Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.cxf.fediz.systests.oidc; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.net.URL; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Date; import java.util.Locale; import java.util.TimeZone; import javax.servlet.ServletException; import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; import com.gargoylesoftware.htmlunit.HttpMethod; import com.gargoylesoftware.htmlunit.UnexpectedPage; import com.gargoylesoftware.htmlunit.WebClient; import com.gargoylesoftware.htmlunit.WebRequest; import com.gargoylesoftware.htmlunit.WebResponse; import com.gargoylesoftware.htmlunit.html.DomElement; import com.gargoylesoftware.htmlunit.html.DomNodeList; import com.gargoylesoftware.htmlunit.html.HtmlButton; import com.gargoylesoftware.htmlunit.html.HtmlForm; import com.gargoylesoftware.htmlunit.html.HtmlPage; import com.gargoylesoftware.htmlunit.html.HtmlSelect; import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput; import com.gargoylesoftware.htmlunit.html.HtmlTable; import com.gargoylesoftware.htmlunit.html.HtmlTextInput; import com.gargoylesoftware.htmlunit.util.NameValuePair; import com.gargoylesoftware.htmlunit.util.WebConnectionWrapper; import org.apache.catalina.Context; import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleState; import org.apache.catalina.connector.Connector; import org.apache.catalina.startup.Tomcat; import org.apache.commons.io.IOUtils; import org.apache.cxf.fediz.tomcat7.FederationAuthenticator; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; import org.apache.cxf.rs.security.jose.jwt.JwtConstants; import org.apache.cxf.rs.security.jose.jwt.JwtToken; import org.apache.http.auth.AuthScope; import org.apache.http.auth.UsernamePasswordCredentials; import org.apache.wss4j.common.util.Loader; import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; /** * Some OIDC tests. */ public class OIDCTest { static String idpHttpsPort; static String rpHttpsPort; private static Tomcat idpServer; private static Tomcat rpServer; private static String storedClientId; private static String storedClient2Id; @BeforeClass public static void init() throws Exception { System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); idpHttpsPort = System.getProperty("idp.https.port"); Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); rpHttpsPort = System.getProperty("rp.https.port"); Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); idpServer = startServer(true, idpHttpsPort); rpServer = startServer(false, rpHttpsPort); loginToClientsPage(rpHttpsPort, idpHttpsPort); } private static Tomcat startServer(boolean idp, String port) throws ServletException, LifecycleException, IOException { Tomcat server = new Tomcat(); server.setPort(0); String currentDir = new File(".").getCanonicalPath(); String baseDir = currentDir + File.separator + "target"; server.setBaseDir(baseDir); if (idp) { server.getHost().setAppBase("tomcat/idp/webapps"); } else { server.getHost().setAppBase("tomcat/rp/webapps"); } server.getHost().setAutoDeploy(true); server.getHost().setDeployOnStartup(true); Connector httpsConnector = new Connector(); httpsConnector.setPort(Integer.parseInt(port)); httpsConnector.setSecure(true); httpsConnector.setScheme("https"); //httpsConnector.setAttribute("keyAlias", keyAlias); httpsConnector.setAttribute("keystorePass", "tompass"); httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); httpsConnector.setAttribute("truststorePass", "tompass"); httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); httpsConnector.setAttribute("clientAuth", "want"); // httpsConnector.setAttribute("clientAuth", "false"); httpsConnector.setAttribute("sslProtocol", "TLS"); httpsConnector.setAttribute("SSLEnabled", true); server.getService().addConnector(httpsConnector); if (idp) { File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts"); server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath()); File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp"); server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath()); } else { File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-oidc"); Context cxt = server.addWebapp("/fediz-oidc", rpWebapp.getAbsolutePath()); // Substitute the IDP port. Necessary if running the test in eclipse where port filtering doesn't seem // to work File f = new File(currentDir + "/src/test/resources/fediz_config.xml"); FileInputStream inputStream = new FileInputStream(f); String content = IOUtils.toString(inputStream, "UTF-8"); inputStream.close(); if (content.contains("idp.https.port")) { content = content.replaceAll("\\$\\{idp.https.port\\}", "" + idpHttpsPort); File f2 = new File(baseDir + "/test-classes/fediz_config.xml"); try (FileOutputStream outputStream = new FileOutputStream(f2)) { IOUtils.write(content, outputStream, "UTF-8"); } } FederationAuthenticator fa = new FederationAuthenticator(); fa.setConfigFile(currentDir + File.separator + "target" + File.separator + "test-classes" + File.separator + "fediz_config.xml"); cxt.getPipeline().addValve(fa); } server.start(); return server; } @AfterClass public static void cleanup() throws Exception { try { loginToClientsPageAndDeleteClient(rpHttpsPort, idpHttpsPort); } finally { shutdownServer(idpServer); shutdownServer(rpServer); } } private static void shutdownServer(Tomcat server) { try { if (server != null && server.getServer() != null && server.getServer().getState() != LifecycleState.DESTROYED) { if (server.getServer().getState() != LifecycleState.STOPPED) { server.stop(); } server.destroy(); } } catch (Exception e) { e.printStackTrace(); } } public String getIdpHttpsPort() { return idpHttpsPort; } public String getRpHttpsPort() { return rpHttpsPort; } public String getServletContextName() { return "fedizhelloworld"; } // Runs as BeforeClass: Login to the OIDC Clients page + create two new clients private static void loginToClientsPage(String rpPort, String idpPort) throws Exception { String url = "https://localhost:" + rpPort + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, idpPort); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Now try to register a new client HtmlPage registeredClientPage = registerNewClient(webClient, url, "new-client", "https://127.0.0.1", "https://cxf.apache.org"); String registeredClientPageBody = registeredClientPage.getBody().getTextContent(); Assert.assertTrue(registeredClientPageBody.contains("Registered Clients")); Assert.assertTrue(registeredClientPageBody.contains("new-client")); Assert.assertTrue(registeredClientPageBody.contains("https://127.0.0.1")); HtmlTable table = registeredClientPage.getHtmlElementById("registered_clients"); storedClientId = table.getCellAt(1, 1).asText().trim(); Assert.assertNotNull(storedClientId); // Try to register another new client registeredClientPage = registerNewClient(webClient, url, "new-client2", "https://127.0.1.1", "https://ws.apache.org"); registeredClientPageBody = registeredClientPage.getBody().getTextContent(); Assert.assertTrue(registeredClientPageBody.contains("Registered Clients")); Assert.assertTrue(registeredClientPageBody.contains("new-client")); Assert.assertTrue(registeredClientPageBody.contains("https://127.0.0.1")); Assert.assertTrue(registeredClientPageBody.contains("new-client2")); Assert.assertTrue(registeredClientPageBody.contains("https://127.0.1.1")); table = registeredClientPage.getHtmlElementById("registered_clients"); storedClient2Id = table.getCellAt(2, 1).asText().trim(); if (storedClient2Id.equals(storedClientId)) { storedClient2Id = table.getCellAt(1, 1).asText().trim(); } Assert.assertNotNull(storedClient2Id); webClient.close(); } private static HtmlPage registerNewClient(WebClient webClient, String url, String clientName, String redirectURI, String clientAudience) throws Exception { HtmlPage registerPage = webClient.getPage(url + "/register"); final HtmlForm form = registerPage.getForms().get(0); // Set new client values final HtmlTextInput clientNameInput = form.getInputByName("client_name"); clientNameInput.setValueAttribute(clientName); final HtmlSelect clientTypeSelect = form.getSelectByName("client_type"); clientTypeSelect.setSelectedAttribute("confidential", true); final HtmlTextInput redirectURIInput = form.getInputByName("client_redirectURI"); redirectURIInput.setValueAttribute(redirectURI); final HtmlTextInput clientAudienceURIInput = form.getInputByName("client_audience"); clientAudienceURIInput.setValueAttribute(clientAudience); final HtmlButton button = form.getButtonByName("submit_button"); return button.click(); } // Runs as AfterClass: Login to the OIDC Clients page + delete the created clients! private static void loginToClientsPageAndDeleteClient(String rpPort, String idpPort) throws Exception { String url = "https://localhost:" + rpPort + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, idpPort); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Get the client identifier HtmlTable table = loginPage.getHtmlElementById("registered_clients"); String clientId = table.getCellAt(1, 1).asText().trim(); Assert.assertNotNull(clientId); String clientId2 = table.getCellAt(2, 1).asText().trim(); Assert.assertNotNull(clientId2); // Now go to the specific client page HtmlPage registeredClientsPage = deleteClient(webClient, url, clientId); // Check we have one more registered clients table = registeredClientsPage.getHtmlElementById("registered_clients"); Assert.assertEquals(2, table.getRowCount()); // Now delete the other client registeredClientsPage = deleteClient(webClient, url, clientId2); // Check we have no more registered clients table = registeredClientsPage.getHtmlElementById("registered_clients"); Assert.assertEquals(1, table.getRowCount()); webClient.close(); } private static HtmlPage deleteClient(WebClient webClient, String url, String clientId) throws Exception { HtmlPage clientPage = webClient.getPage(url + "/" + clientId); final HtmlForm deleteForm = clientPage.getFormByName("deleteForm"); Assert.assertNotNull(deleteForm); // Delete the client final HtmlButton button = deleteForm.getButtonByName("submit_delete_button"); return button.click(); } // Test that we managed to create the clients ok @org.junit.Test public void testCreatedClients() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Get the new client identifier HtmlTable table = loginPage.getHtmlElementById("registered_clients"); // 2 clients Assert.assertEquals(table.getRows().size(), 3); // Now check the first client String clientId = table.getCellAt(1, 1).asText().trim(); Assert.assertNotNull(clientId); // Check the Date String date = table.getCellAt(1, 2).asText().trim(); SimpleDateFormat dateFormat = new SimpleDateFormat("dd MMM yyyy", Locale.US); dateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); Assert.assertEquals(dateFormat.format(new Date()), date); // Check the redirect URI String redirectURI = table.getCellAt(1, 3).asText().trim(); Assert.assertTrue("https://127.0.0.1".equals(redirectURI) || "https://127.0.1.1".equals(redirectURI)); // Now check the specific client page HtmlPage clientPage = webClient.getPage(url + "/" + clientId); HtmlTable clientTable = clientPage.getHtmlElementById("client"); Assert.assertEquals(clientId, clientTable.getCellAt(1, 0).asText().trim()); webClient.close(); } @org.junit.Test public void testOIDCLoginForClient1() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id=" + storedClientId; url += "&response_type=code"; url += "&scope=openid"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNotNull(authorizationCode); // Now use the code to get an IdToken url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/oauth2/token"; WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); request.setRequestParameters(new ArrayList<NameValuePair>()); request.getRequestParameters().add(new NameValuePair("client_id", storedClientId)); request.getRequestParameters().add(new NameValuePair("grant_type", "authorization_code")); request.getRequestParameters().add(new NameValuePair("code", authorizationCode)); webClient.getOptions().setJavaScriptEnabled(false); final UnexpectedPage responsePage = webClient.getPage(request); String response = responsePage.getWebResponse().getContentAsString(); // Check the IdToken String idToken = getIdToken(response); Assert.assertNotNull(idToken); validateIdToken(idToken, storedClientId); webClient.close(); } // TODO @Ignoring failing test for now @org.junit.Test @org.junit.Ignore public void testOIDCLoginForClient2() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id=" + storedClient2Id; url += "&response_type=code"; url += "&scope=openid"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNotNull(authorizationCode); // Now use the code to get an IdToken url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/oauth2/token"; WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); request.setRequestParameters(new ArrayList<NameValuePair>()); request.getRequestParameters().add(new NameValuePair("client_id", storedClient2Id)); request.getRequestParameters().add(new NameValuePair("grant_type", "authorization_code")); request.getRequestParameters().add(new NameValuePair("code", authorizationCode)); webClient.getOptions().setJavaScriptEnabled(false); final UnexpectedPage responsePage = webClient.getPage(request); String response = responsePage.getWebResponse().getContentAsString(); // Check the IdToken String idToken = getIdToken(response); Assert.assertNotNull(idToken); validateIdToken(idToken, storedClient2Id); webClient.close(); } // TODO @Ignoring failing test for now @org.junit.Test @org.junit.Ignore public void testUsingCodeForOtherClient() throws Exception { // Get the code for the first client String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id=" + storedClientId; url += "&response_type=code"; url += "&scope=openid"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNotNull(authorizationCode); // Now try and get a token for the second client url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/oauth2/token"; WebRequest request = new WebRequest(new URL(url), HttpMethod.POST); request.setRequestParameters(new ArrayList<NameValuePair>()); request.getRequestParameters().add(new NameValuePair("client_id", storedClient2Id)); request.getRequestParameters().add(new NameValuePair("grant_type", "authorization_code")); request.getRequestParameters().add(new NameValuePair("code", authorizationCode)); webClient.getOptions().setJavaScriptEnabled(false); try { webClient.getPage(request); Assert.fail(); } catch (FailingHttpStatusCodeException ex) { // expected } } @org.junit.Test public void testBadClientId() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id=" + storedClientId + 2; url += "&response_type=code"; url += "&scope=openid"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNull(authorizationCode); webClient.close(); } @org.junit.Test public void testEmptyClientId() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id="; url += "&response_type=code"; url += "&scope=openid"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNull(authorizationCode); webClient.close(); } @org.junit.Test public void testIncorrectRedirectURI() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/idp/authorize?"; url += "client_id=" + storedClientId; url += "&response_type=code"; url += "&scope=openid"; url += "&redirect_uri=https://127.0.0.5"; String user = "alice"; String password = "ecila"; // Login to the OIDC token endpoint + get the authorization code WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); String authorizationCode = loginAndGetAuthorizationCode(url, webClient); Assert.assertNull(authorizationCode); webClient.close(); } @org.junit.Test public void testCreateClientWithInvalidRegistrationURI() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Now try to register a new client try { HtmlPage errorPage = registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1//", "https://cxf.apache.org"); Assert.assertTrue(errorPage.asText().contains("Invalid Client Registration")); } catch (Exception ex) { // expected } webClient.close(); } @org.junit.Test public void testCreateClientWithRegistrationURIFragment() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Now try to register a new client try { HtmlPage errorPage = registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1#fragment", "https://cxf.apache.org"); Assert.assertTrue(errorPage.asText().contains("Invalid Client Registration")); } catch (Exception ex) { // expected } webClient.close(); } @org.junit.Test public void testCreateClientWithInvalidAudienceURI() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Now try to register a new client try { HtmlPage errorPage = registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1/", "https://cxf.apache.org//"); Assert.assertTrue(errorPage.asText().contains("Invalid Client Registration")); } catch (Exception ex) { // expected } webClient.close(); } @org.junit.Test public void testCreateClientWithAudienceURIFragment() throws Exception { String url = "https://localhost:" + getRpHttpsPort() + "/fediz-oidc/console/clients"; String user = "alice"; String password = "ecila"; // Login to the client page successfully WebClient webClient = setupWebClient(user, password, getIdpHttpsPort()); HtmlPage loginPage = login(url, webClient); final String bodyTextContent = loginPage.getBody().getTextContent(); Assert.assertTrue(bodyTextContent.contains("Registered Clients")); // Now try to register a new client try { HtmlPage errorPage = registerNewClient(webClient, url, "asfxyz", "https://127.0.0.1", "https://cxf.apache.org#fragment"); Assert.assertTrue(errorPage.asText().contains("Invalid Client Registration")); } catch (Exception ex) { // expected } webClient.close(); } private static WebClient setupWebClient(String user, String password, String idpPort) { final WebClient webClient = new WebClient(); webClient.getOptions().setUseInsecureSSL(true); webClient.getCredentialsProvider().setCredentials(new AuthScope("localhost", Integer.parseInt(idpPort)), new UsernamePasswordCredentials(user, password)); webClient.getOptions().setJavaScriptEnabled(false); return webClient; } private static HtmlPage login(String url, WebClient webClient) throws IOException { webClient.getOptions().setJavaScriptEnabled(false); final HtmlPage idpPage = webClient.getPage(url); webClient.getOptions().setJavaScriptEnabled(true); Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); // Test the SAML Version here DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); String wresult = null; for (DomElement result : results) { if ("wresult".equals(result.getAttributeNS(null, "name"))) { wresult = result.getAttributeNS(null, "value"); break; } } Assert.assertTrue(wresult != null && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:bearer")); final HtmlForm form = idpPage.getFormByName("signinresponseform"); final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); return button.click(); } private static String loginAndGetAuthorizationCode(String url, WebClient webClient) throws Exception { webClient.getOptions().setJavaScriptEnabled(false); final HtmlPage idpPage = webClient.getPage(url); webClient.getOptions().setJavaScriptEnabled(true); Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); String wresult = null; for (DomElement result : results) { if ("wresult".equals(result.getAttributeNS(null, "name"))) { wresult = result.getAttributeNS(null, "value"); break; } } Assert.assertTrue(wresult != null && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:bearer")); final HtmlForm form = idpPage.getFormByName("signinresponseform"); final HtmlSubmitInput button = form.getInputByName("_eventId_submit"); // Bit of a hack here to get the authorization code - necessary as HtmlUnit tries // to follow the server redirect to "https://127.0.0.1" - the redirect URI CodeWebConnectionWrapper wrapper = new CodeWebConnectionWrapper(webClient); try { button.click(); } catch (Throwable t) { // expected } wrapper.close(); return wrapper.getCode(); } private String getIdToken(String parentString) { String foundString = parentString .substring(parentString.indexOf("id_token") + ("id_token" + "\":\"").length()); int ampersandIndex = foundString.indexOf('\"'); if (ampersandIndex < 1) { ampersandIndex = foundString.length(); } return foundString.substring(0, ampersandIndex); } private void validateIdToken(String idToken, String audience) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); JwtToken jwt = jwtConsumer.getJwtToken(); // Validate claims Assert.assertEquals("alice", jwt.getClaim("preferred_username")); Assert.assertEquals("accounts.fediz.com", jwt.getClaim(JwtConstants.CLAIM_ISSUER)); Assert.assertEquals(audience, jwt.getClaim(JwtConstants.CLAIM_AUDIENCE)); Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY)); Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT)); KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(Loader.getResource("oidc.jks").openStream(), "password".toCharArray()); Certificate cert = keystore.getCertificate("alice"); Assert.assertNotNull(cert); Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256)); } private static class CodeWebConnectionWrapper extends WebConnectionWrapper { private String code; CodeWebConnectionWrapper(WebClient webClient) throws IllegalArgumentException { super(webClient); } public WebResponse getResponse(WebRequest request) throws IOException { WebResponse response = super.getResponse(request); String location = response.getResponseHeaderValue("Location"); if (location != null && location.contains("code=")) { code = getSubstring(location, "code"); } return response; } public String getCode() { return code; } private String getSubstring(String parentString, String substringName) { String foundString = parentString .substring(parentString.indexOf(substringName + "=") + (substringName + "=").length()); int ampersandIndex = foundString.indexOf('&'); if (ampersandIndex < 1) { ampersandIndex = foundString.length(); } return foundString.substring(0, ampersandIndex); } } }