aud should be client-id, issuer should be realm

This commit is contained in:
Bill Burke 2014-10-29 15:56:25 -04:00
parent c660be7bbb
commit 0183ac43bc
6 changed files with 10 additions and 10 deletions


@ -35,7 +35,7 @@ public class RSATokenVerifier {
if (user == null) {
throw new VerificationException("Token user was null.");
}
if (!realm.equals(token.getAudience())) {
if (!realm.equals(token.getIssuer())) {
throw new VerificationException("Token audience doesn't match domain.");
}
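Review bot: The new `realm.equals(token.getIssuer())` check still throws with the old message `"Token audience doesn't match domain."`, so an issuer mismatch will be reported to operators as an audience problem; change it to `throw new VerificationException("Token issuer doesn't match realm.");`. Beyond the message, with `aud` now carrying the client id (per the commit title) nothing in this hunk validates `aud` against the client the token is presented to, so as far as these lines show a token minted for one client in the realm would verify for any other client in the same realm; a `token.getAudience()` comparison against the expected client id here, or a documented requirement that callers perform it, would close that gap. The enclosing method begins before the hunk, so the signature check and any other claim validation are not visible here.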


@ -72,7 +72,7 @@ public class RSAVerifierTest {
token = new AccessToken();
token.subject("CN=Client")
.audience("domain")
.issuer("domain")
.addAccess("service").addRole("admin");
}
@ -213,7 +213,7 @@ public class RSAVerifierTest {
public void testTokenAuth() throws Exception {
token = new AccessToken();
token.subject("CN=Client")
.audience("domain")
.issuer("domain")
.addAccess("service").addRole("admin").verifyCaller(true);
String encoded = new JWSBuilder()
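Review bot: Both fixtures now set only `.issuer("domain")` and no longer set an `aud` at all, so the suite has no case showing that a token with a wrong or absent `aud` is rejected, even though the commit's stated point is that `aud` is now the client id. Consider setting `.audience(<client id>)` in the happy-path fixture and adding a negative test with a mismatched audience, so the verifier's treatment of `aud` (which, from the RSATokenVerifier hunk in this commit, appears to go unchecked) is pinned rather than left implicit. The `testTokenAuth` body continues past `new JWSBuilder()` outside this view.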


@ -5,8 +5,8 @@
<itemizedlist>
<listitem>UserSessionModel JPA and Mongo storage schema has changed as these interfaces have been refactored</listitem>
<listitem>
Upgrade your adapters as REST API has changed. We're still supporting older adapters for now, but in future
versions this backward compatibility will be removed.
Upgrade your adapters. We interpreted JSON Web Token and OIDC ID Token specification incorrectly. 'aud'
claim must be the client id, we were storing the realm name in there and validating it.
</listitem>
</itemizedlist>
</sect1>


@ -222,7 +222,7 @@ public class TokenManager {
IDToken token = new IDToken();
token.id(KeycloakModelUtils.generateId());
token.subject(user.getId());
token.audience(realm.getName());
token.audience(claimer.getClientId());
token.issuedNow();
token.issuedFor(client.getUsername());
token.issuer(realm.getName());
@ -239,7 +239,7 @@ public class TokenManager {
AccessToken token = new AccessToken();
token.id(KeycloakModelUtils.generateId());
token.subject(user.getId());
token.audience(realm.getName());
token.audience(client.getClientId());
token.issuedNow();
token.issuedFor(client.getClientId());
token.issuer(realm.getName());
@ -343,7 +343,7 @@ public class TokenManager {
idToken = new IDToken();
idToken.id(KeycloakModelUtils.generateId());
idToken.subject(accessToken.getSubject());
idToken.audience(realm.getName());
idToken.audience(client.getClientId());
idToken.issuedNow();
idToken.issuedFor(accessToken.getIssuedFor());
idToken.issuer(accessToken.getIssuer());
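Review bot: In the first hunk the ID token's `aud` comes from `claimer.getClientId()` while its `azp` two lines later is still `client.getUsername()`, whereas the access-token hunk sets both `aud` and `issuedFor` from `client.getClientId()`; if `claimer` and `client` are different objects, or `getUsername()` and `getClientId()` differ, the ID token's `aud` and `azp` will disagree, which OIDC clients are expected to treat as a verification failure when `azp` is present. Unless the distinction is deliberate, use `token.audience(client.getClientId());` and `token.issuedFor(client.getClientId());` there for consistency with the second hunk, or add a comment explaining why the ID token is addressed to `claimer`. This is inferred from the visible lines only; the surrounding methods start and end outside the hunks.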


@ -107,7 +107,7 @@ public class AuthenticationManager {
token.id(KeycloakModelUtils.generateId());
token.issuedNow();
token.subject(user.getId());
token.audience(realm.getName());
token.issuer(realm.getName());
if (session != null) {
token.setSessionState(session.getId());
}
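Review bot: After this change the token built here carries an `iss` but no `aud` at all, and nothing in the hunk records that this is intentional; a reader comparing it with TokenManager, where every token in this commit now gets `aud` = client id, will wonder whether a client id was simply omitted. If this is the realm-scoped identity token (the `setSessionState` call suggests so), add `// identity/session token: no aud; consumers validate iss (realm name) instead` above `token.issuer(realm.getName());`, and confirm that no remaining consumer still reads `getAudience()` on it. The enclosing method begins before the hunk.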


@ -140,7 +140,7 @@ public class AdminRoot {
} catch (IOException e) {
throw new UnauthorizedException("Bearer token format error");
}
String realmName = token.getAudience();
String realmName = token.getIssuer();
RealmManager realmManager = new RealmManager(session);
RealmModel realm = realmManager.getRealmByName(realmName);
if (realm == null) {
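Review bot: `token.getIssuer()` is read from a bearer token that, as far as this hunk shows, has not yet been signature-checked, and its value is passed straight to `getRealmByName`; a token without the claim yields `getRealmByName(null)`, whose behaviour is not visible here, and the caller effectively chooses which realm's key will be used for verification. Add `if (realmName == null) throw new UnauthorizedException("Bearer token has no issuer");` before the lookup, and make sure the verification that follows (outside this view) checks the signature with that realm's key and, since `aud` is now the client id, also that `aud` names the admin client rather than accepting any token issued within the realm. The `if (realm == null)` branch and the rest of the method continue past the hunk.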