Specification parameters tests for standard token exchange v2

Closes #37114

Signed-off-by: Giuseppe Graziano <[email protected]>

request and response parameters tests for token exchange

Closes #37114

Signed-off-by: Giuseppe Graziano <[email protected]>

Author: graziang

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/oauth/OAuthClient.java

@@ -291,6 +291,10 @@ public TokenExchangeRequest tokenExchangeRequest(String subjectToken) {
         return new TokenExchangeRequest(subjectToken, this);
     }
 
+    public TokenExchangeRequest tokenExchangeRequest(String subjectToken, String subjectTokenType) {
+        return new TokenExchangeRequest(subjectToken, subjectTokenType, this);
+    }
+
     /**
      * @deprecated Set clientId and clientSecret using {@link #client(String, String)} and use {@link #tokenExchangeRequest(String)}
      */

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/oauth/TokenExchangeRequest.java

@@ -7,16 +7,25 @@
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 public class TokenExchangeRequest extends AbstractHttpPostRequest<TokenExchangeRequest, AccessTokenResponse> {
 
     private final String subjectToken;
+    private final String subjectTokenType;
     private List<String> audience;
     private Map<String, String> additionalParams;
 
     TokenExchangeRequest(String subjectToken, OAuthClient client) {
         super(client);
         this.subjectToken = subjectToken;
+        this.subjectTokenType = OAuth2Constants.ACCESS_TOKEN_TYPE;
+    }
+
+    TokenExchangeRequest(String subjectToken, String subjectTokenType, OAuthClient client) {
+        super(client);
+        this.subjectToken = subjectToken;
+        this.subjectTokenType = subjectTokenType;
     }
 
     @Override
@@ -38,7 +47,7 @@ protected void initRequest() {
         parameter(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE);
 
         parameter(OAuth2Constants.SUBJECT_TOKEN, subjectToken);
-        parameter(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE);
+        parameter(OAuth2Constants.SUBJECT_TOKEN_TYPE, subjectTokenType != null ? subjectTokenType : OAuth2Constants.ACCESS_TOKEN_TYPE);
 
         if (audience != null) {
             audience.forEach(a -> parameter(OAuth2Constants.AUDIENCE, a));

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/tokenexchange/StandardTokenExchangeV2Test.java

@@ -36,14 +36,14 @@
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
-import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
 import org.keycloak.testsuite.pages.ConsentPage;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.util.oauth.AccessTokenResponse;
+import org.keycloak.testsuite.util.oauth.TokenExchangeRequest;
 import org.keycloak.util.TokenUtil;
 
 import java.util.Collections;
@@ -110,6 +110,83 @@ private AccessTokenResponse tokenExchange(String subjectToken, String clientId,
         return oauth.tokenExchangeRequest(subjectToken).client(clientId, secret).audience(audience).additionalParams(additionalParams).send();
     }
 
+    @Test
+    @UncaughtServerErrorExpected
+    public void testSubjectTokenType() throws Exception {
+        oauth.realm(TEST);
+        String accessToken = resourceOwnerLogin("john", "password", "subject-client", "secret");
+
+        TokenExchangeRequest request = oauth.tokenExchangeRequest(accessToken, OAuth2Constants.ACCESS_TOKEN_TYPE);
+        AccessTokenResponse response = request.send();
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
+
+        request = oauth.tokenExchangeRequest(accessToken, OAuth2Constants.REFRESH_TOKEN_TYPE);
+        response = request.send();
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+
+        request = oauth.tokenExchangeRequest(accessToken, OAuth2Constants.ID_TOKEN_TYPE);
+        response = request.send();
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+
+        request = oauth.tokenExchangeRequest(accessToken, OAuth2Constants.SAML2_TOKEN_TYPE);
+        response = request.send();
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+
+        request = oauth.tokenExchangeRequest(accessToken, OAuth2Constants.JWT_TOKEN_TYPE);
+        response = request.send();
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+
+        request = oauth.tokenExchangeRequest(accessToken, "WRONG_TOKEN_TYPE");
+        response = request.send();
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+    }
+
+    @Test
+    @UncaughtServerErrorExpected
+    public void testRequestedTokenType() throws Exception {
+        oauth.realm(TEST);
+        String accessToken = resourceOwnerLogin("john", "password", "subject-client", "secret");
+
+        AccessTokenResponse response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE));
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
+        assertNotNull(response.getAccessToken());
+        assertEquals(TokenUtil.TOKEN_TYPE_BEARER, response.getTokenType());
+        assertEquals(OAuth2Constants.ACCESS_TOKEN_TYPE, response.getIssuedTokenType());
+
+        response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.REFRESH_TOKEN_TYPE));
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
+        assertNotNull(response.getAccessToken());
+        assertEquals(TokenUtil.TOKEN_TYPE_BEARER, response.getTokenType());
+        assertEquals(OAuth2Constants.REFRESH_TOKEN_TYPE, response.getIssuedTokenType());
+
+        response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ID_TOKEN_TYPE));
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatusCode());
+        assertNotNull(response.getAccessToken());
+        assertEquals(TokenUtil.TOKEN_TYPE_NA, response.getTokenType());
+        assertEquals(OAuth2Constants.ID_TOKEN_TYPE, response.getIssuedTokenType());
+
+        response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.JWT_TOKEN_TYPE));
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+        assertEquals("requested_token_type unsupported", response.getErrorDescription());
+
+        //TODO: saml token type should not be supported
+        // response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.SAML2_TOKEN_TYPE));
+        // assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        // assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+        //assertEquals("requested_token_type unsupported", response.getErrorDescription());
+
+        response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, "WRONG_TOKEN_TYPE"));
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_REQUEST, response.getError());
+        assertEquals("requested_token_type unsupported", response.getErrorDescription());
+    }
+
     @Test
     @UncaughtServerErrorExpected
     public void testExchange() throws Exception {
@@ -158,7 +235,7 @@ public void testExchangeForIdToken() throws Exception {
                 .parse().getToken();
         assertEquals(TokenUtil.TOKEN_TYPE_BEARER, exchangedToken.getType());
 
-        Assert.assertNotNull("ID Token is null, but was expected to be present", response.getIdToken());
+        assertNotNull("ID Token is null, but was expected to be present", response.getIdToken());
         IDToken exchangedIdToken = TokenVerifier.create(response.getIdToken(), IDToken.class)
                 .parse().getToken();
         assertEquals(TokenUtil.TOKEN_TYPE_ID, exchangedIdToken.getType());
@@ -170,15 +247,15 @@ public void testExchangeForIdToken() throws Exception {
         oauth.scope(null);
         response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE));
         assertEquals(OAuth2Constants.ACCESS_TOKEN_TYPE, response.getIssuedTokenType());
-        Assert.assertNotNull(response.getAccessToken());
-        Assert.assertNull("ID Token was present, but should not be present", response.getIdToken());
+        assertNotNull(response.getAccessToken());
+        assertNull("ID Token was present, but should not be present", response.getIdToken());
 
         // Exchange request requesting id-token. ID Token should be issued inside "access_token" parameter (as per token-exchange specification https://datatracker.ietf.org/doc/html/rfc8693#name-successful-response - parameter "access_token")
         response = tokenExchange(accessToken, "requester-client", "secret", null, Map.of(OAuth2Constants.REQUESTED_TOKEN_TYPE, OAuth2Constants.ID_TOKEN_TYPE));
         assertEquals(OAuth2Constants.ID_TOKEN_TYPE, response.getIssuedTokenType());
         assertEquals(TokenUtil.TOKEN_TYPE_NA, response.getTokenType());
-        Assert.assertNotNull(response.getAccessToken());
-        Assert.assertNull("ID Token was present, but should not be present", response.getIdToken());
+        assertNotNull(response.getAccessToken());
+        assertNull("ID Token was present, but should not be present", response.getIdToken());
 
         exchangedIdToken = TokenVerifier.create(response.getAccessToken(), IDToken.class)
                 .parse().getToken();
@@ -196,13 +273,13 @@ public void testExchangeUsingServiceAccount() throws Exception {
         String accessToken = response.getAccessToken();
         TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
         AccessToken token = accessTokenVerifier.parse().getToken();
-        Assert.assertNull(token.getSessionId());
+        assertNull(token.getSessionId());
         response = tokenExchange(accessToken, "requester-client", "secret", null, null);
         assertEquals(OAuth2Constants.ACCESS_TOKEN_TYPE, response.getIssuedTokenType());
         String exchangedTokenString = response.getAccessToken();
         TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
         AccessToken exchangedToken = verifier.parse().getToken();
-        Assert.assertNull(exchangedToken.getSessionId());
+        assertNull(exchangedToken.getSessionId());
         assertEquals("requester-client", exchangedToken.getIssuedFor());
 
     }
@@ -272,9 +349,9 @@ public void testClientExchangeToItselfWithConsents() throws Exception {
     public void testExchangeWithPublicClient() throws Exception {
         String accessToken = resourceOwnerLogin("john", "password","subject-client", "secret");
         AccessTokenResponse response = tokenExchange(accessToken, "requester-client-public", null,  null, null);
-        org.junit.Assert.assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
-        org.junit.Assert.assertEquals(OAuthErrorException.INVALID_CLIENT, response.getError());
-        org.junit.Assert.assertEquals("Public client is not allowed to exchange token", response.getErrorDescription());
+        assertEquals(Response.Status.BAD_REQUEST.getStatusCode(), response.getStatusCode());
+        assertEquals(OAuthErrorException.INVALID_CLIENT, response.getError());
+        assertEquals("Public client is not allowed to exchange token", response.getErrorDescription());
     }
 
     @Test