DPoP: OIDC client registration support

closes #21918
This commit is contained in:
Takashi Norimatsu 2023-07-26 15:38:53 +09:00 committed by Marek Posolda
parent 2f617bd28e
commit 6498b5baf3
3 changed files with 61 additions and 0 deletions

View file

@ -102,6 +102,9 @@ public class OIDCClientRepresentation {
private String tls_client_auth_subject_dn; private String tls_client_auth_subject_dn;
// OAuth 2.0 DPoP
private Boolean dpop_bound_access_tokens;
// OIDC Session Management // OIDC Session Management
private List<String> post_logout_redirect_uris; private List<String> post_logout_redirect_uris;
@ -476,6 +479,14 @@ public class OIDCClientRepresentation {
this.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens; this.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;
} }
public Boolean getDpopBoundAccessTokens() {
return dpop_bound_access_tokens;
}
public void setDpopBoundAccessTokens(Boolean dpop_bound_access_tokens) {
this.dpop_bound_access_tokens = dpop_bound_access_tokens;
}
public String getBackchannelLogoutUri() { public String getBackchannelLogoutUri() {
return backchannel_logout_uri; return backchannel_logout_uri;
} }

View file

@ -212,6 +212,13 @@ public class DescriptionConverter {
configWrapper.setPostLogoutRedirectUris(clientOIDC.getPostLogoutRedirectUris()); configWrapper.setPostLogoutRedirectUris(clientOIDC.getPostLogoutRedirectUris());
} }
// OAuth 2.0 DPoP
Boolean dpopBoundAccessTokens = clientOIDC.getDpopBoundAccessTokens();
if (dpopBoundAccessTokens != null) {
if (dpopBoundAccessTokens.booleanValue()) configWrapper.setUseDPoP(true);
else configWrapper.setUseDPoP(false);
}
// CIBA // CIBA
String backchannelTokenDeliveryMode = clientOIDC.getBackchannelTokenDeliveryMode(); String backchannelTokenDeliveryMode = clientOIDC.getBackchannelTokenDeliveryMode();
if (backchannelTokenDeliveryMode != null) { if (backchannelTokenDeliveryMode != null) {
@ -413,6 +420,11 @@ public class DescriptionConverter {
response.setBackchannelLogoutUri(config.getBackchannelLogoutUrl()); response.setBackchannelLogoutUri(config.getBackchannelLogoutUrl());
response.setBackchannelLogoutSessionRequired(config.isBackchannelLogoutSessionRequired()); response.setBackchannelLogoutSessionRequired(config.isBackchannelLogoutSessionRequired());
response.setBackchannelLogoutSessionRequired(config.getBackchannelLogoutRevokeOfflineTokens()); response.setBackchannelLogoutSessionRequired(config.getBackchannelLogoutRevokeOfflineTokens());
if (config.isUseDPoP()) {
response.setDpopBoundAccessTokens(Boolean.TRUE);
} else {
response.setDpopBoundAccessTokens(Boolean.FALSE);
}
if (client.getAttributes() != null) { if (client.getAttributes() != null) {
String mode = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT); String mode = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT);

View file

@ -356,6 +356,44 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
} }
@Test
public void testDPoPHoKTokenEnabled() throws Exception {
// create (no specification)
OIDCClientRepresentation clientRep = createRep();
OIDCClientRepresentation response = reg.oidc().create(clientRep);
Assert.assertEquals(Boolean.FALSE, response.getDpopBoundAccessTokens());
Assert.assertNotNull(response.getClientSecret());
// Test Keycloak representation
ClientRepresentation kcClient = getClient(response.getClientId());
OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
assertTrue(!config.isUseDPoP());
// update (true)
reg.auth(Auth.token(response));
response.setDpopBoundAccessTokens(Boolean.TRUE);
OIDCClientRepresentation updated = reg.oidc().update(response);
assertTrue(updated.getDpopBoundAccessTokens().booleanValue());
// Test Keycloak representation
kcClient = getClient(updated.getClientId());
config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
assertTrue(config.isUseDPoP());
// update (false)
reg.auth(Auth.token(updated));
updated.setDpopBoundAccessTokens(Boolean.FALSE);
OIDCClientRepresentation reUpdated = reg.oidc().update(updated);
assertTrue(!reUpdated.getDpopBoundAccessTokens().booleanValue());
// Test Keycloak representation
kcClient = getClient(reUpdated.getClientId());
config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
assertTrue(!config.isUseDPoP());
}
@Test @Test
public void testUserInfoEncryptedResponse() throws Exception { public void testUserInfoEncryptedResponse() throws Exception {
OIDCClientRepresentation response = null; OIDCClientRepresentation response = null;