16 changes: 16 additions & 0 deletions app/adapters/keycloak_adapter.rb
Expand Up @@ -54,6 +54,7 @@ def to_h
redirectUris: [ redirect_url ].compact,
attributes: { '3scale' => true },
enabled: enabled?,
protocolMappers: [audience_mapper],
**oidc_configuration,
**self.class.attributes,
}
Expand All @@ -79,6 +80,21 @@ def enabled?
def self.attributes
Rails.application.config.x.keycloak.deep_symbolize_keys.dig(:attributes) || Hash.new
end

private

def audience_mapper
{
name: 'audience-mapper',
protocol: 'openid-connect',
protocolMapper: 'oidc-audience-mapper',
config: {
'included.client.audience' => id,
'id.token.claim' => 'false',
'access.token.claim' => 'true',
},
}
end
end

def self.build_client(attributes)
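Review bot: The `protocolMappers: [audience_mapper]` key added to `to_h` (L28) sits before the `**oidc_configuration` and `**self.class.attributes` splats (L29-L30), and in a Ruby hash literal a later duplicate key wins, so a `protocolMappers` entry in `config.x.keycloak.attributes` (or in the OIDC configuration) would silently replace the mapper that the new test says is always included; moving `protocolMappers: [audience_mapper],` below the two splats makes the guarantee hold regardless of configuration. `to_h` begins above the hunk. It is also not visible here whether the client-registration PUT replaces the client's whole mapper set or merges by `name`; if it replaces, mappers an operator added through the admin console would be dropped on every sync, which is worth confirming against the Keycloak version in use. Finally, `audience_mapper` deserves a why-comment, e.g. `# Put this client's own clientId into the access token's aud claim so resource servers can reject tokens issued to a different client; the ID token keeps Keycloak's default aud handling.`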
13 changes: 13 additions & 0 deletions test/adapters/keycloak_adapter_test.rb
Expand Up @@ -102,6 +102,19 @@ class KeycloakAdapterTest < ActiveSupport::TestCase
assert_equal client.to_h.to_json, client.to_json
end

test 'audience mapper is always included' do
client = KeycloakAdapter::Client.new(id: 'my-client-id')
mappers = client.to_h[:protocolMappers]

assert_equal 1, mappers.length
mapper = mappers.first
assert_equal 'audience-mapper', mapper[:name]
assert_equal 'oidc-audience-mapper', mapper[:protocolMapper]
assert_equal 'my-client-id', mapper[:config]['included.client.audience']
assert_equal 'true', mapper[:config]['access.token.claim']
assert_equal 'false', mapper[:config]['id.token.claim']
end

test 'oauth flows' do
keycloak = { clientId: "client_id", implicitFlowEnabled: true, serviceAccountsEnabled: true }

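Review bot: The new test at L61-L72 never asserts `mapper[:protocol]`, although the adapter sets it explicitly and Keycloak presumably resolves the mapper implementation from protocol plus protocolMapper; adding `assert_equal 'openid-connect', mapper[:protocol]` pins the whole mapper shape. A second case that builds the client with the Rails `attributes` configuration populated would also show that configuration cannot drop or replace the mapper this test describes as "always included", which the current default-config case does not demonstrate.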
20 changes: 14 additions & 6 deletions test/integration/data_model_test.rb
Expand Up @@ -91,9 +91,11 @@ def teardown
to_return(status: 404)

perform_enqueued_jobs do
audience_mapper_foo = [{ name: 'audience-mapper', protocol: 'openid-connect', protocolMapper: 'oidc-audience-mapper', config: { 'included.client.audience' => 'foo', 'id.token.claim' => 'false', 'access.token.claim' => 'true' } }]

stub_request(:put, 'http://example.com/auth/realm/master/clients-registrations/default/foo').
with(
body: '{"name":null,"description":null,"clientId":"foo","secret":"bar","redirectUris":[],"attributes":{"3scale":true},"enabled":null}',
body: { name: nil, description: nil, clientId: 'foo', secret: 'bar', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json,
headers: {
'Authorization'=>'Bearer token',
'Content-Type'=>'application/json',
Expand All @@ -102,7 +104,7 @@ def teardown

stub_request(:put, 'http://example.com/auth/realm/master/clients-registrations/default/foo').
with(
body: '{"name":"new-name","description":null,"clientId":"foo","secret":"bar","redirectUris":[],"attributes":{"3scale":true},"enabled":null}',
body: { name: 'new-name', description: nil, clientId: 'foo', secret: 'bar', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json,
headers: {
'Authorization'=>'Bearer token',
'Content-Type'=>'application/json',
Expand Down Expand Up @@ -144,8 +146,10 @@ def teardown

stub_oauth_access_token(keycloak)

audience_mapper_foo = [{ name: 'audience-mapper', protocol: 'openid-connect', protocolMapper: 'oidc-audience-mapper', config: { 'included.client.audience' => 'foo', 'id.token.claim' => 'false', 'access.token.claim' => 'true' } }]

stub_request(:put, "http://example.com/clients-registrations/default/foo").
with(body: '{"name":null,"description":null,"clientId":"foo","secret":"bar","redirectUris":[],"attributes":{"3scale":true},"enabled":null}').
with(body: { name: nil, description: nil, clientId: 'foo', secret: 'bar', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json).
to_return(status: 200)

stub_request(:get, "#{tenant.endpoint}/admin/api/applications/find.json?application_id=2").
Expand Down Expand Up @@ -180,8 +184,10 @@ def teardown

stub_oauth_access_token(keycloak)

audience_mapper_foo = [{ name: 'audience-mapper', protocol: 'openid-connect', protocolMapper: 'oidc-audience-mapper', config: { 'included.client.audience' => 'foo', 'id.token.claim' => 'false', 'access.token.claim' => 'true' } }]

stub_request(:put, "http://example.com/clients-registrations/default/foo").
with(body: '{"name":null,"description":null,"clientId":"foo","secret":"bar","redirectUris":[],"attributes":{"3scale":true},"enabled":null}').
with(body: { name: nil, description: nil, clientId: 'foo', secret: 'bar', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json).
to_return(status: 200)

put_notification(type: 'Application', id: 1, service_id: service.to_param, tenant_id: tenant.to_param)
Expand Down Expand Up @@ -238,11 +244,13 @@ def teardown
stub_oauth_access_token(keycloak1)
stub_oauth_access_token(keycloak2)

audience_mapper_foo = [{ name: 'audience-mapper', protocol: 'openid-connect', protocolMapper: 'oidc-audience-mapper', config: { 'included.client.audience' => 'foo', 'id.token.claim' => 'false', 'access.token.claim' => 'true' } }]

stub_request(:put, "http://example.com/clients-registrations/default/foo").
with(body: '{"name":null,"description":null,"clientId":"foo","secret":"secret-service-one","redirectUris":[],"attributes":{"3scale":true},"enabled":null}').
with(body: { name: nil, description: nil, clientId: 'foo', secret: 'secret-service-one', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json).
to_return(status: 200)
stub_request(:put, "http://second.example.com/clients-registrations/default/foo").
with(body: '{"name":null,"description":null,"clientId":"foo","secret":"secret-service-two","redirectUris":[],"attributes":{"3scale":true},"enabled":null}').
with(body: { name: nil, description: nil, clientId: 'foo', secret: 'secret-service-two', redirectUris: [], attributes: { '3scale' => true }, enabled: nil, protocolMappers: audience_mapper_foo }.to_json).
to_return(status: 200)

put_notification(type: 'Application', id: 1, service_id: service1.to_param, tenant_id: tenant.to_param)
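Review bot: The expected mapper literal is retyped verbatim four times in this file (L84, L106, L118, L130) and differs only in the audience value, so any change to the adapter's mapper means editing every copy; a small helper in the test class, `def audience_mapper_for(client_id)` returning the one-element array with `'included.client.audience' => client_id`, keeps a single definition. The enclosing test methods all start above their hunks. Note also that switching the stubs from literal JSON strings to `Hash#to_json` keeps the match byte-exact and therefore key-order-sensitive; that is acceptable while the adapter's hash order is stable, but WebMock's `hash_including` body matcher, or a block that parses the body, would make the stubs robust to reordering.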
3 changes: 3 additions & 0 deletions test/services/integration/keycloak_service_test.rb
Expand Up @@ -39,13 +39,16 @@ def test_new
test 'client auth flows attributes' do
entry = entries(:client)

audience_mapper = [{ name: 'audience-mapper', protocol: 'openid-connect', protocolMapper: 'oidc-audience-mapper', config: { 'included.client.audience' => 'two_id', 'id.token.claim' => 'false', 'access.token.claim' => 'true' } }]

stub_request(:put, "http://example.com/clients-registrations/default/two_id").
with(
body: {
name: "client name", description: "client description",
clientId: "two_id", secret: "two_secret",
redirectUris: ["http://example.com"], attributes: {'3scale' => true},
enabled: true,
protocolMappers: audience_mapper,
standardFlowEnabled: true, implicitFlowEnabled: true,
serviceAccountsEnabled: true, directAccessGrantsEnabled: true,
}.to_json,
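Review bot: The `audience_mapper` literal at L149 is the same structure that now also appears in the other two test files of this change, so the expected mapper is maintained in three places across the suite; a shared test-support helper such as `expected_audience_mapper(client_id)` would keep an adapter change to one edit. The `test 'client auth flows attributes'` block continues below the hunk.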