/**
   * Create a new authentication flow
   *
   * @param flow Authentication flow representation
   * @return
   */
  @Path("/flows")
  @POST
  @NoCache
  @Consumes(MediaType.APPLICATION_JSON)
  public Response createFlow(AuthenticationFlowRepresentation flow) {
    auth.requireManage();

    if (flow.getAlias() == null || flow.getAlias().isEmpty()) {
      return ErrorResponse.exists("Failed to create flow with empty alias name");
    }

    if (realm.getFlowByAlias(flow.getAlias()) != null) {
      return ErrorResponse.exists("Flow " + flow.getAlias() + " already exists");
    }

    AuthenticationFlowModel createdModel =
        realm.addAuthenticationFlow(RepresentationToModel.toModel(flow));

    flow.setId(createdModel.getId());
    adminEvent
        .operation(OperationType.CREATE)
        .resourcePath(uriInfo, createdModel.getId())
        .representation(flow)
        .success();
    return Response.status(201).build();
  }
 public List<AuthenticationExecutionModel> getSortedExecutions(
     AuthenticationFlowModel parentFlow) {
   List<AuthenticationExecutionModel> executions =
       new LinkedList<>(realm.getAuthenticationExecutions(parentFlow.getId()));
   Collections.sort(executions, AuthenticationExecutionModel.ExecutionComparator.SINGLETON);
   return executions;
 }
  /**
   * Copy existing authentication flow under a new name
   *
   * <p>The new name is given as 'newName' attribute of the passed JSON object
   *
   * @param flowAlias Name of the existing authentication flow
   * @param data JSON containing 'newName' attribute
   */
  @Path("/flows/{flowAlias}/copy")
  @POST
  @NoCache
  @Consumes(MediaType.APPLICATION_JSON)
  public Response copy(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();

    String newName = data.get("newName");
    if (realm.getFlowByAlias(newName) != null) {
      return Response.status(Response.Status.CONFLICT).build();
    }

    AuthenticationFlowModel flow = realm.getFlowByAlias(flowAlias);
    if (flow == null) {
      logger.debug("flow not found: " + flowAlias);
      return Response.status(NOT_FOUND).build();
    }
    AuthenticationFlowModel copy = new AuthenticationFlowModel();
    copy.setAlias(newName);
    copy.setDescription(flow.getDescription());
    copy.setProviderId(flow.getProviderId());
    copy.setBuiltIn(false);
    copy.setTopLevel(flow.isTopLevel());
    copy = realm.addAuthenticationFlow(copy);
    copy(newName, flow, copy);

    data.put("id", copy.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();

    return Response.status(201).build();
  }
Пример #4
0
  protected Response processFlow(
      String execution,
      ClientSessionModel clientSession,
      String flowPath,
      AuthenticationFlowModel flow,
      String errorMessage) {
    AuthenticationProcessor processor = new AuthenticationProcessor();
    processor
        .setClientSession(clientSession)
        .setFlowPath(flowPath)
        .setFlowId(flow.getId())
        .setConnection(clientConnection)
        .setEventBuilder(event)
        .setProtector(authManager.getProtector())
        .setRealm(realm)
        .setSession(session)
        .setUriInfo(uriInfo)
        .setRequest(request);
    if (errorMessage != null)
      processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));

    try {
      if (execution != null) {
        return processor.authenticationAction(execution);
      } else {
        return processor.authenticate();
      }
    } catch (Exception e) {
      return processor.handleBrowserException(e);
    }
  }
 protected void copy(String newName, AuthenticationFlowModel from, AuthenticationFlowModel to) {
   for (AuthenticationExecutionModel execution : realm.getAuthenticationExecutions(from.getId())) {
     if (execution.isAuthenticatorFlow()) {
       AuthenticationFlowModel subFlow = realm.getAuthenticationFlowById(execution.getFlowId());
       AuthenticationFlowModel copy = new AuthenticationFlowModel();
       copy.setAlias(newName + " " + subFlow.getAlias());
       copy.setDescription(subFlow.getDescription());
       copy.setProviderId(subFlow.getProviderId());
       copy.setBuiltIn(false);
       copy.setTopLevel(false);
       copy = realm.addAuthenticationFlow(copy);
       execution.setFlowId(copy.getId());
       copy(newName, subFlow, copy);
     }
     execution.setId(null);
     execution.setParentFlow(to.getId());
     realm.addAuthenticatorExecution(execution);
   }
 }
  /**
   * Add new flow with new execution to existing flow
   *
   * @param flowAlias Alias of parent authentication flow
   * @param data New authentication flow / execution JSON data containing 'alias', 'type',
   *     'provider', and 'description' attributes
   */
  @Path("/flows/{flowAlias}/executions/flow")
  @POST
  @NoCache
  @Consumes(MediaType.APPLICATION_JSON)
  public void addExecutionFlow(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();

    AuthenticationFlowModel parentFlow = realm.getFlowByAlias(flowAlias);
    if (parentFlow == null) {
      throw new BadRequestException("Parent flow doesn't exists");
    }
    String alias = data.get("alias");
    String type = data.get("type");
    String provider = data.get("provider");
    String description = data.get("description");

    AuthenticationFlowModel newFlow = realm.getFlowByAlias(alias);
    if (newFlow != null) {
      throw new BadRequestException("New flow alias name already exists");
    }
    newFlow = new AuthenticationFlowModel();
    newFlow.setAlias(alias);
    newFlow.setDescription(description);
    newFlow.setProviderId(type);
    newFlow = realm.addAuthenticationFlow(newFlow);
    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(parentFlow.getId());
    execution.setFlowId(newFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
    execution.setAuthenticatorFlow(true);
    execution.setAuthenticator(provider);
    execution.setPriority(getNextPriority(parentFlow));
    execution = realm.addAuthenticatorExecution(execution);

    data.put("id", execution.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();
  }
  /**
   * Add new authentication execution to a flow
   *
   * @param flowAlias Alias of parent flow
   * @param data New execution JSON data containing 'provider' attribute
   */
  @Path("/flows/{flowAlias}/executions/execution")
  @POST
  @NoCache
  @Consumes(MediaType.APPLICATION_JSON)
  public void addExecution(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();

    AuthenticationFlowModel parentFlow = realm.getFlowByAlias(flowAlias);
    if (parentFlow == null) {
      throw new BadRequestException("Parent flow doesn't exists");
    }
    if (parentFlow.isBuiltIn()) {
      throw new BadRequestException("It is illegal to add execution to a built in flow");
    }
    String provider = data.get("provider");

    // make sure provider is one of the registered providers
    ProviderFactory f;
    if (parentFlow.getProviderId().equals(AuthenticationFlow.CLIENT_FLOW)) {
      f =
          session
              .getKeycloakSessionFactory()
              .getProviderFactory(ClientAuthenticator.class, provider);
    } else if (parentFlow.getProviderId().equals(AuthenticationFlow.FORM_FLOW)) {
      f = session.getKeycloakSessionFactory().getProviderFactory(FormAction.class, provider);
    } else {
      f = session.getKeycloakSessionFactory().getProviderFactory(Authenticator.class, provider);
    }
    if (f == null) {
      throw new BadRequestException("No authentication provider found for id: " + provider);
    }

    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(parentFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticator(provider);
    execution.setPriority(getNextPriority(parentFlow));

    execution = realm.addAuthenticatorExecution(execution);

    data.put("id", execution.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();
  }
  /**
   * Delete authenticator configuration
   *
   * @param id Configuration id
   */
  @Path("config/{id}")
  @DELETE
  @NoCache
  public void removeAuthenticatorConfig(@PathParam("id") String id) {
    auth.requireManage();

    AuthenticatorConfigModel config = realm.getAuthenticatorConfigById(id);
    if (config == null) {
      throw new NotFoundException("Could not find authenticator config");
    }
    List<AuthenticationFlowModel> flows = new LinkedList<>();
    for (AuthenticationFlowModel flow : realm.getAuthenticationFlows()) {
      for (AuthenticationExecutionModel exe : realm.getAuthenticationExecutions(flow.getId())) {
        if (id.equals(exe.getAuthenticatorConfig())) {
          exe.setAuthenticatorConfig(null);
          realm.updateAuthenticatorExecution(exe);
        }
      }
    }

    realm.removeAuthenticatorConfig(config);

    adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success();
  }
  public void recurseExecutions(
      AuthenticationFlowModel flow,
      List<AuthenticationExecutionInfoRepresentation> result,
      int level) {
    int index = 0;
    List<AuthenticationExecutionModel> executions = realm.getAuthenticationExecutions(flow.getId());
    for (AuthenticationExecutionModel execution : executions) {
      AuthenticationExecutionInfoRepresentation rep =
          new AuthenticationExecutionInfoRepresentation();
      rep.setLevel(level);
      rep.setIndex(index++);
      rep.setRequirementChoices(new LinkedList<String>());
      if (execution.isAuthenticatorFlow()) {
        AuthenticationFlowModel flowRef = realm.getAuthenticationFlowById(execution.getFlowId());
        if (AuthenticationFlow.BASIC_FLOW.equals(flowRef.getProviderId())) {
          rep.getRequirementChoices()
              .add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
        } else if (AuthenticationFlow.FORM_FLOW.equals(flowRef.getProviderId())) {
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
          rep.setProviderId(execution.getAuthenticator());
          rep.setAuthenticationConfig(execution.getAuthenticatorConfig());
        } else if (AuthenticationFlow.CLIENT_FLOW.equals(flowRef.getProviderId())) {
          rep.getRequirementChoices()
              .add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
          rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
        }
        rep.setDisplayName(flowRef.getAlias());
        rep.setConfigurable(false);
        rep.setId(execution.getId());
        rep.setAuthenticationFlow(execution.isAuthenticatorFlow());
        rep.setRequirement(execution.getRequirement().name());
        rep.setFlowId(execution.getFlowId());
        result.add(rep);
        AuthenticationFlowModel subFlow = realm.getAuthenticationFlowById(execution.getFlowId());
        recurseExecutions(subFlow, result, level + 1);
      } else {
        String providerId = execution.getAuthenticator();
        ConfigurableAuthenticatorFactory factory =
            CredentialHelper.getConfigurableAuthenticatorFactory(session, providerId);
        rep.setDisplayName(factory.getDisplayType());
        rep.setConfigurable(factory.isConfigurable());
        for (AuthenticationExecutionModel.Requirement choice : factory.getRequirementChoices()) {
          rep.getRequirementChoices().add(choice.name());
        }
        rep.setId(execution.getId());

        if (factory.isConfigurable()) {
          AuthenticatorConfigModel authenticatorConfig =
              realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig());

          if (authenticatorConfig != null) {
            rep.setAlias(authenticatorConfig.getAlias());
          }
        }

        rep.setRequirement(execution.getRequirement().name());
        rep.setProviderId(execution.getAuthenticator());
        rep.setAuthenticationConfig(execution.getAuthenticatorConfig());
        result.add(rep);
      }
    }
  }
Пример #10
0
  // Moved to static method, so it's possible to test this from other places too (for example
  // export-import tests)
  public static void assertDataImportedInRealm(KeycloakSession session, RealmModel realm) {
    Assert.assertTrue(realm.isVerifyEmail());

    List<RequiredCredentialModel> creds = realm.getRequiredCredentials();
    Assert.assertEquals(1, creds.size());
    RequiredCredentialModel cred = creds.get(0);
    Assert.assertEquals("password", cred.getFormLabel());
    Assert.assertEquals(3, realm.getDefaultRoles().size());

    Assert.assertNotNull(realm.getRole("foo"));
    Assert.assertNotNull(realm.getRole("bar"));

    UserModel user = session.users().getUserByUsername("loginclient", realm);
    Assert.assertNotNull(user);
    Assert.assertEquals(0, session.users().getFederatedIdentities(user, realm).size());

    List<ClientModel> resources = realm.getClients();
    Assert.assertEquals(7, resources.size());

    // Test applications imported
    ClientModel application = realm.getClientByClientId("Application");
    ClientModel otherApp = realm.getClientByClientId("OtherApp");
    ClientModel accountApp = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
    ClientModel nonExisting = realm.getClientByClientId("NonExisting");
    Assert.assertNotNull(application);
    Assert.assertNotNull(otherApp);
    Assert.assertNull(nonExisting);
    Map<String, ClientModel> clients = realm.getClientNameMap();
    Assert.assertEquals(7, clients.size());
    Assert.assertTrue(clients.values().contains(application));
    Assert.assertTrue(clients.values().contains(otherApp));
    Assert.assertTrue(clients.values().contains(accountApp));
    realm.getClients().containsAll(clients.values());

    Assert.assertEquals("Applicationn", application.getName());
    Assert.assertEquals(50, application.getNodeReRegistrationTimeout());
    Map<String, Integer> appRegisteredNodes = application.getRegisteredNodes();
    Assert.assertEquals(2, appRegisteredNodes.size());
    Assert.assertTrue(10 == appRegisteredNodes.get("node1"));
    Assert.assertTrue(20 == appRegisteredNodes.get("172.10.15.20"));

    // test clientAuthenticatorType
    Assert.assertEquals(application.getClientAuthenticatorType(), "client-secret");
    Assert.assertEquals(otherApp.getClientAuthenticatorType(), "client-jwt");

    // Test finding applications by ID
    Assert.assertNull(realm.getClientById("982734"));
    Assert.assertEquals(application, realm.getClientById(application.getId()));

    // Test role mappings
    UserModel admin = session.users().getUserByUsername("admin", realm);
    // user without creation timestamp in import
    Assert.assertNull(admin.getCreatedTimestamp());
    Set<RoleModel> allRoles = admin.getRoleMappings();
    Assert.assertEquals(3, allRoles.size());
    Assert.assertTrue(allRoles.contains(realm.getRole("admin")));
    Assert.assertTrue(allRoles.contains(application.getRole("app-admin")));
    Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-admin")));

    Assert.assertTrue(application.getRole("app-admin").isScopeParamRequired());
    Assert.assertFalse(otherApp.getRole("otherapp-admin").isScopeParamRequired());
    Assert.assertFalse(otherApp.getRole("otherapp-user").isScopeParamRequired());

    UserModel wburke = session.users().getUserByUsername("wburke", realm);
    // user with creation timestamp in import
    Assert.assertEquals(new Long(123654), wburke.getCreatedTimestamp());
    allRoles = wburke.getRoleMappings();
    Assert.assertEquals(2, allRoles.size());
    Assert.assertFalse(allRoles.contains(realm.getRole("admin")));
    Assert.assertTrue(allRoles.contains(application.getRole("app-user")));
    Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-user")));

    Assert.assertEquals(0, wburke.getRealmRoleMappings().size());

    UserModel loginclient = session.users().getUserByUsername("loginclient", realm);
    // user with creation timestamp as string in import
    Assert.assertEquals(new Long(123655), loginclient.getCreatedTimestamp());

    Set<RoleModel> realmRoles = admin.getRealmRoleMappings();
    Assert.assertEquals(1, realmRoles.size());
    Assert.assertEquals("admin", realmRoles.iterator().next().getName());

    Set<RoleModel> appRoles = admin.getClientRoleMappings(application);
    Assert.assertEquals(1, appRoles.size());
    Assert.assertEquals("app-admin", appRoles.iterator().next().getName());

    // Test attributes
    Map<String, List<String>> attrs = wburke.getAttributes();
    Assert.assertEquals(1, attrs.size());
    List<String> attrVals = attrs.get("email");
    Assert.assertEquals(1, attrVals.size());
    Assert.assertEquals("*****@*****.**", attrVals.get(0));

    attrs = admin.getAttributes();
    Assert.assertEquals(2, attrs.size());
    attrVals = attrs.get("key1");
    Assert.assertEquals(1, attrVals.size());
    Assert.assertEquals("val1", attrVals.get(0));
    attrVals = attrs.get("key2");
    Assert.assertEquals(2, attrVals.size());
    Assert.assertTrue(attrVals.contains("val21") && attrVals.contains("val22"));

    // Test client
    ClientModel oauthClient = realm.getClientByClientId("oauthclient");
    Assert.assertEquals("clientpassword", oauthClient.getSecret());
    Assert.assertEquals(true, oauthClient.isEnabled());
    Assert.assertNotNull(oauthClient);

    // Test scope relationship
    Set<RoleModel> allScopes = oauthClient.getScopeMappings();
    Assert.assertEquals(2, allScopes.size());
    Assert.assertTrue(allScopes.contains(realm.getRole("admin")));
    Assert.assertTrue(allScopes.contains(application.getRole("app-user")));

    Set<RoleModel> realmScopes = oauthClient.getRealmScopeMappings();
    Assert.assertTrue(realmScopes.contains(realm.getRole("admin")));

    Set<RoleModel> appScopes = application.getClientScopeMappings(oauthClient);
    Assert.assertTrue(appScopes.contains(application.getRole("app-user")));

    // Test social linking
    UserModel socialUser = session.users().getUserByUsername("mySocialUser", realm);
    Set<FederatedIdentityModel> socialLinks =
        session.users().getFederatedIdentities(socialUser, realm);
    Assert.assertEquals(3, socialLinks.size());
    boolean facebookFound = false;
    boolean googleFound = false;
    boolean twitterFound = false;
    for (FederatedIdentityModel federatedIdentityModel : socialLinks) {
      if ("facebook".equals(federatedIdentityModel.getIdentityProvider())) {
        facebookFound = true;
        Assert.assertEquals(federatedIdentityModel.getUserId(), "facebook1");
        Assert.assertEquals(federatedIdentityModel.getUserName(), "fbuser1");
      } else if ("google".equals(federatedIdentityModel.getIdentityProvider())) {
        googleFound = true;
        Assert.assertEquals(federatedIdentityModel.getUserId(), "google1");
        Assert.assertEquals(federatedIdentityModel.getUserName(), "*****@*****.**");
      } else if ("twitter".equals(federatedIdentityModel.getIdentityProvider())) {
        twitterFound = true;
        Assert.assertEquals(federatedIdentityModel.getUserId(), "twitter1");
        Assert.assertEquals(federatedIdentityModel.getUserName(), "twuser1");
      }
    }
    Assert.assertTrue(facebookFound && twitterFound && googleFound);

    UserModel foundSocialUser =
        session
            .users()
            .getUserByFederatedIdentity(
                new FederatedIdentityModel("facebook", "facebook1", "fbuser1"), realm);
    Assert.assertEquals(foundSocialUser.getUsername(), socialUser.getUsername());
    Assert.assertNull(
        session
            .users()
            .getUserByFederatedIdentity(
                new FederatedIdentityModel("facebook", "not-existing", "not-existing"), realm));

    FederatedIdentityModel foundSocialLink =
        session.users().getFederatedIdentity(socialUser, "facebook", realm);
    Assert.assertEquals("facebook1", foundSocialLink.getUserId());
    Assert.assertEquals("fbuser1", foundSocialLink.getUserName());
    Assert.assertEquals("facebook", foundSocialLink.getIdentityProvider());

    // Test removing social link
    Assert.assertTrue(session.users().removeFederatedIdentity(realm, socialUser, "facebook"));
    Assert.assertNull(session.users().getFederatedIdentity(socialUser, "facebook", realm));
    Assert.assertFalse(session.users().removeFederatedIdentity(realm, socialUser, "facebook"));
    session
        .users()
        .addFederatedIdentity(
            realm, socialUser, new FederatedIdentityModel("facebook", "facebook1", "fbuser1"));

    // Test smtp config
    Map<String, String> smtpConfig = realm.getSmtpConfig();
    Assert.assertTrue(smtpConfig.size() == 3);
    Assert.assertEquals("*****@*****.**", smtpConfig.get("from"));
    Assert.assertEquals("localhost", smtpConfig.get("host"));
    Assert.assertEquals("3025", smtpConfig.get("port"));

    // Test identity providers
    List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
    Assert.assertEquals(1, identityProviders.size());
    IdentityProviderModel google = identityProviders.get(0);
    Assert.assertEquals("google1", google.getAlias());
    Assert.assertEquals("google", google.getProviderId());
    Assert.assertTrue(google.isEnabled());
    Assert.assertEquals("googleId", google.getConfig().get("clientId"));
    Assert.assertEquals("googleSecret", google.getConfig().get("clientSecret"));

    // Test federation providers
    List<UserFederationProviderModel> fedProviders = realm.getUserFederationProviders();
    Assert.assertTrue(fedProviders.size() == 2);
    UserFederationProviderModel ldap1 = fedProviders.get(0);
    Assert.assertEquals("MyLDAPProvider1", ldap1.getDisplayName());
    Assert.assertEquals("ldap", ldap1.getProviderName());
    Assert.assertEquals(1, ldap1.getPriority());
    Assert.assertEquals("ldap://foo", ldap1.getConfig().get(LDAPConstants.CONNECTION_URL));

    UserFederationProviderModel ldap2 = fedProviders.get(1);
    Assert.assertEquals("MyLDAPProvider2", ldap2.getDisplayName());
    Assert.assertEquals("ldap://bar", ldap2.getConfig().get(LDAPConstants.CONNECTION_URL));

    // Test federation mappers
    Set<UserFederationMapperModel> fedMappers1 =
        realm.getUserFederationMappersByFederationProvider(ldap1.getId());
    Assert.assertTrue(fedMappers1.size() == 1);
    UserFederationMapperModel fullNameMapper = fedMappers1.iterator().next();
    Assert.assertEquals("FullNameMapper", fullNameMapper.getName());
    Assert.assertEquals(
        FullNameLDAPFederationMapperFactory.PROVIDER_ID, fullNameMapper.getFederationMapperType());
    Assert.assertEquals(ldap1.getId(), fullNameMapper.getFederationProviderId());
    Assert.assertEquals(
        "cn",
        fullNameMapper.getConfig().get(FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE));

    // All builtin LDAP mappers should be here
    Set<UserFederationMapperModel> fedMappers2 =
        realm.getUserFederationMappersByFederationProvider(ldap2.getId());
    Assert.assertTrue(fedMappers2.size() > 3);
    Set<UserFederationMapperModel> allMappers = realm.getUserFederationMappers();
    Assert.assertEquals(allMappers.size(), fedMappers1.size() + fedMappers2.size());

    // Assert that federation link wasn't created during import
    UserFederationProviderFactory factory =
        (UserFederationProviderFactory)
            session
                .getKeycloakSessionFactory()
                .getProviderFactory(UserFederationProvider.class, "dummy");
    Assert.assertNull(factory.getInstance(session, null).getUserByUsername(realm, "wburke"));

    // Test builtin authentication flows
    AuthenticationFlowModel clientFlow = realm.getClientAuthenticationFlow();
    Assert.assertEquals(
        DefaultAuthenticationFlows.CLIENT_AUTHENTICATION_FLOW, clientFlow.getAlias());
    Assert.assertNotNull(realm.getAuthenticationFlowById(clientFlow.getId()));
    Assert.assertTrue(realm.getAuthenticationExecutions(clientFlow.getId()).size() > 0);

    AuthenticationFlowModel resetFlow = realm.getResetCredentialsFlow();
    Assert.assertEquals(DefaultAuthenticationFlows.RESET_CREDENTIALS_FLOW, resetFlow.getAlias());
    Assert.assertNotNull(realm.getAuthenticationFlowById(resetFlow.getId()));
    Assert.assertTrue(realm.getAuthenticationExecutions(resetFlow.getId()).size() > 0);

    // Test protocol mappers. Default application has all the builtin protocol mappers. OtherApp
    // just gss credential
    Assert.assertNotNull(
        application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username"));
    Assert.assertNotNull(
        application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "email"));
    Assert.assertNotNull(
        application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "given name"));
    Assert.assertNull(
        application.getProtocolMapperByName(
            OIDCLoginProtocol.LOGIN_PROTOCOL,
            KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));

    Assert.assertEquals(1, otherApp.getProtocolMappers().size());
    Assert.assertNull(
        otherApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username"));
    ProtocolMapperModel gssCredentialMapper =
        otherApp.getProtocolMapperByName(
            OIDCLoginProtocol.LOGIN_PROTOCOL,
            KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME);
    Assert.assertEquals(
        KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, gssCredentialMapper.getName());
    Assert.assertEquals(OIDCLoginProtocol.LOGIN_PROTOCOL, gssCredentialMapper.getProtocol());
    Assert.assertEquals(UserSessionNoteMapper.PROVIDER_ID, gssCredentialMapper.getProtocolMapper());
    String includeInAccessToken =
        gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN);
    String includeInIdToken =
        gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN);
    Assert.assertTrue(includeInAccessToken.equalsIgnoreCase("true"));
    Assert.assertTrue(includeInIdToken == null || Boolean.parseBoolean(includeInIdToken) == false);

    // Test user consents
    admin = session.users().getUserByUsername("admin", realm);
    Assert.assertEquals(2, admin.getConsents().size());

    UserConsentModel appAdminConsent = admin.getConsentByClient(application.getId());
    Assert.assertEquals(2, appAdminConsent.getGrantedRoles().size());
    Assert.assertTrue(
        appAdminConsent.getGrantedProtocolMappers() == null
            || appAdminConsent.getGrantedProtocolMappers().isEmpty());
    Assert.assertTrue(appAdminConsent.isRoleGranted(realm.getRole("admin")));
    Assert.assertTrue(appAdminConsent.isRoleGranted(application.getRole("app-admin")));

    UserConsentModel otherAppAdminConsent = admin.getConsentByClient(otherApp.getId());
    Assert.assertEquals(1, otherAppAdminConsent.getGrantedRoles().size());
    Assert.assertEquals(1, otherAppAdminConsent.getGrantedProtocolMappers().size());
    Assert.assertTrue(otherAppAdminConsent.isRoleGranted(realm.getRole("admin")));
    Assert.assertFalse(otherAppAdminConsent.isRoleGranted(application.getRole("app-admin")));
    Assert.assertTrue(otherAppAdminConsent.isProtocolMapperGranted(gssCredentialMapper));

    // Test service accounts
    Assert.assertFalse(application.isServiceAccountsEnabled());
    Assert.assertTrue(otherApp.isServiceAccountsEnabled());
    Assert.assertNull(session.users().getUserByServiceAccountClient(application));
    UserModel linked = session.users().getUserByServiceAccountClient(otherApp);
    Assert.assertNotNull(linked);
    Assert.assertEquals("my-service-user", linked.getUsername());
  }