DPoP: OIDC client registration support

closes #21918

core/src/main/java/org/keycloak/representations/oidc/OIDCClientRepresentation.java

@@ -102,6 +102,9 @@ public class OIDCClientRepresentation {
 
     private String tls_client_auth_subject_dn;
 
+    // OAuth 2.0 DPoP
+    private Boolean dpop_bound_access_tokens;
+
     // OIDC Session Management
     private List<String> post_logout_redirect_uris;
 
@@ -476,6 +479,14 @@ public class OIDCClientRepresentation {
         this.tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens;
     }
 
+    public Boolean getDpopBoundAccessTokens() {
+        return dpop_bound_access_tokens;
+    }
+
+    public void setDpopBoundAccessTokens(Boolean dpop_bound_access_tokens) {
+        this.dpop_bound_access_tokens = dpop_bound_access_tokens;
+    }
+
     public String getBackchannelLogoutUri() {
         return backchannel_logout_uri;
     }

services/src/main/java/org/keycloak/services/clientregistration/oidc/DescriptionConverter.java

@@ -212,6 +212,13 @@ public class DescriptionConverter {
             configWrapper.setPostLogoutRedirectUris(clientOIDC.getPostLogoutRedirectUris());
         }
 
+        // OAuth 2.0 DPoP
+        Boolean dpopBoundAccessTokens = clientOIDC.getDpopBoundAccessTokens();
+        if (dpopBoundAccessTokens != null) {
+            if (dpopBoundAccessTokens.booleanValue()) configWrapper.setUseDPoP(true);
+            else configWrapper.setUseDPoP(false);
+        }
+
         // CIBA
         String backchannelTokenDeliveryMode = clientOIDC.getBackchannelTokenDeliveryMode();
         if (backchannelTokenDeliveryMode != null) {
@@ -413,6 +420,11 @@ public class DescriptionConverter {
         response.setBackchannelLogoutUri(config.getBackchannelLogoutUrl());
         response.setBackchannelLogoutSessionRequired(config.isBackchannelLogoutSessionRequired());
         response.setBackchannelLogoutSessionRequired(config.getBackchannelLogoutRevokeOfflineTokens());
+        if (config.isUseDPoP()) {
+            response.setDpopBoundAccessTokens(Boolean.TRUE);
+        } else {
+            response.setDpopBoundAccessTokens(Boolean.FALSE);
+        }
 
         if (client.getAttributes() != null) {
             String mode = client.getAttributes().get(CibaConfig.CIBA_BACKCHANNEL_TOKEN_DELIVERY_MODE_PER_CLIENT);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/OIDCClientRegistrationTest.java

@@ -356,6 +356,44 @@ public class OIDCClientRegistrationTest extends AbstractClientRegistrationTest {
 
     }
 
+    @Test
+    public void testDPoPHoKTokenEnabled() throws Exception {
+        // create (no specification)
+        OIDCClientRepresentation clientRep = createRep();
+
+        OIDCClientRepresentation response = reg.oidc().create(clientRep);
+        Assert.assertEquals(Boolean.FALSE, response.getDpopBoundAccessTokens());
+        Assert.assertNotNull(response.getClientSecret());
+
+        // Test Keycloak representation
+        ClientRepresentation kcClient = getClient(response.getClientId());
+        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
+        assertTrue(!config.isUseDPoP());
+
+        // update (true)
+        reg.auth(Auth.token(response));
+        response.setDpopBoundAccessTokens(Boolean.TRUE);
+        OIDCClientRepresentation updated = reg.oidc().update(response);
+        assertTrue(updated.getDpopBoundAccessTokens().booleanValue());
+
+        // Test Keycloak representation
+        kcClient = getClient(updated.getClientId());
+        config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
+        assertTrue(config.isUseDPoP());
+
+        // update (false)
+        reg.auth(Auth.token(updated));
+        updated.setDpopBoundAccessTokens(Boolean.FALSE);
+        OIDCClientRepresentation reUpdated = reg.oidc().update(updated);
+        assertTrue(!reUpdated.getDpopBoundAccessTokens().booleanValue());
+
+        // Test Keycloak representation
+        kcClient = getClient(reUpdated.getClientId());
+        config = OIDCAdvancedConfigWrapper.fromClientRepresentation(kcClient);
+        assertTrue(!config.isUseDPoP());
+
+    }
+
     @Test
     public void testUserInfoEncryptedResponse() throws Exception {
         OIDCClientRepresentation response = null;