Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2454C19DD1 for ; Mon, 25 Apr 2016 15:14:49 +0000 (UTC) Received: (qmail 54486 invoked by uid 500); 25 Apr 2016 15:14:49 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 54386 invoked by uid 500); 25 Apr 2016 15:14:48 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 54371 invoked by uid 99); 25 Apr 2016 15:14:48 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Apr 2016 15:14:48 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 9F1B5DFE61; Mon, 25 Apr 2016 15:14:48 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org
To: commits@cxf.apache.org
Date: Mon, 25 Apr 2016 15:14:49 -0000
Message-Id:
In-Reply-To: <8cc32b2e3e7f432e9df371f857f58bb7@git.apache.org>
References: <8cc32b2e3e7f432e9df371f857f58bb7@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [2/2] cxf git commit: Adding OIDC Hybrid tests
Adding OIDC Hybrid tests
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c8636c03
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c8636c03
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c8636c03
Branch: refs/heads/3.1.x-fixes
Commit: c8636c03666ce1d6bc101e5ae5f39a05375077bd
Parents: 7181101
Author: Colm O hEigeartaigh
Authored: Mon Apr 25 16:14:28 2016 +0100
Committer: Colm O hEigeartaigh
Committed: Mon Apr 25 16:14:28 2016 +0100
----------------------------------------------------------------------
.../security/oauth2/common/OAuth2TestUtils.java | 14 +-
.../oauth2/common/OAuthDataProviderImpl.java | 1 +
.../jaxrs/security/oidc/OIDCFlowTest.java | 161 +++++++++++++++++++
.../systest/jaxrs/security/oidc/oidc-server.xml | 14 +-
4 files changed, 185 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c8636c03/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
index ea7afa0..3ab095d 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
@@ -69,11 +69,18 @@ public final class OAuth2TestUtils { public static String getAuthorizationCode(WebClient client, String scope, String consumerId, String nonce, String state) { + String location = getLocation(client, scope, consumerId, nonce, state, "code", "authorize/"); + return getSubstring(location, "code"); + } + + public static String getLocation(WebClient client, String scope, String consumerId, + String nonce, String state, String responseType, + String path) { // Make initial authorization request client.type("application/json").accept("application/json"); client.query("client_id", consumerId); client.query("redirect_uri", "http://www.blah.apache.org"); - client.query("response_type", "code"); + client.query("response_type", responseType); if (scope != null) { client.query("scope", scope); } @@ -84,7 +91,7 @@ public final class OAuth2TestUtils { client.query("state", state); } - client.path("authorize/"); + client.path(path); Response response = client.get(); OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); @@ -106,6 +113,7 @@ public final class OAuth2TestUtils { if (authzData.getState() != null) { form.param("state", authzData.getState()); } + form.param("response_type", authzData.getResponseType()); form.param("oauthDecision", "allow"); response = client.post(form); @@ -114,7 +122,7 @@ public final class OAuth2TestUtils { Assert.assertTrue(location.contains("state=" + state)); } - return getSubstring(location, "code"); + return location; } public static ClientAccessToken getAccessTokenWithAuthorizationCode(WebClient client, String code) { http://git-wip-us.apache.org/repos/asf/cxf/blob/c8636c03/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java ---------------------------------------------------------------------- 
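Review bot: In the third hunk, `form.param("response_type", authzData.getResponseType())` is posted unconditionally, whereas testImplicitFlow added in this same commit only adds the parameter when `authzData.getResponseType() != null`; what a null value does here depends on how the JAX-RS Form implementation encodes it (an empty `response_type=` or an exception), so guard it the same way: `if (authzData.getResponseType() != null) { form.param("response_type", authzData.getResponseType()); }`. Since getLocation now returns the raw redirect URL for callers to pull `code`, `id_token` and `access_token` out of, a short Javadoc stating that the caller is responsible for checking those fragments, and that `state` is only asserted when one was supplied, would make the helper's contract explicit. getLocation's body spans the four hunks on this line and its middle is outside this view.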
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
index 0fed0d4..0252e1a 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
@@ -45,6 +45,7 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
 client.getAllowedGrantTypes().add("authorization_code");
 client.getAllowedGrantTypes().add("refresh_token");
 client.getAllowedGrantTypes().add("implicit");
+ client.getAllowedGrantTypes().add("hybrid");
 client.getAllowedGrantTypes().add("password");
 client.getAllowedGrantTypes().add("client_credentials");
 client.getAllowedGrantTypes().add("urn:ietf:params:oauth:grant-type:saml2-bearer");
http://git-wip-us.apache.org/repos/asf/cxf/blob/c8636c03/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
index bba05a4..2195cf3 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
@@ -36,6 +36,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -303,6 +304,166 @@ public class OIDCFlowTest extends AbstractBusClientServerTestBase { assertNotNull(accessToken.getTokenKey()); } + @org.junit.Test + public void testImplicitFlow() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Access Token + client.type("application/json").accept("application/json"); + client.query("client_id", "consumer-id"); + client.query("redirect_uri", "http://www.blah.apache.org"); + client.query("scope", "openid"); + client.query("response_type", "id_token token"); + client.query("nonce", "123456789"); + client.path("authorize-implicit/"); + Response response = client.get(); + + OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); + + // Now call "decision" to get the access token + client.path("decision"); + client.type("application/x-www-form-urlencoded"); + + Form form = new Form(); + form.param("session_authenticity_token", authzData.getAuthenticityToken()); + form.param("client_id", authzData.getClientId()); + form.param("redirect_uri", authzData.getRedirectUri()); + form.param("scope", authzData.getProposedScope()); + if (authzData.getResponseType() != null) { + form.param("response_type", authzData.getResponseType()); + } + if (authzData.getNonce() != null) { + form.param("nonce", authzData.getNonce()); + } + form.param("oauthDecision", "allow"); + + response = client.post(form); + + String location = response.getHeaderString("Location"); + + // Check Access Token + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + + // Check IdToken + String 
idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); + } + + @org.junit.Test + public void testHybridCodeIdToken() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + String location = + OAuth2TestUtils.getLocation(client, "openid", "consumer-id", "123456789", null, + "code id_token", "authorize-hybrid"); + assertNotNull(location); + + // Check code + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check id_token + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, "123456789"); + + // Now get the access token + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "consumer-id", "this-is-a-secret", busFile.toString()); + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + // Check id_token from the token endpoint + idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + } + + @org.junit.Test + public void testHybridCodeToken() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + String location = + OAuth2TestUtils.getLocation(client, "openid", "consumer-id", "123456789", null, + "code token", "authorize-hybrid"); + assertNotNull(location); + + // Check code + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check Access Token + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + } + + @org.junit.Test + public void testHybridCodeIdTokenToken() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + String location = + OAuth2TestUtils.getLocation(client, "openid", "consumer-id", "123456789", null, + "code id_token token", "authorize-hybrid"); + assertNotNull(location); + + // Check code + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check id_token + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, "123456789"); + + // Check Access Token + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + } + private void validateIdToken(String idToken, String nonce) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); http://git-wip-us.apache.org/repos/asf/cxf/blob/c8636c03/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-server.xml ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-server.xml index ad95bec..f779096 100644 --- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-server.xml +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-server.xml @@ -66,12 +66,14 @@ under the License. ${testutil.ports.jaxrs-oidc} - + - + + + @@ -94,6 +96,13 @@ under the License. + + + + + + + @@ -106,6 +115,7 @@ under the License. address="https://localhost:${testutil.ports.jaxrs-oidc}/services"> +
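Review bot: The three hybrid tests never check the hash claims that bind the front-channel ID Token to the artefacts returned beside it: for `code id_token` and `code id_token token` the ID Token from the authorization endpoint should carry `c_hash` over the code (and `at_hash` over the access token when one is issued in the same response), which is the property that lets a client detect a substituted code or token, yet only testImplicitFlow asserts `IdToken.ACCESS_TOKEN_HASH_CLAIM`. After `validateIdToken(idToken, "123456789")` in testHybridCodeIdToken and testHybridCodeIdTokenToken, add `JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);` `JwtToken jwt = jwtConsumer.getJwtToken();` `Assert.assertNotNull(jwt.getClaims().getClaim("c_hash"));`, plus the same assertion for `at_hash` in the `code id_token token` case (IdToken appears to expose a constant for `c_hash` next to ACCESS_TOKEN_HASH_CLAIM; prefer it if so). testImplicitFlow sends `nonce=123456789` but then calls `validateIdToken(idToken, null)` and only asserts that a nonce claim is present rather than equal to the value sent, and testHybridCodeIdToken validates the token-endpoint ID Token with a null nonce as well; passing "123456789" in both places, as the front-channel checks already do, would pin the replay protection the nonce exists for (as far as I recall, the spec expects the nonce in the token-endpoint ID Token of the hybrid flow too). validateIdToken's body continues past the end of this hunk, so I cannot see what a null nonce skips.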