diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java index 7382897db4..2f083163f5 100644 --- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java +++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java @@ -199,8 +199,9 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator { private List getExpectedAudiences(ClientAuthenticationFlowContext context, RealmModel realm) { String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName()); String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString(); + String tokenIntrospectUrl = OIDCLoginProtocolService.tokenIntrospectionUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString(); String parEndpointUrl = ParEndpoint.parUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString(); - List expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, parEndpointUrl)); + List expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, tokenIntrospectUrl, parEndpointUrl)); String backchannelAuthenticationUrl = CibaGrantType.authorizationUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString(); expectedAudiences.add(backchannelAuthenticationUrl); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java index 8d96b68247..3f9ee91bd7 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java @@ -573,6 +573,10 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest { testEndpointAsAudience(oauth.getBackchannelAuthenticationUrl()); } + @Test + public void testTokenIntrospectionEndpointAsAudience() throws Exception { + testEndpointAsAudience(oauth.getTokenIntrospectionUrl()); + } @Test public void testInvalidAudience() throws Exception { ClientRepresentation clientRepresentation = app2; @@ -649,8 +653,8 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest { setTimeOffset(0); assertError(response, "client1", OAuthErrorException.INVALID_CLIENT, Errors.INVALID_CLIENT_CREDENTIALS); - - + + } @Test