From 214e69fb701e3d1c9d608d41e4b1aab5071edac0 Mon Sep 17 00:00:00 2001
From: Andriy Redko
Date: Tue, 12 May 2026 19:07:29 -0400
Subject: [PATCH] CXF-9161: Some of the OIDCFlowTest fail with timeout (JPA only) when HttpClient instance is shared
Signed-off-by: Andriy Redko
---
 .../jaxrs/security/oidc/OIDCFlowTest.java | 1429 +++++++++--------
 1 file changed, 748 insertions(+), 681 deletions(-)
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
index cd03952ea73..79d69a90f68 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java
@@ -126,7 +126,7 @@ public static Object[][] data() {
 return new Object[][]{
 new Object[] {JCACHE_SERVER.getPort(), Map.of()},
 new Object[] {JWT_JCACHE_SERVER.getPort(), Map.of()},
- new Object[] {JPA_SERVER.getPort(), Map.of("share.httpclient.http.conduit", false)},
+ new Object[] {JPA_SERVER.getPort(), Map.of()},
 new Object[] {JWT_NON_PERSIST_JCACHE_SERVER.getPort(), Map.of()}
 };
 }
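Review bot: Dropping `share.httpclient.http.conduit=false` from the JPA row leaves no trace in data() of why the JPA server once needed special handling, while the actual fix now lives in the per-test try-with-resources blocks further down the file. A one-line comment on the JPA row, such as `// CXF-9161: clients are closed after each step below, so the shared HttpClient conduit no longer has to be disabled for JPA`, would keep the next maintainer from re-adding the workaround when a timeout resurfaces. With every row now passing `Map.of()`, the properties column is unused by the rows in this hunk; if nothing else populates it, the column and its consumer could be dropped, though that consumer is outside the hunk. data() itself starts before the hunk.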
@@ -134,31 +134,34 @@ public static Object[][] data() { @org.junit.Test public void testAuthorizationCodeFlow() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); - assertNotNull(code); + String code = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, 
null); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } 
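Review bot: `String code = null;` at the top of testAuthorizationCodeFlow exists only so the value outlives the first try-with-resources block, and the null sentinel hides the definite-assignment check the compiler could do for free. Declaring it `final String code;` with no initializer still compiles, because the only assignment is `code = OAuth2TestUtils.getAuthorizationCode(client, "openid");` inside a try block that has no catch or finally, and it guarantees the token request below can never run with an unassigned code. The same `= null` pattern is repeated for `code`, `idToken` and `accessToken` in the converted tests of the following hunks; presumably the author chose it for uniformity, but the final form documents the intent better. This method lies entirely within the hunk.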
@@ -167,44 +170,46 @@ public void testAuthorizationCodeFlow() throws Exception { @org.junit.Test public void testAuthorizationCodeFlowPOST() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Make initial authorization request - client.type("application/x-www-form-urlencoded"); - - client.path("authorize/"); + String code = null; - Form form = new Form(); - form.param("client_id", "consumer-id"); - form.param("scope", "openid"); - form.param("redirect_uri", "http://www.blah.apache.org"); - form.param("response_type", "code"); - Response response = client.post(form); - - OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); - String location = OAuth2TestUtils.getLocation(client, authzData, null); - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Make initial authorization request + client.type("application/x-www-form-urlencoded"); + + client.path("authorize/"); + + Form form = new Form(); + form.param("client_id", "consumer-id"); + form.param("scope", "openid"); + form.param("redirect_uri", "http://www.blah.apache.org"); + form.param("response_type", "code"); + try (Response response = client.post(form)) { + OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); + String location = OAuth2TestUtils.getLocation(client, authzData, null); + code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + } + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } 
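Review bot: In the new `try (Response response = client.post(form))` block of testAuthorizationCodeFlowPOST, `response.readEntity(OAuthAuthorizationData.class)` runs without checking the status, so a 4xx/5xx from `authorize/` shows up as a deserialization failure or a NullPointerException inside getLocation instead of a clear assertion naming the status. Adding `assertEquals(200, response.getStatus());` as the first statement of that block (static-importing Assert.assertEquals if the file does not already) makes the failure mode explicit now that the response is scoped and closed here. The same gap exists in the Response blocks of testAuthorizationCodeFlowWithRefresh, testImplicitFlow and testImplicitFlowPOST in the following hunks, where readEntity or `response.getHeaderString("Location")` is consulted without first asserting the expected success or redirect status. This method lies entirely within the hunk.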
@@ -212,298 +217,326 @@ public void testAuthorizationCodeFlowPOST() throws Exception { @org.junit.Test public void testAuthorizationCodeOAuth() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + String code = null; - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance"); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - // We should not have an IdToken here - String idToken = accessToken.getParameters().get("id_token"); - assertNull(idToken); - assertFalse(accessToken.getApprovedScope().contains("openid")); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + // We should not have an IdToken here + String idToken = accessToken.getParameters().get("id_token"); + assertNull(idToken); + 
assertFalse(accessToken.getApprovedScope().contains("openid")); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testAuthorizationCodeFlowWithNonce() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id", - "123456789", null); - assertNotNull(code); + String code = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id", + "123456789", null); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, "123456789"); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + 
assertTrue(accessToken.getApprovedScope().contains("openid")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, "123456789"); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testAuthorizationCodeFlowWithScope() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + String code = null; - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid read_balance"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid read_balance"); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - assertTrue(accessToken.getApprovedScope().contains("read_balance")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + assertTrue(accessToken.getApprovedScope().contains("read_balance")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testAuthorizationCodeFlowWithRefresh() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); - assertNotNull(code); + String code = null; + String idToken = null; + ClientAccessToken accessToken = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); + assertNotNull(code); + } + // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - assertNotNull(accessToken.getRefreshToken()); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - // Refresh the access token - client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "consumer-id", "this-is-a-secret", null); - client.path("token"); - client.type("application/x-www-form-urlencoded").accept("application/json"); - - Form form = new Form(); - form.param("grant_type", "refresh_token"); - form.param("refresh_token", accessToken.getRefreshToken()); - form.param("client_id", "consumer-id"); - form.param("scope", "openid"); - Response response = client.post(form); - - accessToken = response.readEntity(ClientAccessToken.class); - assertNotNull(accessToken.getTokenKey()); - assertNotNull(accessToken.getRefreshToken()); - assertNotNull(accessToken.getParameters().get("id_token")); - assertNotNull(idToken); - - if 
(isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + assertNotNull(accessToken.getRefreshToken()); + + idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + } + + // Refresh the access token + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "consumer-id", "this-is-a-secret", null)) { + client.path("token"); + client.type("application/x-www-form-urlencoded").accept("application/json"); + + Form form = new Form(); + form.param("grant_type", "refresh_token"); + form.param("refresh_token", accessToken.getRefreshToken()); + form.param("client_id", "consumer-id"); + form.param("scope", "openid"); + try (Response response = client.post(form)) { + accessToken = response.readEntity(ClientAccessToken.class); + + assertNotNull(accessToken.getTokenKey()); + assertNotNull(accessToken.getRefreshToken()); + assertNotNull(accessToken.getParameters().get("id_token")); + assertNotNull(idToken); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } + } } } @org.junit.Test public void testAuthorizationCodeFlowWithState() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + String code = null; - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id", - null, "123456789"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id", + null, "123456789"); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testAuthorizationCodeFlowWithAudience() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = 
WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + String code = null; - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id-aud", - null, null); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid", "consumer-id-aud", + null, null); + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id-aud", "this-is-a-secret", null); - - String audience = "https://localhost:" + port + "/secured/bookstore/books"; - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id-aud", audience); - assertNotNull(accessToken.getTokenKey()); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id-aud", "this-is-a-secret", null)) { + String audience = "https://localhost:" + port + "/secured/bookstore/books"; + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id-aud", audience); + assertNotNull(accessToken.getTokenKey()); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testAuthorizationCodeFlowWithPKCE() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, 
OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope(OidcUtils.OPENID_SCOPE); - parameters.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE); - parameters.setPath("authorize/"); String codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32)); - CodeVerifierTransformer transformer = new DigestCodeVerifier(); - parameters.setCodeChallenge(transformer.transformCodeVerifier(codeVerifier)); - parameters.setCodeChallengeMethod(transformer.getChallengeMethod()); + String code = null; - String location = OAuth2TestUtils.getLocation(client, parameters); - String code = OAuth2TestUtils.getSubstring(location, "code"); - - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope(OidcUtils.OPENID_SCOPE); + parameters.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE); + parameters.setPath("authorize/"); + CodeVerifierTransformer transformer = new DigestCodeVerifier(); + parameters.setCodeChallenge(transformer.transformCodeVerifier(codeVerifier)); + parameters.setCodeChallengeMethod(transformer.getChallengeMethod()); + + String location = OAuth2TestUtils.getLocation(client, parameters); + code = OAuth2TestUtils.getSubstring(location, "code"); + + assertNotNull(code); + } // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier); - assertNotNull(accessToken.getTokenKey()); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier); + assertNotNull(accessToken.getTokenKey()); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testImplicitFlow() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Access Token - client.type("application/json").accept("application/json"); - client.query("client_id", "consumer-id"); - client.query("redirect_uri", "http://www.blah.apache.org"); - client.query("scope", "openid"); - client.query("response_type", "id_token token"); - client.query("nonce", "123456789"); - client.path("authorize-implicit/"); - Response response = client.get(); - - OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); - - // Now call "decision" to get the access token - client.path("decision"); - client.type("application/x-www-form-urlencoded"); - - Form form = new Form(); - form.param("session_authenticity_token", authzData.getAuthenticityToken()); - form.param("client_id", authzData.getClientId()); - form.param("redirect_uri", authzData.getRedirectUri()); - form.param("scope", authzData.getProposedScope()); - if (authzData.getResponseType() != null) { - form.param("response_type", authzData.getResponseType()); - } - if (authzData.getNonce() != null) { - form.param("nonce", authzData.getNonce()); - } - form.param("oauthDecision", "allow"); - - response = client.post(form); - - String location = response.getHeaderString("Location"); - - // Check Access Token - String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); - assertNotNull(accessToken); - - // Check IdToken - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - JwtToken jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); - assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); - OidcUtils.validateAccessTokenHash(accessToken, jwt, true); - - if (isAccessTokenInJWTFormat()) { - 
validateAccessToken(accessToken); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Access Token + client.type("application/json").accept("application/json"); + client.query("client_id", "consumer-id"); + client.query("redirect_uri", "http://www.blah.apache.org"); + client.query("scope", "openid"); + client.query("response_type", "id_token token"); + client.query("nonce", "123456789"); + client.path("authorize-implicit/"); + + OAuthAuthorizationData authzData = null; + try (Response response = client.get()) { + authzData = response.readEntity(OAuthAuthorizationData.class); + } + + // Now call "decision" to get the access token + client.path("decision"); + client.type("application/x-www-form-urlencoded"); + + Form form = new Form(); + form.param("session_authenticity_token", authzData.getAuthenticityToken()); + form.param("client_id", authzData.getClientId()); + form.param("redirect_uri", authzData.getRedirectUri()); + form.param("scope", authzData.getProposedScope()); + if (authzData.getResponseType() != null) { + form.param("response_type", authzData.getResponseType()); + } + if (authzData.getNonce() != null) { + form.param("nonce", authzData.getNonce()); + } + form.param("oauthDecision", "allow"); + + try (Response response = client.post(form)) { + String location = response.getHeaderString("Location"); + + // Check Access Token + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + + // Check IdToken + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + 
assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); + OidcUtils.validateAccessTokenHash(accessToken, jwt, true); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken); + } + } } } 
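Review bot: In testAuthorizationCodeFlowWithRefresh the id_token issued on refresh is only null-checked: after `accessToken = response.readEntity(ClientAccessToken.class);` the block asserts `accessToken.getParameters().get("id_token")` is non-null and then re-asserts the outer `idToken`, which holds the first grant's token and was already validated above, so the refreshed ID token never goes through validateIdToken. Replacing the redundant `assertNotNull(idToken);` with `validateIdToken(accessToken.getParameters().get("id_token"), null);` puts the refreshed token through the same signature and claims checks as the original (the second argument is presumably the expected nonce, as in the `"123456789"` call elsewhere; confirm against validateIdToken, which is outside this hunk). The hunk spans several test methods; this one lies entirely within it.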
@@ -512,449 +545,478 @@ public void testImplicitFlow() throws Exception { @org.junit.Test public void testImplicitFlowPOST() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Access Token - client.type("application/x-www-form-urlencoded"); - - client.path("authorize-implicit/"); - - Form form = new Form(); - form.param("client_id", "consumer-id"); - form.param("scope", "openid"); - form.param("redirect_uri", "http://www.blah.apache.org"); - form.param("response_type", "id_token token"); - form.param("nonce", "123456789"); - Response response = client.post(form); - - OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); - - // Now call "decision" to get the access token - client.path("decision"); - client.type("application/x-www-form-urlencoded"); - - form = new Form(); - form.param("session_authenticity_token", authzData.getAuthenticityToken()); - form.param("client_id", authzData.getClientId()); - form.param("redirect_uri", authzData.getRedirectUri()); - form.param("scope", authzData.getProposedScope()); - if (authzData.getResponseType() != null) { - form.param("response_type", authzData.getResponseType()); - } - if (authzData.getNonce() != null) { - form.param("nonce", authzData.getNonce()); - } - form.param("oauthDecision", "allow"); - - response = client.post(form); - - String location = response.getHeaderString("Location"); - - // Check Access Token - String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); - assertNotNull(accessToken); - - // Check IdToken - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - 
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - JwtToken jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); - assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); - OidcUtils.validateAccessTokenHash(accessToken, jwt, true); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Access Token + client.type("application/x-www-form-urlencoded"); + + client.path("authorize-implicit/"); + + Form form = new Form(); + form.param("client_id", "consumer-id"); + form.param("scope", "openid"); + form.param("redirect_uri", "http://www.blah.apache.org"); + form.param("response_type", "id_token token"); + form.param("nonce", "123456789"); + + OAuthAuthorizationData authzData = null; + try (Response response = client.post(form)) { + authzData = response.readEntity(OAuthAuthorizationData.class); + } + + // Now call "decision" to get the access token + client.path("decision"); + client.type("application/x-www-form-urlencoded"); + + form = new Form(); + form.param("session_authenticity_token", authzData.getAuthenticityToken()); + form.param("client_id", authzData.getClientId()); + form.param("redirect_uri", authzData.getRedirectUri()); + form.param("scope", authzData.getProposedScope()); + if (authzData.getResponseType() != null) { + form.param("response_type", authzData.getResponseType()); + } + if (authzData.getNonce() != null) { + form.param("nonce", authzData.getNonce()); + } + form.param("oauthDecision", "allow"); + + try (Response response = client.post(form)) { + String location = response.getHeaderString("Location"); + + // Check Access Token + String accessToken = 
OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + + // Check IdToken + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); + OidcUtils.validateAccessTokenHash(accessToken, jwt, true); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken); + } + } } } @org.junit.Test public void testImplicitFlowNoAccessToken() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Access Token - client.type("application/json").accept("application/json"); - client.query("client_id", "consumer-id"); - client.query("redirect_uri", "http://www.blah.apache.org"); - client.query("scope", "openid"); - client.query("response_type", "id_token"); - client.query("nonce", "123456789"); - client.path("authorize-implicit/"); - Response response = client.get(); - - OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); - - // Now call "decision" to get the access token - client.path("decision"); - client.type("application/x-www-form-urlencoded"); - - Form form = new Form(); - form.param("session_authenticity_token", authzData.getAuthenticityToken()); - form.param("client_id", authzData.getClientId()); - form.param("redirect_uri", authzData.getRedirectUri()); - form.param("scope", authzData.getProposedScope()); - if (authzData.getResponseType() != null) { - 
form.param("response_type", authzData.getResponseType()); - } - if (authzData.getNonce() != null) { - form.param("nonce", authzData.getNonce()); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Access Token + client.type("application/json").accept("application/json"); + client.query("client_id", "consumer-id"); + client.query("redirect_uri", "http://www.blah.apache.org"); + client.query("scope", "openid"); + client.query("response_type", "id_token"); + client.query("nonce", "123456789"); + client.path("authorize-implicit/"); + + OAuthAuthorizationData authzData = null; + try (Response response = client.get()) { + authzData = response.readEntity(OAuthAuthorizationData.class); + } + + // Now call "decision" to get the access token + client.path("decision"); + client.type("application/x-www-form-urlencoded"); + + Form form = new Form(); + form.param("session_authenticity_token", authzData.getAuthenticityToken()); + form.param("client_id", authzData.getClientId()); + form.param("redirect_uri", authzData.getRedirectUri()); + form.param("scope", authzData.getProposedScope()); + if (authzData.getResponseType() != null) { + form.param("response_type", authzData.getResponseType()); + } + if (authzData.getNonce() != null) { + form.param("nonce", authzData.getNonce()); + } + form.param("oauthDecision", "allow"); + + try (Response response = client.post(form)) { + String location = response.getHeaderString("Location"); + + // Check Access Token - it should not be present + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNull(accessToken); + + // Check IdToken + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + 
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + assertNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); + } } - form.param("oauthDecision", "allow"); - - response = client.post(form); - - String location = response.getHeaderString("Location"); - - // Check Access Token - it should not be present - String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); - assertNull(accessToken); - - // Check IdToken - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - - JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - JwtToken jwt = jwtConsumer.getJwtToken(); - assertNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); - assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); } @org.junit.Test public void testHybridCodeIdToken() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - WebClient.getConfig(client).getHttpConduit().getClient().setReceiveTimeout(100000000); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get location - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope("openid"); - parameters.setNonce("123456789"); - parameters.setResponseType("code id_token"); - parameters.setPath("authorize-hybrid/"); - - String location = OAuth2TestUtils.getLocation(client, parameters); - assertNotNull(location); - - // Check code - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); - - // Check id_token - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNotNull(idToken); - validateIdToken(idToken, "123456789"); - // check the code hash is returned from the implicit authorization endpoint - JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - JwtToken jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); - + String idToken = null; + String code = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + WebClient.getConfig(client).getHttpConduit().getClient().setReceiveTimeout(100000000); + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setNonce("123456789"); + parameters.setResponseType("code id_token"); + parameters.setPath("authorize-hybrid/"); + + String location = OAuth2TestUtils.getLocation(client, parameters); + assertNotNull(location); + + // Check code + code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check id_token + idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, "123456789"); + // check the code hash is returned from the implicit authorization endpoint + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); + } + // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - // Check id_token from the token endpoint - idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - // check the code hash is returned from the token endpoint - jwtConsumer = new JwsJwtCompactConsumer(idToken); - jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + 
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + // Check id_token from the token endpoint + idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + // check the code hash is returned from the token endpoint + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testHybridCodeToken() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get location - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope("openid"); - parameters.setNonce("123456789"); - parameters.setResponseType("code token"); - parameters.setPath("authorize-hybrid/"); - - String location = OAuth2TestUtils.getLocation(client, parameters); - assertNotNull(location); - - // Check code - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); - - // Check id_token - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNull(idToken); - - // Check Access Token - String implicitAccessToken = OAuth2TestUtils.getSubstring(location, "access_token"); - assertNotNull(implicitAccessToken); - - idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNull(idToken); - - // Now get the access token with the code - 
client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - // Check id_token from the token endpoint - idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); - validateIdToken(idToken, null); - // check the code hash is returned from the token endpoint - JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - // returning c_hash in the id_token returned after exchanging the code is optional - assertNull(jwtConsumer.getJwtClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken.getTokenKey()); + String idToken = null; + String code = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setNonce("123456789"); + parameters.setResponseType("code token"); + parameters.setPath("authorize-hybrid/"); + + String location = OAuth2TestUtils.getLocation(client, parameters); + assertNotNull(location); + + // Check code + code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check id_token + idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNull(idToken); + + // Check Access Token + String implicitAccessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(implicitAccessToken); + + idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNull(idToken); + } + + // Now get the access token with the code + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + // Check id_token from the token endpoint + idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + // check the code hash is returned from the token endpoint + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + // returning c_hash in the id_token returned after exchanging the code is optional + assertNull(jwtConsumer.getJwtClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken.getTokenKey()); + } } } @org.junit.Test public void testHybridCodeIdTokenToken() throws Exception { String address = "https://localhost:" + 
port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get location - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope("openid"); - parameters.setNonce("123456789"); - parameters.setResponseType("code id_token token"); - parameters.setPath("authorize-hybrid/"); - - String location = OAuth2TestUtils.getLocation(client, parameters); - assertNotNull(location); - - // Check code - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); - - // Check id_token - String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); - assertNotNull(idToken); - validateIdToken(idToken, "123456789"); - - // check the code hash is returned from the implicit authorization endpoint - JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); - JwtToken jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); - - // Check Access Token - String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); - assertNotNull(accessToken); - - jwtConsumer = new JwsJwtCompactConsumer(idToken); - jwt = jwtConsumer.getJwtToken(); - assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); - OidcUtils.validateAccessTokenHash(accessToken, jwt, true); - assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); - - if (isAccessTokenInJWTFormat()) { - validateAccessToken(accessToken); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get location + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setNonce("123456789"); + parameters.setResponseType("code id_token token"); + parameters.setPath("authorize-hybrid/"); + + String location = OAuth2TestUtils.getLocation(client, parameters); + assertNotNull(location); + + // Check code + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + + // Check id_token + String idToken = OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, "123456789"); + + // check the code hash is returned from the implicit authorization endpoint + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); + + // Check Access Token + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNotNull(accessToken); + + jwtConsumer = new JwsJwtCompactConsumer(idToken); + jwt = jwtConsumer.getJwtToken(); + assertNotNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + OidcUtils.validateAccessTokenHash(accessToken, jwt, true); + assertNotNull(jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM)); + + if (isAccessTokenInJWTFormat()) { + validateAccessToken(accessToken); + } } } @org.junit.Test public void testAuthorizationCodeFlowUnsignedJWT() throws Exception { String address = "https://localhost:" + port + "/unsignedjwtservices/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - JwtClaims claims = new JwtClaims(); - claims.setIssuer("consumer-id"); - claims.setIssuedAt(Instant.now().getEpochSecond()); - claims.setAudiences( - Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/")); - - JwsHeaders headers = new JwsHeaders(); - headers.setAlgorithm("none"); - - JwtToken token = new JwtToken(headers, claims); - - JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); - String request = jws.getSignedEncodedJws(); - - // Get Authorization Code - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope("openid"); - parameters.setResponseType("code"); - parameters.setPath("authorize/"); - parameters.setRequest(request); - - String location = OAuth2TestUtils.getLocation(client, parameters); - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + JwtClaims claims = new JwtClaims(); + claims.setIssuer("consumer-id"); + claims.setIssuedAt(Instant.now().getEpochSecond()); + claims.setAudiences( + Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/")); + + JwsHeaders headers = new JwsHeaders(); + headers.setAlgorithm("none"); + + JwtToken token = new JwtToken(headers, claims); + + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); + String request = jws.getSignedEncodedJws(); + + // Get Authorization Code + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setResponseType("code"); + parameters.setPath("authorize/"); + parameters.setRequest(request); + + String location = OAuth2TestUtils.getLocation(client, parameters); + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + } } @org.junit.Test public void testAuthorizationCodeFlowUnsignedJWTWithState() throws Exception { String address = "https://localhost:" + port + "/unsignedjwtservices/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - JwtClaims claims = new JwtClaims(); - claims.setIssuer("consumer-id"); - claims.setIssuedAt(Instant.now().getEpochSecond()); - claims.setAudiences( - Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/")); - - JwsHeaders headers = new JwsHeaders(); - headers.setAlgorithm("none"); - - JwtToken token = new JwtToken(headers, claims); - - JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); - String request = jws.getSignedEncodedJws(); - - // Get Authorization Code - AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); - parameters.setConsumerId("consumer-id"); - parameters.setScope("openid"); - parameters.setResponseType("code"); - parameters.setPath("authorize/"); - parameters.setState("123456789"); - parameters.setRequest(request); - - String location = OAuth2TestUtils.getLocation(client, parameters); - String code = OAuth2TestUtils.getSubstring(location, "code"); - assertNotNull(code); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + JwtClaims claims = new JwtClaims(); + claims.setIssuer("consumer-id"); + claims.setIssuedAt(Instant.now().getEpochSecond()); + claims.setAudiences( + Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/")); + + JwsHeaders headers = new JwsHeaders(); + headers.setAlgorithm("none"); + + JwtToken token = new JwtToken(headers, claims); + + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); + String request = jws.getSignedEncodedJws(); + + // Get Authorization Code + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setResponseType("code"); + parameters.setPath("authorize/"); + parameters.setState("123456789"); + parameters.setRequest(request); + + String location = OAuth2TestUtils.getLocation(client, parameters); + String code = OAuth2TestUtils.getSubstring(location, "code"); + assertNotNull(code); + } } @org.junit.Test public void testGetKeys() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - client.accept("application/json"); - - client.path("keys/"); - Response response = client.get(); - JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); - - assertEquals(1, jsonWebKeys.getKeys().size()); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + client.accept("application/json"); + + client.path("keys/"); + try (Response response = client.get()) { + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertEquals(1, jsonWebKeys.getKeys().size()); + } + } } @org.junit.Test public void testAuthorizationCodeFlowWithKey() throws Exception { String address = 
"https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... - WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); - assertNotNull(code); - - // Now get the access token - client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - String idToken = accessToken.getParameters().get("id_token"); - assertNotNull(idToken); + String code = null; + String idToken = null; + + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); + assertNotNull(code); + } + + // Now get the access token + try (WebClient client = WebClient.create(address, "consumer-id", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + } JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + // Now get the key to validate the token - client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - client.accept("application/json"); - - client.path("keys/"); - Response response = client.get(); - JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); - - assertTrue(jwtConsumer.verifySignatureWith(jsonWebKeys.getKeys().get(0), - SignatureAlgorithm.RS256)); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + client.accept("application/json"); + + client.path("keys/"); + try (Response response = client.get()) { + JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class); + + assertTrue(jwtConsumer.verifySignatureWith(jsonWebKeys.getKeys().get(0), + SignatureAlgorithm.RS256)); + } + } } @org.junit.Test public void testAuthorizationCodeFlowRefreshToken() throws Exception { String address = "https://localhost:" + port + "/services/"; - WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), - "alice", "security", null); - // Save the Cookie for the second request... 
- WebClient.getConfig(client).getRequestContext().put( - org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); - - // Get Authorization Code - String code = OAuth2TestUtils.getAuthorizationCode(client, - String.join(" ", OidcUtils.getOpenIdScope(), OAuthConstants.REFRESH_TOKEN_SCOPE), - "consumer-id-oidc"); - assertNotNull(code); - - // Now get the access token - client = WebClient.create(address, "consumer-id-oidc", "this-is-a-secret", null); - - ClientAccessToken accessToken = - OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id-oidc", null); - assertNotNull(accessToken.getTokenKey()); - assertTrue(accessToken.getApprovedScope().contains("openid")); - - IdToken idToken = getIdToken(accessToken, address + "keys/", "consumer-id-oidc"); - assertNotNull(idToken); - Long issuedAt = idToken.getIssuedAt(); - - TimeUnit.SECONDS.sleep(1L); + String code = null; - accessToken = OAuthClientUtils.refreshAccessToken( - client, - new Consumer("consumer-id-oidc"), - accessToken); - idToken = getIdToken(accessToken, address + "keys/", "consumer-id-oidc"); + try (WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", null)) { + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + code = OAuth2TestUtils.getAuthorizationCode(client, + String.join(" ", OidcUtils.getOpenIdScope(), OAuthConstants.REFRESH_TOKEN_SCOPE), + "consumer-id-oidc"); + assertNotNull(code); + } - assertNotEquals(issuedAt, idToken.getIssuedAt()); + // Now get the access token + try (WebClient client = WebClient.create(address, "consumer-id-oidc", "this-is-a-secret", null)) { + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id-oidc", null); + assertNotNull(accessToken.getTokenKey()); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + IdToken idToken = getIdToken(accessToken, address + "keys/", "consumer-id-oidc"); + assertNotNull(idToken); + Long issuedAt = idToken.getIssuedAt(); + + TimeUnit.SECONDS.sleep(1L); + + accessToken = OAuthClientUtils.refreshAccessToken( + client, + new Consumer("consumer-id-oidc"), + accessToken); + idToken = getIdToken(accessToken, address + "keys/", "consumer-id-oidc"); + + assertNotEquals(issuedAt, idToken.getIssuedAt()); + } } @org.junit.Test 
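Review bot: In testImplicitFlowPOST and testImplicitFlowNoAccessToken the authorization request sends `nonce` "123456789", but the returned id_token is checked with `validateIdToken(idToken, null)` and only `assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM))`, so the nonce echoed in the token is never compared with the one that was sent and a mismatched nonce would go unnoticed by the test. The hybrid tests in the same hunk call `validateIdToken(idToken, "123456789")`; if that second argument is the expected nonce, as those calls suggest, the two implicit tests should use `validateIdToken(idToken, "123456789");` as well. testHybridCodeToken extracts and null-checks `id_token` from the location twice in a row; one of the two `idToken = OAuth2TestUtils.getSubstring(location, "id_token"); assertNull(idToken);` pairs can be dropped. testHybridCodeIdToken is the only test that sets `setReceiveTimeout(100000000)` (roughly 28 hours) on its client, and nothing in the hunk says why; a one-line comment above that call explaining what this test waits on, or removing it if it was only a debugging aid, would help the next reader.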
@@ -1012,15 +1074,20 @@ private void validateAccessToken(String accessToken) } private static IdToken getIdToken(ClientAccessToken accessToken, String jwksUri, String clientId) { - WebClient c = WebClient.create(jwksUri, + try (WebClient c = WebClient.create(jwksUri, Collections.singletonList(new JsonWebKeysProvider()), "alice", "security", null) - .accept(MediaType.APPLICATION_JSON); - IdTokenReader idTokenReader = new IdTokenReader(); - idTokenReader.setJwkSetClient(c); - idTokenReader.setIssuerId("OIDC IdP"); + .accept(MediaType.APPLICATION_JSON)) { + + WebClient.getConfig(c).getRequestContext() + .put("share.httpclient.http.conduit", false); - return idTokenReader.getIdToken(accessToken, new Consumer(clientId)); + IdTokenReader idTokenReader = new IdTokenReader(); + idTokenReader.setJwkSetClient(c); + idTokenReader.setIssuerId("OIDC IdP"); + + return idTokenReader.getIdToken(accessToken, new Consumer(clientId)); + } } private boolean isAccessTokenInJWTFormat() {
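Review bot: The new `.put("share.httpclient.http.conduit", false)` in getIdToken is a bare string literal with no explanation, and nothing in the hunk records why the JWKS client alone must opt out of conduit sharing while the other clients in the file do not; hoist it to a `private static final String SHARE_HTTPCLIENT_CONDUIT = "share.httpclient.http.conduit";` and put a comment above the call such as `// Use a dedicated conduit for the JWKS fetch: sharing the HttpClient from this helper is what caused the timeouts this change fixes`. The rest of the method body is a straight move into the try-with-resources block and looks correct; the `IdTokenReader` still verifies the token against the fetched key set and the configured issuer before returning.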