, lend and rent the Work or copies +- thereof, sub-license rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether now +known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non exclusive usage rights to +any patents held by the Licensor, to the extent necessary to make use of the +rights granted on the Work under this Licence. + + + +##3. Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as +Executable Code. If the Work is provided as Executable Code, the Licensor +provides in addition a machine-readable copy of the Source Code of the Work +along with each copy of the Work that the Licensor distributes or indicates, in +a notice following the copyright notice attached to the Work, a repository where +the Source Code is easily and freely accessible for as long as the Licensor +continues to distribute and/or communicate the Work. + + + +##4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from +any exception or limitation to the exclusive rights of the rights owners in the +Original Work or Software, of the exhaustion of those rights or of other +applicable limitations thereto. + + + +##5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: the Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the +disclaimer of warranties. The Licensee must include a copy of such notices and a +copy of the Licence with every copy of the Work he/she distributes and/or +communicates. The Licensee must cause any Derivative Work to carry prominent +notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes and/or communicates copies of the +Original Works or Derivative Works based upon the Original Work, this +Distribution and/or Communication will be done under the terms of this Licence +or of a later version of this Licence unless the Original Work is expressly +distributed only under this version of the Licence. The Licensee (becoming +Licensor) cannot offer or impose any additional terms or conditions on the Work +or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes and/or Communicates Derivative +Works or copies thereof based upon both the Original Work and another work +licensed under a Compatible Licence, this Distribution and/or Communication can +be done under the terms of this Compatible Licence. For the sake of this clause, +“Compatible Licence” refers to the licences listed in the appendix attached to +this Licence. Should the Licensee’s obligations under the Compatible Licence +conflict with his/her obligations under this Licence, the obligations of the +Compatible Licence shall prevail. + +Provision of Source Code: When distributing and/or communicating copies of the +Work, the Licensee will provide a machine-readable copy of the Source Code or +indicate a repository where this Source will be easily and freely available for +as long as the Licensee continues to distribute and/or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade names, +trademarks, service marks, or names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + + + +##6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent +Contributors grant You a licence to their contributions to the Work, under the +terms of this Licence. + + + +##7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +contributors. It is not a finished work and may therefore contain defects or +“bugs” inherent to this type of software development. + +For the above reason, the Work is provided under the Licence on an “as is” basis +and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other than +copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + + + +##8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the use +of the Work, including without limitation, damages for loss of goodwill, work +stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such +damage. However, the Licensor will be liable under statutory product liability +laws as far such laws apply to the Work. + + + +##9. Additional agreements + +While distributing the Original Work or Derivative Works, You may choose to +conclude an additional agreement to offer, and charge a fee for, acceptance of +support, warranty, indemnity, or other liability obligations and/or services +consistent with this Licence. However, in accepting such obligations, You may +act only on your own behalf and on your sole responsibility, not on behalf of +the original Licensor or any other Contributor, and only if You agree to +indemnify, defend, and hold each Contributor harmless for any liability incurred +by, or claims asserted against such Contributor by the fact You have accepted +any such warranty or additional liability. + + + +##10. Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon “I agree” +placed under the bottom of a window displaying the text of this Licence or by +affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and +conditions by exercising any rights granted to You by Article 2 of this Licence, +such as the use of the Work, the creation by You of a Derivative Work or the +Distribution and/or Communication by You of the Work or copies thereof. + + + +##11. Information to the public + +In case of any Distribution and/or Communication of the Work by means of +electronic communication by You (for example, by offering to download the Work +from a remote location) the distribution channel or media (for example, a +website) must at least provide to the public the information requested by the +applicable law regarding the Licensor, the Licence and the way it may be +accessible, concluded, stored and reproduced by the Licensee. + + + +##12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon +any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has +received the Work from the Licensee under the Licence, provided such persons +remain in full compliance with the Licence. + + + +##13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work licensed hereunder. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as a +whole. Such provision will be construed and/or reformed so as necessary to make +it valid and enforceable. + +The European Commission may publish other linguistic versions and/or new +versions of this Licence, so far this is required and reasonable, without +reducing the scope of the rights granted by the Licence. New versions of the +Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version of +their choice. + + + +##14. Jurisdiction + +Any litigation resulting from the interpretation of this License, arising +between the European Commission, as a Licensor, and any Licensee, will be +subject to the jurisdiction of the Court of Justice of the European Communities, +as laid down in article 238 of the Treaty establishing the European Community. + +Any litigation arising between Parties, other than the European Commission, and +resulting from the interpretation of this License, will be subject to the +exclusive jurisdiction of the competent court where the Licensor resides or +conducts its primary business. + + + +##15. Applicable Law + +This Licence shall be governed by the law of the European Union country where +the Licensor resides or has his registered office. + +This licence shall be governed by the Belgian law if: + +- a litigation arises between the European Commission, as a Licensor, and any +- Licensee; the Licensor, other than the European Commission, has no residence +- or registered office inside a European Union country. + + +--- + + +##Appendix + + +**“Compatible Licences”** according to article 5 EUPL are: + + +- GNU General Public License (GNU GPL) v. 2 + +- Open Software License (OSL) v. 2.1, v. 3.0 + +- Common Public License v. 1.0 + +- Eclipse Public License v. 1.0 + +- Cecill v. 2.0 diff --git a/README.md b/README.md new file mode 100644 index 0000000..04a1ff2 --- /dev/null +++ b/README.md @@ -0,0 +1,44 @@ +# Keycloak Client + +**Keycloak Clienty Legacy IS** extends the functionnalities provided by the `keycloak-client` library adding the endpoints discovery functions against the legacy Information System based on context's scope. For this reason the compatibility is with Smart Gears v.3 and not with SGv4 or newer. + +## Structure of the project + +The source code is present in `src` folder. + +## Built With + +* [OpenJDK](https://openjdk.java.net/) - The JDK used +* [Maven](https://maven.apache.org/) - Dependency Management + +## Documentation + +To build the library JAR it is sufficient to type + + mvn clean package + +## Change log + +See [Releases](https://code-repo.d4science.org/gCubeSystem/authorization-client/releases). + +## Authors + +* **Mauro Mugnaini** ([Nubisware S.r.l.](http://www.nubisware.com)) + +## How to Cite this Software +[Intentionally left blank] + +## License + +This project is licensed under the EUPL V.1.1 License - see the [LICENSE.md](LICENSE.md) file for details. + +## About the gCube Framework +This software is part of the [gCubeFramework](https://www.gcube-system.org/ "gCubeFramework"): an +open-source software toolkit used for building and operating Hybrid Data +Infrastructures enabling the dynamic deployment of Virtual Research Environments +by favouring the realisation of reuse oriented policies. + +The projects leading to this software have received funding from a series of European Union programmes see [FUNDING.md](FUNDING.md) + +## Acknowledgments +[Intentionally left blank] \ No newline at end of file diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..82ab813 --- /dev/null +++ b/pom.xml @@ -0,0 +1,119 @@ + + + 4.0.0 + + + maven-parent + org.gcube.tools + 1.1.0 + + + + org.gcube.common + keycloak-client-legacy-is + 1.0.0-SNAPSHOT + + + + + org.gcube.distribution + gcube-bom + 2.0.1 + pom + import + + + + + + scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git + scm:git:https://code-repo.d4science.org/gCubeSystem/${project.artifactId}.git + https://code-repo.d4science.org/gCubeSystem/${project.artifactId} + + + + + org.gcube.common + keycloak-client + [2.0.0-SNAPSHOT,) + + + + org.slf4j + slf4j-api + + + + org.gcube.common + gcube-jackson-databind + + + + org.gcube.common + gcube-jackson-annotations + + + + org.gcube.common + gcube-jackson-core + + + + org.gcube.common + gxJRS + + + + org.gcube.core + common-fw-clients + + + + org.gcube.resources.discovery + ic-client + + + + org.gcube.core + common-scope-maps + test + + + + org.slf4j + slf4j-log4j12 + 1.7.25 + test + + + + log4j + log4j + 1.2.16 + test + + + + junit + junit + 4.12 + test + + + + org.glassfish.jersey.core + jersey-common + test + + + + org.glassfish.jersey.core + jersey-client + test + + + + + + + \ No newline at end of file diff --git a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClientLegacyIS.java b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClientLegacyIS.java new file mode 100644 index 0000000..efb4d17 --- /dev/null +++ b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClientLegacyIS.java @@ -0,0 +1,163 @@ +package org.gcube.common.keycloak; + +import static org.gcube.resources.discovery.icclient.ICFactory.clientFor; +import static org.gcube.resources.discovery.icclient.ICFactory.queryFor; + +import java.net.MalformedURLException; +import java.net.URL; +import java.util.List; + +import org.gcube.common.keycloak.model.ModelUtils; +import org.gcube.common.keycloak.model.TokenIntrospectionResponse; +import org.gcube.common.keycloak.model.TokenResponse; +import org.gcube.common.resources.gcore.ServiceEndpoint; +import org.gcube.common.resources.gcore.ServiceEndpoint.AccessPoint; +import org.gcube.common.scope.api.ScopeProvider; +import org.gcube.resources.discovery.client.api.DiscoveryClient; +import org.gcube.resources.discovery.client.queries.api.SimpleQuery; + +@SuppressWarnings("deprecation") +public class DefaultKeycloakClientLegacyIS extends DefaultKeycloakClient implements KeycloakClientLegacyIS { + + @Override + public URL findTokenEndpointURL() throws KeycloakClientException { + logger.debug("Checking ScopeProvider's scope presence and format"); + String originalScope = ScopeProvider.instance.get(); + if (originalScope == null || !originalScope.startsWith("/") || originalScope.length() < 2) { + throw new KeycloakClientException(originalScope == null ? "Scope not found in ScopeProvider" + : "Bad scope name found: " + originalScope); + } + logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope); + String rootVOScope = "/" + originalScope.split("/")[1]; + logger.debug("Setting rootVO scope into provider as: {}", rootVOScope); + + List accessPoints = null; + + // trying to be thread safe at least for these calls + synchronized (ScopeProvider.instance) { + boolean scopeModified = false; + if (!ScopeProvider.instance.get().equals(rootVOScope)) { + logger.debug("Overriding scope in the provider with rootVO scope : {}", rootVOScope); + ScopeProvider.instance.set(rootVOScope); + scopeModified = true; + } + + logger.debug("Creating simple query"); + SimpleQuery query = queryFor(ServiceEndpoint.class); + query.addCondition( + String.format("$resource/Profile/Category/text() eq '%s'", CATEGORY)) + .addCondition(String.format("$resource/Profile/Name/text() eq '%s'", NAME)) + .setResult(String.format("$resource/Profile/AccessPoint[Description/text() eq '%s']", DESCRIPTION)); + + logger.debug("Creating client for AccessPoint"); + DiscoveryClient client = clientFor(AccessPoint.class); + + logger.trace("Submitting query: {}", query); + accessPoints = client.submit(query); + + if (scopeModified) { + logger.debug("Resetting scope into provider to the original value: {}", originalScope); + ScopeProvider.instance.set(originalScope); + } + } + + if (accessPoints.size() == 0) { + throw new KeycloakClientException("Service endpoint not found"); + } else if (accessPoints.size() > 1) { + throw new KeycloakClientException("Found more than one endpoint with query"); + } + String address = accessPoints.iterator().next().address(); + logger.debug("Found address: {}", address); + try { + return new URL(address); + } catch (MalformedURLException e) { + throw new KeycloakClientException("Cannot create URL from address: " + address, e); + } + } + + @Override + public URL computeIntrospectionEndpointURL() throws KeycloakClientException { + return computeIntrospectionEndpointURL(findTokenEndpointURL()); + } + + @Override + public TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException { + return queryOIDCToken(findTokenEndpointURL(), clientId, clientSecret); + } + + @Override + public TokenResponse queryUMAToken(String clientId, String clientSecret, List permissions) + throws KeycloakClientException { + + return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions); + } + + @Override + public TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List permissions) + throws KeycloakClientException { + + return queryUMAToken(findTokenEndpointURL(), constructBeareAuthenticationHeader(oidcTokenResponse), audience, + permissions); + } + + @Override + public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, + List permissions) throws KeycloakClientException { + + return queryUMAToken(findTokenEndpointURL(), clientId, clientSecret, audience, permissions); + } + + @Override + public TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException { + return refreshToken((String) null, tokenResponse); + } + + @Override + public TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException { + return refreshToken(clientId, null, tokenResponse); + } + + @Override + public TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse) + throws KeycloakClientException { + + return refreshToken(findTokenEndpointURL(), clientId, clientSecret, tokenResponse); + } + + @Override + public TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException { + try { + String clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWTString)); + return refreshToken(clientId, refreshTokenJWTString); + } catch (Exception e) { + throw new KeycloakClientException("Cannot construct access token object from token response", e); + } + } + + @Override + public TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException { + return refreshToken(clientId, null, refreshTokenJWTString); + } + + @Override + public TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString) + throws KeycloakClientException { + + return refreshToken(findTokenEndpointURL(), clientId, clientSecret, refreshTokenJWTString); + } + + @Override + public TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret, + String accessTokenJWTString) throws KeycloakClientException { + + return introspectAccessToken(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString); + } + + @Override + public boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString) + throws KeycloakClientException { + + return isAccessTokenVerified(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString); + } + +} diff --git a/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyIS.java b/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyIS.java new file mode 100644 index 0000000..16aa334 --- /dev/null +++ b/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyIS.java @@ -0,0 +1,187 @@ +package org.gcube.common.keycloak; + +import java.net.URL; +import java.util.List; + +import org.gcube.common.keycloak.model.TokenIntrospectionResponse; +import org.gcube.common.keycloak.model.TokenResponse; +import org.gcube.common.scope.api.ScopeProvider; + +@SuppressWarnings("deprecation") +public interface KeycloakClientLegacyIS extends KeycloakClient { + + String CATEGORY = "Auth"; + String NAME = "IAM"; + String DESCRIPTION = "oidc-token endpoint"; + + + /** + * Finds the keycloak token endpoint {@link URL} discovering it in the current scope provided by {@link ScopeProvider} + * + * @return the keycloak token endpoint URL in the current scope + * @throws KeycloakClientException if something goes wrong discovering the endpoint URL + */ + URL findTokenEndpointURL() throws KeycloakClientException; + + /** + * Compute the keycloak introspection endpoint {@link URL} starting from the discovered token endpoint it in the current scope provided by {@link ScopeProvider}. + * + * @return the keycloak introspection endpoint URL in the current scope + * @throws KeycloakClientException if something goes wrong discovering the endpoint URL + */ + URL computeIntrospectionEndpointURL() throws KeycloakClientException; + + /** + * Queries an OIDC token from the Keycloak server discovered in the current scope, by using provided clientId and client secret. + * + * @param clientId the client id + * @param clientSecret the client secret + * @return the issued token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the query + */ + TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException; + + /** + * Queries an UMA token from the Keycloak server discovered in the current scope, by using access-token provided by the {@link TokenResponse} object + * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions. + * + * @param clientId the client id + * @param clientSecret the client secret + * @param audience the audience (context) where to request the issuing of the ticket + * @param permissions a list of permissions, can be null + * @return the issued token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the query + */ + TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List permissions) + throws KeycloakClientException; + + /** + * Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret + * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions. + * + * @param clientId the client id + * @param clientSecret the client secret + * @param audience the audience (context) where to request the issuing of the ticket + * @param permissions a list of permissions, can be null + * @return the issued token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the query + */ + TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, List permissions) + throws KeycloakClientException; + + /** + * Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret + * for the current scope as audience (context), in URLEncoded form or not, and optionally a list of permissions. + * + * @param clientId the client id + * @param clientSecret the client secret + * @param permissions a list of permissions, can be null + * @return the issued token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the query + */ + TokenResponse queryUMAToken(String clientId, String clientSecret, List permissions) + throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh + * token JWT encoded string in the token response object. + * + * Client id will be read from "issued for" access token's claim and client secret will be not sent. + *
NOTE: For public clients types only. + * + * @param tokenResponse the previously issued token as {@link TokenResponse} object + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh + * token JWT encoded string in the token response object and the provided client id. + * + * Client secret will be not sent. + *
NOTE: For public clients types only. + * + * @param clientId the requestor client id, may be null and in this case will be take from the access token "issued for" claim + * @param tokenResponse the previously issued token as {@link TokenResponse} object + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh + * token JWT encoded string in the token response object and the provided client id and secret. + * + * @param clientId the requestor client id, may be null and in this case will be take from the access token "issued for" claim + * @param clientSecret the requestor client secret, may be null for non-confidential clients + * @param tokenResponse the previously issued token as {@link TokenResponse} object + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse) + throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the the refresh token JWT encoded string obtained with the access token in the previous token response. + * + * Client id will be read from "issued for" refresh token's claim and client secret will be not sent. + *
NOTE: For public clients types only. + * + * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided + * client id and the refresh token JWT encoded string obtained with the access token in the previous token response. + * + * Client secret will be not used. + *
NOTE: For public clients types only. + * + * @param clientId the requestor client id + * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException; + + /** + * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided + * client id and secret and the refresh token JWT encoded string obtained with the access token in the previous + * token response. + * + * @param clientId the requestor client id + * @param clientSecret the requestor client secret, may be null for non-confidential clients + * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter + * @return the refreshed token as {@link TokenResponse} object + * @throws KeycloakClientException if something goes wrong performing the refresh query + */ + TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString) + throws KeycloakClientException; + + /** + * Introspects an access token against the Keycloak server discovered in the current scope. + * + * @param clientId the requestor client id + * @param clientSecret the requestor client secret + * @param accessTokenJWTString the access token to verify + * @return true if the token is valid, false otherwise + * @throws KeycloakClientException if something goes wrong performing the verification + */ + TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException; + + /** + * Verifies an access token against the Keycloak server discovered in the current scope. + * + * @param clientId the requestor client id + * @param clientSecret the requestor client secret + * @param accessTokenJWTString the access token to verify + * @return a {@link TokenIntrospectionResponse} object with the introspection results; in particular, the active field represents the token validity + * @throws KeycloakClientException if something goes wrong performing the verification + */ + boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException; + +} \ No newline at end of file diff --git a/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyISFactory.java b/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyISFactory.java new file mode 100644 index 0000000..4ff9096 --- /dev/null +++ b/src/main/java/org/gcube/common/keycloak/KeycloakClientLegacyISFactory.java @@ -0,0 +1,15 @@ +package org.gcube.common.keycloak; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class KeycloakClientLegacyISFactory { + + protected static final Logger logger = LoggerFactory.getLogger(KeycloakClientLegacyISFactory.class); + + public static KeycloakClientLegacyIS newInstance() { + logger.debug("Instantiating a new keycloak client for legacy IS instance"); + return new DefaultKeycloakClientLegacyIS(); + } + +} \ No newline at end of file diff --git a/src/test/java/org/gcube/common/keycloak/TestKeycloakClientLegacyIS.java b/src/test/java/org/gcube/common/keycloak/TestKeycloakClientLegacyIS.java new file mode 100644 index 0000000..0a32322 --- /dev/null +++ b/src/test/java/org/gcube/common/keycloak/TestKeycloakClientLegacyIS.java @@ -0,0 +1,215 @@ +package org.gcube.common.keycloak; + +import java.net.URL; + +import org.gcube.common.keycloak.model.ModelUtils; +import org.gcube.common.keycloak.model.TokenIntrospectionResponse; +import org.gcube.common.keycloak.model.TokenResponse; +import org.gcube.common.scope.api.ScopeProvider; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.FixMethodOrder; +import org.junit.Test; +import org.junit.runners.MethodSorters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@SuppressWarnings("deprecation") +@FixMethodOrder(MethodSorters.NAME_ASCENDING) +public class TestKeycloakClientLegacyIS { + + protected static final Logger logger = LoggerFactory.getLogger(TestKeycloakClientLegacyIS.class); + + protected static final String DEV_TOKEN_ENDPOINT = "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token"; + protected static final String DEV_INTROSPECTION_ENDPOINT = DEV_TOKEN_ENDPOINT + "/introspect"; + + protected static final String CLIENT_ID = "keycloak-client-unit-test"; + protected static final String CLIENT_SECRET = "ebf6f82e-9511-408e-8321-203081e472d8"; + protected static final String TEST_AUDIENCE = "conductor-server"; + protected static final String OLD_OIDC_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5Nzk4NDUsImlhdCI6MTY1Mjk3OTU0NSwianRpIjoiMzQ2MjgwMWItODg4NS00YTM4LWJkNDUtNWExM2U1MGE5MGU5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOlsiJTJGZ2N1YmUiLCIlMkZnY3ViZSUyRmRldnNlYyUyRmRldlZSRSIsImFjY291bnQiXSwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImQ4MDk3MDBmLWEyNDUtNDI3Zi1hYzhjLTQxYjFkZDNkYTQ3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiJTJGZ2N1YmUiOnsicm9sZXMiOlsiTWVtYmVyIl19LCJrZXljbG9hay1jbGllbnQiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sIiUyRmdjdWJlJTJGZGV2c2VjJTJGZGV2VlJFIjp7InJvbGVzIjpbIk1lbWJlciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiOTMuNjYuMTg1Ljc1IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjkzLjY2LjE4NS43NSJ9.FQu4ox2HWeqeaY7nHYVGeJVpkJOcASfOb8tbOUeG-GB6sMjRB2S8PjLLaw63r_c42yxKszP04XdxGqIWqXTtoD9QCiUHTT5yJTkIpio4tMMGHth9Fbx-9dwk0yy_IFi1_OsCvZFmOQRdjMuUkj1lSqslCzAw-2E5q1Zt415-au5pEVJYNTFqIsG72ChJwh6eq1Dh1XBy8krb7YVPQyIwxO_awgAYO5hbsdvXYlRfCrnB38kk2V6-CQ-XYoL1m7xIB-gjhKCiFvDmmntQSRCZFgb0qi8eOmh9FdzPxZgx7yPJwAAj17dS4B_gz9FpZBVciNzpA6Lf4P2bqvoD9-R6ow"; + protected static final String OLD_UMA_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5ODA0NzgsImlhdCI6MTY1Mjk4MDE3OCwianRpIjoiNjBkNzU3MGMtZmQxOC00NGQ1LTg1MzUtODhlMmFmOGQ1ZTgwIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjI3NDUyN2M5LWNkZjMtNGM2Yi1iNTUxLTFmMTRkZGE5ZGVlZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiSW5mcmFzdHJ1Y3R1cmUtQ2xpZW50Il19LCJhdXRob3JpemF0aW9uIjp7InBlcm1pc3Npb25zIjpbeyJzY29wZXMiOlsiZ2V0Il0sInJzaWQiOiIyNDlmZDQ2OS03OWM1LTRiODUtYjE5NS1mMjliM2ViNjAzNDUiLCJyc25hbWUiOiJtZXRhZGF0YSJ9LHsic2NvcGVzIjpbImdldCIsInN0YXJ0IiwidGVybWluYXRlIl0sInJzaWQiOiJhNmYzZWFkZS03NDA0LTRlNWQtOTA3MC04MDBhZGI1YWFjNGUiLCJyc25hbWUiOiJ3b3JrZmxvdyJ9LHsicnNpZCI6IjFiNmMwMGI3LTkxMzktNGVhYS1hYWM3LTIwMjMxZmVlMDVhNSIsInJzbmFtZSI6IkRlZmF1bHQgUmVzb3VyY2UifV19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJjbGllbnRJZCI6ImtleWNsb2FrLWNsaWVudCIsImNsaWVudEhvc3QiOiI5My42Ni4xODUuNzUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1rZXljbG9hay1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiOTMuNjYuMTg1Ljc1In0.Hh62E56R-amHwoDPFQEylMvrvmNzWnC_4bDI7_iQYAPJ5YzCNH9d7zcdGaQ96kRmps_JRc2Giv_1W9kYorOhlXl-5QLDrSoqrqFxrNpEGG5r5jpNJbusbu4wNUKiCt_GMnM1UmztgXiQeuggNGkmeBIjotj0eubnmIbUV9ukHj3v7Z5PwNKKX3BCpsghd1u8lg6Nfqk_Oho4GXUfdaFY_AR3SNqzVI_9YLhND_a03MNNWlnfOvj8T4nDCKBZIs91tVyiu98d2TjnQt8PdlVwokMP3LA58m0Khy2cmUm1KF2k0zlzP8MxV9wTxNrpovMr-PnbtEPZ_IlVQIzHwjHfwQ"; + + private static TokenResponse oidcTR = null; + private static TokenResponse umaTR = null; + + @Before + public void setUp() throws Exception { + ScopeProvider.instance.set("/gcube"); + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void test00TokenEndpointDiscovery() throws Exception { + logger.info("*** [0.0] Start testing Keycloak token endpoint discovery..."); + URL url = KeycloakClientLegacyISFactory.newInstance().findTokenEndpointURL(); + Assert.assertNotNull(url); + Assert.assertTrue(url.getProtocol().equals("https")); + Assert.assertEquals(new URL(DEV_TOKEN_ENDPOINT), url); + logger.info("Discovered URL is: {}", url); + } + + @Test + public void test01IntrospectEndpointComputeFromDiscovered() throws Exception { + logger.info("*** [0.1] Start testing Keycloak userinfo endpoint computed from discovered URL..."); + URL url = KeycloakClientLegacyISFactory.newInstance().computeIntrospectionEndpointURL(); + Assert.assertNotNull(url); + Assert.assertTrue(url.getProtocol().equals("https")); + Assert.assertEquals(new URL(DEV_INTROSPECTION_ENDPOINT), url); + logger.info("Discovered URL is: {}", url); + } + + @Test + public void test11QueryOIDCTokenWithDiscoveryInCurrentScope() throws Exception { + logger.info( + "*** [1.1] Start testing query OIDC token from Keycloak with endpoint discovery and current scope..."); + oidcTR = KeycloakClientLegacyISFactory.newInstance().queryOIDCToken(CLIENT_ID, + CLIENT_SECRET); + logger.info("*** [1.1] OIDC access token: {}", oidcTR.getAccessToken()); + logger.info("*** [1.1] OIDC refresh token: {}", oidcTR.getRefreshToken()); + TestModels.checkTokenResponse(oidcTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), + "service-account-" + CLIENT_ID, false); + } + + @Test + public void test13RefreshOIDCTokenWithDiscovery() throws Exception { + logger.info("*** [1.3] Start testing refresh OIDC token from Keycloak with endpoint discovery..."); + TokenResponse refreshedTR = KeycloakClientLegacyISFactory.newInstance().refreshToken( + CLIENT_ID, CLIENT_SECRET, + oidcTR); + logger.info("*** [1.3] Refreshed OIDC access token: {}", refreshedTR.getAccessToken()); + logger.info("*** [1.3] Refreshed OIDC refresh token: {}", refreshedTR.getRefreshToken()); + TestModels.checkTokenResponse(refreshedTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR), + "service-account-" + CLIENT_ID, false); + TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR)); + } + + @Test + public void test21QueryUMATokenWithDiscoveryInCurrentScope() throws Exception { + logger.info( + "*** [2.1] Start testing query UMA token from Keycloak with endpoint discovery and current scope as audience..."); + + umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(CLIENT_ID, + CLIENT_SECRET, null); + logger.info("*** [2.1] UMA access token: {}", umaTR.getAccessToken()); + logger.info("*** [2.1] UMA refresh token: {}", umaTR.getRefreshToken()); + TestModels.checkTokenResponse(umaTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), + "service-account-" + CLIENT_ID, true); + } + + @Test + public void test22QueryUMATokenWithDiscovery() throws Exception { + logger.info("*** [2.2] Start testing query UMA token from Keycloak with endpoint discovery..."); + umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(CLIENT_ID, + CLIENT_SECRET, TEST_AUDIENCE, + null); + logger.info("*** [2.2] UMA access token: {}", umaTR.getAccessToken()); + logger.info("*** [2.2] UMA refresh token: {}", umaTR.getRefreshToken()); + TestModels.checkTokenResponse(umaTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), + "service-account-" + CLIENT_ID, true); + } + + @Test + public void test23QueryUMATokenWithDiscoveryWithOIDCAuthorization() throws Exception { + logger.info( + "*** [2.3] Start testing query UMA token from Keycloak with endpoint discovery and OIDC access token for authorization..."); + + umaTR = KeycloakClientLegacyISFactory.newInstance().queryUMAToken(oidcTR, TEST_AUDIENCE, + null); + + logger.info("*** [2.3] UMA access token: {}", umaTR.getAccessToken()); + logger.info("*** [2.3] UMA refresh token: {}", umaTR.getRefreshToken()); + TestModels.checkTokenResponse(umaTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), + "service-account-" + CLIENT_ID, true); + } + + @Test + public void test25RefreshUMATokenWithDiscovery() throws Exception { + logger.info("*** [2.5] Start testing refresh UMA token from Keycloak with endpoint discovery..."); + TokenResponse refreshedTR = KeycloakClientLegacyISFactory.newInstance().refreshToken( + CLIENT_ID, CLIENT_SECRET, + umaTR); + logger.info("*** [2.5] Refreshed UMA access token: {}", refreshedTR.getAccessToken()); + logger.info("*** [2.5] Refreshed UMA refresh token: {}", refreshedTR.getRefreshToken()); + + TestModels.checkTokenResponse(refreshedTR); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR), + "service-account-" + CLIENT_ID, true); + + TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR)); + } + + @Test(expected = KeycloakClientException.class) + public void test26RefreshTokenWithDiscoveryAndClientIdFromRefreshToken() throws Exception { + logger.info("*** [2.6] Start testing refresh UMA token *with error* since is not a public client..."); + KeycloakClientLegacyISFactory.newInstance().refreshToken(umaTR.getRefreshToken()); + } + + @Test + public void test301IntrospectOIDCAccessTokenWithDiscovery() throws Exception { + logger.info("*** [3.1] Start testing introspect OIDC access token with endpoint discovery..."); + TokenIntrospectionResponse tir = KeycloakClientLegacyISFactory.newInstance().introspectAccessToken( + CLIENT_ID, + CLIENT_SECRET, oidcTR.getAccessToken()); + + TestModels.checkTokenIntrospectionResponse(tir); + } + + @Test + public void test303IntrospectUMAAccessTokenWithDiscovery() throws Exception { + logger.info("*** [3.3] Start testing introspect UMA access token with endpoint discovery..."); + TokenIntrospectionResponse tir = KeycloakClientLegacyISFactory.newInstance().introspectAccessToken( + CLIENT_ID, + CLIENT_SECRET, umaTR.getAccessToken()); + + TestModels.checkTokenIntrospectionResponse(tir); + } + + @Test + public void test305OIDCAccessTokenVerificationWithDiscovery() throws Exception { + logger.info("*** [3.5] Start OIDC access token verification with endpoint discovery..."); + Assert.assertTrue( + KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(CLIENT_ID, + CLIENT_SECRET, oidcTR.getAccessToken())); + } + + @Test + public void test307OIDCAccessTokenNonVerificationWithDiscovery() throws Exception { + logger.info("*** [3.7] Start OIDC access token NON verification..."); + Assert.assertFalse(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified( + CLIENT_ID, CLIENT_SECRET, + OLD_OIDC_ACCESS_TOKEN)); + } + + @Test + public void test308UMAAccessTokenVerificationWithDiscovery() throws Exception { + logger.info("*** [3.8] Start UMA access token verification with endpoint discovery..."); + Assert.assertTrue( + KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified(CLIENT_ID, + CLIENT_SECRET, umaTR.getAccessToken())); + } + + @Test + public void test309UMAAccessTokenVerification() throws Exception { + logger.info("*** [3.9] Start UMA access token verification..."); + Assert.assertTrue(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified( + new URL(DEV_INTROSPECTION_ENDPOINT), CLIENT_ID, + CLIENT_SECRET, umaTR.getAccessToken())); + } + + @Test + public void test310UMAAccessTokenNonVerificationWithDiscovery() throws Exception { + logger.info("*** [3.10] Start UMA access token NON verification..."); + Assert.assertFalse(KeycloakClientLegacyISFactory.newInstance().isAccessTokenVerified( + CLIENT_ID, CLIENT_SECRET, + OLD_UMA_ACCESS_TOKEN)); + } +} diff --git a/src/test/java/org/gcube/common/keycloak/TestModels.java b/src/test/java/org/gcube/common/keycloak/TestModels.java new file mode 100644 index 0000000..c3ca884 --- /dev/null +++ b/src/test/java/org/gcube/common/keycloak/TestModels.java @@ -0,0 +1,117 @@ +package org.gcube.common.keycloak; + +import java.io.File; + +import org.gcube.com.fasterxml.jackson.databind.ObjectMapper; +import org.gcube.common.keycloak.model.AccessToken; +import org.gcube.common.keycloak.model.ModelUtils; +import org.gcube.common.keycloak.model.RefreshToken; +import org.gcube.common.keycloak.model.TokenIntrospectionResponse; +import org.gcube.common.keycloak.model.TokenResponse; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.FixMethodOrder; +import org.junit.Test; +import org.junit.runners.MethodSorters; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@FixMethodOrder(MethodSorters.NAME_ASCENDING) +public class TestModels { + + protected static final Logger logger = LoggerFactory.getLogger(TestModels.class); + + @Before + public void setUp() throws Exception { + } + + @After + public void tearDown() throws Exception { + } + + @Test + public void testTokenResponseForOIDC() throws Exception { + logger.info("Start testing OIDC token response object binding..."); + TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/oidc-token-response.json"), + TokenResponse.class); + + logger.debug("OIDC token response:\n{}", ModelUtils.toJSONString(tr, true)); + checkTokenResponse(tr); + + } + + @Test + public void testTokenResponseForUMA() throws Exception { + logger.info("Start testing UMA token response object binding..."); + TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/uma-token-response.json"), + TokenResponse.class); + + logger.debug("UMA token response:\n{}", ModelUtils.toJSONString(tr, true)); + checkTokenResponse(tr); + } + + @Test + public void testUMAAccessToken() throws Exception { + logger.info("Start testing access token object binding..."); + AccessToken at = new ObjectMapper().readValue(new File("src/test/resources/uma-access-token.json"), + AccessToken.class); + + checkAccessToken(at, null, true); + } + + @Test + public void testRemoveBearerPrefixInHeader() throws Exception { + TokenResponse tr = new ObjectMapper().readValue(new File("src/test/resources/oidc-token-response.json"), + TokenResponse.class); + + AccessToken at1 = ModelUtils.getAccessTokenFrom(tr.getAccessToken()); + AccessToken at2 = ModelUtils.getAccessTokenFrom("Bearer " + tr.getAccessToken()); + AccessToken at3 = ModelUtils.getAccessTokenFrom("bearer " + tr.getAccessToken()); + + checkAccessToken(at1, null, true); + checkAccessToken(at2, null, true); + checkAccessToken(at3, null, true); + Assert.assertEquals(ModelUtils.toJSONString(at1), ModelUtils.toJSONString(at2)); + Assert.assertEquals(ModelUtils.toJSONString(at2), ModelUtils.toJSONString(at3)); + } + + @Test + public void testUMARefreshToken() throws Exception { + logger.info("Start testing refresh token object binding..."); + RefreshToken rt = new ObjectMapper().readValue(new File("src/test/resources/uma-refresh-token.json"), + RefreshToken.class); + + checkRefreshToken(rt); + } + + public static void checkTokenResponse(TokenResponse tr) throws Exception { + Assert.assertNotNull(tr); + Assert.assertEquals("bearer", tr.getTokenType().toLowerCase()); + Assert.assertNotNull(tr.getAccessToken()); + Assert.assertNotNull(tr.getRefreshToken()); + } + + public static void checkAccessToken(AccessToken at, String preferredUsername, boolean checkAudience) { + logger.debug("Access token:\n{}", ModelUtils.toJSONString(at, true)); + Assert.assertNotNull(at.getPreferredUsername()); + if (preferredUsername != null) { + Assert.assertEquals(preferredUsername, at.getPreferredUsername()); + } + if (checkAudience) { + Assert.assertNotNull(at.getAudience()); + } + } + + public static void checkRefreshToken(RefreshToken rt) { + logger.debug("Refresh token:\n{}", ModelUtils.toJSONString(rt, true)); + Assert.assertNotNull(rt.getOtherClaims()); + Assert.assertNotNull(rt.getAudience()); + } + + public static void checkTokenIntrospectionResponse(TokenIntrospectionResponse tir) { + logger.debug("Token introspection response :\n{}", ModelUtils.toJSONString(tir, true)); + Assert.assertTrue(tir.isActive()); + } + +} diff --git a/src/test/resources/log4j.xml b/src/test/resources/log4j.xml new file mode 100644 index 0000000..3c7aad1 --- /dev/null +++ b/src/test/resources/log4j.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/oidc-access-token.json b/src/test/resources/oidc-access-token.json new file mode 100644 index 0000000..00692a9 --- /dev/null +++ b/src/test/resources/oidc-access-token.json @@ -0,0 +1,40 @@ +{ + "exp": 1622216161, + "iat": 1622215861, + "jti": "d391d814-a1f6-4a40-9aa3-3f51ec59988c", + "iss": "https://accounts.dev.d4science.org/auth/realms/d4science", + "aud": "account", + "sub": "1c84108a-201d-4e20-8ad2-d72b08d58f8a", + "typ": "Bearer", + "azp": "lr62_portal", + "session_state": "1a054bb7-4d87-44a9-ad1f-1746ef2dd522", + "acr": "1", + "allowed-origins": [ + "https://dev.d4science.org" + ], + "realm_access": { + "roles": [ + "offline_access", + "Infrastructure-Client", + "uma_authorization" + ] + }, + "resource_access": { + "account": { + "roles": [ + "manage-account", + "manage-account-links", + "view-profile" + ] + } + }, + "scope": "email profile", + "email_verified": true, + "name": "Gino Stilla", + "groups": [], + "preferred_username": "gino.stilla", + "given_name": "Gino", + "locale": "it", + "family_name": "Stilla", + "email": "gino@stilla.com" +} \ No newline at end of file diff --git a/src/test/resources/oidc-token-response.json b/src/test/resources/oidc-token-response.json new file mode 100644 index 0000000..9cb40c5 --- /dev/null +++ b/src/test/resources/oidc-token-response.json @@ -0,0 +1,10 @@ +{ + "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2MjIyMTYxNjEsImlhdCI6MTYyMjIxNTg2MSwianRpIjoiZDM5MWQ4MTQtYTFmNi00YTQwLTlhYTMtM2Y1MWVjNTk5ODhjIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMWM4NDEwOGEtMjAxZC00ZTIwLThhZDItZDcyYjA4ZDU4ZjhhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibHI2Ml9wb3J0YWwiLCJzZXNzaW9uX3N0YXRlIjoiMWEwNTRiYjctNGQ4Ny00NGE5LWFkMWYtMTc0NmVmMmRkNTIyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2Rldi5kNHNjaWVuY2Uub3JnIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJHaW5vIFN0aWxsYSIsImdyb3VwcyI6W10sInByZWZlcnJlZF91c2VybmFtZSI6Imdpbm8uc3RpbGxhIiwiZ2l2ZW5fbmFtZSI6Ikdpbm8iLCJsb2NhbGUiOiJpdCIsImZhbWlseV9uYW1lIjoiU3RpbGxhIiwiZW1haWwiOiJnaW5vQHN0aWxsYS5jb20ifQ.C43CAMgoHFhRNPACXPKDr_b1ytZeYeB2_AxTOl0jhG5YUpzoigtjwdrYptJbDtlO0fO3Ex9-KgKKBpUROMb0tC7YjuVgK6uGmaBcXGvA2S9mMLVlpl8u0KWJrrvzjPSSBHqH1fKZ6RHhZYkukMAeEeN5nT5SJoftiBNfnQi0wdjsN6fWUDLVQ3kYFQ_8C2RuO-yivSc9TyVpV-1M6ij7PEplWf2UjoygJKchs9R6x_sLHbaQHPTE24PMEY7GcEsgUwBXR3bkcWZ9cVuxAnbcIYITT-qC6V4YXodS2cYew3WoSaMl8LfTmIl7oFiv3lIDYvQ3dd-X8h1QkkbTPlVLOQ", + "expires_in": 300, + "refresh_expires_in": 1800, + "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjOTk5YmVjNC1iNDc4LTQ4Y2YtYmI5OS0wMWMxODY5NzcwNGIifQ.eyJleHAiOjE2MjIyMTc2NjEsImlhdCI6MTYyMjIxNTg2MSwianRpIjoiNzA2YzEyZjUtZDk3OS00MjVmLWI1NzctMzgxNWU4ZTdlNWM2IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJodHRwczovL2FjY291bnRzLmRldi5kNHNjaWVuY2Uub3JnL2F1dGgvcmVhbG1zL2Q0c2NpZW5jZSIsInN1YiI6IjFjODQxMDhhLTIwMWQtNGUyMC04YWQyLWQ3MmIwOGQ1OGY4YSIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJscjYyX3BvcnRhbCIsInNlc3Npb25fc3RhdGUiOiIxYTA1NGJiNy00ZDg3LTQ0YTktYWQxZi0xNzQ2ZWYyZGQ1MjIiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUifQ.2nYaWSEIbzr56vKx39AxomfiWoSQweAnepf7p3maZMs", + "token_type": "bearer", + "not-before-policy": 1618317421, + "session_state": "1a054bb7-4d87-44a9-ad1f-1746ef2dd522", + "scope": "email profile" +} \ No newline at end of file diff --git a/src/test/resources/uma-access-token.json b/src/test/resources/uma-access-token.json new file mode 100644 index 0000000..11c9ea3 --- /dev/null +++ b/src/test/resources/uma-access-token.json @@ -0,0 +1,63 @@ +{ + "exp": 1621960710, + "iat": 1621960410, + "jti": "5a2a2240-8a32-40c9-8cc2-456dd8b089d9", + "iss": "https://accounts.dev.d4science.org/auth/realms/d4science", + "aud": "conductor-server", + "sub": "a47dfe16-b4ed-44ed-a1d9-97ecd504360c", + "typ": "Bearer", + "azp": "keycloak-client", + "session_state": "1550e4ef-5a92-430d-aa0f-242e5f8048de", + "acr": "1", + "realm_access": { + "roles": [ + "offline_access", + "Infrastructure-Client", + "uma_authorization" + ] + }, + "resource_access": { + "keycloak-client": { + "roles": [ + "uma_protection" + ] + }, + "account": { + "roles": [ + "manage-account", + "manage-account-links", + "view-profile" + ] + } + }, + "authorization": { + "permissions": [ + { + "scopes": [ + "get" + ], + "rsid": "249fd469-79c5-4b85-b195-f29b3eb60345", + "rsname": "metadata" + }, + { + "scopes": [ + "get", + "start", + "terminate" + ], + "rsid": "a6f3eade-7404-4e5d-9070-800adb5aac4e", + "rsname": "workflow" + }, + { + "rsid": "1b6c00b7-9139-4eaa-aac7-20231fee05a5", + "rsname": "Default Resource" + } + ] + }, + "scope": "email profile", + "clientId": "keycloak-client", + "clientHost": "2.231.31.240", + "email_verified": false, + "preferred_username": "service-account-keycloak-client", + "clientAddress": "2.231.31.240" +} \ No newline at end of file diff --git a/src/test/resources/uma-refresh-token.json b/src/test/resources/uma-refresh-token.json new file mode 100644 index 0000000..0d61fcf --- /dev/null +++ b/src/test/resources/uma-refresh-token.json @@ -0,0 +1,36 @@ +{ + "exp": 1621962210, + "iat": 1621960410, + "jti": "ca223961-22a2-4171-af3e-f109749e83ea", + "iss": "https://accounts.dev.d4science.org/auth/realms/d4science", + "aud": "https://accounts.dev.d4science.org/auth/realms/d4science", + "sub": "a47dfe16-b4ed-44ed-a1d9-97ecd504360c", + "typ": "Refresh", + "azp": "keycloak-client", + "session_state": "1550e4ef-5a92-430d-aa0f-242e5f8048de", + "authorization": { + "permissions": [ + { + "scopes": [ + "get" + ], + "rsid": "249fd469-79c5-4b85-b195-f29b3eb60345", + "rsname": "metadata" + }, + { + "scopes": [ + "get", + "start", + "terminate" + ], + "rsid": "a6f3eade-7404-4e5d-9070-800adb5aac4e", + "rsname": "workflow" + }, + { + "rsid": "1b6c00b7-9139-4eaa-aac7-20231fee05a5", + "rsname": "Default Resource" + } + ] + }, + "scope": "email profile" +} \ No newline at end of file diff --git a/src/test/resources/uma-token-response.json b/src/test/resources/uma-token-response.json new file mode 100644 index 0000000..02c0e39 --- /dev/null +++ b/src/test/resources/uma-token-response.json @@ -0,0 +1,9 @@ +{ + "upgraded": false, + "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2MjE5NjA3MTAsImlhdCI6MTYyMTk2MDQxMCwianRpIjoiNWEyYTIyNDAtOGEzMi00MGM5LThjYzItNDU2ZGQ4YjA4OWQ5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjE1NTBlNGVmLTVhOTItNDMwZC1hYTBmLTI0MmU1ZjgwNDhkZSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJJbmZyYXN0cnVjdHVyZS1DbGllbnQiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImtleWNsb2FrLWNsaWVudCI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwiYXV0aG9yaXphdGlvbiI6eyJwZXJtaXNzaW9ucyI6W3sic2NvcGVzIjpbImdldCJdLCJyc2lkIjoiMjQ5ZmQ0NjktNzljNS00Yjg1LWIxOTUtZjI5YjNlYjYwMzQ1IiwicnNuYW1lIjoibWV0YWRhdGEifSx7InNjb3BlcyI6WyJnZXQiLCJzdGFydCIsInRlcm1pbmF0ZSJdLCJyc2lkIjoiYTZmM2VhZGUtNzQwNC00ZTVkLTkwNzAtODAwYWRiNWFhYzRlIiwicnNuYW1lIjoid29ya2Zsb3cifSx7InJzaWQiOiIxYjZjMDBiNy05MTM5LTRlYWEtYWFjNy0yMDIzMWZlZTA1YTUiLCJyc25hbWUiOiJEZWZhdWx0IFJlc291cmNlIn1dfSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiMi4yMzEuMzEuMjQwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjIuMjMxLjMxLjI0MCJ9.UKcREwcaJc9tpfUIsIfqbN-uON1lrtAcVQSoZan29hyQ-t8o6tjWS4-ix8JnWN8YBxU0Gbo1XcGx2NEnX7QCcAt9R46I9jpd5D9LBF-DF1G5zTVc1Cwm9-XcQ9vU_KDJ_qOzhcbPe1ZeAkYV4LpRXuPS7bBSUiNYExHoWBQTUTjNUc7rJRGWk14YKNjEgvri46RZw3ZZQ19JdjktyLz4WNGF8asSAmLXTeJ4q7O1kWttDzxjiz6QMW1378lYCb_GfXWsnAWbm7zpfz2-Fs3NmZO35BUw_jba_l_8Uog35X9qhsgcw2-_sWEB0vGLEHvz2zowpy70zjpoeHZYq6LeBw", + "expires_in": 300, + "refresh_expires_in": 1800, + "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjOTk5YmVjNC1iNDc4LTQ4Y2YtYmI5OS0wMWMxODY5NzcwNGIifQ.eyJleHAiOjE2MjE5NjIyMTAsImlhdCI6MTYyMTk2MDQxMCwianRpIjoiY2EyMjM5NjEtMjJhMi00MTcxLWFmM2UtZjEwOTc0OWU4M2VhIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJodHRwczovL2FjY291bnRzLmRldi5kNHNjaWVuY2Uub3JnL2F1dGgvcmVhbG1zL2Q0c2NpZW5jZSIsInN1YiI6ImE0N2RmZTE2LWI0ZWQtNDRlZC1hMWQ5LTk3ZWNkNTA0MzYwYyIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJrZXljbG9hay1jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiMTU1MGU0ZWYtNWE5Mi00MzBkLWFhMGYtMjQyZTVmODA0OGRlIiwiYXV0aG9yaXphdGlvbiI6eyJwZXJtaXNzaW9ucyI6W3sic2NvcGVzIjpbImdldCJdLCJyc2lkIjoiMjQ5ZmQ0NjktNzljNS00Yjg1LWIxOTUtZjI5YjNlYjYwMzQ1IiwicnNuYW1lIjoibWV0YWRhdGEifSx7InNjb3BlcyI6WyJnZXQiLCJzdGFydCIsInRlcm1pbmF0ZSJdLCJyc2lkIjoiYTZmM2VhZGUtNzQwNC00ZTVkLTkwNzAtODAwYWRiNWFhYzRlIiwicnNuYW1lIjoid29ya2Zsb3cifSx7InJzaWQiOiIxYjZjMDBiNy05MTM5LTRlYWEtYWFjNy0yMDIzMWZlZTA1YTUiLCJyc25hbWUiOiJEZWZhdWx0IFJlc291cmNlIn1dfSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0.63dE64hNYpxQRV-M5zOrLLWt9cehJI4DcIbHia977r4", + "token_type": "Bearer", + "not-before-policy": 1618317421 +} \ No newline at end of file