Use correct error value in Token Exchange error responses
The Token Exchange specification ([RFC 8693 Section 2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2)) requires that the error code for invalid requests be `invalid_request`. Previously, Keycloak used `invalid_token` as the error code. Fixes #31547 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
This commit is contained in:
parent
9f5f8e017e
commit
211224f613
1 changed files with 3 additions and 3 deletions
|
@ -155,7 +155,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
|
||||||
} catch (JWSInputException e) {
|
} catch (JWSInputException e) {
|
||||||
event.detail(Details.REASON, "unable to parse jwt subject_token");
|
event.detail(Details.REASON, "unable to parse jwt subject_token");
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
|
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -169,7 +169,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
|
||||||
if (subjectTokenType != null && !subjectTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
|
if (subjectTokenType != null && !subjectTokenType.equals(OAuth2Constants.ACCESS_TOKEN_TYPE)) {
|
||||||
event.detail(Details.REASON, "subject_token supports access tokens only");
|
event.detail(Details.REASON, "subject_token supports access tokens only");
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
|
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token type, must be access token", Response.Status.BAD_REQUEST);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -177,7 +177,7 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
|
||||||
if (authResult == null) {
|
if (authResult == null) {
|
||||||
event.detail(Details.REASON, "subject_token validation failure");
|
event.detail(Details.REASON, "subject_token validation failure");
|
||||||
event.error(Errors.INVALID_TOKEN);
|
event.error(Errors.INVALID_TOKEN);
|
||||||
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_TOKEN, "Invalid token", Response.Status.BAD_REQUEST);
|
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Invalid token", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
tokenUser = authResult.getUser();
|
tokenUser = authResult.getUser();
|
||||||
|
|
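Review bot: The error_description on the changed throw in the first hunk, `"Invalid token type, must be access token"`, does not describe the condition it reports — that branch is the `JWSInputException` catch, where the event reason is "unable to parse jwt subject_token", so the client is told the wrong reason for the rejection. Since the line is being rewritten anyway, `throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "Unable to parse subject_token", Response.Status.BAD_REQUEST);` would align the description with the recorded reason, as the third hunk's "Invalid token" already does for the validation-failure path. The `event.error(Errors.INVALID_TOKEN)` calls are left unchanged in all three hunks; if that is deliberate (the audit-event vocabulary being distinct from the OAuth wire error code), a one-line comment at the first site such as `// OAuth error code follows RFC 8693 §2.2.2; the audit event keeps the finer-grained INVALID_TOKEN` would keep the next reader from "fixing" it. The enclosing method begins and ends outside these hunks, so any further rejection paths in it (for example around actor_token) that might still emit invalid_token are not visible here.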