From 460b080fcd666bc92caaf51f763e8d972050b1c5 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Wed, 8 Jun 2022 19:05:40 +0200 Subject: [PATCH] Removed the discovery functionality to be compatible with SmartGears.v4 and moved to the new library `keycloak-client-legacy-is` that will provide the backward compatibility. (#23478) --- CHANGELOG.md | 3 + pom.xml | 13 +- .../gcube/common/keycloak/AbstractPlugin.java | 25 --- .../keycloak/DefaultKeycloakClient.java | 148 --------------- .../gcube/common/keycloak/KeycloakClient.java | 175 ------------------ .../common/keycloak/TestKeycloakClient.java | 152 ++------------- .../org/gcube/common/keycloak/TestModels.java | 14 +- 7 files changed, 24 insertions(+), 506 deletions(-) delete mode 100644 src/main/java/org/gcube/common/keycloak/AbstractPlugin.java diff --git a/CHANGELOG.md b/CHANGELOG.md index c9f7f86..1fbf710 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm # Changelog for "keycloak-client" +## [v2.0.0-SNAPSHOT] +- Removed the discovery functionality to be compatible with SmartGears.v4 and moved to the new library `keycloak-client-legacy-is` that will provide the backward compatibility. (#23478) + ## [v1.3.0-SNAPSHOT] - Added functions to introspect and verify access tokens (both OIDC and UMA are supported) (#23326). diff --git a/pom.xml b/pom.xml index 6c8584b..c3d27f4 100644 --- a/pom.xml +++ b/pom.xml @@ -13,7 +13,7 @@ org.gcube.common keycloak-client - 1.3.0-SNAPSHOT + 2.0.0-SNAPSHOT @@ -65,17 +65,6 @@ common-fw-clients - - org.gcube.resources.discovery - ic-client - - - - org.gcube.core - common-scope-maps - test - - org.slf4j slf4j-log4j12 diff --git a/src/main/java/org/gcube/common/keycloak/AbstractPlugin.java b/src/main/java/org/gcube/common/keycloak/AbstractPlugin.java deleted file mode 100644 index 54c67ec..0000000 --- a/src/main/java/org/gcube/common/keycloak/AbstractPlugin.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.gcube.common.keycloak; - -import org.gcube.common.clients.fw.plugin.Plugin; - -public abstract class AbstractPlugin implements Plugin, KeycloakClient { - - public final String name; - - public AbstractPlugin(String name) { - this.name = name; - } - - public String serviceClass() { - return CATEGORY; - } - - public String serviceName() { - return NAME; - } - - public String name() { - return name; - } - -} \ No newline at end of file diff --git a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java index b3fad44..c4f45e7 100644 --- a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java +++ b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java @@ -10,8 +10,6 @@ import static org.gcube.common.keycloak.model.OIDCConstants.REFRESH_TOKEN_GRANT_ import static org.gcube.common.keycloak.model.OIDCConstants.REFRESH_TOKEN_PARAMETER; import static org.gcube.common.keycloak.model.OIDCConstants.TOKEN_PARAMETER; import static org.gcube.common.keycloak.model.OIDCConstants.UMA_TOKEN_GRANT_TYPE; -import static org.gcube.resources.discovery.icclient.ICFactory.clientFor; -import static org.gcube.resources.discovery.icclient.ICFactory.queryFor; import java.io.UnsupportedEncodingException; import java.net.MalformedURLException; @@ -30,75 +28,9 @@ import org.gcube.common.gxrest.response.inbound.GXInboundResponse; import org.gcube.common.keycloak.model.ModelUtils; import org.gcube.common.keycloak.model.TokenIntrospectionResponse; import org.gcube.common.keycloak.model.TokenResponse; -import org.gcube.common.resources.gcore.ServiceEndpoint; -import org.gcube.common.resources.gcore.ServiceEndpoint.AccessPoint; -import org.gcube.common.scope.api.ScopeProvider; -import org.gcube.resources.discovery.client.api.DiscoveryClient; -import org.gcube.resources.discovery.client.queries.api.SimpleQuery; public class DefaultKeycloakClient implements KeycloakClient { - @Override - public URL findTokenEndpointURL() throws KeycloakClientException { - logger.debug("Checking ScopeProvider's scope presence and format"); - String originalScope = ScopeProvider.instance.get(); - if (originalScope == null || !originalScope.startsWith("/") || originalScope.length() < 2) { - throw new KeycloakClientException(originalScope == null ? "Scope not found in ScopeProvider" - : "Bad scope name found: " + originalScope); - } - logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope); - String rootVOScope = "/" + originalScope.split("/")[1]; - logger.debug("Setting rootVO scope into provider as: {}", rootVOScope); - - List accessPoints = null; - - // trying to be thread safe at least for these calls - synchronized (ScopeProvider.instance) { - boolean scopeModified = false; - if (!ScopeProvider.instance.get().equals(rootVOScope)) { - logger.debug("Overriding scope in the provider with rootVO scope : {}", rootVOScope); - ScopeProvider.instance.set(rootVOScope); - scopeModified = true; - } - - logger.debug("Creating simple query"); - SimpleQuery query = queryFor(ServiceEndpoint.class); - query.addCondition( - String.format("$resource/Profile/Category/text() eq '%s'", CATEGORY)) - .addCondition(String.format("$resource/Profile/Name/text() eq '%s'", NAME)) - .setResult(String.format("$resource/Profile/AccessPoint[Description/text() eq '%s']", DESCRIPTION)); - - logger.debug("Creating client for AccessPoint"); - DiscoveryClient client = clientFor(AccessPoint.class); - - logger.trace("Submitting query: {}", query); - accessPoints = client.submit(query); - - if (scopeModified) { - logger.debug("Resetting scope into provider to the original value: {}", originalScope); - ScopeProvider.instance.set(originalScope); - } - } - - if (accessPoints.size() == 0) { - throw new KeycloakClientException("Service endpoint not found"); - } else if (accessPoints.size() > 1) { - throw new KeycloakClientException("Found more than one endpoint with query"); - } - String address = accessPoints.iterator().next().address(); - logger.debug("Found address: {}", address); - try { - return new URL(address); - } catch (MalformedURLException e) { - throw new KeycloakClientException("Cannot create URL from address: " + address, e); - } - } - - @Override - public URL computeIntrospectionEndpointURL() throws KeycloakClientException { - return computeIntrospectionEndpointURL(findTokenEndpointURL()); - } - @Override public URL computeIntrospectionEndpointURL(URL tokenEndpointURL) throws KeycloakClientException { logger.debug("Computing introspection URL starting from token endpoint URL: {}", tokenEndpointURL); @@ -116,11 +48,6 @@ public class DefaultKeycloakClient implements KeycloakClient { } } - @Override - public TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException { - return queryOIDCToken(findTokenEndpointURL(), clientId, clientSecret); - } - @Override public TokenResponse queryOIDCToken(URL tokenURL, String clientId, String clientSecret) throws KeycloakClientException { @@ -142,28 +69,6 @@ public class DefaultKeycloakClient implements KeycloakClient { return performRequest(tokenURL, authorization, params); } - @Override - public TokenResponse queryUMAToken(String clientId, String clientSecret, List permissions) - throws KeycloakClientException { - - return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions); - } - - @Override - public TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List permissions) - throws KeycloakClientException { - - return queryUMAToken(findTokenEndpointURL(), constructBeareAuthenticationHeader(oidcTokenResponse), audience, - permissions); - } - - @Override - public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, - List permissions) throws KeycloakClientException { - - return queryUMAToken(findTokenEndpointURL(), clientId, clientSecret, audience, permissions); - } - @Override public TokenResponse queryUMAToken(URL tokenURL, TokenResponse oidcTokenResponse, String audience, List permissions) throws KeycloakClientException { @@ -278,28 +183,11 @@ public class DefaultKeycloakClient implements KeycloakClient { return audience; } - @Override - public TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException { - return refreshToken((String) null, tokenResponse); - } - @Override public TokenResponse refreshToken(URL tokenURL, TokenResponse tokenResponse) throws KeycloakClientException { return refreshToken(tokenURL, null, null, tokenResponse); } - @Override - public TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException { - return refreshToken(clientId, null, tokenResponse); - } - - @Override - public TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse) - throws KeycloakClientException { - - return refreshToken(findTokenEndpointURL(), clientId, clientSecret, tokenResponse); - } - @Override public TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, TokenResponse tokenResponse) throws KeycloakClientException { @@ -315,28 +203,6 @@ public class DefaultKeycloakClient implements KeycloakClient { return refreshToken(tokenURL, clientId, clientSecret, tokenResponse.getRefreshToken()); } - @Override - public TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException { - try { - String clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWTString)); - return refreshToken(clientId, refreshTokenJWTString); - } catch (Exception e) { - throw new KeycloakClientException("Cannot construct access token object from token response", e); - } - } - - @Override - public TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException { - return refreshToken(clientId, null, refreshTokenJWTString); - } - - @Override - public TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString) - throws KeycloakClientException { - - return refreshToken(findTokenEndpointURL(), clientId, clientSecret, refreshTokenJWTString); - } - @Override public TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, String refreshTokenJWTString) throws KeycloakClientException { @@ -398,13 +264,6 @@ public class DefaultKeycloakClient implements KeycloakClient { } } - @Override - public TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret, - String accessTokenJWTString) throws KeycloakClientException { - - return introspectAccessToken(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString); - } - @Override public TokenIntrospectionResponse introspectAccessToken(URL introspectionURL, String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException { @@ -462,13 +321,6 @@ public class DefaultKeycloakClient implements KeycloakClient { } } - @Override - public boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString) - throws KeycloakClientException { - - return isAccessTokenVerified(computeIntrospectionEndpointURL(), clientId, clientSecret, accessTokenJWTString); - } - @Override public boolean isAccessTokenVerified(URL introspectionURL, String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException { diff --git a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java index 31b411d..142c1a1 100644 --- a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java +++ b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java @@ -5,7 +5,6 @@ import java.util.List; import org.gcube.common.keycloak.model.TokenIntrospectionResponse; import org.gcube.common.keycloak.model.TokenResponse; -import org.gcube.common.scope.api.ScopeProvider; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -13,27 +12,6 @@ public interface KeycloakClient { Logger logger = LoggerFactory.getLogger(KeycloakClient.class); - String CATEGORY = "Auth"; - String NAME = "IAM"; - String DESCRIPTION = "oidc-token endpoint"; - - - /** - * Finds the keycloak token endpoint {@link URL} discovering it in the current scope provided by {@link ScopeProvider} - * - * @return the keycloak token endpoint URL in the current scope - * @throws KeycloakClientException if something goes wrong discovering the endpoint URL - */ - URL findTokenEndpointURL() throws KeycloakClientException; - - /** - * Compute the keycloak introspection endpoint {@link URL} starting from the discovered token endpoint it in the current scope provided by {@link ScopeProvider}. - * - * @return the keycloak introspection endpoint URL in the current scope - * @throws KeycloakClientException if something goes wrong discovering the endpoint URL - */ - URL computeIntrospectionEndpointURL() throws KeycloakClientException; - /** * Compute the keycloak introspection endpoint {@link URL} starting from the provided token endpoint. * @@ -42,16 +20,6 @@ public interface KeycloakClient { */ URL computeIntrospectionEndpointURL(URL tokenEndpointURL) throws KeycloakClientException; - /** - * Queries an OIDC token from the Keycloak server discovered in the current scope, by using provided clientId and client secret. - * - * @param clientId the client id - * @param clientSecret the client secret - * @return the issued token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the query - */ - TokenResponse queryOIDCToken(String clientId, String clientSecret) throws KeycloakClientException; - /** * Queries an OIDC token from the Keycloak server, by using provided clientId and client secret. * @@ -116,60 +84,6 @@ public interface KeycloakClient { TokenResponse queryUMAToken(URL tokenURL, String clientId, String clientSecret, String audience, List permissions) throws KeycloakClientException; - /** - * Queries an UMA token from the Keycloak server discovered in the current scope, by using access-token provided by the {@link TokenResponse} object - * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions. - * - * @param clientId the client id - * @param clientSecret the client secret - * @param audience the audience (context) where to request the issuing of the ticket - * @param permissions a list of permissions, can be null - * @return the issued token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the query - */ - TokenResponse queryUMAToken(TokenResponse oidcTokenResponse, String audience, List permissions) - throws KeycloakClientException; - - /** - * Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret - * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions. - * - * @param clientId the client id - * @param clientSecret the client secret - * @param audience the audience (context) where to request the issuing of the ticket - * @param permissions a list of permissions, can be null - * @return the issued token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the query - */ - TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, List permissions) - throws KeycloakClientException; - - /** - * Queries an UMA token from the Keycloak server discovered in the current scope, by using provided clientId and client secret - * for the current scope as audience (context), in URLEncoded form or not, and optionally a list of permissions. - * - * @param clientId the client id - * @param clientSecret the client secret - * @param permissions a list of permissions, can be null - * @return the issued token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the query - */ - TokenResponse queryUMAToken(String clientId, String clientSecret, List permissions) - throws KeycloakClientException; - - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh - * token JWT encoded string in the token response object. - * - * Client id will be read from "issued for" access token's claim and client secret will be not sent. - *
NOTE: For public clients types only. - * - * @param tokenResponse the previously issued token as {@link TokenResponse} object - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException; - /** * Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the * token response object. @@ -184,33 +98,6 @@ public interface KeycloakClient { */ TokenResponse refreshToken(URL tokenURL, TokenResponse tokenResponse) throws KeycloakClientException; - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh - * token JWT encoded string in the token response object and the provided client id. - * - * Client secret will be not sent. - *
NOTE: For public clients types only. - * - * @param clientId the requestor client id, may be null and in this case will be take from the access token "issued for" claim - * @param tokenResponse the previously issued token as {@link TokenResponse} object - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException; - - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the refresh - * token JWT encoded string in the token response object and the provided client id and secret. - * - * @param clientId the requestor client id, may be null and in this case will be take from the access token "issued for" claim - * @param clientSecret the requestor client secret, may be null for non-confidential clients - * @param tokenResponse the previously issued token as {@link TokenResponse} object - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse) - throws KeycloakClientException; - /** * Refreshes a previously issued token from the Keycloak server using the refresh token JWT encoded string in the * token response object and the provided client id and secret. @@ -224,46 +111,6 @@ public interface KeycloakClient { TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, TokenResponse tokenResponse) throws KeycloakClientException; - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the the refresh token JWT encoded string obtained with the access token in the previous token response. - * - * Client id will be read from "issued for" refresh token's claim and client secret will be not sent. - *
NOTE: For public clients types only. - * - * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException; - - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided - * client id and the refresh token JWT encoded string obtained with the access token in the previous token response. - * - * Client secret will be not used. - *
NOTE: For public clients types only. - * - * @param clientId the requestor client id - * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException; - - /** - * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided - * client id and secret and the refresh token JWT encoded string obtained with the access token in the previous - * token response. - * - * @param clientId the requestor client id - * @param clientSecret the requestor client secret, may be null for non-confidential clients - * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter - * @return the refreshed token as {@link TokenResponse} object - * @throws KeycloakClientException if something goes wrong performing the refresh query - */ - TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWTString) - throws KeycloakClientException; - /** * Refreshes a previously issued token from the Keycloak server by using the client id and secret * and the refresh token JWT encoded string obtained with the access token in the previous token response. @@ -278,17 +125,6 @@ public interface KeycloakClient { TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, String refreshTokenJWTString) throws KeycloakClientException; - /** - * Introspects an access token against the Keycloak server discovered in the current scope. - * - * @param clientId the requestor client id - * @param clientSecret the requestor client secret - * @param accessTokenJWTString the access token to verify - * @return true if the token is valid, false otherwise - * @throws KeycloakClientException if something goes wrong performing the verification - */ - TokenIntrospectionResponse introspectAccessToken(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException; - /** * Introspects an access token against the Keycloak server. * @@ -301,17 +137,6 @@ public interface KeycloakClient { */ TokenIntrospectionResponse introspectAccessToken(URL introspectionURL, String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException; - /** - * Verifies an access token against the Keycloak server discovered in the current scope. - * - * @param clientId the requestor client id - * @param clientSecret the requestor client secret - * @param accessTokenJWTString the access token to verify - * @return a {@link TokenIntrospectionResponse} object with the introspection results; in particular, the active field represents the token validity - * @throws KeycloakClientException if something goes wrong performing the verification - */ - boolean isAccessTokenVerified(String clientId, String clientSecret, String accessTokenJWTString) throws KeycloakClientException; - /** * Verifies an access token against the Keycloak server. * diff --git a/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java b/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java index a3c20c0..0c129f1 100644 --- a/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java +++ b/src/test/java/org/gcube/common/keycloak/TestKeycloakClient.java @@ -5,7 +5,6 @@ import java.net.URL; import org.gcube.common.keycloak.model.ModelUtils; import org.gcube.common.keycloak.model.TokenIntrospectionResponse; import org.gcube.common.keycloak.model.TokenResponse; -import org.gcube.common.scope.api.ScopeProvider; import org.junit.After; import org.junit.Assert; import org.junit.Before; @@ -20,21 +19,20 @@ public class TestKeycloakClient { protected static final Logger logger = LoggerFactory.getLogger(TestKeycloakClient.class); - private static final String DEV_TOKEN_ENDPOINT = "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token"; - private static final String DEV_INTROSPECTION_ENDPOINT = DEV_TOKEN_ENDPOINT + "/introspect"; + protected static final String DEV_TOKEN_ENDPOINT = "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token"; + protected static final String DEV_INTROSPECTION_ENDPOINT = DEV_TOKEN_ENDPOINT + "/introspect"; - private static final String CLIENT_ID = "keycloak-client"; - private static final String CLIENT_SECRET = "38f76152-2b7c-418f-9b67-66f4cc2f401e"; - private static final String TEST_AUDIENCE = "conductor-server"; - private static final String OLD_OIDC_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5Nzk4NDUsImlhdCI6MTY1Mjk3OTU0NSwianRpIjoiMzQ2MjgwMWItODg4NS00YTM4LWJkNDUtNWExM2U1MGE5MGU5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOlsiJTJGZ2N1YmUiLCIlMkZnY3ViZSUyRmRldnNlYyUyRmRldlZSRSIsImFjY291bnQiXSwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImQ4MDk3MDBmLWEyNDUtNDI3Zi1hYzhjLTQxYjFkZDNkYTQ3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiJTJGZ2N1YmUiOnsicm9sZXMiOlsiTWVtYmVyIl19LCJrZXljbG9hay1jbGllbnQiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sIiUyRmdjdWJlJTJGZGV2c2VjJTJGZGV2VlJFIjp7InJvbGVzIjpbIk1lbWJlciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiOTMuNjYuMTg1Ljc1IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjkzLjY2LjE4NS43NSJ9.FQu4ox2HWeqeaY7nHYVGeJVpkJOcASfOb8tbOUeG-GB6sMjRB2S8PjLLaw63r_c42yxKszP04XdxGqIWqXTtoD9QCiUHTT5yJTkIpio4tMMGHth9Fbx-9dwk0yy_IFi1_OsCvZFmOQRdjMuUkj1lSqslCzAw-2E5q1Zt415-au5pEVJYNTFqIsG72ChJwh6eq1Dh1XBy8krb7YVPQyIwxO_awgAYO5hbsdvXYlRfCrnB38kk2V6-CQ-XYoL1m7xIB-gjhKCiFvDmmntQSRCZFgb0qi8eOmh9FdzPxZgx7yPJwAAj17dS4B_gz9FpZBVciNzpA6Lf4P2bqvoD9-R6ow"; - private static final String OLD_UMA_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5ODA0NzgsImlhdCI6MTY1Mjk4MDE3OCwianRpIjoiNjBkNzU3MGMtZmQxOC00NGQ1LTg1MzUtODhlMmFmOGQ1ZTgwIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjI3NDUyN2M5LWNkZjMtNGM2Yi1iNTUxLTFmMTRkZGE5ZGVlZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiSW5mcmFzdHJ1Y3R1cmUtQ2xpZW50Il19LCJhdXRob3JpemF0aW9uIjp7InBlcm1pc3Npb25zIjpbeyJzY29wZXMiOlsiZ2V0Il0sInJzaWQiOiIyNDlmZDQ2OS03OWM1LTRiODUtYjE5NS1mMjliM2ViNjAzNDUiLCJyc25hbWUiOiJtZXRhZGF0YSJ9LHsic2NvcGVzIjpbImdldCIsInN0YXJ0IiwidGVybWluYXRlIl0sInJzaWQiOiJhNmYzZWFkZS03NDA0LTRlNWQtOTA3MC04MDBhZGI1YWFjNGUiLCJyc25hbWUiOiJ3b3JrZmxvdyJ9LHsicnNpZCI6IjFiNmMwMGI3LTkxMzktNGVhYS1hYWM3LTIwMjMxZmVlMDVhNSIsInJzbmFtZSI6IkRlZmF1bHQgUmVzb3VyY2UifV19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJjbGllbnRJZCI6ImtleWNsb2FrLWNsaWVudCIsImNsaWVudEhvc3QiOiI5My42Ni4xODUuNzUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1rZXljbG9hay1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiOTMuNjYuMTg1Ljc1In0.Hh62E56R-amHwoDPFQEylMvrvmNzWnC_4bDI7_iQYAPJ5YzCNH9d7zcdGaQ96kRmps_JRc2Giv_1W9kYorOhlXl-5QLDrSoqrqFxrNpEGG5r5jpNJbusbu4wNUKiCt_GMnM1UmztgXiQeuggNGkmeBIjotj0eubnmIbUV9ukHj3v7Z5PwNKKX3BCpsghd1u8lg6Nfqk_Oho4GXUfdaFY_AR3SNqzVI_9YLhND_a03MNNWlnfOvj8T4nDCKBZIs91tVyiu98d2TjnQt8PdlVwokMP3LA58m0Khy2cmUm1KF2k0zlzP8MxV9wTxNrpovMr-PnbtEPZ_IlVQIzHwjHfwQ"; + protected static final String CLIENT_ID = "keycloak-client-unit-test"; + protected static final String CLIENT_SECRET = "ebf6f82e-9511-408e-8321-203081e472d8"; + protected static final String TEST_AUDIENCE = "conductor-server"; + protected static final String OLD_OIDC_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5Nzk4NDUsImlhdCI6MTY1Mjk3OTU0NSwianRpIjoiMzQ2MjgwMWItODg4NS00YTM4LWJkNDUtNWExM2U1MGE5MGU5IiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOlsiJTJGZ2N1YmUiLCIlMkZnY3ViZSUyRmRldnNlYyUyRmRldlZSRSIsImFjY291bnQiXSwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImQ4MDk3MDBmLWEyNDUtNDI3Zi1hYzhjLTQxYjFkZDNkYTQ3MCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsIkluZnJhc3RydWN0dXJlLUNsaWVudCIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiJTJGZ2N1YmUiOnsicm9sZXMiOlsiTWVtYmVyIl19LCJrZXljbG9hay1jbGllbnQiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sIiUyRmdjdWJlJTJGZGV2c2VjJTJGZGV2VlJFIjp7InJvbGVzIjpbIk1lbWJlciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiJrZXljbG9hay1jbGllbnQiLCJjbGllbnRIb3N0IjoiOTMuNjYuMTg1Ljc1IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQta2V5Y2xvYWstY2xpZW50IiwiY2xpZW50QWRkcmVzcyI6IjkzLjY2LjE4NS43NSJ9.FQu4ox2HWeqeaY7nHYVGeJVpkJOcASfOb8tbOUeG-GB6sMjRB2S8PjLLaw63r_c42yxKszP04XdxGqIWqXTtoD9QCiUHTT5yJTkIpio4tMMGHth9Fbx-9dwk0yy_IFi1_OsCvZFmOQRdjMuUkj1lSqslCzAw-2E5q1Zt415-au5pEVJYNTFqIsG72ChJwh6eq1Dh1XBy8krb7YVPQyIwxO_awgAYO5hbsdvXYlRfCrnB38kk2V6-CQ-XYoL1m7xIB-gjhKCiFvDmmntQSRCZFgb0qi8eOmh9FdzPxZgx7yPJwAAj17dS4B_gz9FpZBVciNzpA6Lf4P2bqvoD9-R6ow"; + protected static final String OLD_UMA_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSSklZNEpoNF9qdDdvNmREY0NlUDFfS1l0akcxVExXVW9oMkQ2Tzk1bFNBIn0.eyJleHAiOjE2NTI5ODA0NzgsImlhdCI6MTY1Mjk4MDE3OCwianRpIjoiNjBkNzU3MGMtZmQxOC00NGQ1LTg1MzUtODhlMmFmOGQ1ZTgwIiwiaXNzIjoiaHR0cHM6Ly9hY2NvdW50cy5kZXYuZDRzY2llbmNlLm9yZy9hdXRoL3JlYWxtcy9kNHNjaWVuY2UiLCJhdWQiOiJjb25kdWN0b3Itc2VydmVyIiwic3ViIjoiYTQ3ZGZlMTYtYjRlZC00NGVkLWExZDktOTdlY2Q1MDQzNjBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoia2V5Y2xvYWstY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjI3NDUyN2M5LWNkZjMtNGM2Yi1iNTUxLTFmMTRkZGE5ZGVlZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiSW5mcmFzdHJ1Y3R1cmUtQ2xpZW50Il19LCJhdXRob3JpemF0aW9uIjp7InBlcm1pc3Npb25zIjpbeyJzY29wZXMiOlsiZ2V0Il0sInJzaWQiOiIyNDlmZDQ2OS03OWM1LTRiODUtYjE5NS1mMjliM2ViNjAzNDUiLCJyc25hbWUiOiJtZXRhZGF0YSJ9LHsic2NvcGVzIjpbImdldCIsInN0YXJ0IiwidGVybWluYXRlIl0sInJzaWQiOiJhNmYzZWFkZS03NDA0LTRlNWQtOTA3MC04MDBhZGI1YWFjNGUiLCJyc25hbWUiOiJ3b3JrZmxvdyJ9LHsicnNpZCI6IjFiNmMwMGI3LTkxMzktNGVhYS1hYWM3LTIwMjMxZmVlMDVhNSIsInJzbmFtZSI6IkRlZmF1bHQgUmVzb3VyY2UifV19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJjbGllbnRJZCI6ImtleWNsb2FrLWNsaWVudCIsImNsaWVudEhvc3QiOiI5My42Ni4xODUuNzUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1rZXljbG9hay1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiOTMuNjYuMTg1Ljc1In0.Hh62E56R-amHwoDPFQEylMvrvmNzWnC_4bDI7_iQYAPJ5YzCNH9d7zcdGaQ96kRmps_JRc2Giv_1W9kYorOhlXl-5QLDrSoqrqFxrNpEGG5r5jpNJbusbu4wNUKiCt_GMnM1UmztgXiQeuggNGkmeBIjotj0eubnmIbUV9ukHj3v7Z5PwNKKX3BCpsghd1u8lg6Nfqk_Oho4GXUfdaFY_AR3SNqzVI_9YLhND_a03MNNWlnfOvj8T4nDCKBZIs91tVyiu98d2TjnQt8PdlVwokMP3LA58m0Khy2cmUm1KF2k0zlzP8MxV9wTxNrpovMr-PnbtEPZ_IlVQIzHwjHfwQ"; - private static TokenResponse oidcTR = null; - private static TokenResponse umaTR = null; + protected static TokenResponse oidcTR = null; + protected static TokenResponse umaTR = null; @Before public void setUp() throws Exception { - ScopeProvider.instance.set("/gcube"); } @After @@ -42,27 +40,7 @@ public class TestKeycloakClient { } @Test - public void test00TokenEndpointDiscovery() throws Exception { - logger.info("*** [0.0] Start testing Keycloak token endpoint discovery..."); - URL url = KeycloakClientFactory.newInstance().findTokenEndpointURL(); - Assert.assertNotNull(url); - Assert.assertTrue(url.getProtocol().equals("https")); - Assert.assertEquals(new URL(DEV_TOKEN_ENDPOINT), url); - logger.info("Discovered URL is: {}", url); - } - - @Test - public void test01TokenEndpointComputeFromDiscovered() throws Exception { - logger.info("*** [0.1] Start testing Keycloak userinfo endpoint computed from discovered URL..."); - URL url = KeycloakClientFactory.newInstance().computeIntrospectionEndpointURL(); - Assert.assertNotNull(url); - Assert.assertTrue(url.getProtocol().equals("https")); - Assert.assertEquals(new URL(DEV_INTROSPECTION_ENDPOINT), url); - logger.info("Discovered URL is: {}", url); - } - - @Test - public void test02TokenEndpointCompute() throws Exception { + public void test02IntrospectEndpointCompute() throws Exception { logger.info("*** [0.2] Start testing Keycloak userinfo endpoint computed from provided URL..."); URL url = KeycloakClientFactory.newInstance().computeIntrospectionEndpointURL(new URL(DEV_TOKEN_ENDPOINT)); Assert.assertNotNull(url); @@ -71,17 +49,6 @@ public class TestKeycloakClient { logger.info("Discovered URL is: {}", url); } - @Test - public void test11QueryOIDCTokenWithDiscoveryInCurrentScope() throws Exception { - logger.info( - "*** [1.1] Start testing query OIDC token from Keycloak with endpoint discovery and current scope..."); - oidcTR = KeycloakClientFactory.newInstance().queryOIDCToken(CLIENT_ID, CLIENT_SECRET); - logger.info("*** [1.1] OIDC access token: {}", oidcTR.getAccessToken()); - logger.info("*** [1.1] OIDC refresh token: {}", oidcTR.getRefreshToken()); - TestModels.checkTokenResponse(oidcTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), "service-account-" + CLIENT_ID); - } - @Test public void test12QueryOIDCToken() throws Exception { logger.info("*** [1.2] Start testing query OIDC token from Keycloak with URL..."); @@ -91,52 +58,7 @@ public class TestKeycloakClient { logger.info("*** [1.2] OIDC access token: {}", oidcTR.getAccessToken()); logger.info("*** [1.2] OIDC refresh token: {}", oidcTR.getRefreshToken()); TestModels.checkTokenResponse(oidcTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), "service-account-" + CLIENT_ID); - } - - @Test - public void test13RefreshOIDCTokenWithDiscovery() throws Exception { - logger.info("*** [1.3] Start testing refresh OIDC token from Keycloak with endpoint discovery..."); - TokenResponse refreshedTR = KeycloakClientFactory.newInstance().refreshToken(CLIENT_ID, CLIENT_SECRET, oidcTR); - logger.info("*** [1.3] Refreshed OIDC access token: {}", refreshedTR.getAccessToken()); - logger.info("*** [1.3] Refreshed OIDC refresh token: {}", refreshedTR.getRefreshToken()); - TestModels.checkTokenResponse(refreshedTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR), "service-account-" + CLIENT_ID); - TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR)); - } - - @Test - public void test21QueryUMATokenWithDiscoveryInCurrentScope() throws Exception { - logger.info( - "*** [2.1] Start testing query UMA token from Keycloak with endpoint discovery and current scope as audience..."); - - umaTR = KeycloakClientFactory.newInstance().queryUMAToken(CLIENT_ID, CLIENT_SECRET, null); - logger.info("*** [2.1] UMA access token: {}", umaTR.getAccessToken()); - logger.info("*** [2.1] UMA refresh token: {}", umaTR.getRefreshToken()); - TestModels.checkTokenResponse(umaTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), "service-account-" + CLIENT_ID); - } - - @Test - public void test22QueryUMATokenWithDiscovery() throws Exception { - logger.info("*** [2.2] Start testing query UMA token from Keycloak with endpoint discovery..."); - umaTR = KeycloakClientFactory.newInstance().queryUMAToken(CLIENT_ID, CLIENT_SECRET, TEST_AUDIENCE, null); - logger.info("*** [2.2] UMA access token: {}", umaTR.getAccessToken()); - logger.info("*** [2.2] UMA refresh token: {}", umaTR.getRefreshToken()); - TestModels.checkTokenResponse(umaTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), "service-account-" + CLIENT_ID); - } - - @Test - public void test23QueryUMATokenWithDiscoveryWithOIDCAuthorization() throws Exception { - logger.info( - "*** [2.3] Start testing query UMA token from Keycloak with endpoint discovery and OIDC access token for authorization..."); - - umaTR = KeycloakClientFactory.newInstance().queryUMAToken(oidcTR, TEST_AUDIENCE, null); - logger.info("*** [2.3] UMA access token: {}", umaTR.getAccessToken()); - logger.info("*** [2.3] UMA refresh token: {}", umaTR.getRefreshToken()); - TestModels.checkTokenResponse(umaTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), "service-account-" + CLIENT_ID); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(oidcTR), "service-account-" + CLIENT_ID, false); } @Test @@ -149,34 +71,7 @@ public class TestKeycloakClient { logger.info("*** [2.4] UMA refresh token: {}", umaTR.getRefreshToken()); TestModels.checkTokenResponse(umaTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), "service-account-" + CLIENT_ID); - } - - @Test - public void test25RefreshUMATokenWithDiscovery() throws Exception { - logger.info("*** [2.5] Start testing refresh UMA token from Keycloak with endpoint discovery..."); - TokenResponse refreshedTR = KeycloakClientFactory.newInstance().refreshToken(CLIENT_ID, CLIENT_SECRET, umaTR); - logger.info("*** [2.5] Refreshed UMA access token: {}", refreshedTR.getAccessToken()); - logger.info("*** [2.5] Refreshed UMA refresh token: {}", refreshedTR.getRefreshToken()); - - TestModels.checkTokenResponse(refreshedTR); - TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(refreshedTR), "service-account-" + CLIENT_ID); - TestModels.checkRefreshToken(ModelUtils.getRefreshTokenFrom(refreshedTR)); - } - - @Test(expected = KeycloakClientException.class) - public void test26RefreshTokenWithDiscoveryAndClientIdFromRefreshToken() throws Exception { - logger.info("*** [2.6] Start testing refresh UMA token *with error* since is not a public client..."); - KeycloakClientFactory.newInstance().refreshToken(umaTR.getRefreshToken()); - } - - @Test - public void test301IntrospectOIDCAccessTokenWithDiscovery() throws Exception { - logger.info("*** [3.1] Start testing introspect OIDC access token with endpoint discovery..."); - TokenIntrospectionResponse tir = KeycloakClientFactory.newInstance().introspectAccessToken(CLIENT_ID, - CLIENT_SECRET, oidcTR.getAccessToken()); - - TestModels.checkTokenIntrospectionResponse(tir); + TestModels.checkAccessToken(ModelUtils.getAccessTokenFrom(umaTR), "service-account-" + CLIENT_ID, true); } @Test @@ -188,15 +83,6 @@ public class TestKeycloakClient { TestModels.checkTokenIntrospectionResponse(tir); } - @Test - public void test303IntrospectUMAAccessTokenWithDiscovery() throws Exception { - logger.info("*** [3.3] Start testing introspect UMA access token with endpoint discovery..."); - TokenIntrospectionResponse tir = KeycloakClientFactory.newInstance().introspectAccessToken(CLIENT_ID, - CLIENT_SECRET, umaTR.getAccessToken()); - - TestModels.checkTokenIntrospectionResponse(tir); - } - @Test public void test304IntrospectUMAAccessToken() throws Exception { logger.info("*** [3.4] Start testing introspect UMA access token..."); @@ -206,13 +92,6 @@ public class TestKeycloakClient { TestModels.checkTokenIntrospectionResponse(tir); } - @Test - public void test305OIDCAccessTokenVerificationWithDiscovery() throws Exception { - logger.info("*** [3.5] Start OIDC access token verification with endpoint discovery..."); - Assert.assertTrue(KeycloakClientFactory.newInstance().isAccessTokenVerified(CLIENT_ID, - CLIENT_SECRET, oidcTR.getAccessToken())); - } - @Test public void test306OIDCAccessTokenVerification() throws Exception { logger.info("*** [3.6] Start OIDC access token verification..."); @@ -227,13 +106,6 @@ public class TestKeycloakClient { new URL(DEV_INTROSPECTION_ENDPOINT), CLIENT_ID, CLIENT_SECRET, OLD_OIDC_ACCESS_TOKEN)); } - @Test - public void test308UMAAccessTokenVerificationWithDiscovery() throws Exception { - logger.info("*** [3.8] Start UMA access token verification with endpoint discovery..."); - Assert.assertTrue(KeycloakClientFactory.newInstance().isAccessTokenVerified(CLIENT_ID, - CLIENT_SECRET, umaTR.getAccessToken())); - } - @Test public void test309UMAAccessTokenVerification() throws Exception { logger.info("*** [3.9] Start UMA access token verification..."); diff --git a/src/test/java/org/gcube/common/keycloak/TestModels.java b/src/test/java/org/gcube/common/keycloak/TestModels.java index a94e94b..c3ca884 100644 --- a/src/test/java/org/gcube/common/keycloak/TestModels.java +++ b/src/test/java/org/gcube/common/keycloak/TestModels.java @@ -57,7 +57,7 @@ public class TestModels { AccessToken at = new ObjectMapper().readValue(new File("src/test/resources/uma-access-token.json"), AccessToken.class); - checkAccessToken(at, null); + checkAccessToken(at, null, true); } @Test @@ -69,9 +69,9 @@ public class TestModels { AccessToken at2 = ModelUtils.getAccessTokenFrom("Bearer " + tr.getAccessToken()); AccessToken at3 = ModelUtils.getAccessTokenFrom("bearer " + tr.getAccessToken()); - checkAccessToken(at1, null); - checkAccessToken(at2, null); - checkAccessToken(at3, null); + checkAccessToken(at1, null, true); + checkAccessToken(at2, null, true); + checkAccessToken(at3, null, true); Assert.assertEquals(ModelUtils.toJSONString(at1), ModelUtils.toJSONString(at2)); Assert.assertEquals(ModelUtils.toJSONString(at2), ModelUtils.toJSONString(at3)); } @@ -92,13 +92,15 @@ public class TestModels { Assert.assertNotNull(tr.getRefreshToken()); } - public static void checkAccessToken(AccessToken at, String preferredUsername) { + public static void checkAccessToken(AccessToken at, String preferredUsername, boolean checkAudience) { logger.debug("Access token:\n{}", ModelUtils.toJSONString(at, true)); Assert.assertNotNull(at.getPreferredUsername()); if (preferredUsername != null) { Assert.assertEquals(preferredUsername, at.getPreferredUsername()); } - Assert.assertNotNull(at.getAudience()); + if (checkAudience) { + Assert.assertNotNull(at.getAudience()); + } } public static void checkRefreshToken(RefreshToken rt) {