Make state and nonce passed on requests in AbstractOAuthClient (#37978)

Closes #37973

Signed-off-by: stianst <stianst@gmail.com>
Stian Thorgersen 2025-03-10 17:17:42 +01:00 committed by GitHub
parent 0b3cfde860
commit 6720c2b29c
32 changed files with 189 additions and 329 deletions


@ -30,8 +30,6 @@ public abstract class AbstractOAuthClient<T> {
protected String request;
protected String requestUri;
protected String claims;
protected StateParamProvider state;
protected String nonce;
private final KeyManager keyManager = new KeyManager(this);
private final TokensManager tokensManager = new TokensManager(keyManager);
@ -308,18 +306,4 @@ public abstract class AbstractOAuthClient<T> {
return claims;
}
public String getState() {
return state != null ? state.getState() : null;
}
public String getNonce() {
return nonce;
}
protected interface StateParamProvider {
String getState();
}
}


@ -20,6 +20,16 @@ public class LoginUrlBuilder extends AbstractUrlBuilder {
return this;
}
public LoginUrlBuilder state(String state) {
parameter(OIDCLoginProtocol.STATE_PARAM, state);
return this;
}
public LoginUrlBuilder nonce(String nonce) {
parameter(OIDCLoginProtocol.NONCE_PARAM, nonce);
return this;
}
public LoginUrlBuilder prompt(String prompt) {
parameter(OIDCLoginProtocol.PROMPT_PARAM, prompt);
return this;
@ -52,8 +62,6 @@ public class LoginUrlBuilder extends AbstractUrlBuilder {
parameter(OAuth2Constants.CLIENT_ID, client.config().getClientId());
parameter(OAuth2Constants.REDIRECT_URI, client.config().getRedirectUri());
parameter(OAuth2Constants.STATE, client.getState());
parameter(OIDCLoginProtocol.NONCE_PARAM, client.getNonce());
parameter(OAuth2Constants.SCOPE, client.config().getScope());
parameter(OAuth2Constants.CODE_CHALLENGE, client.getCodeChallenge());
@ -70,4 +78,10 @@ public class LoginUrlBuilder extends AbstractUrlBuilder {
}
}
public AuthorizationEndpointResponse doLogin(String username, String password) {
open();
client.fillLoginForm(username, password);
return client.parseLoginResponse();
}
}
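Review bot: With `client.getState()` dropped from the default parameters and OAuthClient no longer seeding a random state on init, a request built by `loginForm()` now carries no `state` at all unless the caller invokes the new `state(...)`, so any test that does not pass one silently stops exercising the state round-trip it previously got for free; that deserves a line on the new methods, e.g. `/** Sets the state request parameter; when not called no state is sent, so tests checking the callback should pass a value and compare it with the response. */`, and the same applies to the new `ParRequest.state()`/`nonce()`. Whether `parameter()` omits a null value is not visible here, but the callers that now pass `null` (KcOidcBrokerNonceParameterTest, the FAPI helpers) depend on it, so the Javadoc should state that contract once confirmed. As a point of style, `state()` uses `OIDCLoginProtocol.STATE_PARAM` while the removed default line used `OAuth2Constants.STATE`; presumably the same string, but pick one within this builder.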


@ -24,12 +24,21 @@ public class ParRequest extends AbstractHttpPostRequest<ParRequest, ParResponse>
return this;
}
public ParRequest nonce(String nonce) {
parameter(OIDCLoginProtocol.NONCE_PARAM, nonce);
return this;
}
public ParRequest state(String state) {
parameter(OIDCLoginProtocol.STATE_PARAM, state);
return this;
}
@Override
protected void initRequest() {
parameter(OAuth2Constants.RESPONSE_TYPE, client.config().getResponseType());
parameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM, client.config().getResponseMode());
parameter(OAuth2Constants.REDIRECT_URI, client.config().getRedirectUri());
parameter(OIDCLoginProtocol.NONCE_PARAM, client.getNonce());
parameter(OAuth2Constants.SCOPE, client.config().getScope());
parameter(OIDCLoginProtocol.REQUEST_PARAM, client.getRequest());
parameter(OIDCLoginProtocol.REQUEST_URI_PARAM, client.getRequestUri());


@ -2,7 +2,6 @@ package org.keycloak.testsuite.util.oauth.device;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.keycloak.OAuth2Constants;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.testsuite.util.oauth.AbstractHttpPostRequest;
import org.keycloak.testsuite.util.oauth.AbstractOAuthClient;
@ -22,7 +21,6 @@ public class DeviceAuthorizationRequest extends AbstractHttpPostRequest<DeviceAu
@Override
protected void initRequest() {
parameter(OAuth2Constants.SCOPE, client.config().getScope());
parameter(OIDCLoginProtocol.NONCE_PARAM, client.getNonce());
parameter(OAuth2Constants.CODE_CHALLENGE, client.getCodeChallenge());
parameter(OAuth2Constants.CODE_CHALLENGE_METHOD, client.getCodeChallengeMethod());
}


@ -19,7 +19,6 @@ package org.keycloak.testsuite.util.oauth;
import org.apache.http.impl.client.CloseableHttpClient;
import org.keycloak.OAuth2Constants;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.ClaimsRepresentation;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.util.JsonSerialization;
@ -86,10 +85,8 @@ public class OAuthClient extends AbstractOAuthClient<OAuthClient> {
.postLogoutRedirectUri(APP_ROOT + "/auth")
.responseType(OAuth2Constants.CODE);
state = KeycloakModelUtils::generateId;
clientSessionState = null;
clientSessionHost = null;
nonce = null;
request = null;
requestUri = null;
claims = null;
@ -121,14 +118,6 @@ public class OAuthClient extends AbstractOAuthClient<OAuthClient> {
return config.getScope();
}
public String getState() {
return state.getState();
}
public String getNonce() {
return nonce;
}
public OAuthClient realm(String realm) {
config.realm(realm);
return this;
@ -149,16 +138,6 @@ public class OAuthClient extends AbstractOAuthClient<OAuthClient> {
return this;
}
public OAuthClient stateParamHardcoded(String value) {
this.state = () -> value;
return this;
}
public OAuthClient stateParamRandom() {
this.state = KeycloakModelUtils::generateId;
return this;
}
public OAuthClient scope(String scope) {
config.scope(scope);
return this;
@ -189,11 +168,6 @@ public class OAuthClient extends AbstractOAuthClient<OAuthClient> {
return this;
}
public OAuthClient nonce(String nonce) {
this.nonce = nonce;
return this;
}
public OAuthClient request(String request) {
this.request = request;
return this;


@ -343,8 +343,6 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
OAuthClient oauth1 = new OAuthClient(HttpClientUtils.createDefault(), driver);
// Add some randomness to state, nonce and redirectUri. Verify that login is successful and "state" and "nonce" will match
oauth1.stateParamHardcoded(KeycloakModelUtils.generateId());
oauth1.nonce(KeycloakModelUtils.generateId());
oauth1.redirectUri(oauth.getRedirectUri() + "?some=" + new Random().nextInt(1024));
return oauth1;
}
@ -380,10 +378,13 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
oauth1.client("client" + i, "password");
log.infof("%d [%s]: Accessing login page for %s", threadIndex, Thread.currentThread().getName(), oauth1.getClientId());
String requestState = KeycloakModelUtils.generateId();
String requestNonce = KeycloakModelUtils.generateId();
final HttpClientContext templateContext = clientContexts.get(i % clientContexts.size());
final HttpClientContext context = HttpClientContext.create();
context.setCookieStore(templateContext.getCookieStore());
String pageContent = getPageContent(oauth1.loginForm().build(), httpClient, context);
String pageContent = getPageContent(oauth1.loginForm().nonce(requestNonce).state(requestState).build(), httpClient, context);
assertThat(pageContent, Matchers.containsString("<title>AUTH_RESPONSE</title>"));
assertThat(context.getRedirectLocations(), Matchers.notNullValue());
assertThat(context.getRedirectLocations(), Matchers.not(Matchers.empty()));
@ -393,7 +394,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
String code = query.get(OAuth2Constants.CODE);
String state = query.get(OAuth2Constants.STATE);
Assert.assertEquals("Invalid state.", state, oauth1.getState());
Assert.assertEquals("Invalid state.", requestState, state);
AtomicReference<AccessTokenResponse> accessResRef = new AtomicReference<>();
totalInvocations.incrementAndGet();
@ -410,7 +411,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
Assert.assertNull(refreshedToken.getNonce());
AccessToken idToken = JsonSerialization.readValue(new JWSInput(accessRes.getIdToken()).getContent(), AccessToken.class);
Assert.assertEquals(oauth1.getNonce(), idToken.getNonce());
Assert.assertEquals(requestNonce, idToken.getNonce());
accessResRef.set(accessRes);
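Review bot: The comment retained in the `@ -343` hunk, `// Add some randomness to state, nonce and redirectUri. Verify that login is successful and "state" and "nonce" will match`, is now stale: the two lines under it that set state and nonce were removed, and both values are generated per request in the login loop (`requestState`/`requestNonce`) and asserted against the callback query and the ID token. Suggest `// Add some randomness to redirectUri; state and nonce are generated per request below and verified against the response`. Moving the pair from the shared client to the individual request is the better fit for a concurrency test, since each thread's request now owns the values it later checks.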


@ -260,7 +260,11 @@ public abstract class AbstractBaseBrokerTest extends AbstractKeycloakTest {
}
protected AuthorizationEndpointResponse doLoginSocial(OAuthClient oauth, String brokerId, String username, String password) {
oauth.openLoginForm();
return doLoginSocial(oauth, brokerId, username, password, null);
}
protected AuthorizationEndpointResponse doLoginSocial(OAuthClient oauth, String brokerId, String username, String password, String nonce) {
oauth.loginForm().nonce(nonce).open();
WaitUtils.waitForPageToLoad();
oauth.getDriver().findElement(By.id("social-" + brokerId)).click();
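Review bot: The new five-argument `doLoginSocial` overload has no Javadoc, and the meaning of a `null` nonce — the value KcOidcBrokerNonceParameterTest now passes for its "no nonce" case — is left implicit; whether `LoginUrlBuilder.nonce(null)` omits the parameter or sends it empty is not visible in this diff. Suggest `@param nonce value of the {@code nonce} request parameter, or {@code null} to send the request without one` once that behaviour of `parameter()` is confirmed. The method body continues outside the hunk.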


@ -62,9 +62,8 @@ public class KcOidcBrokerNonceParameterTest extends AbstractBrokerTest {
oauth.realm(bc.consumerRealmName());
oauth.clientId("consumer-client");
oauth.nonce("123456");
AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword());
AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword(), "123456");
String code = authzResponse.getCode();
AccessTokenResponse response = oauth.doAccessTokenRequest(code);
IDToken idToken = toIdToken(response.getIdToken());
@ -89,9 +88,8 @@ public class KcOidcBrokerNonceParameterTest extends AbstractBrokerTest {
oauth.realm(bc.consumerRealmName());
oauth.clientId("consumer-client");
oauth.nonce(null);
AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword());
AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword(), null);
String code = authzResponse.getCode();
AccessTokenResponse response = oauth.doAccessTokenRequest(code);
IDToken idToken = toIdToken(response.getIdToken());


@ -121,9 +121,9 @@ public abstract class AbstractFAPITest extends AbstractClientPoliciesTest {
expectedScopes.containsAll(receivedScopes) && receivedScopes.containsAll(expectedScopes));
}
protected String loginUserAndGetCode(String clientId, boolean fragmentResponseModeExpected) {
protected String loginUserAndGetCode(String clientId, String nonce, boolean fragmentResponseModeExpected) {
oauth.clientId(clientId);
oauth.doLogin(TEST_USERNAME, TEST_USERSECRET);
oauth.loginForm().nonce(nonce).doLogin(TEST_USERNAME, TEST_USERSECRET);
grantPage.assertCurrent();
grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
@ -134,9 +134,9 @@ public abstract class AbstractFAPITest extends AbstractClientPoliciesTest {
return code;
}
protected String loginUserAndGetCodeInJwtQueryResponseMode(String clientId) {
protected String loginUserAndGetCodeInJwtQueryResponseMode(String clientId, String nonce) {
oauth.clientId(clientId);
oauth.doLogin(TEST_USERNAME, TEST_USERSECRET);
oauth.loginForm().nonce(nonce).doLogin(TEST_USERNAME, TEST_USERSECRET);
grantPage.assertCurrent();
grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
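Review bot: Both changed helpers gain a positional `nonce` parameter without Javadoc, and neither passes a `state`, so after the removal of the default random state in OAuthClient these FAPI logins go out with no `state` parameter unless something outside this view sets it — acceptable for the `openid` requests the tests make, but a silent change from the earlier behaviour that callers should see in the signature's documentation. Suggest `/** Logs in the test user and returns the code; nonce may be null to omit the parameter, and no state parameter is sent. */` on both methods. Callers at FAPI1Test pass `null` and so rely on null being dropped by `parameter()`, which this diff does not show.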


@ -263,7 +263,7 @@ public class FAPI1Test extends AbstractFAPITest {
checkRedirectUriForCurrentClientDuringLogin();
// Check PKCE with S256, redirectUri and nonce/state set. Login should be successful
successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> {
successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> {
String signedJwt = getClientSecretSignedJWT("atleast-14chars-password", Algorithm.HS256);
return doAccessTokenRequestWithClientSignedJWT(code, signedJwt, codeVerifier, DefaultHttpClient::new);
});
@ -293,7 +293,7 @@ public class FAPI1Test extends AbstractFAPITest {
checkRedirectUriForCurrentClientDuringLogin();
// Check PKCE with S256, redirectUri and nonce/state set. Login should be successful
successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> {
successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> {
oauth.codeVerifier(codeVerifier);
return oauth.doAccessTokenRequest(code);
});
@ -378,14 +378,13 @@ public class FAPI1Test extends AbstractFAPITest {
Assert.assertTrue(client.isPublicClient());
// Setup PKCE and nonce
oauth.nonce("123456");
String codeVerifier = "1234567890123456789012345678901234567890123"; // 43
String codeChallenge = generateS256CodeChallenge(codeVerifier);
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
// Check PKCE with S256, redirectUri and nonce/state set. Login should be successful
successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> {
successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> {
oauth.codeVerifier(codeVerifier);
return oauth.doAccessTokenRequest(code);
});
@ -394,7 +393,7 @@ public class FAPI1Test extends AbstractFAPITest {
setupPolicyFAPIAdvancedForAllClient();
// Should not be possible to login anymore with public client
oauth.openLoginForm();
oauth.loginForm().nonce("123456").open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_CLIENT, "invalid client access type");
}
@ -462,7 +461,7 @@ public class FAPI1Test extends AbstractFAPITest {
checkRedirectUriForCurrentClientDuringLogin();
// Check login request object required
oauth.openLoginForm();
oauth.loginForm().nonce("123456").open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'");
// Create request without 'nbf' . Should fail in FAPI1 advanced client policy
@ -503,7 +502,7 @@ public class FAPI1Test extends AbstractFAPITest {
PublicKey publicKey = keyPair.getPublic();
String code = loginUserAndGetCode("foo", true);
String code = loginUserAndGetCode("foo", null, true);
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
@ -559,7 +558,7 @@ public class FAPI1Test extends AbstractFAPITest {
checkRedirectUriForCurrentClientDuringLogin();
// Check login request object required
oauth.openLoginForm();
oauth.loginForm().nonce("123456").open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'");
// Set request object and correct responseType
@ -571,7 +570,7 @@ public class FAPI1Test extends AbstractFAPITest {
oauth.openLoginForm();
loginPage.assertCurrent();
String code = loginUserAndGetCode("foo", true);
String code = loginUserAndGetCode("foo", null, true);
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
@ -610,14 +609,9 @@ public class FAPI1Test extends AbstractFAPITest {
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: nonce");
// Check "state" required in non-OIDC request
oauth.nonce("123456");
oauth.stateParamHardcoded(null);
oauth.openid(false);
oauth.openLoginForm();
oauth.loginForm().nonce("123456").open();
assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: state");
// Revert to default "state" parameter generator
oauth.stateParamRandom();
}
private void checkRedirectUriForCurrentClientDuringLogin() {
@ -671,8 +665,8 @@ public class FAPI1Test extends AbstractFAPITest {
}
// codeToTokenExchanger is supposed to exchange "code" for the accessTokenResponse. It is supposed to send the tokenRequest including proper client authentication
private void successfulLoginAndLogout(String clientId, String username, boolean fragmentResponseModeExpected, Function<String, AccessTokenResponse> codeToTokenExchanger) throws Exception {
String code = loginUserAndGetCode(clientId, fragmentResponseModeExpected);
private void successfulLoginAndLogout(String clientId, String nonce, String username, boolean fragmentResponseModeExpected, Function<String, AccessTokenResponse> codeToTokenExchanger) throws Exception {
String code = loginUserAndGetCode(clientId, nonce, fragmentResponseModeExpected);
AccessTokenResponse tokenResponse = codeToTokenExchanger.apply(code);
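Review bot: The `// Setup PKCE and nonce` comment in the `@ -378` hunk now heads a block that only configures PKCE, since the `oauth.nonce("123456")` line beneath it moved into the `successfulLoginAndLogout("foo", "123456", …)` argument; change it to `// Setup PKCE`. The literal `"123456"` is now repeated at several call sites in this file; a `private static final String NONCE = "123456";` would keep them in step and make the intent of the value visible at each use. The enclosing test methods extend beyond the hunks shown.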


@ -119,7 +119,7 @@ public class FAPI2Test extends AbstractFAPITest {
oauth.request(null);
// send an authorization request
String code = loginUserAndGetCode(clientId, false);
String code = loginUserAndGetCode(clientId, null, false);
// send a token request
signedJwt = createSignedRequestToken(clientId, Algorithm.PS256);
@ -168,12 +168,10 @@ public class FAPI2Test extends AbstractFAPITest {
String codeChallenge = generateS256CodeChallenge(codeVerifier);
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
oauth.stateParamHardcoded(null);
oauth.nonce("123456");
// requiring hybrid request - should fail
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN);
ParResponse pResp = oauth.doPushedAuthorizationRequest();
ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("123456").send();
assertEquals(401, pResp.getStatusCode());
assertEquals(OAuthErrorException.UNAUTHORIZED_CLIENT, pResp.getError());
@ -196,25 +194,23 @@ public class FAPI2Test extends AbstractFAPITest {
pResp = oauth.doPushedAuthorizationRequest();
assertEquals(201, pResp.getStatusCode());
requestUri = pResp.getRequestUri();
oauth.stateParamRandom();
oauth.requestUri(requestUri);
oauth.openLoginForm();
oauth.loginForm().state("testFAPI2SecurityProfileLoginWithMTLS").open();
assertBrowserWithError("PAR request did not include necessary parameters");
// duplicated usage of a PAR request - should fail
oauth.openLoginForm();
oauth.loginForm().state("testFAPI2SecurityProfileLoginWithMTLS").open();
assertBrowserWithError("PAR not found. not issued or used multiple times.");
// send a pushed authorization request
oauth.stateParamHardcoded(null);
oauth.requestUri(null);
pResp = oauth.doPushedAuthorizationRequest();
pResp = oauth.pushedAuthorizationRequest().nonce("123456").send();
assertEquals(201, pResp.getStatusCode());
requestUri = pResp.getRequestUri();
// send an authorization request
oauth.requestUri(requestUri);
String code = loginUserAndGetCode(clientId, false);
String code = loginUserAndGetCode(clientId, "123456", false);
// send a token request
oauth.codeVerifier(codeVerifier);
@ -274,7 +270,6 @@ public class FAPI2Test extends AbstractFAPITest {
// Set request object and correct responseType
oauth.client(clientId);
oauth.stateParamHardcoded(null);
String codeVerifier = "1234567890123456789012345678901234567890123"; // 43
String codeChallenge = generateS256CodeChallenge(codeVerifier);
TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
@ -293,12 +288,11 @@ public class FAPI2Test extends AbstractFAPITest {
// send an authorization request
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
oauth.nonce("123456");
oauth.responseType(OIDCResponseType.CODE);
oauth.responseMode(OIDCResponseMode.QUERY_JWT.value());
oauth.requestUri(requestUri);
oauth.request(null);
String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId);
String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId, "123456");
// send a token request
oauth.codeVerifier(codeVerifier);
@ -339,15 +333,12 @@ public class FAPI2Test extends AbstractFAPITest {
assertEquals(true, client.isConsentRequired());
oauth.client(clientId);
oauth.stateParamHardcoded(null);
String codeVerifier = "1234567890123456789012345678901234567890123"; // 43
String codeChallenge = generateS256CodeChallenge(codeVerifier);
// without a request object - should fail
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
oauth.stateParamHardcoded(null);
oauth.nonce("123456");
oauth.responseType(OIDCResponseType.CODE);
TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
registerRequestObject(requestObject, clientId, Algorithm.PS256, true);
@ -355,7 +346,7 @@ public class FAPI2Test extends AbstractFAPITest {
oauth.request(null);
oauth.client(clientId);
String signedJwt = createSignedRequestToken(clientId, Algorithm.PS256);
ParResponse pResp = oauth.pushedAuthorizationRequest().signedJwt(signedJwt).send();
ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("123456").signedJwt(signedJwt).send();
assertEquals(400, pResp.getStatusCode());
assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, pResp.getError());
@ -377,7 +368,7 @@ public class FAPI2Test extends AbstractFAPITest {
// send an authorization request
oauth.requestUri(requestUri);
oauth.request(null);
String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId);
String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId, null);
// send a token request
signedJwt = createSignedRequestToken(clientId, Algorithm.PS256);


@ -71,7 +71,6 @@ public class OAuth2_1ConfidentialClientTest extends AbstractFAPITest {
public void revertPolicies() throws ClientPolicyException {
oauth.openid(true);
oauth.responseType(OIDCResponseType.CODE);
oauth.nonce(null);
oauth.codeChallenge(null);
oauth.codeChallengeMethod(null);
oauth.dpopProof(null);
@ -226,9 +225,8 @@ public class OAuth2_1ConfidentialClientTest extends AbstractFAPITest {
private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce) {
oauth.openid(isOpenid);
oauth.responseType(responseType);
oauth.nonce(nonce);
oauth.redirectUri(validRedirectUri);
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).open();
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError());
assertEquals("Implicit/Hybrid flow is prohibited.", authorizationEndpointResponse.getErrorDescription());


@ -88,7 +88,6 @@ public class OAuth2_1PublicClientTest extends AbstractFAPITest {
public void revertPolicies() throws ClientPolicyException {
oauth.openid(true);
oauth.responseType(OIDCResponseType.CODE);
oauth.nonce(null);
oauth.codeChallenge(null);
oauth.codeChallengeMethod(null);
oauth.dpopProof(null);
@ -274,9 +273,8 @@ public class OAuth2_1PublicClientTest extends AbstractFAPITest {
private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce) {
oauth.openid(isOpenid);
oauth.responseType(responseType);
oauth.nonce(nonce);
oauth.redirectUri(validRedirectUri);
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).open();
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError());
assertEquals("Implicit/Hybrid flow is prohibited.", authorizationEndpointResponse.getErrorDescription());


@ -597,7 +597,6 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
requestObject.setRedirectUriParam(oauth.getRedirectUri());
requestObject.setScope("openid");
String state = KeycloakModelUtils.generateId();
oauth.stateParamHardcoded(state);
requestObject.setState(state);
requestObject.setMax_age(Integer.valueOf(600));
requestObject.setOtherClaims("custom_claim_ein", "rot");
@ -1500,14 +1499,22 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
}
protected void successfulLoginAndLogout(String clientId, String clientSecret) {
AccessTokenResponse res = successfulLogin(clientId, clientSecret);
successfulLoginAndLogout(clientId, clientSecret, null, null);
}
protected void successfulLoginAndLogout(String clientId, String clientSecret, String nonce, String state) {
AccessTokenResponse res = successfulLogin(clientId, clientSecret, nonce, state);
oauth.doLogout(res.getRefreshToken());
events.expectLogout(res.getSessionState()).client(clientId).clearDetails().assertEvent();
}
protected AccessTokenResponse successfulLogin(String clientId, String clientSecret) {
return successfulLogin(clientId, clientSecret, null, null);
}
protected AccessTokenResponse successfulLogin(String clientId, String clientSecret, String nonce, String state) {
oauth.client(clientId, clientSecret);
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
oauth.loginForm().nonce(nonce).state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
@ -1526,9 +1533,8 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest {
String codeChallenge = generateS256CodeChallenge(codeVerifier);
oauth.codeChallenge(codeChallenge);
oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
oauth.nonce("bjapewiziIE083d");
oauth.doLogin(userName, userPassword);
oauth.loginForm().nonce("bjapewiziIE083d").doLogin(userName, userPassword);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
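Review bot: In the `@ -597` hunk, `requestObject.setState(state)` still writes a fresh random state into the request object, but the `oauth.stateParamHardcoded(state)` that kept the query-string `state` equal to it is gone, so the authorization request that later uses this object will carry a different (or no) `state` unless the caller obtains the same value and passes it via `loginForm().state(...)`; the rest of the helper is outside the hunk, so how callers would get it is not visible. Since ClientPoliciesExecutorTest expects "Parameters in 'request' object not matching with request parameters" for a request-object/query mismatch, callers that reach the authorization endpoint with this object presumably need the value exposed — e.g. a Javadoc `@return` noting that `getState()` of the returned object must be passed to `loginForm().state(...)`, or a method returning it. The new `successfulLoginAndLogout`/`successfulLogin` overloads would also benefit from a one-line Javadoc stating that `null` for nonce or state omits that parameter.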


@ -200,8 +200,7 @@ public class ClientPoliciesConditionTest extends AbstractClientPoliciesTest {
try {
failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_NONCE);
oauth.nonce("yesitisnonce");
successfulLoginAndLogout(clientAlphaId, clientAlphaSecret);
successfulLoginAndLogout(clientAlphaId, clientAlphaSecret, "yesitisnonce", "somestate");
} catch (Exception e) {
fail();
}


@ -293,8 +293,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
assertEquals("invalid response_type", authorizationEndpointResponse.getErrorDescription());
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
oauth.nonce("vbwe566fsfffds");
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
oauth.loginForm().nonce("vbwe566fsfffds").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
@ -316,8 +315,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
updateProfiles(json);
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN); // token response type allowed
oauth.nonce("cie8cjcwiw");
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
oauth.loginForm().nonce("cie8cjcwiw").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
loginEvent = events.expectLogin().client(clientId).assertEvent();
sessionId = loginEvent.getSessionId();
@ -425,8 +423,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
assertEquals("invalid response_type", authorizationEndpointResponse.getErrorDescription());
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
oauth.nonce("LIVieviDie028f");
oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
oauth.loginForm().nonce("LIVieviDie028f").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
String sessionId = loginEvent.getSessionId();
@ -634,7 +631,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.setState("notmatchstate");
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
oauth.openLoginForm();
oauth.loginForm().state("wrongstate").open();
authorizationEndpointResponse = oauth.parseLoginResponse();
assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError());
assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", authorizationEndpointResponse.getErrorDescription());
@ -856,15 +853,12 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
oauth.openid(true);
failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_NONCE);
oauth.nonce("yesitisnonce");
successfulLoginAndLogout(clientBetaId, clientBetaSecret);
successfulLoginAndLogout(clientBetaId, clientBetaSecret, "yesitisnonce", "somestate");
oauth.openid(false);
oauth.stateParamHardcoded(null);
failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_STATE);
oauth.stateParamRandom();
successfulLoginAndLogout(clientBetaId, clientBetaSecret);
successfulLoginAndLogout(clientBetaId, clientBetaSecret, "somenonce", "somestate");
}
@Test
@ -1512,13 +1506,13 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
oauth.client(clientBetaId, "secretBeta");
// Pushed Authorization Request
ParResponse pResp = oauth.doPushedAuthorizationRequest();
ParResponse pResp = oauth.pushedAuthorizationRequest().send();
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
oauth.requestUri(requestUri);
oauth.client(clientBetaId);
oauth.openLoginForm();
oauth.loginForm().state("randomstatesomething").open();
assertTrue(errorPage.isCurrent());
assertEquals("PAR request did not include necessary parameters", errorPage.getError());
@ -1529,7 +1523,6 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
requestUri = pResp.getRequestUri();
oauth.requestUri(requestUri);
oauth.stateParamHardcoded(null);
successfulLoginAndLogout(clientBetaId, "secretBeta");
}
@ -1562,15 +1555,14 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
// Pushed Authorization Request without state parameter
oauth.addCustomParameter("request", encodedRequestObject);
ParResponse pResp = oauth.doPushedAuthorizationRequest();
ParResponse pResp = oauth.pushedAuthorizationRequest().send();
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
// only query parameters include state parameter
oauth.removeCustomParameter("request");
oauth.stateParamHardcoded("mystate2");
oauth.requestUri(requestUri);
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
assertTrue(errorPage.isCurrent());
assertEquals("PAR request did not include necessary parameters", errorPage.getError());
@ -1580,7 +1572,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest {
oauth.requestUri(null);
oauth.addCustomParameter("request", encodedRequestObject);
pResp = oauth.doPushedAuthorizationRequest();
pResp = oauth.pushedAuthorizationRequest().state("mystate2").send();
assertEquals(201, pResp.getStatusCode());
requestUri = pResp.getRequestUri();


@ -1212,9 +1212,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
oauth.scope("openid" + " " + "microprofile-jwt");
oauth.request(request);
oauth.client(clientId, clientSecret);
oauth.nonce(nonce);
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).open();
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError());
assertEquals("The intent is not bound with the client", authorizationEndpointResponse.getErrorDescription());
@ -1325,7 +1324,6 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
// revert test client instance settings the same as OAuthClient.init
oauth.openid(true);
oauth.responseType(OIDCResponseType.CODE);
oauth.nonce(null);
}
}
@ -1426,8 +1424,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce, String expectedError, String expectedErrorDescription) {
oauth.openid(isOpenid);
oauth.responseType(responseType);
oauth.nonce(nonce);
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).open();
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
assertEquals(expectedError, authorizationEndpointResponse.getError());
assertEquals(expectedErrorDescription, authorizationEndpointResponse.getErrorDescription());


@ -241,7 +241,7 @@ public abstract class AbstractKerberosTest extends AbstractAuthTest {
protected Response spnegoLogin(String username, String password) {
String kcLoginPageLocation = oauth.loginForm().build();
String kcLoginPageLocation = oauth.loginForm().state("spnegoLogin").build();
// Request for SPNEGO login sent with Resteasy client
spnegoSchemeFactory.setCredentials(username, password);


@ -597,17 +597,15 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest {
String redirectUri1 = String.format("%s/auth/realms/master/app/auth/suffix1", getAuthServerContextRoot());
String redirectUri2 = String.format("%s/auth/realms/master/app/auth/suffix2", getAuthServerContextRoot());
// Open tab1 and start login here
oauth.stateParamHardcoded("state1");
oauth.redirectUri(redirectUri1);
oauth.openLoginForm();
oauth.loginForm().state("state1").open();
loginPage.assertCurrent();
loginPage.login("login-test", "bad-password");
String tab1Url = driver.getCurrentUrl();
// Go to tab2 and start login with different client "root-url-client"
oauth.stateParamHardcoded("state2");
oauth.redirectUri(redirectUri2);
oauth.openLoginForm();
oauth.loginForm().state("state2").open();
loginPage.assertCurrent();
String tab2Url = driver.getCurrentUrl();
@ -629,17 +627,15 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest {
String redirectUri1 = String.format("%s/auth/realms/master/app/auth/suffix1", getAuthServerContextRoot());
String redirectUri2 = String.format("%s/auth/realms/master/app/auth/suffix2", getAuthServerContextRoot());
// Open tab1 and start login here
oauth.stateParamHardcoded("state1");
oauth.redirectUri(redirectUri1);
oauth.openLoginForm();
oauth.loginForm().state("state1").open();
loginPage.assertCurrent();
loginPage.login("login-test", "bad-password");
String tab1Url = driver.getCurrentUrl();
// Go to tab2 and start login with different client "root-url-client"
oauth.stateParamHardcoded("state2");
oauth.redirectUri(redirectUri2);
oauth.openLoginForm();
oauth.loginForm().state("state2").open();
loginPage.assertCurrent();
String tab2Url = driver.getCurrentUrl();


@ -158,10 +158,8 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
oauth.openLoginForm();
oauth.loginForm().state("testRestartCookieWithPar").open();
String restartCookie = driver.manage().getCookieNamed(RestartLoginCookie.KC_RESTART).getValue();
assertRestartCookie(restartCookie);
}


@ -86,14 +86,11 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
public void clientConfiguration() {
oauth.responseType(OAuth2Constants.CODE);
oauth.responseMode(null);
oauth.stateParamRandom();
}
@Test
public void authorizationRequest() throws IOException {
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
Assert.assertNotNull(response.getCode());
@ -166,8 +163,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
@Test
public void authorizationRequestNoState() throws IOException {
oauth.stateParamHardcoded(null);
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
@ -210,8 +205,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
public void authorizationRequestFormPostResponseModeInvalidResponseType() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value());
oauth.responseType("tokenn");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.openLoginForm();
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").open();
String error = driver.findElement(By.id("error")).getText();
String state = driver.findElement(By.id("state")).getText();
@ -225,8 +219,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
public void authorizationRequestFormPostResponseModeWithoutResponseType() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value());
oauth.responseType(null);
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.openLoginForm();
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").open();
String error = driver.findElement(By.id("error")).getText();
String errorDescription = driver.findElement(By.id("error_description")).getText();
@ -242,8 +235,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
@Test
public void authorizationRequestFormPostResponseMode() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value());
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
String sources = driver.getPageSource();
System.out.println(sources);
@ -282,14 +274,16 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
oauth.responseType(OAuth2Constants.CODE);
final String redirectUri = oauth.getRedirectUri() + "?p=&gt;"; // set HTML entity &gt;
oauth.redirectUri(redirectUri);
oauth.stateParamHardcoded(KeycloakModelUtils.generateId());
oauth.doLogin("test-user@localhost", "password");
String requestState = "authorizationRequestFormPostResponseModeHTMLEntitiesRedirectUri";
oauth.loginForm().state(requestState).doLogin("test-user@localhost", "password");
WaitUtils.waitForPageToLoad();
// if not properly encoded %3E would be received instead of &gt;
Assert.assertEquals("Redirect page was not encoded", redirectUri, oauth.getDriver().getCurrentUrl());
String state = driver.findElement(By.id("state")).getText();
Assert.assertEquals(oauth.getState(), state);
Assert.assertEquals(requestState, state);
Assert.assertNotNull(driver.findElement(By.id("code")).getText());
events.expect(EventType.LOGIN)
@ -311,8 +305,9 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
oauth.responseType(OAuth2Constants.CODE);
final String redirectUri = oauth.getRedirectUri() + "?p=&gt;"; // set HTML entity &gt;
oauth.redirectUri(redirectUri);
oauth.stateParamHardcoded(KeycloakModelUtils.generateId());
oauth.doLogin("test-user@localhost", "password");
String requestState = "authorizationRequestFormPostJwtResponseModeHTMLEntitiesRedirectUri";
oauth.loginForm().state(requestState).doLogin("test-user@localhost", "password");
WaitUtils.waitForPageToLoad();
// if not properly encoded %3E would be received instead of &gt;
@ -322,7 +317,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
assertEquals("test-app", responseToken.getAudience()[0]);
Assert.assertNotNull(responseToken.getOtherClaims().get("code"));
Assert.assertNull(responseToken.getOtherClaims().get("error"));
Assert.assertEquals(oauth.getState(), responseToken.getOtherClaims().get("state"));
Assert.assertEquals(requestState, responseToken.getOtherClaims().get("state"));
Assert.assertNotNull(responseToken.getOtherClaims().get("code"));
events.expect(EventType.LOGIN)
@ -338,8 +333,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
@Test
public void authorizationRequestFormPostResponseModeWithCustomState() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST.value());
oauth.stateParamHardcoded("\"><foo>bar_baz(2)far</foo>");
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().state("\"><foo>bar_baz(2)far</foo>").doLogin("test-user@localhost", "password");
String sources = driver.getPageSource();
System.out.println(sources);
@ -357,7 +351,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
public void authorizationRequestFragmentResponseModeNotKept() throws Exception {
// Set response_mode=fragment and login
oauth.responseMode(OIDCResponseMode.FRAGMENT.value());
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("authorizationRequestFragmentResponseModeNotKept").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
Assert.assertNotNull(response.getState());
@ -368,7 +362,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
// Unset response_mode. The initial OIDC AuthenticationRequest won't contain "response_mode" parameter now and hence it should fallback to "query".
oauth.responseMode(null);
oauth.openLoginForm();
oauth.loginForm().state("authorizationRequestFragmentResponseModeNotKept2").open();
response = oauth.parseLoginResponse();
Assert.assertNotNull(response.getCode());
@ -382,8 +376,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
@Test
public void authorizationRequestParamsMoreThanOnce() throws IOException {
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
String logoutUrl = UriBuilder.fromUri(oauth.loginForm().build()).queryParam(OAuth2Constants.SCOPE, "read_write")
.queryParam(OAuth2Constants.STATE, "abcdefg")
.queryParam(OAuth2Constants.SCOPE, "pop push").build().toString();
@ -400,8 +392,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest {
@Test
public void authorizationRequestClientParamsMoreThanOnce() throws IOException {
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
String logoutUrl = UriBuilder.fromUri(oauth.loginForm().build()).queryParam(OAuth2Constants.SCOPE, "read_write")
.queryParam(OAuth2Constants.CLIENT_ID, "client2client")
.queryParam(OAuth2Constants.REDIRECT_URI, "https://www.example.com")
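Review bot: Removing `oauth.stateParamHardcoded(...)` in authorizationRequestParamsMoreThanOnce (hunk at -382) changes what that test exercises: the URL from `oauth.loginForm().build()` no longer carries a `state` parameter, so the following `.queryParam(OAuth2Constants.STATE, "abcdefg")` now adds the only state value instead of a duplicate, and only `scope` is still sent twice. If the assertions further down (outside the hunk) expect the server to reject the duplicated state as well, restore the duplication with `UriBuilder.fromUri(oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").build())`. The parallel removal at -400 only drops state from a request that duplicates client_id and redirect_uri, so that test's coverage is unchanged.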


@ -177,8 +177,7 @@ public class OAuth2OnlyTest extends AbstractTestRealmKeycloakTest {
@Test
public void testMissingNonceInOAuth2ImplicitFlow() throws Exception {
oauth.responseType("token");
oauth.nonce(null);
String loginFormUrl = oauth.loginForm().build();
String loginFormUrl = oauth.loginForm().nonce(null).build();
loginFormUrl = ActionURIUtils.removeQueryParamFromURI(loginFormUrl, OAuth2Constants.SCOPE);
driver.navigate().to(loginFormUrl);
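Review bot: `oauth.loginForm().nonce(null).build()` produces a nonce-free URL only if `LoginUrlBuilder.parameter()` skips null values, and nothing in this hunk pins that; a builder that rendered `nonce=` or `nonce=null` would silently turn this into a test of a present-but-bogus nonce. Since the state and nonce fields were removed from the client, the call is also redundant with the default of sending no nonce, so its purpose should be stated and checked before navigating: `// nonce deliberately omitted to exercise the OAuth2 implicit flow without one` followed by `assertFalse(loginFormUrl.contains(OIDCLoginProtocol.NONCE_PARAM + "="));`. The method body continues outside the hunk, so the assertions it drives are not visible here.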


@ -38,13 +38,10 @@ public class OAuthRedirectUriStateTest extends AbstractTestRealmKeycloakTest {
public void clientConfiguration() {
oauth.clientId("test-app");
oauth.responseType(OIDCResponseType.CODE);
oauth.stateParamRandom();
}
void assertStateReflected(String state) {
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state(state).doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
URL url;


@ -195,9 +195,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
@Test
public void refreshTokenStructure() {
oauth.nonce("123456");
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().nonce("123456").doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().assertEvent();
@ -227,8 +225,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest {
@Test
public void refreshTokenRequest() throws Exception {
oauth.nonce("123456");
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().nonce("123456").doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().assertEvent();


@ -611,9 +611,8 @@ public class HoKTest extends AbstractTestRealmKeycloakTest {
ClientManager.realm(adminClient.realm("test")).clientId("test-app").standardFlow(true).implicitFlow(true);
oauth.client("test-app", "password");
oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
oauth.nonce(nonce);
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().assertEvent();
AuthorizationEndpointResponse authzResponse = oauth.parseLoginResponse();


@ -168,9 +168,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String state = "testSuccessfulSinglePar";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId =loginResponse.getSessionState();
@ -247,9 +246,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String state = "testSuccessfulSingleParPublicClient";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId =loginResponse.getSessionState();
@ -462,7 +460,7 @@ public class ParTest extends AbstractClientPoliciesTest {
requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI);
requestObject.setScope("openid");
requestObject.setNonce(KeycloakModelUtils.generateId());
requestObject.setState(oauth.stateParamRandom().getState());
requestObject.setState("testRequestParameterPrecedenceOverOtherParameters");
byte[] contentBytes = JsonSerialization.writeValueAsBytes(requestObject);
@ -483,8 +481,7 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.responseType("code id_token");
oauth.redirectUri("http://invalid");
oauth.scope(null);
oauth.nonce("12345");
ParResponse pResp = oauth.doPushedAuthorizationRequest();
ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("12345").send();
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
assertEquals(requestUriLifespan, pResp.getExpiresIn());
@ -493,12 +490,10 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.redirectUri("http://invalid");
oauth.responseType("invalid");
oauth.redirectUri(null);
oauth.nonce("12345");
oauth.request(null);
oauth.requestUri(requestUri);
String wrongState = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(wrongState);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String wrongState = "wrongState";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(wrongState).nonce("12345").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(requestObject.getState(), loginResponse.getState());
assertNotEquals(requestObject.getState(), wrongState);
@ -565,8 +560,7 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.responseType("code id_token");
oauth.redirectUri("http://invalid");
oauth.scope(null);
oauth.nonce("12345");
ParResponse pResp = oauth.doPushedAuthorizationRequest();
ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("12345").send();
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
assertEquals(requestUriLifespan, pResp.getExpiresIn());
@ -575,12 +569,10 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.redirectUri("http://invalid");
oauth.responseType("invalid");
oauth.redirectUri(null);
oauth.nonce("12345");
oauth.request(null);
oauth.requestUri(requestUri);
String wrongState = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(wrongState);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String wrongState = "wrongState";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(wrongState).nonce("12345").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertNull(loginResponse.getState());
assertNotEquals(requestObject.getState(), wrongState);
@ -632,9 +624,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriTwo);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD);
String state = "testSuccessfulMultipleParBySameClient";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId =loginResponse.getSessionState();
@ -664,9 +655,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriOne);
state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
state = "testSuccessfulMultipleParBySameClient2";
loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
code = loginResponse.getCode();
sessionId =loginResponse.getSessionState();
@ -734,9 +724,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriTwo);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD);
String state = "testSuccessfulMultipleParByMultipleClients";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId =loginResponse.getSessionState();
@ -767,9 +756,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUriOne);
state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
state = "testSuccessfulMultipleParByMultipleClients2";
loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
code = loginResponse.getCode();
sessionId =loginResponse.getSessionState();
@ -817,9 +805,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(IMAGINARY_REQUEST_URI);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
oauth.openLoginForm();
String state = "testFailureNotIssuedParUsed";
oauth.loginForm().state(state).open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
Assert.assertFalse(errorResponse.isRedirected());
}
@ -851,9 +838,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String state = "testFailureParUsedTwice";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
@ -864,9 +850,8 @@ public class ParTest extends AbstractClientPoliciesTest {
// Authorization Request with request_uri of PAR
// use same redirect_uri
state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
oauth.openLoginForm();
state = "testFailureParUsedTwice2";
oauth.loginForm().state(state).open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
Assert.assertFalse(errorResponse.isRedirected());
}
@ -911,9 +896,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
oauth.openLoginForm();
String state = "testFailureParUsedByOtherClient";
oauth.loginForm().state(state).open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
Assert.assertFalse(errorResponse.isRedirected());
}
@ -975,9 +959,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
oauth.openLoginForm();
String state = "testFailureParExpired";
oauth.loginForm().state(state).open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
Assert.assertFalse(errorResponse.isRedirected());
}
@ -1264,9 +1247,8 @@ public class ParTest extends AbstractClientPoliciesTest {
oauth.scope(null);
oauth.responseType(null);
oauth.requestUri(requestUri);
String state = oauth.stateParamRandom().getState();
oauth.stateParamHardcoded(state);
AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
String state = "doNormalAuthzProcess";
AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertEquals(state, loginResponse.getState());
String code = loginResponse.getCode();
String sessionId =loginResponse.getSessionState();
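Review bot: In the hunks at -483/-493 and -565/-575 the same nonce `"12345"` is sent both on the pushed request (`pushedAuthorizationRequest().nonce("12345").send()`) and again on the authorization request (`loginForm().state(wrongState).nonce("12345")`), so these tests cannot distinguish whether the server took the nonce from the PAR-bound request object or from the query string; for state the test deliberately uses a different value (`wrongState`) and asserts `requestObject.getState()` wins. If precedence of the PAR-bound parameters over the query string is the point of these tests, a distinct query-side nonce (e.g. `"wrongNonce"`, constructed) with a matching assertion on the returned id_token nonce would make the check meaningful; the nonce assertions, if any, lie outside the hunk. Also note `wrongState` is now a fixed literal rather than random, so `assertNotEquals(requestObject.getState(), wrongState)` only holds as long as the request object's state (set outside the hunk) never equals `"wrongState"`.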


@ -182,8 +182,7 @@ public class AuthorizationTokenEncryptionTest extends AbstractTestRealmKeycloakT
// get authorization response
oauth.responseMode("jwt");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
// parse JWE and JOSE Header
String jweStr = response.getResponse();
@ -279,9 +278,7 @@ public class AuthorizationTokenEncryptionTest extends AbstractTestRealmKeycloakT
// get authorization response but failed
oauth.responseMode("jwt");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse errorResponse = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse errorResponse = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
System.out.println(driver.getPageSource().contains("Unexpected error when handling authentication request to identity provider."));


@ -53,9 +53,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
@Test
public void authorizationRequestQueryJWTResponseMode() throws Exception {
oauth.responseMode(OIDCResponseMode.QUERY_JWT.value());
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -72,9 +71,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
public void authorizationRequestJWTResponseMode() throws Exception {
// jwt response_mode. It should fallback to query.jwt
oauth.responseMode("jwt");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -96,9 +94,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
@Test
public void authorizationRequestFragmentJWTResponseMode() throws Exception {
oauth.responseMode(OIDCResponseMode.FRAGMENT_JWT.value());
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -118,8 +115,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
@Test
public void authorizationRequestFormPostJWTResponseMode() throws IOException {
oauth.responseMode(OIDCResponseMode.FORM_POST_JWT.value());
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
String sources = driver.getPageSource();
System.out.println(sources);
@ -142,10 +138,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
// jwt response_mode. It should fallback to fragment.jwt when its hybrid flow
oauth.responseMode("jwt");
oauth.responseType("code id_token");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.nonce("123456");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -173,10 +167,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
// jwt response_mode. It should fallback to fragment.jwt when its hybrid flow
oauth.responseMode("jwt");
oauth.responseType("token id_token");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.nonce("123456");
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").doLogin("test-user@localhost", "password");
assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -206,9 +198,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
ClientManager.realm(adminClient.realm("test")).clientId("test-app").implicitFlow(true);
oauth.responseMode("query.jwt");
oauth.responseType("code id_token");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.nonce("123456");
oauth.openLoginForm();
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(errorResponse.getResponse());
@ -223,9 +213,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
ClientManager.realm(adminClient.realm("test")).clientId("test-app").implicitFlow(true);
oauth.responseMode("query.jwt");
oauth.responseType("code id_token");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
oauth.nonce("123456");
oauth.openLoginForm();
oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").open();
AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(errorResponse.getResponse());
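Review bot: The state literal `"OpenIdConnect.AuthenticationProperties=2302984sdlk"` is now repeated inline in all eight hunks of this file (and again in the AuthorizationCodeTest and AuthorizationTokenEncryptionTest sections), where before it was set once per test via `stateParamHardcoded`; each `loginForm().state(...)` line is over 150 characters because of it. A class-level constant, `private static final String STATE = "OpenIdConnect.AuthenticationProperties=2302984sdlk";`, used as `oauth.loginForm().state(STATE).doLogin(...)`, keeps the value in one place and makes the later `getState()` comparisons read against a name rather than a copied string. The enclosing test methods continue outside the hunks.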


@ -149,7 +149,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void accessTokenFalseIntrospectionTrueTest() throws IOException {
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@ -170,7 +169,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void accessTokenTrueIntrospectionFalseTest() throws IOException {
ProtocolMappersResource protocolMappers = setProtocolMappers(true, false, true);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@ -192,7 +190,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void accessTokenTrueIntrospectionTrueTest() throws IOException {
ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, true);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@ -213,7 +210,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void accessTokenTrueIntrospectionReturnedAsJwt() throws IOException {
ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, true);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@ -238,7 +234,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void offlineTokenTest() throws IOException {
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
try {
oauth.nonce("123456");
oauth.scope("openid address offline_access");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@ -263,7 +258,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void clientCredentialTest() throws Exception {
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, false);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@ -286,7 +280,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
public void exchangeTest() throws Exception {
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@ -312,12 +305,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
setUseLightweightAccessTokenExecutor();
ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, false, false);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
String accessToken = tokenResponse.getAccessToken();
assertAccessToken(oauth.verifyToken(accessToken), true, false, true);
@ -347,12 +339,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
setUseLightweightAccessTokenExecutor();
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true, false);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
String accessToken = tokenResponse.getAccessToken();
logger.debug("access token:" + accessToken);
@ -379,12 +370,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
alwaysUseLightWeightAccessToken(true);
ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, false, false);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
String accessToken = tokenResponse.getAccessToken();
assertAccessToken(oauth.verifyToken(accessToken), true, false, true);
@ -414,12 +404,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
alwaysUseLightWeightAccessToken(true);
ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true, false);
try {
oauth.nonce("123456");
oauth.scope("address");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
String accessToken = tokenResponse.getAccessToken();
logger.debug("access token:" + accessToken);
@ -483,8 +472,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
removeDefaultBasicClientScope();
alwaysUseLightWeightAccessToken(true);
try {
oauth.nonce("123456");
oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
AccessTokenResponse response = oauth.doClientCredentialsGrantAccessTokenRequest();
String accessToken = response.getAccessToken();
@ -886,7 +873,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
}
private TokenResponseContext browserLogin(String username, String password) {
AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(username, password);
AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(username, password);
String userSessionId = authsEndpointResponse.getSessionState();
AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
return new TokenResponseContext(userSessionId, tokenResponse);


@ -137,10 +137,9 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
private void testNonceImplicit(boolean mapper) throws IOException {
String nonce = KeycloakModelUtils.generateId();
oauth.nonce(nonce);
oauth.responseMode(OIDCResponseMode.JWT.value());
oauth.responseType(OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN);
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password");
Assert.assertTrue(response.isRedirected());
AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@ -158,11 +157,10 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
private void testNonce(boolean mapper, boolean offlineSession) throws IOException {
String nonce = KeycloakModelUtils.generateId();
oauth.nonce(nonce);
if (offlineSession) {
oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
}
oauth.doLogin("test-user@localhost", "password");
oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password");
EventRepresentation loginEvent = events.expectLogin().assertEvent();
String code = oauth.parseLoginResponse().getCode();


@ -511,7 +511,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// REQUEST & REQUEST_URI
@Test
public void requestObjectNotRequiredNotProvided() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -520,7 +519,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request without request object
// Assert that the request is accepted
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
Assert.assertEquals("mystate2", response.getState());
assertTrue(appPage.isCurrent());
@ -528,7 +527,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectNotRequiredProvidedInRequestParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -542,7 +540,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
// Assert that the request is accepted
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals("mystate2", response1.getState());
assertTrue(appPage.isCurrent());
@ -550,7 +548,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectNotRequiredProvidedInRequestUriParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -564,7 +561,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
// Assert that the request is accepted
AuthorizationEndpointResponse response2 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response2 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response2.getCode());
Assert.assertEquals("mystate2", response2.getState());
assertTrue(appPage.isCurrent());
@ -572,7 +569,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredNotProvided() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -581,7 +577,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request without request object
// Assert that the request is not accepted
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -592,7 +588,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredProvidedInRequestParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -606,7 +601,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
// Assert that the request is accepted
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals("mystate2", response1.getState());
assertTrue(appPage.isCurrent());
@ -620,7 +615,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
public void requestObjectSupersedesQueryParameter() {
String stateInRequestObject = "stateInRequestObject";
String stateInQueryParameter = "stateInQueryParameter";
oauth.stateParamHardcoded(stateInQueryParameter);
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -634,7 +629,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
// Assert that the request is accepted
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state(stateInQueryParameter).doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals(stateInRequestObject, response1.getState());
assertTrue(appPage.isCurrent());
@ -646,20 +641,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectClientIdAndResponseTypeTest() {
oauth.stateParamHardcoded("some-state");
// Test that "client_id" mandatory in the query even if set in the "request" object
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "some-state", "none");
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
oauth.clientId(null);
oauth.openLoginForm();
oauth.loginForm().state("some-state").open();
errorPage.assertCurrent();
// Test that "response_type" mandatory in the query even if set in the "request" object
oauth.clientId("test-app");
oauth.responseType(null);
oauth.openLoginForm();
oauth.loginForm().state("some-state").open();
appPage.assertCurrent();
AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
Assert.assertEquals("invalid_request", authorizationEndpointResponse.getError());
@ -668,13 +661,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Test that different "client_id" in the query and in the request object is disallowed
oauth.clientId("test-app-scope");
oauth.responseType(OAuth2Constants.CODE);
oauth.openLoginForm();
oauth.loginForm().state("some-state").open();
errorPage.assertCurrent();
// Test that different "response_type" in the query and in the request object is disallowed
oauth.clientId("test-app");
oauth.responseType(OAuth2Constants.CODE + " " + OAuth2Constants.ID_TOKEN);
oauth.openLoginForm();
oauth.loginForm().state("some-state").open();
appPage.assertCurrent();
oauth.responseMode("query"); // Keycloak falls back to query in this case
authorizationEndpointResponse = oauth.parseLoginResponse();
@ -691,14 +684,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
oauth.request(requestObjectString);
oauth.clientId("test-app");
oauth.responseType(OAuth2Constants.CODE);
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state("some-state").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals("request-state", response1.getState());
}
@Test
public void requestObjectRequiredProvidedInRequestUriParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -712,7 +704,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
// Assert that the request is accepted
AuthorizationEndpointResponse response2 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response2 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response2.getCode());
Assert.assertEquals("mystate2", response2.getState());
assertTrue(appPage.isCurrent());
@ -724,7 +716,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestParamNotProvided() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -733,7 +724,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request without request object
// Assert that the request is not accepted
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -744,7 +735,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestParamProvidedInRequestParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -758,7 +748,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
// Assert that the request is accepted
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals("mystate2", response1.getState());
assertTrue(appPage.isCurrent());
@ -770,7 +760,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestParamProvidedInRequestUriParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -784,7 +773,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
// Assert that the request is accepted
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -795,7 +784,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestUriParamNotProvided() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -804,7 +792,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request without request object
// Assert that the request is not accepted
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -815,7 +803,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestUriParamProvidedInRequestParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -829,7 +816,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object in "request" param
oauth.request(oidcClientEndpointsResource.getOIDCRequest());
// Assert that the request is not accepted
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid Request", errorPage.getError());
@ -840,7 +827,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestObjectRequiredAsRequestUriParamProvidedInRequestUriParam() {
oauth.stateParamHardcoded("mystate2");
// Set request object not required for client
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
ClientRepresentation clientRep = clientResource.toRepresentation();
@ -854,7 +840,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
// Send request object reference in "request_uri" param
oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
// Assert that the request is accepted
AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response1.getCode());
Assert.assertEquals("mystate2", response1.getState());
assertTrue(appPage.isCurrent());
@ -866,8 +852,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
@Test
public void requestParamUnsigned() {
oauth.stateParamHardcoded("mystate2");
String validRedirectUri = oauth.getRedirectUri();
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
@ -876,7 +860,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
String requestStr = oidcClientEndpointsResource.getOIDCRequest();
oauth.request(requestStr);
oauth.openLoginForm();
oauth.loginForm().state("mystate2").open();
Assert.assertTrue(errorPage.isCurrent());
assertEquals("Invalid parameter: redirect_uri", errorPage.getError());
@ -886,7 +870,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
requestStr = oidcClientEndpointsResource.getOIDCRequest();
oauth.request(requestStr);
AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
AuthorizationEndpointResponse response = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
Assert.assertNotNull(response.getCode());
Assert.assertEquals("mystate2", response.getState());
assertTrue(appPage.isCurrent());
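Review bot: The state value `"mystate2"` that each test used to set once through `oauth.stateParamHardcoded` is now repeated as a literal on every `loginForm().state(...)` call, starting with `requestObjectNotRequiredNotProvided`, and again in the `Assert.assertEquals("mystate2", response.getState())` that checks it, so the value sent and the value expected can drift apart without the test noticing. A class constant such as `private static final String STATE = "mystate2";` used in both `.state(STATE)` and `Assert.assertEquals(STATE, response.getState())` keeps them tied together. The same applies to `"some-state"` in `requestObjectClientIdAndResponseTypeTest`, where the literal is also what the request object is built with and is then repeated on five separate `open()`/`doLogin` calls in that test. The surrounding test bodies continue outside the visible hunks.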


@ -128,8 +128,7 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
}
protected void validateNonceNotUsedErrorExpected() {
oauth.nonce(null);
oauth.openLoginForm();
oauth.loginForm().nonce(null).open();
assertFalse(loginPage.isCurrent());
assertTrue(appPage.isCurrent());
@ -181,11 +180,7 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
protected EventRepresentation loginUser(String nonce) {
if (nonce != null) {
oauth.nonce(nonce);
}
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).state("somestate").open();
loginPage.assertCurrent();
loginPage.login("test-user@localhost", "password");
@ -195,15 +190,11 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc
}
protected EventRepresentation loginUserWithRedirect(String nonce, String redirectUri) {
if (nonce != null) {
oauth.nonce(nonce);
}
if (redirectUri != null) {
oauth.redirectUri(redirectUri);
}
oauth.openLoginForm();
oauth.loginForm().nonce(nonce).state("somestate").open();
loginPage.assertCurrent();
loginPage.login("test-user@localhost", "password");