Supporting OAuth 2.1 for public clients
closes keycloak#25316

Co-authored-by: shigeyuki kabano <[email protected]>
Signed-off-by: Takashi Norimatsu <[email protected]>
tnorimat and skabano committed Dec 18, 2023
1 parent ba8c22e commit 57d148a
Showing 2 changed files with 112 additions and 0 deletions.
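--- a/services/src/main/resources/keycloak-default-client-profiles.json
+++ b/services/src/main/resources/keycloak-default-client-profiles.json
@@ -284,6 +284,44 @@
 }
 }
 ]
+},
+{
+"name": "oauth-2-1-for-public-client",
+"description": "Client profile, which enforce public clients to conform 'OAuth 2.1' specification.",
+"executors": [
+{
+"executor": "secure-redirect-uris-enforcer",
+"configuration": {
+"allow-ipv4-loopback-address": "true",
+"allow-ipv6-loopback-address": "true",
+"allow-private-use-uri-scheme": "true"
+}
+},
+{
+"executor": "pkce-enforcer",
+"configuration": {
+"auto-configure": "true"
+}
+},
+{
+"executor": "dpop-bind-enforcer",
+"configuration": {
+"auto-configure": "true"
+}
+},
+{
+"executor": "reject-implicit-grant",
+"configuration": {
+"auto-configure": "true"
+}
+},
+{
+"executor": "reject-ropc-grant",
+"configuration": {
+"auto-configure": "true"
+}
+}
+]
 }
 ]
 }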
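Review bot: The profile's name and description say it targets public clients, but nothing in the profile itself restricts it to them: a client profile only takes effect through a client policy, so enforcement for public clients presumably depends on a policy that binds this profile under a client-access-type condition, which this commit does not add — worth confirming such a policy exists or documenting that administrators must create one. The description string also reads awkwardly; I would change it to `"description": "Client profile, which enforces public clients to conform to the 'OAuth 2.1' specification."`. The dpop-bind-enforcer entry goes beyond what OAuth 2.1 itself requires of public clients (sender-constrained tokens are recommended there rather than mandated), so a public client that does not implement DPoP will be rejected under this profile; if that is intended, the description should say so.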
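--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>/OAuth2_1PublicClientTest.java
@@ -0,0 +1,74 @@
+/*
+* Copyright 2023 Red Hat, Inc. and/or its affiliates
+* and other contributors as indicated by the @author tags.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+*/
+
+package org.keycloak.testsuite.client;
+
+import org.junit.Test;
+
+public class OAuth2_1PublicClientTest extends AbstractFAPITest {
+
+@Test
+public void testOAuth2_1NotAllowImplicitGrant() throws Exception {
+// TODO
+// token request by implicit grant
+}
+
+@Test
+public void testOAuth2_1NotAllowResourceOwnerPasswordCredentialsGrant() throws Exception {
+// TODO
+// token request by resource owner password credentials grant - fail
+}
+
+@Test
+public void testOAuth2_1ProofKeyForCodeExchange() throws Exception {
+// TODO
+// registration (auto-config) - success
+// update (auto-config) - success
+// authorization request - fail
+// authorization request - success, token request - fail
+// authorization request - success, token request - success
+}
+
+@Test
+public void testOAuth2_1RedirectUris() throws Exception {
+// TODO
+// registration with invalid redirect_uri - fail
+// registration with valid redirect_uri- success
+// update with invalid redirect_uri - fail
+// update with valid redirect_uri - success
+// authorization with invalid redirect_uri request - fail
+// authorization with valid redirect_uri request - success
+}
+
+@Test
+public void testOAuth2_1DPoPSenderConstrainedToken() throws Exception {
+// TODO
+// registration (auto-config) - success
+// update (auto-config) with disabling DPoP - success
+// authorization request - success
+// token request without DPoP Proof - fail
+// token request with DPoP Proof - success
+// token refresh request with DPoP Proof by other key - fail
+// token refresh request with DPoP Proof by the same key - success
+// userinfo request without DPoP Proof - fail
+// userinfo request with DPoP Proof by the same key - success
+// token revocation without DPoP Proof - fail
+// token revocation with DPoP Proof by the same key - success
+}
+
+}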
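Review bot: Every @Test method in OAuth2_1PublicClientTest is an empty stub carrying only a `// TODO` comment, so the suite reports five passing tests while exercising none of the new profile's executors (implicit grant, ROPC, PKCE, redirect URIs, DPoP). A silently green placeholder hides the missing coverage; either mark each stub `@Ignore("TODO: not yet implemented")` (JUnit 4, matching the `org.junit.Test` import) or end each body with `fail("not yet implemented");` until the listed scenarios are written. The class extends AbstractFAPITest, whose setup lies outside this diff, so whether it already enables the oauth-2-1-for-public-client profile cannot be checked here.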
