libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

[KEYCLOAK-18723] - Configurable constraints for request object encryption

Browse source
This commit is contained in:
Pedro Igor 2021-07-12 10:25:30 -03:00 committed by Marek Posolda
parent 730d4e8ac9
commit 396a78bcc4
13 changed files with 253 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
services/src/main/java/org/keycloak/protocol/oidc/OIDCAdvancedConfigWrapper.java
View file

@ -74,7 +74,23 @@ public class OIDCAdvancedConfigWrapper {
String algStr = alg==null ? null : alg.toString();
setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, algStr);
}
public void setRequestObjectEncryptionAlg(String algorithm) {
setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_ENCRYPTION_ALG, algorithm);
}
public String getRequestObjectEncryptionAlg() {
return getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_ENCRYPTION_ALG);
}
public String getRequestObjectEncryptionEnc() {
return getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_ENCRYPTION_ENC);
}
public void setRequestObjectEncryptionEnc(String algorithm) {
setAttribute(OIDCConfigAttributes.REQUEST_OBJECT_ENCRYPTION_ENC, algorithm);
}
public String getRequestObjectRequired() {
return getAttribute(OIDCConfigAttributes.REQUEST_OBJECT_REQUIRED);
}

2
services/src/main/java/org/keycloak/protocol/oidc/OIDCConfigAttributes.java
View file

@ -21,6 +21,8 @@ public final class OIDCConfigAttributes {
public static final String USER_INFO_RESPONSE_SIGNATURE_ALG = "user.info.response.signature.alg";
public static final String REQUEST_OBJECT_SIGNATURE_ALG = "request.object.signature.alg";
public static final String REQUEST_OBJECT_ENCRYPTION_ALG = "request.object.encryption.alg";
public static final String REQUEST_OBJECT_ENCRYPTION_ENC = "request.object.encryption.enc";
public static final String REQUEST_OBJECT_REQUIRED = "request.object.required";
public static final String REQUEST_OBJECT_REQUIRED_REQUEST_OR_REQUEST_URI = "request or request_uri";

65
services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.java
View file

@ -19,10 +19,13 @@ package org.keycloak.protocol.oidc.endpoints.request;
import com.fasterxml.jackson.databind.JsonNode;
import java.util.HashSet;
import java.util.Set;
import java.util.function.BiConsumer;
import org.keycloak.OAuth2Constants;
import org.keycloak.jose.JOSEHeader;
import org.keycloak.jose.JOSE;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.ClientModel;
@ -36,28 +39,10 @@ import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
*/
public class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser {
private static void validateAlgorithm(JOSE jwt, ClientModel clientModel) {
if (jwt instanceof JWSInput) {
JOSEHeader header = jwt.getHeader();
String headerAlgorithm = header.getRawAlgorithm();
if (headerAlgorithm == null) {
throw new RuntimeException("Request object signed algorithm not specified");
}
Algorithm requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel)
.getRequestObjectSignatureAlg();
if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.name().equals(headerAlgorithm)) {
throw new RuntimeException("Request object signed with different algorithm than client requested algorithm");
}
}
}
private final JsonNode requestParams;
public AuthzEndpointRequestObjectParser(KeycloakSession session, String requestObject, ClientModel client) {
this.requestParams = session.tokens().decodeClientJWT(requestObject, client, AuthzEndpointRequestObjectParser::validateAlgorithm, JsonNode.class);
this.requestParams = session.tokens().decodeClientJWT(requestObject, client, createRequestObjectValidator(session), JsonNode.class);
if (this.requestParams == null) {
throw new RuntimeException("Failed to verify signature on 'request' object");
@ -101,6 +86,48 @@ public class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser
return keys;
}
private BiConsumer<JOSE, ClientModel> createRequestObjectValidator(KeycloakSession session) {
return (jwt, clientModel) -> {
if (jwt instanceof JWSInput) {
JOSEHeader header = jwt.getHeader();
String headerAlgorithm = header.getRawAlgorithm();
if (headerAlgorithm == null) {
throw new RuntimeException("Request object signed algorithm not specified");
}
Algorithm requestedSignatureAlgorithm = OIDCAdvancedConfigWrapper.fromClientModel(clientModel)
.getRequestObjectSignatureAlg();
if (requestedSignatureAlgorithm != null && !requestedSignatureAlgorithm.name().equals(headerAlgorithm)) {
throw new RuntimeException(
"Request object signed with different algorithm than client requested algorithm");
}
} else {
String encryptionAlg = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestObjectEncryptionAlg();
if (encryptionAlg != null) {
if (!encryptionAlg.equals(jwt.getHeader().getRawAlgorithm())) {
throw new RuntimeException("Request object encrypted with different algorithm than client requested algorithm");
}
}
String encryptionEncAlg = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestObjectEncryptionEnc();
if (encryptionEncAlg != null) {
JWE jwe = (JWE) jwt;
JWEHeader header = (JWEHeader) jwe.getHeader();
if (!encryptionEncAlg.equals(header.getEncryptionAlgorithm())) {
throw new RuntimeException("Request object content encrypted with different algorithm than client requested algorithm");
}
}
session.setAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT_ENCRYPTED, jwt);
}
};
}
@Override
protected <T> T replaceIfNotNull(T previousVal, T newVal) {
// force parameters values from request object as per spec any parameter set directly should be ignored

1
services/src/main/java/org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestParser.java
View file

@ -47,6 +47,7 @@ public abstract class AuthzEndpointRequestParser {
public static final int ADDITIONAL_REQ_PARAMS_MAX_SIZE = 200;
public static final String AUTHZ_REQUEST_OBJECT = "ParsedRequestObject";
public static final String AUTHZ_REQUEST_OBJECT_ENCRYPTED = "EncryptedRequestObject";
/** Set of known protocol GET params not to be stored into additionalReqParams} */
public static final Set<String> KNOWN_REQ_PARAMS = new HashSet<>();

20
services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutor.java
View file

@ -63,6 +63,7 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
configuration = new Configuration();
configuration.setVerifyNbf(Boolean.TRUE);
configuration.setAvailablePeriod(DEFAULT_AVAILABLE_PERIOD);
configuration.setEncryptionRequired(Boolean.FALSE);
} else {
configuration = config;
if (config.isVerifyNbf() == null) {
@ -71,6 +72,9 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
if (config.getAvailablePeriod() == null) {
configuration.setAvailablePeriod(DEFAULT_AVAILABLE_PERIOD);
}
if (config.isEncryptionRequired() == null) {
configuration.setEncryptionRequired(Boolean.FALSE);
}
}
}
@ -84,6 +88,8 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
protected Integer availablePeriod;
@JsonProperty("verify-nbf")
protected Boolean verifyNbf;
@JsonProperty(SecureRequestObjectExecutorFactory.ENCRYPTION_REQUIRED)
private Boolean encryptionRequired;
public Integer getAvailablePeriod() {
return availablePeriod;
@ -100,6 +106,14 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
public void setVerifyNbf(Boolean verifyNbf) {
this.verifyNbf = verifyNbf;
}
public void setEncryptionRequired(Boolean encryptionRequired) {
this.encryptionRequired = encryptionRequired;
}
public Boolean isEncryptionRequired() {
return encryptionRequired;
}
}
@Override
@ -229,6 +243,12 @@ public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider
throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter. Parameters in 'request' object not matching with request parameters");
}
Boolean encryptionRequired = Optional.ofNullable(configuration.isEncryptionRequired()).orElse(Boolean.FALSE);
if (encryptionRequired && session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT_ENCRYPTED) == null) {
logger.trace("request object's not encrypted.");
throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request object not encrypted");
}
logger.trace("Passed.");
}

7
services/src/main/java/org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutorFactory.java
View file

@ -41,11 +41,16 @@ public class SecureRequestObjectExecutorFactory implements ClientPolicyExecutorP
"claim and this claim will be validated", ProviderConfigProperty.BOOLEAN_TYPE, true);
public static final String AVAILABLE_PERIOD = "available-period";
public static final String ENCRYPTION_REQUIRED = "encryption-required";
private static final ProviderConfigProperty AVAILABLE_PERIOD_PROPERTY = new ProviderConfigProperty(
AVAILABLE_PERIOD, "Available Period", "The maximum period in seconds for which the 'request' object used in OIDC authorization request is considered valid. " +
"It is used if 'Verify Not-Before' is ON.", ProviderConfigProperty.STRING_TYPE, "3600");
private static final ProviderConfigProperty ENCRYPTION_REQUIRED_PROPERTY = new ProviderConfigProperty(
ENCRYPTION_REQUIRED, "Encryption Required", "Whether request object encryption is required. If enabled, request objects must be encrypted. Otherwise, encryption is optional.",
ProviderConfigProperty.BOOLEAN_TYPE, Boolean.FALSE);
@Override
public ClientPolicyExecutorProvider create(KeycloakSession session) {
return new SecureRequestObjectExecutor(session);
@ -75,7 +80,7 @@ public class SecureRequestObjectExecutorFactory implements ClientPolicyExecutorP
@Override
public List<ProviderConfigProperty> getConfigProperties() {
return new ArrayList<>(Arrays.asList(VERIFY_NBF_PROPERTY, AVAILABLE_PERIOD_PROPERTY));
return new ArrayList<>(Arrays.asList(VERIFY_NBF_PROPERTY, AVAILABLE_PERIOD_PROPERTY, ENCRYPTION_REQUIRED_PROPERTY));
}
}

6
services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java
View file

@ -320,6 +320,12 @@ public class DescriptionConverter {
if (config.getRequestObjectSignatureAlg() != null) {
response.setRequestObjectSigningAlg(config.getRequestObjectSignatureAlg().toString());
}
if (config.getRequestObjectEncryptionAlg() != null) {
response.setRequestObjectEncryptionAlg(config.getRequestObjectEncryptionAlg());
}
if (config.getRequestObjectEncryptionEnc() != null) {
response.setRequestObjectEncryptionEnc(config.getRequestObjectEncryptionEnc());
}
if (config.isUseJwksUrl()) {
response.setJwksUri(config.getJwksUrl());
}

15
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientPoliciesTest.java
View file

@ -1168,7 +1168,7 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
}
@Test
public void testSecureRequestObjectExecutor() throws Exception, URISyntaxException, IOException {
public void testSecureRequestObjectExecutor() throws Exception {
Integer availablePeriod = Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400);
// register profiles
String json = (new ClientProfilesBuilder()).addProfile(
@ -1362,6 +1362,19 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
successfulLoginAndLogout(clientId, clientSecret);
// update profile : force request object encryption
json = (new ClientProfilesBuilder()).addProfile(
(new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil")
.addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(null, null, true))
.toRepresentation()
).toString();
updateProfiles(json);
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
registerRequestObject(requestObject, clientId, Algorithm.ES256, false);
oauth.openLoginForm();
assertEquals(SecureRequestObjectExecutor.INVALID_REQUEST_OBJECT, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
assertEquals("Request object not encrypted", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
}
@Test

88
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
View file

@ -105,6 +105,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.jose.jwe.JWEConstants.RSA_OAEP;
import static org.keycloak.jose.jwe.JWEConstants.RSA_OAEP_256;
import static org.keycloak.testsuite.admin.ApiUtil.findClientResourceByClientId;
@ -1296,8 +1297,84 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
events.expectLogin().assertEvent();
}
@Test
public void testWrongEncryptionAlgorithm() throws Exception {
try {
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(oauth.getRealm()), oauth.getClientId());
ClientRepresentation clientRep = clientResource.toRepresentation();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionAlg(RSA_OAEP_256);
clientResource.update(clientRep);
oauth.request(createEncryptedRequestObject(RSA_OAEP));
oauth.doLogin("test-user@localhost", "password");
fail("Should fail due to invalid encryption algorithm");
} catch (Exception ignore) {
assertTrue(errorPage.isCurrent());
oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
oauth.doLogin("test-user@localhost", "password");
assertTrue(appPage.isCurrent());
} finally {
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(oauth.getRealm()), oauth.getClientId());
ClientRepresentation clientRep = clientResource.toRepresentation();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionAlg(null);
clientResource.update(clientRep);
}
oauth.openLogout();
oauth = oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
oauth.doLogin("test-user@localhost", "password");
assertTrue(appPage.isCurrent());
}
@Test
public void testWrongContentEncryptionAlgorithm() throws Exception {
ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm(oauth.getRealm()), oauth.getClientId());
ClientRepresentation clientRep = clientResource.toRepresentation();
try {
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionAlg(RSA_OAEP_256);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionEnc(JWEConstants.A192GCM);
clientResource.update(clientRep);
clientRep = clientResource.toRepresentation();
assertEquals(JWEConstants.A192GCM, OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).getRequestObjectEncryptionEnc());
oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
oauth.doLogin("test-user@localhost", "password");
fail("Should fail due to invalid content encryption algorithm");
} catch (Exception ignore) {
assertTrue(errorPage.isCurrent());
oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
clientRep = clientResource.toRepresentation();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionEnc(JWEConstants.A256GCM);
clientResource.update(clientRep);
clientRep = clientResource.toRepresentation();
assertEquals(JWEConstants.A256GCM, OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).getRequestObjectEncryptionEnc());
oauth.doLogin("test-user@localhost", "password");
assertTrue(appPage.isCurrent());
} finally {
clientResource = ApiUtil.findClientByClientId(adminClient.realm(oauth.getRealm()), oauth.getClientId());
clientRep = clientResource.toRepresentation();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionAlg(null);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestObjectEncryptionEnc(null);
clientResource.update(clientRep);
}
oauth.openLogout();
oauth = oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
oauth.doLogin("test-user@localhost", "password");
assertTrue(appPage.isCurrent());
clientRep = clientResource.toRepresentation();
assertNull(OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).getRequestObjectEncryptionAlg());
assertNull(OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).getRequestObjectEncryptionEnc());
}
@Test
public void testSignedAndEncryptedRequestObject() throws IOException, JWEException {
oauth = oauth.request(createEncryptedRequestObject(RSA_OAEP_256));
oauth.doLogin("test-user@localhost", "password");
events.expectLogin().assertEvent();
}
private String createEncryptedRequestObject(String encAlg) throws IOException, JWEException {
try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) {
OIDCConfigurationRepresentation representation = SimpleHttp
.doGet(getAuthServerRoot().toString() + "realms/" + oauth.getRealm() + "/.well-known/openid-configuration",
@ -1308,22 +1385,21 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
String keyId = null;
if (keyId == null) {
KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(),
org.keycloak.crypto.Algorithm.PS256);
KeysMetadataRepresentation.KeyMetadataRepresentation encKey = KeyUtils
.getActiveEncKey(testRealm().keys().getKeyMetadata(),
org.keycloak.crypto.Algorithm.PS256);
keyId = encKey.getKid();
}
PublicKey decryptionKEK = keysForUse.get(keyId);
JWE jwe = new JWE()
.header(new JWEHeader(RSA_OAEP_256, JWEConstants.A256GCM, null))
.header(new JWEHeader(encAlg, JWEConstants.A256GCM, null))
.content(createAndSignRequestObject().getBytes());
jwe.getKeyStorage()
.setEncryptionKey(decryptionKEK);
oauth = oauth.request(jwe.encodeJwe());
oauth.doLogin("test-user@localhost", "password");
events.expectLogin().assertEvent();
return jwe.encodeJwe();
}
}

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientPoliciesUtil.java
View file

@ -168,9 +168,14 @@ public final class ClientPoliciesUtil {
}
public static SecureRequestObjectExecutor.Configuration createSecureRequestObjectExecutorConfig(Integer availablePeriod, Boolean verifyNbf) {
return createSecureRequestObjectExecutorConfig(availablePeriod, verifyNbf, false);
}
public static SecureRequestObjectExecutor.Configuration createSecureRequestObjectExecutorConfig(Integer availablePeriod, Boolean verifyNbf, Boolean encryptionRequired) {
SecureRequestObjectExecutor.Configuration config = new SecureRequestObjectExecutor.Configuration();
if (availablePeriod != null) config.setAvailablePeriod(availablePeriod);
if (verifyNbf != null) config.setVerifyNbf(verifyNbf);
if (encryptionRequired != null) config.setEncryptionRequired(encryptionRequired);
return config;
}

4
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -403,6 +403,10 @@ request-object-signature-alg=Request Object Signature Algorithm
request-object-signature-alg.tooltip=JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ).
request-object-required=Request Object Required
request-object-required.tooltip=Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used.
request-object-encryption-alg=Request Object Encryption Algorithm
request-object-encryption-alg.tooltip=JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed.
request-object-encryption-enc=Request Object Content Encryption Algorithm
request-object-encryption-enc.tooltip=JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed.
ciba-backchannel-auth-request-signing-alg=CIBA Backchannel Authentication Request Signature Algorithm
ciba-backchannel-auth-request-signing-alg.tooltip=JWA algorithm, which client needs to use when sending CIBA backchannel authentication request specified by 'request' or 'request_uri' parameters.
request-uris=Valid Request URIs

22
themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
View file

@ -1314,6 +1314,12 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, flows, $ro
var attrVal5 = $scope.client.attributes['ciba.backchannel.auth.request.signing.alg'];
$scope.cibaBackchannelAuthRequestSigningAlg = attrVal5==null ? 'none' : attrVal5;
var attrVal6 = $scope.client.attributes['request.object.encryption.alg'];
$scope.requestObjectEncryptionAlg = attrVal6==null ? 'any' : attrVal6;
var attrVal7 = $scope.client.attributes['request.object.encryption.enc'];
$scope.requestObjectEncryptionEnc = attrVal7==null ? 'any' : attrVal7;
if ($scope.client.attributes["exclude.session.state.from.auth.response"]) {
if ($scope.client.attributes["exclude.session.state.from.auth.response"] == "true") {
$scope.excludeSessionStateFromAuthResponse = true;
@ -1527,6 +1533,22 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, flows, $ro
}
};
$scope.changeRequestObjectEncryptionAlg = function() {
if ($scope.requestObjectEncryptionAlg === 'any') {
$scope.clientEdit.attributes['request.object.encryption.alg'] = null;
} else {
$scope.clientEdit.attributes['request.object.encryption.alg'] = $scope.requestObjectEncryptionAlg;
}
};
$scope.changeRequestObjectEncryptionEnc = function() {
if ($scope.requestObjectEncryptionEnc === 'any') {
$scope.clientEdit.attributes['request.object.encryption.enc'] = null;
} else {
$scope.clientEdit.attributes['request.object.encryption.enc'] = $scope.requestObjectEncryptionEnc;
}
};
$scope.changePkceCodeChallengeMethod = function() {
$scope.clientEdit.attributes['pkce.code.challenge.method'] = $scope.pkceCodeChallengeMethod;
};

28
themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
View file

@ -559,6 +559,34 @@
</div>
<kc-tooltip>{{:: 'request-object-signature-alg.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'openid-connect'">
<label class="col-md-2 control-label" for="requestObjectEncryptionAlg">{{:: 'request-object-encryption-alg' | translate}}</label>
<div class="col-sm-6">
<div>
<select class="form-control" id="requestObjectEncryptionAlg"
ng-change="changeRequestObjectEncryptionAlg()"
ng-model="requestObjectEncryptionAlg">
<option value="any">any</option>
<option ng-repeat="provider in serverInfo.listProviderIds('cekmanagement')" value="{{provider}}">{{provider}}</option>
</select>
</div>
</div>
<kc-tooltip>{{:: 'request-object-encryption-alg.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'openid-connect'">
<label class="col-md-2 control-label" for="requestObjectEncryptionEnc">{{:: 'request-object-encryption-enc' | translate}}</label>
<div class="col-sm-6">
<div>
<select class="form-control" id="requestObjectEncryptionEnc"
ng-change="changeRequestObjectEncryptionEnc()"
ng-model="requestObjectEncryptionEnc">
<option value="any">any</option>
<option ng-repeat="provider in serverInfo.listProviderIds('contentencryption')" value="{{provider}}">{{provider}}</option>
</select>
</div>
</div>
<kc-tooltip>{{:: 'request-object-encryption-enc.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix block" data-ng-show="protocol == 'openid-connect'">
<label class="col-md-2 control-label" for="changeRequestObjectRequired">{{:: 'request-object-required' | translate}}</label>
<div class="col-sm-6">