diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java index 7e0ca24a83f..fd51c64e256 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/AbstractOAuthClient.java @@ -30,8 +30,6 @@ public abstract class AbstractOAuthClient { protected String request; protected String requestUri; protected String claims; - protected StateParamProvider state; - protected String nonce; private final KeyManager keyManager = new KeyManager(this); private final TokensManager tokensManager = new TokensManager(keyManager); @@ -308,18 +306,4 @@ public abstract class AbstractOAuthClient { return claims; } - public String getState() { - return state != null ? state.getState() : null; - } - - public String getNonce() { - return nonce; - } - - protected interface StateParamProvider { - - String getState(); - - } - } diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/LoginUrlBuilder.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/LoginUrlBuilder.java index f64f0bad0a4..92408691a8d 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/LoginUrlBuilder.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/LoginUrlBuilder.java @@ -20,6 +20,16 @@ public class LoginUrlBuilder extends AbstractUrlBuilder { return this; } + public LoginUrlBuilder state(String state) { + parameter(OIDCLoginProtocol.STATE_PARAM, state); + return this; + } + + public LoginUrlBuilder nonce(String nonce) { + parameter(OIDCLoginProtocol.NONCE_PARAM, nonce); + return this; + } + public LoginUrlBuilder prompt(String prompt) { parameter(OIDCLoginProtocol.PROMPT_PARAM, prompt); return this; 
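Review bot: The new `state(String)` and `nonce(String)` methods in LoginUrlBuilder carry no Javadoc, and because the builder's `build()` hunk below no longer adds a state on its own, a caller who does not invoke `state(...)` now sends an authorization request with no `state` at all. I would add `/** Sets the {@code state} parameter, the client's CSRF binding for the authorization response; nothing is sent unless this is called. */` and `/** Sets the OIDC {@code nonce} expected to be echoed back in the ID token. */` above the two methods. Several call sites later in this diff pass `null` (for example `doLoginSocial(..., null)` and `successfulLogin(..., null, null)`), so this presumably relies on `parameter()` dropping null values — that behaviour lives outside the hunk and is worth stating in the Javadoc once confirmed.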
@@ -52,8 +62,6 @@ public class LoginUrlBuilder extends AbstractUrlBuilder { parameter(OAuth2Constants.CLIENT_ID, client.config().getClientId()); parameter(OAuth2Constants.REDIRECT_URI, client.config().getRedirectUri()); - parameter(OAuth2Constants.STATE, client.getState()); - parameter(OIDCLoginProtocol.NONCE_PARAM, client.getNonce()); parameter(OAuth2Constants.SCOPE, client.config().getScope()); parameter(OAuth2Constants.CODE_CHALLENGE, client.getCodeChallenge()); @@ -70,4 +78,10 @@ public class LoginUrlBuilder extends AbstractUrlBuilder { } } + public AuthorizationEndpointResponse doLogin(String username, String password) { + open(); + client.fillLoginForm(username, password); + return client.parseLoginResponse(); + } + } diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/ParRequest.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/ParRequest.java index 8efaecd95c5..fce9d1e37ea 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/ParRequest.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/ParRequest.java @@ -24,12 +24,21 @@ public class ParRequest extends AbstractHttpPostRequest return this; } + public ParRequest nonce(String nonce) { + parameter(OIDCLoginProtocol.NONCE_PARAM, nonce); + return this; + } + + public ParRequest state(String state) { + parameter(OIDCLoginProtocol.STATE_PARAM, state); + return this; + } + @Override protected void initRequest() { parameter(OAuth2Constants.RESPONSE_TYPE, client.config().getResponseType()); parameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM, client.config().getResponseMode()); parameter(OAuth2Constants.REDIRECT_URI, client.config().getRedirectUri()); - parameter(OIDCLoginProtocol.NONCE_PARAM, client.getNonce()); parameter(OAuth2Constants.SCOPE, client.config().getScope()); parameter(OIDCLoginProtocol.REQUEST_PARAM, client.getRequest()); parameter(OIDCLoginProtocol.REQUEST_URI_PARAM, client.getRequestUri()); 
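Review bot: `doLogin(String username, String password)` added at the end of LoginUrlBuilder is undocumented, and together with the removal of `parameter(OAuth2Constants.STATE, client.getState())` from `build()` in the hunk above it, `loginForm().doLogin(...)` without a prior `state(...)` call now runs a complete login with no state in the request, whereas the OAuthClient default removed elsewhere in this diff was a freshly generated state per request. I would add `/** Opens the URL built so far, submits the credentials on the login form and parses the redirect back to the client. Set {@code state}/{@code nonce} on this builder first; neither is sent by default. */`. The dropped default is clearly deliberate (the client-policy tests below need a state-less request), so this is a documentation request rather than a change request.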
diff --git a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/device/DeviceAuthorizationRequest.java b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/device/DeviceAuthorizationRequest.java index 1f2ee51bd25..5db8555b058 100644 --- a/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/device/DeviceAuthorizationRequest.java +++ b/tests/utils-shared/src/main/java/org/keycloak/testsuite/util/oauth/device/DeviceAuthorizationRequest.java @@ -2,7 +2,6 @@ package org.keycloak.testsuite.util.oauth.device; import org.apache.http.client.methods.CloseableHttpResponse; import org.keycloak.OAuth2Constants; -import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.testsuite.util.oauth.AbstractHttpPostRequest; import org.keycloak.testsuite.util.oauth.AbstractOAuthClient; @@ -22,7 +21,6 @@ public class DeviceAuthorizationRequest extends AbstractHttpPostRequest { .postLogoutRedirectUri(APP_ROOT + "/auth") .responseType(OAuth2Constants.CODE); - state = KeycloakModelUtils::generateId; clientSessionState = null; clientSessionHost = null; - nonce = null; request = null; requestUri = null; claims = null; @@ -121,14 +118,6 @@ public class OAuthClient extends AbstractOAuthClient { return config.getScope(); } - public String getState() { - return state.getState(); - } - - public String getNonce() { - return nonce; - } - public OAuthClient realm(String realm) { config.realm(realm); return this; @@ -149,16 +138,6 @@ public class OAuthClient extends AbstractOAuthClient { return this; } - public OAuthClient stateParamHardcoded(String value) { - this.state = () -> value; - return this; - } - - public OAuthClient stateParamRandom() { - this.state = KeycloakModelUtils::generateId; - return this; - } - public OAuthClient scope(String scope) { config.scope(scope); return this; 
@@ -189,11 +168,6 @@ public class OAuthClient extends AbstractOAuthClient { return this; } - public OAuthClient nonce(String nonce) { - this.nonce = nonce; - return this; - } - public OAuthClient request(String request) { this.request = request; return this; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java index de692897c0a..8065e4ee2b3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java @@ -343,8 +343,6 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest { OAuthClient oauth1 = new OAuthClient(HttpClientUtils.createDefault(), driver); // Add some randomness to state, nonce and redirectUri. Verify that login is successful and "state" and "nonce" will match - oauth1.stateParamHardcoded(KeycloakModelUtils.generateId()); - oauth1.nonce(KeycloakModelUtils.generateId()); oauth1.redirectUri(oauth.getRedirectUri() + "?some=" + new Random().nextInt(1024)); return oauth1; } 
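Review bot: The comment kept at the top of the `@@ -343` hunk in ConcurrentLoginTest, `// Add some randomness to state, nonce and redirectUri. Verify that login is successful and "state" and "nonce" will match`, is now stale: the two lines that randomised state and nonce are removed here and only the redirect URI is still randomised at this point. The per-request randomisation moved to the `requestState`/`requestNonce` locals in the later hunk of the same file, so I would shorten this to `// Add some randomness to redirectUri; state and nonce are generated per login request below` so the next reader does not look for code that is no longer here. The enclosing method starts before this hunk.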
@@ -380,10 +378,13 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest { oauth1.client("client" + i, "password"); log.infof("%d [%s]: Accessing login page for %s", threadIndex, Thread.currentThread().getName(), oauth1.getClientId()); + String requestState = KeycloakModelUtils.generateId(); + String requestNonce = KeycloakModelUtils.generateId(); + final HttpClientContext templateContext = clientContexts.get(i % clientContexts.size()); final HttpClientContext context = HttpClientContext.create(); context.setCookieStore(templateContext.getCookieStore()); - String pageContent = getPageContent(oauth1.loginForm().build(), httpClient, context); + String pageContent = getPageContent(oauth1.loginForm().nonce(requestNonce).state(requestState).build(), httpClient, context); assertThat(pageContent, Matchers.containsString("AUTH_RESPONSE")); assertThat(context.getRedirectLocations(), Matchers.notNullValue()); assertThat(context.getRedirectLocations(), Matchers.not(Matchers.empty())); @@ -393,7 +394,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest { String code = query.get(OAuth2Constants.CODE); String state = query.get(OAuth2Constants.STATE); - Assert.assertEquals("Invalid state.", state, oauth1.getState()); + Assert.assertEquals("Invalid state.", requestState, state); AtomicReference accessResRef = new AtomicReference<>(); totalInvocations.incrementAndGet(); @@ -410,7 +411,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest { Assert.assertNull(refreshedToken.getNonce()); AccessToken idToken = JsonSerialization.readValue(new JWSInput(accessRes.getIdToken()).getContent(), AccessToken.class); - Assert.assertEquals(oauth1.getNonce(), idToken.getNonce()); + Assert.assertEquals(requestNonce, idToken.getNonce()); accessResRef.set(accessRes); 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/AbstractBaseBrokerTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/AbstractBaseBrokerTest.java index 48d3ef4dde0..777fe29fdb0 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/AbstractBaseBrokerTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/AbstractBaseBrokerTest.java @@ -260,7 +260,11 @@ public abstract class AbstractBaseBrokerTest extends AbstractKeycloakTest { } protected AuthorizationEndpointResponse doLoginSocial(OAuthClient oauth, String brokerId, String username, String password) { - oauth.openLoginForm(); + return doLoginSocial(oauth, brokerId, username, password, null); + } + + protected AuthorizationEndpointResponse doLoginSocial(OAuthClient oauth, String brokerId, String username, String password, String nonce) { + oauth.loginForm().nonce(nonce).open(); WaitUtils.waitForPageToLoad(); oauth.getDriver().findElement(By.id("social-" + brokerId)).click(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerNonceParameterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerNonceParameterTest.java index 3c43b446482..c733738c6d4 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerNonceParameterTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerNonceParameterTest.java 
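Review bot: The new five-argument `doLoginSocial` overload in AbstractBaseBrokerTest takes a `nonce` without documenting it, and the four-argument overload silently forwards `null`, so the signature alone does not say that `null` means "send no nonce" — the `@@ -89` hunk of KcOidcBrokerNonceParameterTest depends on exactly that to test the no-nonce case. I would add `/** Logs in through identity provider {@code brokerId}; {@code nonce}, when non-null, is added to the authorization request and is expected back in the ID token. */` above the five-argument method. Whether `nonce(null)` really omits the parameter is decided by `LoginUrlBuilder.parameter()`, which this diff does not show, so that is worth confirming. The method body continues past the end of the hunk.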
@@ -62,9 +62,8 @@ public class KcOidcBrokerNonceParameterTest extends AbstractBrokerTest { oauth.realm(bc.consumerRealmName()); oauth.clientId("consumer-client"); - oauth.nonce("123456"); - AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword()); + AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword(), "123456"); String code = authzResponse.getCode(); AccessTokenResponse response = oauth.doAccessTokenRequest(code); IDToken idToken = toIdToken(response.getIdToken()); @@ -89,9 +88,8 @@ public class KcOidcBrokerNonceParameterTest extends AbstractBrokerTest { oauth.realm(bc.consumerRealmName()); oauth.clientId("consumer-client"); - oauth.nonce(null); - AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword()); + AuthorizationEndpointResponse authzResponse = doLoginSocial(oauth, bc.getIDPAlias(), bc.getUserLogin(), bc.getUserPassword(), null); String code = authzResponse.getCode(); AccessTokenResponse response = oauth.doAccessTokenRequest(code); IDToken idToken = toIdToken(response.getIdToken()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractFAPITest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractFAPITest.java index 0a5fecfcd93..ce5ced4b96c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractFAPITest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractFAPITest.java 
@@ -121,9 +121,9 @@ public abstract class AbstractFAPITest extends AbstractClientPoliciesTest { expectedScopes.containsAll(receivedScopes) && receivedScopes.containsAll(expectedScopes)); } - protected String loginUserAndGetCode(String clientId, boolean fragmentResponseModeExpected) { + protected String loginUserAndGetCode(String clientId, String nonce, boolean fragmentResponseModeExpected) { oauth.clientId(clientId); - oauth.doLogin(TEST_USERNAME, TEST_USERSECRET); + oauth.loginForm().nonce(nonce).doLogin(TEST_USERNAME, TEST_USERSECRET); grantPage.assertCurrent(); grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT); @@ -134,9 +134,9 @@ public abstract class AbstractFAPITest extends AbstractClientPoliciesTest { return code; } - protected String loginUserAndGetCodeInJwtQueryResponseMode(String clientId) { + protected String loginUserAndGetCodeInJwtQueryResponseMode(String clientId, String nonce) { oauth.clientId(clientId); - oauth.doLogin(TEST_USERNAME, TEST_USERSECRET); + oauth.loginForm().nonce(nonce).doLogin(TEST_USERNAME, TEST_USERSECRET); grantPage.assertCurrent(); grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java index ee9efaa403a..f67ed642892 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI1Test.java 
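Review bot: `loginUserAndGetCode` and `loginUserAndGetCodeInJwtQueryResponseMode` in AbstractFAPITest gain a `nonce` parameter in the middle of the argument list with no Javadoc, and the FAPI1Test/FAPI2Test callers pass either the literal `"123456"` or `null`. Since the nonce is a security-relevant input in these FAPI flows, the `null` case should be spelled out: `/** @param nonce OIDC nonce to send with the authorization request, or {@code null} to send none */` on both methods. Both method bodies continue beyond the hunk.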
@@ -263,7 +263,7 @@ public class FAPI1Test extends AbstractFAPITest { checkRedirectUriForCurrentClientDuringLogin(); // Check PKCE with S256, redirectUri and nonce/state set. Login should be successful - successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> { + successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> { String signedJwt = getClientSecretSignedJWT("atleast-14chars-password", Algorithm.HS256); return doAccessTokenRequestWithClientSignedJWT(code, signedJwt, codeVerifier, DefaultHttpClient::new); }); @@ -293,7 +293,7 @@ public class FAPI1Test extends AbstractFAPITest { checkRedirectUriForCurrentClientDuringLogin(); // Check PKCE with S256, redirectUri and nonce/state set. Login should be successful - successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> { + successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> { oauth.codeVerifier(codeVerifier); return oauth.doAccessTokenRequest(code); }); @@ -378,14 +378,13 @@ public class FAPI1Test extends AbstractFAPITest { Assert.assertTrue(client.isPublicClient()); // Setup PKCE and nonce - oauth.nonce("123456"); String codeVerifier = "1234567890123456789012345678901234567890123"; // 43 String codeChallenge = generateS256CodeChallenge(codeVerifier); oauth.codeChallenge(codeChallenge); oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256); // Check PKCE with S256, redirectUri and nonce/state set. Login should be successful - successfulLoginAndLogout("foo", TEST_USERNAME, false, (String code) -> { + successfulLoginAndLogout("foo", "123456", TEST_USERNAME, false, (String code) -> { oauth.codeVerifier(codeVerifier); return oauth.doAccessTokenRequest(code); }); 
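Review bot: In the `@@ -378` hunk of FAPI1Test the comment `// Setup PKCE and nonce` survives while the `oauth.nonce("123456")` line beneath it is removed; the nonce is now passed as the second argument of `successfulLoginAndLogout("foo", "123456", ...)` a few lines later. I would change it to `// Setup PKCE; the nonce is passed to successfulLoginAndLogout below` so the comment matches the code again. The enclosing test method starts before this hunk.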
@@ -394,7 +393,7 @@ public class FAPI1Test extends AbstractFAPITest { setupPolicyFAPIAdvancedForAllClient(); // Should not be possible to login anymore with public client - oauth.openLoginForm(); + oauth.loginForm().nonce("123456").open(); assertRedirectedToClientWithError(OAuthErrorException.INVALID_CLIENT, "invalid client access type"); } @@ -462,7 +461,7 @@ public class FAPI1Test extends AbstractFAPITest { checkRedirectUriForCurrentClientDuringLogin(); // Check login request object required - oauth.openLoginForm(); + oauth.loginForm().nonce("123456").open(); assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'"); // Create request without 'nbf' . Should fail in FAPI1 advanced client policy @@ -503,7 +502,7 @@ public class FAPI1Test extends AbstractFAPITest { PublicKey publicKey = keyPair.getPublic(); - String code = loginUserAndGetCode("foo", true); + String code = loginUserAndGetCode("foo", null, true); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); @@ -559,7 +558,7 @@ public class FAPI1Test extends AbstractFAPITest { checkRedirectUriForCurrentClientDuringLogin(); // Check login request object required - oauth.openLoginForm(); + oauth.loginForm().nonce("123456").open(); assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: 'request' or 'request_uri'"); // Set request object and correct responseType @@ -571,7 +570,7 @@ public class FAPI1Test extends AbstractFAPITest { oauth.openLoginForm(); loginPage.assertCurrent(); - String code = loginUserAndGetCode("foo", true); + String code = loginUserAndGetCode("foo", null, true); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); 
@@ -610,14 +609,9 @@ public class FAPI1Test extends AbstractFAPITest { assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: nonce"); // Check "state" required in non-OIDC request - oauth.nonce("123456"); - oauth.stateParamHardcoded(null); oauth.openid(false); - oauth.openLoginForm(); + oauth.loginForm().nonce("123456").open(); assertRedirectedToClientWithError(OAuthErrorException.INVALID_REQUEST,"Missing parameter: state"); - - // Revert to default "state" parameter generator - oauth.stateParamRandom(); } private void checkRedirectUriForCurrentClientDuringLogin() { @@ -671,8 +665,8 @@ public class FAPI1Test extends AbstractFAPITest { } // codeToTokenExchanger is supposed to exchange "code" for the accessTokenResponse. It is supposed to send the tokenRequest including proper client authentication - private void successfulLoginAndLogout(String clientId, String username, boolean fragmentResponseModeExpected, Function codeToTokenExchanger) throws Exception { - String code = loginUserAndGetCode(clientId, fragmentResponseModeExpected); + private void successfulLoginAndLogout(String clientId, String nonce, String username, boolean fragmentResponseModeExpected, Function codeToTokenExchanger) throws Exception { + String code = loginUserAndGetCode(clientId, nonce, fragmentResponseModeExpected); AccessTokenResponse tokenResponse = codeToTokenExchanger.apply(code); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI2Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI2Test.java index 3eb0c13c828..dce162e8510 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI2Test.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/FAPI2Test.java 
@@ -119,7 +119,7 @@ public class FAPI2Test extends AbstractFAPITest { oauth.request(null); // send an authorization request - String code = loginUserAndGetCode(clientId, false); + String code = loginUserAndGetCode(clientId, null, false); // send a token request signedJwt = createSignedRequestToken(clientId, Algorithm.PS256); @@ -168,12 +168,10 @@ public class FAPI2Test extends AbstractFAPITest { String codeChallenge = generateS256CodeChallenge(codeVerifier); oauth.codeChallenge(codeChallenge); oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256); - oauth.stateParamHardcoded(null); - oauth.nonce("123456"); // requiring hybrid request - should fail oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN); - ParResponse pResp = oauth.doPushedAuthorizationRequest(); + ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("123456").send(); assertEquals(401, pResp.getStatusCode()); assertEquals(OAuthErrorException.UNAUTHORIZED_CLIENT, pResp.getError()); 
@@ -196,25 +194,23 @@ public class FAPI2Test extends AbstractFAPITest { pResp = oauth.doPushedAuthorizationRequest(); assertEquals(201, pResp.getStatusCode()); requestUri = pResp.getRequestUri(); - oauth.stateParamRandom(); oauth.requestUri(requestUri); - oauth.openLoginForm(); + oauth.loginForm().state("testFAPI2SecurityProfileLoginWithMTLS").open(); assertBrowserWithError("PAR request did not include necessary parameters"); // duplicated usage of a PAR request - should fail - oauth.openLoginForm(); + oauth.loginForm().state("testFAPI2SecurityProfileLoginWithMTLS").open(); assertBrowserWithError("PAR not found. not issued or used multiple times."); // send a pushed authorization request - oauth.stateParamHardcoded(null); oauth.requestUri(null); - pResp = oauth.doPushedAuthorizationRequest(); + pResp = oauth.pushedAuthorizationRequest().nonce("123456").send(); assertEquals(201, pResp.getStatusCode()); requestUri = pResp.getRequestUri(); // send an authorization request oauth.requestUri(requestUri); - String code = loginUserAndGetCode(clientId, false); + String code = loginUserAndGetCode(clientId, "123456", false); // send a token request oauth.codeVerifier(codeVerifier); @@ -274,7 +270,6 @@ public class FAPI2Test extends AbstractFAPITest { // Set request object and correct responseType oauth.client(clientId); - oauth.stateParamHardcoded(null); String codeVerifier = "1234567890123456789012345678901234567890123"; // 43 String codeChallenge = generateS256CodeChallenge(codeVerifier); TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId); 
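Review bot: The two `oauth.loginForm().state("testFAPI2SecurityProfileLoginWithMTLS").open()` calls in the `@@ -196` hunk of FAPI2Test put a state into the query that the preceding PAR did not contain, which is what makes the server answer `PAR request did not include necessary parameters`; a reader who does not know that the old code sent a random state by default will not see why the literal is there. I would add `// state only in the query, not in the PAR -> must be rejected` above the first call. The second call reuses the same request_uri to check single use and presumably fails for that reason regardless of the state value, so a one-line comment there too would keep the two expected errors apart. The enclosing test method starts before this hunk.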
@@ -293,12 +288,11 @@ public class FAPI2Test extends AbstractFAPITest { // send an authorization request oauth.codeChallenge(codeChallenge); oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256); - oauth.nonce("123456"); oauth.responseType(OIDCResponseType.CODE); oauth.responseMode(OIDCResponseMode.QUERY_JWT.value()); oauth.requestUri(requestUri); oauth.request(null); - String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId); + String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId, "123456"); // send a token request oauth.codeVerifier(codeVerifier); @@ -339,15 +333,12 @@ public class FAPI2Test extends AbstractFAPITest { assertEquals(true, client.isConsentRequired()); oauth.client(clientId); - oauth.stateParamHardcoded(null); String codeVerifier = "1234567890123456789012345678901234567890123"; // 43 String codeChallenge = generateS256CodeChallenge(codeVerifier); // without a request object - should fail oauth.codeChallenge(codeChallenge); oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256); - oauth.stateParamHardcoded(null); - oauth.nonce("123456"); oauth.responseType(OIDCResponseType.CODE); TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId); registerRequestObject(requestObject, clientId, Algorithm.PS256, true); @@ -355,7 +346,7 @@ public class FAPI2Test extends AbstractFAPITest { oauth.request(null); oauth.client(clientId); String signedJwt = createSignedRequestToken(clientId, Algorithm.PS256); - ParResponse pResp = oauth.pushedAuthorizationRequest().signedJwt(signedJwt).send(); + ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("123456").signedJwt(signedJwt).send(); assertEquals(400, pResp.getStatusCode()); assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, pResp.getError()); 
@@ -377,7 +368,7 @@ public class FAPI2Test extends AbstractFAPITest { // send an authorization request oauth.requestUri(requestUri); oauth.request(null); - String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId); + String code = loginUserAndGetCodeInJwtQueryResponseMode(clientId, null); // send a token request signedJwt = createSignedRequestToken(clientId, Algorithm.PS256); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java index 4b9bb702f6d..28b9a29ecc2 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1ConfidentialClientTest.java @@ -71,7 +71,6 @@ public class OAuth2_1ConfidentialClientTest extends AbstractFAPITest { public void revertPolicies() throws ClientPolicyException { oauth.openid(true); oauth.responseType(OIDCResponseType.CODE); - oauth.nonce(null); oauth.codeChallenge(null); oauth.codeChallengeMethod(null); oauth.dpopProof(null); @@ -226,9 +225,8 @@ public class OAuth2_1ConfidentialClientTest extends AbstractFAPITest { private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce) { oauth.openid(isOpenid); oauth.responseType(responseType); - oauth.nonce(nonce); oauth.redirectUri(validRedirectUri); - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).open(); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError()); assertEquals("Implicit/Hybrid flow is prohibited.", authorizationEndpointResponse.getErrorDescription()); 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java index fd5926edb2d..f18a9c98b7f 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OAuth2_1PublicClientTest.java @@ -88,7 +88,6 @@ public class OAuth2_1PublicClientTest extends AbstractFAPITest { public void revertPolicies() throws ClientPolicyException { oauth.openid(true); oauth.responseType(OIDCResponseType.CODE); - oauth.nonce(null); oauth.codeChallenge(null); oauth.codeChallengeMethod(null); oauth.dpopProof(null); @@ -274,9 +273,8 @@ public class OAuth2_1PublicClientTest extends AbstractFAPITest { private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce) { oauth.openid(isOpenid); oauth.responseType(responseType); - oauth.nonce(nonce); oauth.redirectUri(validRedirectUri); - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).open(); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError()); assertEquals("Implicit/Hybrid flow is prohibited.", authorizationEndpointResponse.getErrorDescription()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java index 5c98ab69c1d..ef26bd90a19 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java @@ -597,7 +597,6 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { requestObject.setRedirectUriParam(oauth.getRedirectUri()); requestObject.setScope("openid"); String state = KeycloakModelUtils.generateId(); - oauth.stateParamHardcoded(state); requestObject.setState(state); requestObject.setMax_age(Integer.valueOf(600)); requestObject.setOtherClaims("custom_claim_ein", "rot"); @@ -1500,14 +1499,22 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { } protected void successfulLoginAndLogout(String clientId, String clientSecret) { - AccessTokenResponse res = successfulLogin(clientId, clientSecret); + successfulLoginAndLogout(clientId, clientSecret, null, null); + } + + protected void successfulLoginAndLogout(String clientId, String clientSecret, String nonce, String state) { + AccessTokenResponse res = successfulLogin(clientId, clientSecret, nonce, state); oauth.doLogout(res.getRefreshToken()); events.expectLogout(res.getSessionState()).client(clientId).clearDetails().assertEvent(); } protected AccessTokenResponse successfulLogin(String clientId, String clientSecret) { + return successfulLogin(clientId, clientSecret, null, null); + } + + protected AccessTokenResponse successfulLogin(String clientId, String clientSecret, String nonce, String state) { oauth.client(clientId, clientSecret); - oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + oauth.loginForm().nonce(nonce).state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent(); String sessionId = loginEvent.getSessionId(); 
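Review bot: The two-argument `successfulLogin(clientId, clientSecret)` in AbstractClientPoliciesTest now delegates with `null, null`, so every existing caller logs in with neither `nonce` nor `state`, whereas before this diff the OAuthClient generated a random state per request (see the removed `state = KeycloakModelUtils::generateId` in OAuthClient). Some tests need exactly that — the PAR tests in ClientPoliciesExecutorTest drop their `stateParamHardcoded(null)` and rely on the new default — but it also means the default helper no longer exercises the state round trip, which should be said in Javadoc: `/** Logs in with neither nonce nor state; use the four-argument overload when the test must verify either. */`. In the `@@ -597` hunk the request object keeps `setState(state)` while the query no longer carries that value; presumably the secure-request-object executor accepts a state present only in the request object, but the old code kept the two in sync, so worth confirming. Both enclosing methods extend beyond their hunks.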
@@ -1526,9 +1533,8 @@ public abstract class AbstractClientPoliciesTest extends AbstractKeycloakTest { String codeChallenge = generateS256CodeChallenge(codeVerifier); oauth.codeChallenge(codeChallenge); oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256); - oauth.nonce("bjapewiziIE083d"); - oauth.doLogin(userName, userPassword); + oauth.loginForm().nonce("bjapewiziIE083d").doLogin(userName, userPassword); EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent(); String sessionId = loginEvent.getSessionId(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesConditionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesConditionTest.java index 31f08a6b30d..2f8b102a998 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesConditionTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesConditionTest.java @@ -200,8 +200,7 @@ public class ClientPoliciesConditionTest extends AbstractClientPoliciesTest { try { failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_NONCE); - oauth.nonce("yesitisnonce"); - successfulLoginAndLogout(clientAlphaId, clientAlphaSecret); + successfulLoginAndLogout(clientAlphaId, clientAlphaSecret, "yesitisnonce", "somestate"); } catch (Exception e) { fail(); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java index a4079d16a19..90b0707add2 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java 
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesExecutorTest.java @@ -293,8 +293,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { assertEquals("invalid response_type", authorizationEndpointResponse.getErrorDescription()); oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN); - oauth.nonce("vbwe566fsfffds"); - oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + oauth.loginForm().nonce("vbwe566fsfffds").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent(); String sessionId = loginEvent.getSessionId(); @@ -316,8 +315,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { updateProfiles(json); oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN + " " + OIDCResponseType.TOKEN); // token response type allowed - oauth.nonce("cie8cjcwiw"); - oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + oauth.loginForm().nonce("cie8cjcwiw").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); loginEvent = events.expectLogin().client(clientId).assertEvent(); sessionId = loginEvent.getSessionId(); @@ -425,8 +423,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { assertEquals("invalid response_type", authorizationEndpointResponse.getErrorDescription()); oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN); - oauth.nonce("LIVieviDie028f"); - oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + oauth.loginForm().nonce("LIVieviDie028f").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent(); String sessionId = loginEvent.getSessionId(); 
@@ -634,7 +631,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId); requestObject.setState("notmatchstate"); registerRequestObject(requestObject, clientId, Algorithm.ES256, false); - oauth.openLoginForm(); + oauth.loginForm().state("wrongstate").open(); authorizationEndpointResponse = oauth.parseLoginResponse(); assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError()); assertEquals("Invalid parameter. Parameters in 'request' object not matching with request parameters", authorizationEndpointResponse.getErrorDescription()); @@ -856,15 +853,12 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { oauth.openid(true); failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_NONCE); - oauth.nonce("yesitisnonce"); - successfulLoginAndLogout(clientBetaId, clientBetaSecret); + successfulLoginAndLogout(clientBetaId, clientBetaSecret, "yesitisnonce", "somestate"); oauth.openid(false); - oauth.stateParamHardcoded(null); failLoginWithoutSecureSessionParameter(clientBetaId, ERR_MSG_MISSING_STATE); - oauth.stateParamRandom(); - successfulLoginAndLogout(clientBetaId, clientBetaSecret); + successfulLoginAndLogout(clientBetaId, clientBetaSecret, "somenonce", "somestate"); } @Test 
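Review bot: Both `successfulLoginAndLogout` calls in the second hunk send the same literal `"somestate"`, each right after a deliberately failed attempt for the same client, so if the helper compares the returned state with the one it sent (its body is outside the hunk) that comparison can no longer distinguish a fresh response from a stale one — before this change `stateParamRandom()` gave each request a distinct value. Use a distinct value per call, e.g. `successfulLoginAndLogout(clientBetaId, clientBetaSecret, "somenonce", "somestate-oauth2");` for the second call. The `"somenonce"` passed in the `openid(false)` branch is harmless but plays no role in a plain OAuth2 request; a short comment saying so would save the next reader a question.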
@@ -1512,13 +1506,13 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { oauth.client(clientBetaId, "secretBeta"); // Pushed Authorization Request - ParResponse pResp = oauth.doPushedAuthorizationRequest(); + ParResponse pResp = oauth.pushedAuthorizationRequest().send(); assertEquals(201, pResp.getStatusCode()); String requestUri = pResp.getRequestUri(); oauth.requestUri(requestUri); oauth.client(clientBetaId); - oauth.openLoginForm(); + oauth.loginForm().state("randomstatesomething").open(); assertTrue(errorPage.isCurrent()); assertEquals("PAR request did not include necessary parameters", errorPage.getError()); @@ -1529,7 +1523,6 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { requestUri = pResp.getRequestUri(); oauth.requestUri(requestUri); - oauth.stateParamHardcoded(null); successfulLoginAndLogout(clientBetaId, "secretBeta"); } @@ -1562,15 +1555,14 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { // Pushed Authorization Request without state parameter oauth.addCustomParameter("request", encodedRequestObject); - ParResponse pResp = oauth.doPushedAuthorizationRequest(); + ParResponse pResp = oauth.pushedAuthorizationRequest().send(); assertEquals(201, pResp.getStatusCode()); String requestUri = pResp.getRequestUri(); // only query parameters include state parameter oauth.removeCustomParameter("request"); - oauth.stateParamHardcoded("mystate2"); oauth.requestUri(requestUri); - oauth.openLoginForm(); + oauth.loginForm().state("mystate2").open(); assertTrue(errorPage.isCurrent()); assertEquals("PAR request did not include necessary parameters", errorPage.getError()); 
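Review bot: The literal `"randomstatesomething"` in `oauth.loginForm().state(...).open()` is a fixed value, and its name suggests randomness the test does not have; what the first hunk actually exercises is a state that is present only on the authorization request and absent from the pushed request, which is why the executor is expected to reject it with "PAR request did not include necessary parameters". A name that says so, e.g. `oauth.loginForm().state("state-not-in-par").open();`, documents the intent. The enclosing test method starts before this hunk.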
@@ -1580,7 +1572,7 @@ public class ClientPoliciesExecutorTest extends AbstractClientPoliciesTest { oauth.requestUri(null); oauth.addCustomParameter("request", encodedRequestObject); - pResp = oauth.doPushedAuthorizationRequest(); + pResp = oauth.pushedAuthorizationRequest().state("mystate2").send(); assertEquals(201, pResp.getStatusCode()); requestUri = pResp.getRequestUri(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java index d2936f1bc39..42b60a31a81 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/ClientPoliciesTest.java @@ -1212,9 +1212,8 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { oauth.scope("openid" + " " + "microprofile-jwt"); oauth.request(request); oauth.client(clientId, clientSecret); - oauth.nonce(nonce); oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN); - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).open(); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); assertEquals(OAuthErrorException.INVALID_REQUEST, authorizationEndpointResponse.getError()); assertEquals("The intent is not bound with the client", authorizationEndpointResponse.getErrorDescription()); @@ -1325,7 +1324,6 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { // revert test client instance settings the same as OAuthClient.init oauth.openid(true); oauth.responseType(OIDCResponseType.CODE); - oauth.nonce(null); } } 
@@ -1426,8 +1424,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest { private void testProhibitedImplicitOrHybridFlow(boolean isOpenid, String responseType, String nonce, String expectedError, String expectedErrorDescription) { oauth.openid(isOpenid); oauth.responseType(responseType); - oauth.nonce(nonce); - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).open(); AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse(); assertEquals(expectedError, authorizationEndpointResponse.getError()); assertEquals(expectedErrorDescription, authorizationEndpointResponse.getErrorDescription()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java index dd1d8484671..2604ef24a50 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java @@ -241,7 +241,7 @@ public abstract class AbstractKerberosTest extends AbstractAuthTest { protected Response spnegoLogin(String username, String password) { - String kcLoginPageLocation = oauth.loginForm().build(); + String kcLoginPageLocation = oauth.loginForm().state("spnegoLogin").build(); // Request for SPNEGO login sent with Resteasy client spnegoSchemeFactory.setCredentials(username, password); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java index dda9778ff38..b22cf90ca9b 100644 
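Review bot: `oauth.loginForm().nonce(nonce).open()` in `testProhibitedImplicitOrHybridFlow` passes the method's `nonce` argument straight to the builder, and if any caller passes `null` to exercise a missing-nonce error (the callers are outside this hunk) the outcome depends on `parameter()` omitting null values rather than emitting an empty `nonce=`. The old code had the same dependency through `client.getNonce()`, so this is not a regression, but it is worth stating on the call: `// nonce may be null: builder must omit the parameter, not send nonce=`. If the builder does emit empty values, those cases would test an empty nonce rather than an absent one, which is a different server-side path.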
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java @@ -597,17 +597,15 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest { String redirectUri1 = String.format("%s/auth/realms/master/app/auth/suffix1", getAuthServerContextRoot()); String redirectUri2 = String.format("%s/auth/realms/master/app/auth/suffix2", getAuthServerContextRoot()); // Open tab1 and start login here - oauth.stateParamHardcoded("state1"); oauth.redirectUri(redirectUri1); - oauth.openLoginForm(); + oauth.loginForm().state("state1").open(); loginPage.assertCurrent(); loginPage.login("login-test", "bad-password"); String tab1Url = driver.getCurrentUrl(); // Go to tab2 and start login with different client "root-url-client" - oauth.stateParamHardcoded("state2"); oauth.redirectUri(redirectUri2); - oauth.openLoginForm(); + oauth.loginForm().state("state2").open(); loginPage.assertCurrent(); String tab2Url = driver.getCurrentUrl(); @@ -629,17 +627,15 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest { String redirectUri1 = String.format("%s/auth/realms/master/app/auth/suffix1", getAuthServerContextRoot()); String redirectUri2 = String.format("%s/auth/realms/master/app/auth/suffix2", getAuthServerContextRoot()); // Open tab1 and start login here - oauth.stateParamHardcoded("state1"); oauth.redirectUri(redirectUri1); - oauth.openLoginForm(); + oauth.loginForm().state("state1").open(); loginPage.assertCurrent(); loginPage.login("login-test", "bad-password"); String tab1Url = driver.getCurrentUrl(); // Go to tab2 and start login with different client "root-url-client" - oauth.stateParamHardcoded("state2"); oauth.redirectUri(redirectUri2); - oauth.openLoginForm(); + oauth.loginForm().state("state2").open(); loginPage.assertCurrent(); String tab2Url = driver.getCurrentUrl(); 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java index 4de488c5f4b..e9f999243e3 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java @@ -158,10 +158,8 @@ public class RestartCookieTest extends AbstractTestRealmKeycloakTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUri); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - oauth.openLoginForm(); + oauth.loginForm().state("testRestartCookieWithPar").open(); String restartCookie = driver.manage().getCookieNamed(RestartLoginCookie.KC_RESTART).getValue(); assertRestartCookie(restartCookie); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java index 1d6670c8ea2..e7cdba1567a 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java 
@@ -86,14 +86,11 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void clientConfiguration() { oauth.responseType(OAuth2Constants.CODE); oauth.responseMode(null); - oauth.stateParamRandom(); } @Test public void authorizationRequest() throws IOException { - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - - AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); + AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password"); assertTrue(response.isRedirected()); Assert.assertNotNull(response.getCode()); @@ -166,8 +163,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestNoState() throws IOException { - oauth.stateParamHardcoded(null); - AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); assertTrue(response.isRedirected()); @@ -210,8 +205,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void authorizationRequestFormPostResponseModeInvalidResponseType() throws IOException { oauth.responseMode(OIDCResponseMode.FORM_POST.value()); oauth.responseType("tokenn"); - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - oauth.openLoginForm(); + oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").open(); String error = driver.findElement(By.id("error")).getText(); String state = driver.findElement(By.id("state")).getText(); 
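Review bot: Dropping `oauth.stateParamRandom()` from `clientConfiguration()` changes the default for every test in `AuthorizationCodeTest`, not only the ones rewritten in this diff: a test that does not call `loginForm().state(...)` now sends no `state` at all, where it previously got a random one. Any test elsewhere in the class that asserts `response.getState()` is non-null or round-trips it would now be exercising the no-state path; those tests are not visible here, so this deserves a quick check. If the no-state default is the intended new baseline, a one-line comment on `clientConfiguration()` such as `// no default state: tests that need one set it on loginForm()` makes that explicit.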
@@ -225,8 +219,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void authorizationRequestFormPostResponseModeWithoutResponseType() throws IOException { oauth.responseMode(OIDCResponseMode.FORM_POST.value()); oauth.responseType(null); - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - oauth.openLoginForm(); + oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").open(); String error = driver.findElement(By.id("error")).getText(); String errorDescription = driver.findElement(By.id("error_description")).getText(); @@ -242,8 +235,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestFormPostResponseMode() throws IOException { oauth.responseMode(OIDCResponseMode.FORM_POST.value()); - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - oauth.doLogin("test-user@localhost", "password"); + oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password"); String sources = driver.getPageSource(); System.out.println(sources); 
@@ -282,14 +274,16 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { oauth.responseType(OAuth2Constants.CODE); final String redirectUri = oauth.getRedirectUri() + "?p=>"; // set HTML entity > oauth.redirectUri(redirectUri); - oauth.stateParamHardcoded(KeycloakModelUtils.generateId()); - oauth.doLogin("test-user@localhost", "password"); + + String requestState = "authorizationRequestFormPostResponseModeHTMLEntitiesRedirectUri"; + + oauth.loginForm().state(requestState).doLogin("test-user@localhost", "password"); WaitUtils.waitForPageToLoad(); // if not properly encoded %3E would be received instead of > Assert.assertEquals("Redirect page was not encoded", redirectUri, oauth.getDriver().getCurrentUrl()); String state = driver.findElement(By.id("state")).getText(); - Assert.assertEquals(oauth.getState(), state); + Assert.assertEquals(requestState, state); Assert.assertNotNull(driver.findElement(By.id("code")).getText()); events.expect(EventType.LOGIN) @@ -311,8 +305,9 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { oauth.responseType(OAuth2Constants.CODE); final String redirectUri = oauth.getRedirectUri() + "?p=>"; // set HTML entity > oauth.redirectUri(redirectUri); - oauth.stateParamHardcoded(KeycloakModelUtils.generateId()); - oauth.doLogin("test-user@localhost", "password"); + + String requestState = "authorizationRequestFormPostJwtResponseModeHTMLEntitiesRedirectUri"; + oauth.loginForm().state(requestState).doLogin("test-user@localhost", "password"); WaitUtils.waitForPageToLoad(); // if not properly encoded %3E would be received instead of 
> @@ -322,7 +317,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { assertEquals("test-app", responseToken.getAudience()[0]); Assert.assertNotNull(responseToken.getOtherClaims().get("code")); Assert.assertNull(responseToken.getOtherClaims().get("error")); - Assert.assertEquals(oauth.getState(), responseToken.getOtherClaims().get("state")); + Assert.assertEquals(requestState, responseToken.getOtherClaims().get("state")); Assert.assertNotNull(responseToken.getOtherClaims().get("code")); events.expect(EventType.LOGIN) @@ -338,8 +333,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestFormPostResponseModeWithCustomState() throws IOException { oauth.responseMode(OIDCResponseMode.FORM_POST.value()); - oauth.stateParamHardcoded("\">bar_baz(2)far"); - oauth.doLogin("test-user@localhost", "password"); + oauth.loginForm().state("\">bar_baz(2)far").doLogin("test-user@localhost", "password"); String sources = driver.getPageSource(); System.out.println(sources); @@ -357,7 +351,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { public void authorizationRequestFragmentResponseModeNotKept() throws Exception { // Set response_mode=fragment and login oauth.responseMode(OIDCResponseMode.FRAGMENT.value()); - AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); + AuthorizationEndpointResponse response = oauth.loginForm().state("authorizationRequestFragmentResponseModeNotKept").doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); Assert.assertNotNull(response.getState()); 
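Review bot: The state `"\">bar_baz(2)far"` in `authorizationRequestFormPostResponseModeWithCustomState` is a deliberate HTML-injection payload (a closing quote and `>`) whose purpose is presumably to prove that the form_post page escapes the state before embedding it, but nothing in the hunk says so and the assertions are outside it. A comment on the call, `// state with '"' and '>' must be HTML-escaped in the form_post response (otherwise it breaks out of the hidden input)`, records why this odd value must not be "cleaned up" later. The method body continues past the hunk.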
@@ -368,7 +362,7 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { // Unset response_mode. The initial OIDC AuthenticationRequest won't contain "response_mode" parameter now and hence it should fallback to "query". oauth.responseMode(null); - oauth.openLoginForm(); + oauth.loginForm().state("authorizationRequestFragmentResponseModeNotKept2").open(); response = oauth.parseLoginResponse(); Assert.assertNotNull(response.getCode()); @@ -382,8 +376,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestParamsMoreThanOnce() throws IOException { - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - String logoutUrl = UriBuilder.fromUri(oauth.loginForm().build()).queryParam(OAuth2Constants.SCOPE, "read_write") .queryParam(OAuth2Constants.STATE, "abcdefg") .queryParam(OAuth2Constants.SCOPE, "pop push").build().toString(); @@ -400,8 +392,6 @@ public class AuthorizationCodeTest extends AbstractKeycloakTest { @Test public void authorizationRequestClientParamsMoreThanOnce() throws IOException { - oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk"); - String logoutUrl = UriBuilder.fromUri(oauth.loginForm().build()).queryParam(OAuth2Constants.SCOPE, "read_write") .queryParam(OAuth2Constants.CLIENT_ID, "client2client") .queryParam(OAuth2Constants.REDIRECT_URI, "https://www.example.com") diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java index 42af3d5cf9b..fa78c38e11c 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java 
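Review bot: Removing `oauth.stateParamHardcoded(...)` from `authorizationRequestParamsMoreThanOnce` silently drops the duplicated `state` parameter the test used to send: previously the builder URL already carried a state and `.queryParam(OAuth2Constants.STATE, "abcdefg")` added a second one, whereas now the URL has a single `state` and only `scope` is repeated. If the assertions after the hunk (not visible here) expect the server to reject or normalise a repeated `state`, they no longer test that. Restoring the duplicate is a one-liner: `UriBuilder.fromUri(oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").build())`. The same applies to `authorizationRequestClientParamsMoreThanOnce` in the following hunk.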
@@ -177,8 +177,7 @@ public class OAuth2OnlyTest extends AbstractTestRealmKeycloakTest { @Test public void testMissingNonceInOAuth2ImplicitFlow() throws Exception { oauth.responseType("token"); - oauth.nonce(null); - String loginFormUrl = oauth.loginForm().build(); + String loginFormUrl = oauth.loginForm().nonce(null).build(); loginFormUrl = ActionURIUtils.removeQueryParamFromURI(loginFormUrl, OAuth2Constants.SCOPE); driver.navigate().to(loginFormUrl); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriStateTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriStateTest.java index f74410da7ed..6d6c3285ac8 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriStateTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthRedirectUriStateTest.java @@ -38,13 +38,10 @@ public class OAuthRedirectUriStateTest extends AbstractTestRealmKeycloakTest { public void clientConfiguration() { oauth.clientId("test-app"); oauth.responseType(OIDCResponseType.CODE); - oauth.stateParamRandom(); } void assertStateReflected(String state) { - oauth.stateParamHardcoded(state); - - AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); + AuthorizationEndpointResponse response = oauth.loginForm().state(state).doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); URL url; diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java index faec99516e6..698d41859f4 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java 
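Review bot: `oauth.loginForm().nonce(null).build()` in `testMissingNonceInOAuth2ImplicitFlow` no longer does anything the builder would not do on its own, since nonce is now only added when a caller sets it, yet it reads as if the test deliberately sends an empty nonce. Either drop the call or make the intent explicit with `// no nonce on purpose: OAuth2 implicit flow without openid scope`, whichever the test means — its assertions are outside the hunk. If `parameter()` does emit `nonce=` for a null value, the request would carry an empty nonce rather than none, which is a different case from the one the test name describes.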
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java @@ -195,9 +195,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest { @Test public void refreshTokenStructure() { - - oauth.nonce("123456"); - oauth.doLogin("test-user@localhost", "password"); + oauth.loginForm().nonce("123456").doLogin("test-user@localhost", "password"); EventRepresentation loginEvent = events.expectLogin().assertEvent(); @@ -227,8 +225,7 @@ public class RefreshTokenTest extends AbstractKeycloakTest { @Test public void refreshTokenRequest() throws Exception { - oauth.nonce("123456"); - oauth.doLogin("test-user@localhost", "password"); + oauth.loginForm().nonce("123456").doLogin("test-user@localhost", "password"); EventRepresentation loginEvent = events.expectLogin().assertEvent(); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java index 5c06ff9cd3a..49e8c73d592 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/hok/HoKTest.java @@ -611,9 +611,8 @@ public class HoKTest extends AbstractTestRealmKeycloakTest { ClientManager.realm(adminClient.realm("test")).clientId("test-app").standardFlow(true).implicitFlow(true); oauth.client("test-app", "password"); oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN); - oauth.nonce(nonce); - oauth.doLogin("test-user@localhost", "password"); + oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password"); EventRepresentation loginEvent = events.expectLogin().assertEvent(); AuthorizationEndpointResponse authzResponse = oauth.parseLoginResponse(); 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/par/ParTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/par/ParTest.java index a65fcb510db..29dbf301cd2 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/par/ParTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/par/ParTest.java @@ -168,9 +168,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUri); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + String state = "testSuccessfulSinglePar"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(state, loginResponse.getState()); String code = loginResponse.getCode(); String sessionId =loginResponse.getSessionState(); @@ -247,9 +246,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUri); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + String state = "testSuccessfulSingleParPublicClient"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(state, loginResponse.getState()); String code = loginResponse.getCode(); String sessionId =loginResponse.getSessionState(); 
@@ -462,7 +460,7 @@ public class ParTest extends AbstractClientPoliciesTest { requestObject.setRedirectUriParam(CLIENT_REDIRECT_URI); requestObject.setScope("openid"); requestObject.setNonce(KeycloakModelUtils.generateId()); - requestObject.setState(oauth.stateParamRandom().getState()); + requestObject.setState("testRequestParameterPrecedenceOverOtherParameters"); byte[] contentBytes = JsonSerialization.writeValueAsBytes(requestObject); @@ -483,8 +481,7 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.responseType("code id_token"); oauth.redirectUri("http://invalid"); oauth.scope(null); - oauth.nonce("12345"); - ParResponse pResp = oauth.doPushedAuthorizationRequest(); + ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("12345").send(); assertEquals(201, pResp.getStatusCode()); String requestUri = pResp.getRequestUri(); assertEquals(requestUriLifespan, pResp.getExpiresIn()); @@ -493,12 +490,10 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.redirectUri("http://invalid"); oauth.responseType("invalid"); oauth.redirectUri(null); - oauth.nonce("12345"); oauth.request(null); oauth.requestUri(requestUri); - String wrongState = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(wrongState); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + String wrongState = "wrongState"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(wrongState).nonce("12345").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(requestObject.getState(), loginResponse.getState()); assertNotEquals(requestObject.getState(), wrongState); 
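Review bot: `assertNotEquals(requestObject.getState(), wrongState)` in the third hunk now compares two hard-coded literals (`"testRequestParameterPrecedenceOverOtherParameters"` from the first hunk and `"wrongState"`), so it can never fail; it was meaningful only while `wrongState` came from `stateParamRandom()`. Keep it as a guard against someone editing the two literals into agreement, but say so: `// guard: the two literals must stay different for the precedence assertion above to mean anything`. Note also that `nonce("12345")` is now sent both in the pushed request and again on the authorization request; if the point of the test is that the request object wins over query parameters, sending the same nonce twice does not exercise that for nonce.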
@@ -565,8 +560,7 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.responseType("code id_token"); oauth.redirectUri("http://invalid"); oauth.scope(null); - oauth.nonce("12345"); - ParResponse pResp = oauth.doPushedAuthorizationRequest(); + ParResponse pResp = oauth.pushedAuthorizationRequest().nonce("12345").send(); assertEquals(201, pResp.getStatusCode()); String requestUri = pResp.getRequestUri(); assertEquals(requestUriLifespan, pResp.getExpiresIn()); @@ -575,12 +569,10 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.redirectUri("http://invalid"); oauth.responseType("invalid"); oauth.redirectUri(null); - oauth.nonce("12345"); oauth.request(null); oauth.requestUri(requestUri); - String wrongState = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(wrongState); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + String wrongState = "wrongState"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(wrongState).nonce("12345").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertNull(loginResponse.getState()); assertNotEquals(requestObject.getState(), wrongState); @@ -632,9 +624,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUriTwo); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD); + String state = "testSuccessfulMultipleParBySameClient"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD); assertEquals(state, loginResponse.getState()); String code = loginResponse.getCode(); String sessionId =loginResponse.getSessionState(); 
@@ -664,9 +655,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUriOne); - state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + state = "testSuccessfulMultipleParBySameClient2"; + loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(state, loginResponse.getState()); code = loginResponse.getCode(); sessionId =loginResponse.getSessionState(); @@ -734,9 +724,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUriTwo); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD); + String state = "testSuccessfulMultipleParByMultipleClients"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER2_NAME, TEST_USER2_PASSWORD); assertEquals(state, loginResponse.getState()); String code = loginResponse.getCode(); String sessionId =loginResponse.getSessionState(); @@ -767,9 +756,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUriOne); - state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + state = "testSuccessfulMultipleParByMultipleClients2"; + loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(state, loginResponse.getState()); code = loginResponse.getCode(); sessionId =loginResponse.getSessionState(); 
@@ -817,9 +805,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(IMAGINARY_REQUEST_URI); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - oauth.openLoginForm(); + String state = "testFailureNotIssuedParUsed"; + oauth.loginForm().state(state).open(); AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse(); Assert.assertFalse(errorResponse.isRedirected()); } @@ -851,9 +838,8 @@ public class ParTest extends AbstractClientPoliciesTest { oauth.scope(null); oauth.responseType(null); oauth.requestUri(requestUri); - String state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); + String state = "testFailureParUsedTwice"; + AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD); assertEquals(state, loginResponse.getState()); String code = loginResponse.getCode(); @@ -864,9 +850,8 @@ public class ParTest extends AbstractClientPoliciesTest { // Authorization Request with request_uri of PAR // use same redirect_uri - state = oauth.stateParamRandom().getState(); - oauth.stateParamHardcoded(state); - oauth.openLoginForm(); + state = "testFailureParUsedTwice2"; + oauth.loginForm().state(state).open(); AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse(); Assert.assertFalse(errorResponse.isRedirected()); } 
@@ -911,9 +896,8 @@ public class ParTest extends AbstractClientPoliciesTest {
  oauth.scope(null);
  oauth.responseType(null);
  oauth.requestUri(requestUri);
- String state = oauth.stateParamRandom().getState();
- oauth.stateParamHardcoded(state);
- oauth.openLoginForm();
+ String state = "testFailureParUsedByOtherClient";
+ oauth.loginForm().state(state).open();
  AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
  Assert.assertFalse(errorResponse.isRedirected());
  }
@@ -975,9 +959,8 @@ public class ParTest extends AbstractClientPoliciesTest {
  oauth.scope(null);
  oauth.responseType(null);
  oauth.requestUri(requestUri);
- String state = oauth.stateParamRandom().getState();
- oauth.stateParamHardcoded(state);
- oauth.openLoginForm();
+ String state = "testFailureParExpired";
+ oauth.loginForm().state(state).open();
  AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
  Assert.assertFalse(errorResponse.isRedirected());
  }
@@ -1264,9 +1247,8 @@ public class ParTest extends AbstractClientPoliciesTest {
  oauth.scope(null);
  oauth.responseType(null);
  oauth.requestUri(requestUri);
- String state = oauth.stateParamRandom().getState();
- oauth.stateParamHardcoded(state);
- AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
+ String state = "doNormalAuthzProcess";
+ AuthorizationEndpointResponse loginResponse = oauth.loginForm().state(state).doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
  assertEquals(state, loginResponse.getState());
  String code = loginResponse.getCode();
  String sessionId =loginResponse.getSessionState();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenEncryptionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenEncryptionTest.java
index a88c5b48916..94dd6a5b4f8 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenEncryptionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenEncryptionTest.java
@@ -182,8 +182,7 @@ public class AuthorizationTokenEncryptionTest extends AbstractTestRealmKeycloakT
  // get authorization response
  oauth.responseMode("jwt");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  // parse JWE and JOSE Header
  String jweStr = response.getResponse();
@@ -279,9 +278,7 @@ public class AuthorizationTokenEncryptionTest extends AbstractTestRealmKeycloakT
  // get authorization response but failed
  oauth.responseMode("jwt");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
-
- AuthorizationEndpointResponse errorResponse = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse errorResponse = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  System.out.println(driver.getPageSource().contains("Unexpected error when handling authentication request to identity provider."));
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenResponseModeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenResponseModeTest.java
index 843a90f8201..47ca9308270 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenResponseModeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/AuthorizationTokenResponseModeTest.java
@@ -53,9 +53,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  @Test
  public void authorizationRequestQueryJWTResponseMode() throws Exception {
  oauth.responseMode(OIDCResponseMode.QUERY_JWT.value());
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -72,9 +71,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  public void authorizationRequestJWTResponseMode() throws Exception {
  // jwt response_mode. It should fallback to query.jwt
  oauth.responseMode("jwt");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -96,9 +94,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  @Test
  public void authorizationRequestFragmentJWTResponseMode() throws Exception {
  oauth.responseMode(OIDCResponseMode.FRAGMENT_JWT.value());
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -118,8 +115,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  @Test
  public void authorizationRequestFormPostJWTResponseMode() throws IOException {
  oauth.responseMode(OIDCResponseMode.FORM_POST_JWT.value());
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- oauth.doLogin("test-user@localhost", "password");
+ oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").doLogin("test-user@localhost", "password");
  String sources = driver.getPageSource();
  System.out.println(sources);
@@ -142,10 +138,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  // jwt response_mode. It should fallback to fragment.jwt when its hybrid flow
  oauth.responseMode("jwt");
  oauth.responseType("code id_token");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- oauth.nonce("123456");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").doLogin("test-user@localhost", "password");
  assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -173,10 +167,8 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  // jwt response_mode. It should fallback to fragment.jwt when its hybrid flow
  oauth.responseMode("jwt");
  oauth.responseType("token id_token");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- oauth.nonce("123456");
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").doLogin("test-user@localhost", "password");
  assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -206,9 +198,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  ClientManager.realm(adminClient.realm("test")).clientId("test-app").implicitFlow(true);
  oauth.responseMode("query.jwt");
  oauth.responseType("code id_token");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- oauth.nonce("123456");
- oauth.openLoginForm();
+ oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").open();
  AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(errorResponse.getResponse());
@@ -223,9 +213,7 @@ public class AuthorizationTokenResponseModeTest extends AbstractTestRealmKeycloa
  ClientManager.realm(adminClient.realm("test")).clientId("test-app").implicitFlow(true);
  oauth.responseMode("query.jwt");
  oauth.responseType("code id_token");
- oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
- oauth.nonce("123456");
- oauth.openLoginForm();
+ oauth.loginForm().state("OpenIdConnect.AuthenticationProperties=2302984sdlk").nonce("123456").open();
  AuthorizationEndpointResponse errorResponse = oauth.parseLoginResponse();
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(errorResponse.getResponse());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
index 3855b5a749b..16179150c3b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
@@ -149,7 +149,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void accessTokenFalseIntrospectionTrueTest() throws IOException {
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
  AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@@ -170,7 +169,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void accessTokenTrueIntrospectionFalseTest() throws IOException {
  ProtocolMappersResource protocolMappers = setProtocolMappers(true, false, true);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
  AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@@ -192,7 +190,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void accessTokenTrueIntrospectionTrueTest() throws IOException {
  ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, true);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
  AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@@ -213,7 +210,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void accessTokenTrueIntrospectionReturnedAsJwt() throws IOException {
  ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, true);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
  AccessTokenResponse response = browserLogin(TEST_USER_NAME, TEST_USER_PASSWORD).tokenResponse;
@@ -238,7 +234,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void offlineTokenTest() throws IOException {
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
  try {
- oauth.nonce("123456");
  oauth.scope("openid address offline_access");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@@ -263,7 +258,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void clientCredentialTest() throws Exception {
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, false);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@@ -286,7 +280,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  public void exchangeTest() throws Exception {
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
@@ -312,12 +305,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  setUseLightweightAccessTokenExecutor();
  ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, false, false);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
- AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
+ AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
  AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
  String accessToken = tokenResponse.getAccessToken();
  assertAccessToken(oauth.verifyToken(accessToken), true, false, true);
@@ -347,12 +339,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  setUseLightweightAccessTokenExecutor();
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true, false);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
- AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
+ AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
  AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
  String accessToken = tokenResponse.getAccessToken();
  logger.debug("access token:" + accessToken);
@@ -379,12 +370,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  alwaysUseLightWeightAccessToken(true);
  ProtocolMappersResource protocolMappers = setProtocolMappers(true, true, false, false);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
- AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
+ AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
  AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
  String accessToken = tokenResponse.getAccessToken();
  assertAccessToken(oauth.verifyToken(accessToken), true, false, true);
@@ -414,12 +404,11 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  alwaysUseLightWeightAccessToken(true);
  ProtocolMappersResource protocolMappers = setProtocolMappers(false, true, true, false);
  try {
- oauth.nonce("123456");
  oauth.scope("address");
  oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
- AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
+ AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
  AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
  String accessToken = tokenResponse.getAccessToken();
  logger.debug("access token:" + accessToken);
@@ -483,8 +472,6 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  removeDefaultBasicClientScope();
  alwaysUseLightWeightAccessToken(true);
  try {
- oauth.nonce("123456");
- oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);
  AccessTokenResponse response = oauth.doClientCredentialsGrantAccessTokenRequest();
  String accessToken = response.getAccessToken();
@@ -886,7 +873,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
  }
  private TokenResponseContext browserLogin(String username, String password) {
- AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin(username, password);
+ AuthorizationEndpointResponse authsEndpointResponse = oauth.loginForm().nonce("123456").doLogin(username, password);
  String userSessionId = authsEndpointResponse.getSessionState();
  AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode());
  return new TokenResponseContext(userSessionId, tokenResponse);
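Review bot: In the `@@ -483,8 +472,6` hunk the second removed line is `oauth.client(TEST_CLIENT, TEST_CLIENT_SECRET);`, not a nonce line, and the very next statement is `oauth.doClientCredentialsGrantAccessTokenRequest();` — every other hunk in this file keeps its `oauth.client(...)` call and only drops the nonce. Unless the client and secret are configured earlier in that test method (the method starts before the hunk, so this cannot be confirmed here), the client-credentials grant now runs against whatever client the fixture last configured and the assertions that follow check the wrong client's token. If the removal is intentional, a one-line comment at the top of the `try` block such as `// client credentials configured in <setup method>` would document where the client comes from. Separately, the last hunk makes `browserLogin` send `nonce("123456")` unconditionally, so every caller now gets that fixed nonce; a short Javadoc on the helper stating this would spare readers of the callers a search.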
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java
index 50974aeb3c3..996689b11c7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/NonceBackwardsCompatibleMapperTest.java
@@ -137,10 +137,9 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
  private void testNonceImplicit(boolean mapper) throws IOException {
  String nonce = KeycloakModelUtils.generateId();
- oauth.nonce(nonce);
  oauth.responseMode(OIDCResponseMode.JWT.value());
  oauth.responseType(OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN);
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password");
  Assert.assertTrue(response.isRedirected());
  AuthorizationResponseToken responseToken = oauth.verifyAuthorizationResponseToken(response.getResponse());
@@ -158,11 +157,10 @@ public class NonceBackwardsCompatibleMapperTest extends AbstractTestRealmKeycloa
  private void testNonce(boolean mapper, boolean offlineSession) throws IOException {
  String nonce = KeycloakModelUtils.generateId();
- oauth.nonce(nonce);
  if (offlineSession) {
  oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
  }
- oauth.doLogin("test-user@localhost", "password");
+ oauth.loginForm().nonce(nonce).doLogin("test-user@localhost", "password");
  EventRepresentation loginEvent = events.expectLogin().assertEvent();
  String code = oauth.parseLoginResponse().getCode();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index e39fb651c73..bfaadf7a66e 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -511,7 +511,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // REQUEST & REQUEST_URI
  @Test
  public void requestObjectNotRequiredNotProvided() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -520,7 +519,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request without request object
  // Assert that the request is accepted
- AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response.getCode());
  Assert.assertEquals("mystate2", response.getState());
  assertTrue(appPage.isCurrent());
@@ -528,7 +527,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectNotRequiredProvidedInRequestParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -542,7 +540,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object in "request" param
  oauth.request(oidcClientEndpointsResource.getOIDCRequest());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response1.getCode());
  Assert.assertEquals("mystate2", response1.getState());
  assertTrue(appPage.isCurrent());
@@ -550,7 +548,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectNotRequiredProvidedInRequestUriParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -564,7 +561,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object reference in "request_uri" param
  oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response2 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response2 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response2.getCode());
  Assert.assertEquals("mystate2", response2.getState());
  assertTrue(appPage.isCurrent());
@@ -572,7 +569,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredNotProvided() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -581,7 +577,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request without request object
  // Assert that the request is not accepted
- oauth.openLoginForm();
+ oauth.loginForm().state("mystate2").open();
  Assert.assertTrue(errorPage.isCurrent());
  assertEquals("Invalid Request", errorPage.getError());
@@ -592,7 +588,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredProvidedInRequestParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -606,7 +601,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object in "request" param
  oauth.request(oidcClientEndpointsResource.getOIDCRequest());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response1.getCode());
  Assert.assertEquals("mystate2", response1.getState());
  assertTrue(appPage.isCurrent());
@@ -620,7 +615,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  public void requestObjectSupersedesQueryParameter() {
  String stateInRequestObject = "stateInRequestObject";
  String stateInQueryParameter = "stateInQueryParameter";
- oauth.stateParamHardcoded(stateInQueryParameter);
+
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -634,7 +629,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object in "request" param
  oauth.request(oidcClientEndpointsResource.getOIDCRequest());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response1 = oauth.loginForm().state(stateInQueryParameter).doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response1.getCode());
  Assert.assertEquals(stateInRequestObject, response1.getState());
  assertTrue(appPage.isCurrent());
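Review bot: In the `@@ -620,7 +615,7` hunk the removed `oauth.stateParamHardcoded(stateInQueryParameter);` is replaced by an empty added line rather than dropped, which leaves a stray blank line between the two local declarations and the `// Set request object not required for client` comment; every sibling test in this file removes the old call outright, so this one should too. The second hunk keeps the test's intent — the query-parameter state is still sent via `.state(stateInQueryParameter)` and the assertion still expects `stateInRequestObject` to win — so no behavioural point there. The method `requestObjectSupersedesQueryParameter` starts in the first hunk and continues past the second.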
@@ -646,20 +641,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectClientIdAndResponseTypeTest() {
- oauth.stateParamHardcoded("some-state");
-
  // Test that "client_id" mandatory in the query even if set in the "request" object
  TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
  oidcClientEndpointsResource.setOIDCRequest("test", "test-app", oauth.getRedirectUri(), "10", "some-state", "none");
  oauth.request(oidcClientEndpointsResource.getOIDCRequest());
  oauth.clientId(null);
- oauth.openLoginForm();
+ oauth.loginForm().state("some-state").open();
  errorPage.assertCurrent();
  // Test that "response_type" mandatory in the query even if set in the "request" object
  oauth.clientId("test-app");
  oauth.responseType(null);
- oauth.openLoginForm();
+ oauth.loginForm().state("some-state").open();
  appPage.assertCurrent();
  AuthorizationEndpointResponse authorizationEndpointResponse = oauth.parseLoginResponse();
  Assert.assertEquals("invalid_request", authorizationEndpointResponse.getError());
@@ -668,13 +661,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Test that different "client_id" in the query and in the request object is disallowed
  oauth.clientId("test-app-scope");
  oauth.responseType(OAuth2Constants.CODE);
- oauth.openLoginForm();
+ oauth.loginForm().state("some-state").open();
  errorPage.assertCurrent();
  // Test that different "response_type" in the query and in the request object is disallowed
  oauth.clientId("test-app");
  oauth.responseType(OAuth2Constants.CODE + " " + OAuth2Constants.ID_TOKEN);
- oauth.openLoginForm();
+ oauth.loginForm().state("some-state").open();
  appPage.assertCurrent();
  oauth.responseMode("query"); // Keycloak falls back to query in this case
  authorizationEndpointResponse = oauth.parseLoginResponse();
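Review bot: The literal `"some-state"` is now written five times in `requestObjectClientIdAndResponseTypeTest` — once in the `setOIDCRequest(...)` call that builds the request object and once in each of the four new `.state("some-state")` calls in these two hunks (and in a further `.doLogin` call in the next hunk) — where the old code carried it in one `stateParamHardcoded` call. A single `String state = "some-state";` at the top of the method, used both in `setOIDCRequest(...)` and in `.state(state)`, would keep the query-parameter state and the request-object state from drifting apart when one of them is edited. The method starts in the first hunk and continues past the second.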
@@ -691,14 +684,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  oauth.request(requestObjectString);
  oauth.clientId("test-app");
  oauth.responseType(OAuth2Constants.CODE);
- AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response1 = oauth.loginForm().state("some-state").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response1.getCode());
  Assert.assertEquals("request-state", response1.getState());
  }
  @Test
  public void requestObjectRequiredProvidedInRequestUriParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -712,7 +704,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object reference in "request_uri" param
  oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response2 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response2 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response2.getCode());
  Assert.assertEquals("mystate2", response2.getState());
  assertTrue(appPage.isCurrent());
@@ -724,7 +716,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredAsRequestParamNotProvided() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -733,7 +724,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request without request object
  // Assert that the request is not accepted
- oauth.openLoginForm();
+ oauth.loginForm().state("mystate2").open();
  Assert.assertTrue(errorPage.isCurrent());
  assertEquals("Invalid Request", errorPage.getError());
@@ -744,7 +735,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredAsRequestParamProvidedInRequestParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -758,7 +748,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object in "request" param
  oauth.request(oidcClientEndpointsResource.getOIDCRequest());
  // Assert that the request is accepted
- AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password");
+ AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password");
  Assert.assertNotNull(response1.getCode());
  Assert.assertEquals("mystate2", response1.getState());
  assertTrue(appPage.isCurrent());
@@ -770,7 +760,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredAsRequestParamProvidedInRequestUriParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -784,7 +773,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request object reference in "request_uri" param
  oauth.requestUri(TestApplicationResourceUrls.clientRequestUri());
  // Assert that the request is accepted
- oauth.openLoginForm();
+ oauth.loginForm().state("mystate2").open();
  Assert.assertTrue(errorPage.isCurrent());
  assertEquals("Invalid Request", errorPage.getError());
@@ -795,7 +784,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredAsRequestUriParamNotProvided() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -804,7 +792,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  // Send request without request object
  // Assert that the request is not accepted
- oauth.openLoginForm();
+ oauth.loginForm().state("mystate2").open();
  Assert.assertTrue(errorPage.isCurrent());
  assertEquals("Invalid Request", errorPage.getError());
@@ -815,7 +803,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
  @Test
  public void requestObjectRequiredAsRequestUriParamProvidedInRequestParam() {
- oauth.stateParamHardcoded("mystate2");
  // Set request object not required for client
  ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
  ClientRepresentation clientRep = clientResource.toRepresentation();
@@ -829,7 +816,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest // Send request object in "request" param oauth.request(oidcClientEndpointsResource.getOIDCRequest()); // Assert that the request is not accepted - oauth.openLoginForm(); + oauth.loginForm().state("mystate2").open(); Assert.assertTrue(errorPage.isCurrent()); assertEquals("Invalid Request", errorPage.getError()); @@ -840,7 +827,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest @Test public void requestObjectRequiredAsRequestUriParamProvidedInRequestUriParam() { - oauth.stateParamHardcoded("mystate2"); // Set request object not required for client ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app"); ClientRepresentation clientRep = clientResource.toRepresentation(); @@ -854,7 +840,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest // Send request object reference in "request_uri" param oauth.requestUri(TestApplicationResourceUrls.clientRequestUri()); // Assert that the request is accepted - AuthorizationEndpointResponse response1 = oauth.doLogin("test-user@localhost", "password"); + AuthorizationEndpointResponse response1 = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password"); Assert.assertNotNull(response1.getCode()); Assert.assertEquals("mystate2", response1.getState()); assertTrue(appPage.isCurrent()); @@ -866,8 +852,6 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest @Test public void requestParamUnsigned() { - oauth.stateParamHardcoded("mystate2"); - String validRedirectUri = oauth.getRedirectUri(); TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints(); 
@@ -876,7 +860,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest String requestStr = oidcClientEndpointsResource.getOIDCRequest(); oauth.request(requestStr); - oauth.openLoginForm(); + oauth.loginForm().state("mystate2").open(); Assert.assertTrue(errorPage.isCurrent()); assertEquals("Invalid parameter: redirect_uri", errorPage.getError()); @@ -886,7 +870,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest requestStr = oidcClientEndpointsResource.getOIDCRequest(); oauth.request(requestStr); - AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password"); + AuthorizationEndpointResponse response = oauth.loginForm().state("mystate2").doLogin("test-user@localhost", "password"); Assert.assertNotNull(response.getCode()); Assert.assertEquals("mystate2", response.getState()); assertTrue(appPage.isCurrent()); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.java index a33bf27bcf0..c8b060749a7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/flows/AbstractOIDCResponseTypeTest.java @@ -128,8 +128,7 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc } protected void validateNonceNotUsedErrorExpected() { - oauth.nonce(null); - oauth.openLoginForm(); + oauth.loginForm().nonce(null).open(); assertFalse(loginPage.isCurrent()); assertTrue(appPage.isCurrent()); 
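Review bot: In the `@@ -128,8 +128,7 @@` hunk of AbstractOIDCResponseTypeTest, `oauth.loginForm().nonce(null).open()` exercises the intended "nonce not used" condition only if the builder omits a parameter whose value is null; should `parameter(...)` ever serialize it as `nonce=` or `nonce=null`, the server would see a (bogus) nonce and the expectation would pass or fail for the wrong reason. A one-line comment makes that dependency visible where it now lives: `// nonce(null) must leave the nonce parameter out of the URL entirely; an empty or literal value would be treated as a nonce`. The old code had the same dependency through the removed client field, so this is not a regression, but it is now a per-call contract rather than a client setting. The assertions shown only check that the browser landed on the app page instead of the login page; if the method continues past the hunk, that is presumably where the actual error code is verified.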
@@ -181,11 +180,7 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc protected EventRepresentation loginUser(String nonce) { - if (nonce != null) { - oauth.nonce(nonce); - } - - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).state("somestate").open(); loginPage.assertCurrent(); loginPage.login("test-user@localhost", "password"); @@ -195,15 +190,11 @@ public abstract class AbstractOIDCResponseTypeTest extends AbstractTestRealmKeyc } protected EventRepresentation loginUserWithRedirect(String nonce, String redirectUri) { - if (nonce != null) { - oauth.nonce(nonce); - } - if (redirectUri != null) { oauth.redirectUri(redirectUri); } - oauth.openLoginForm(); + oauth.loginForm().nonce(nonce).state("somestate").open(); loginPage.assertCurrent(); loginPage.login("test-user@localhost", "password");
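Review bot: `loginUser(String nonce)` previously left the client's nonce untouched when called with null and sent whatever state the removed client-level provider supplied; the new `oauth.loginForm().nonce(nonce).state("somestate").open()` instead passes null through to the builder and pins the state to a literal. Any subclass asserting on the echoed state would now depend on this magic string, so it belongs in a named constant, e.g. `protected static final String STATE = "somestate";`, used here and in `loginUserWithRedirect` in the next hunk. Passing null explicitly is correct only if the builder drops null-valued parameters, which the nonce-less error tests in this file also rely on; a short Javadoc line, `@param nonce the nonce to send, or null to send no nonce parameter at all`, documents that contract for callers. The method body continues past the hunk.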