From 211224f61376a7180a069c7a6f072da21e8a7334 Mon Sep 17 00:00:00 2001
From: Thomas Darimont
Date: Thu, 5 Sep 2024 18:35:36 +0200
Subject: [PATCH] Use correct error value in Token Exchange error responses

The Token Exchange [RFC8693 Section-2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2) requires that the error code for invalid requests is `invalid_request`. Previously, Keycloak used `invalid_token` as the error code.

Fixes #31547

Signed-off-by: Thomas Darimont
---
 .../protocol/oidc/DefaultTokenExchangeProvider.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
index fb61294351..e418d572fa 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
@@ -155,7 +155,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
 } catch (JWSInputException e) {
 event.detail(Details.REASON, "unable to parse jwt subject_token");
 event.error(Errors.INVALID_TOKEN);
- throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
+ throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
 }
 }
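Review bot: The error_description on the added throw still reads `Invalid token type, must be access token` although this branch handles a `JWSInputException`, i.e. the subject_token could not be parsed as a JWT at all, which the event detail on the line above records correctly as `unable to parse jwt subject_token`. Returning the type-mismatch text here misleads a client debugging a malformed token; a description matching the event, such as `"Invalid subject_token, unable to parse"`, or the generic `"Invalid token"` used in the third hunk, would be clearer without disclosing anything more. The diffstat shows only this file changed, so a test asserting that these three paths now answer with `error=invalid_request` and HTTP 400, and an update of any existing test that still expects `invalid_token`, are worth adding in the same change. The enclosing method starts before and continues after this hunk.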
@@ -169,7 +169,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
 if (subjectTokenType != null && !subjectTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
 event.detail(Details.REASON, "subject_token supports access tokens only");
 event.error(Errors.INVALID_TOKEN);
- throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
+ throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
 }
@@ -177,7 +177,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
 if (authResult == null) {
 event.detail(Details.REASON, "subject_token validation failure");
 event.error(Errors.INVALID_TOKEN);
- throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.BAD_REQUEST);
+ throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token", Response.Status.BAD_REQUEST);
 }
 tokenUser = authResult.getUser();
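Review bot: The guard on the first context line of this hunk still admits a request with no `subject_token_type` at all (`subjectTokenType != null && ...`), while RFC 8693 §2.1 lists `subject_token_type` as REQUIRED, so after this change a missing parameter is silently treated as an access token instead of producing the `invalid_request` the commit is introducing for the other malformed cases. If accepting a null type is a deliberate compatibility choice, a one-line comment such as `// subject_token_type is REQUIRED by RFC 8693 §2.1; a missing value is tolerated for backwards compatibility and treated as an access token` would stop the next reader from "fixing" it either way. Otherwise the condition could become `if (!OAuth2Constants.ACCESS_TOKEN_TYPE.equals(subjectTokenType)) {`, which rejects both a wrong and an absent type with the same error. The enclosing method starts before and continues after this hunk.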
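Review bot: After this change the audit event on the line above the throw still records `Errors.INVALID_TOKEN` while the client now receives `invalid_request`, and nothing in the code says that the divergence is intentional, so a later consistency cleanup could revert the wire error back to `invalid_token` without noticing the RFC requirement. A short comment on the added throw, e.g. `// RFC 8693 §2.2.2: token-exchange failures are reported to the client as invalid_request; the event keeps the more specific INVALID_TOKEN reason for auditing`, would pin the contract where it is most likely to be touched. Keeping the client-facing description at the generic `Invalid token` here is the right call, since the verification failure reason stays in the server-side event rather than in the response. If the provider throws `OAuthErrorException.INVALID_TOKEN` anywhere else on the token-exchange path (actor_token handling, for instance), those sites presumably need the same mapping, but they are outside this hunk. The enclosing method starts before and continues after this hunk.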