From 6b135ff6e7653c43af4c9839ab538d0d5cc39fa5 Mon Sep 17 00:00:00 2001
From: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Date: Thu, 20 Jun 2024 13:02:56 +0900
Subject: [PATCH] client-jwt authentication fails on Token Introspection
 Endpoint

closes #30599

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
---
 .../authenticators/client/JWTClientAuthenticator.java     | 3 ++-
 .../keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
index 7382897db4..2f083163f5 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java
@@ -199,8 +199,9 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
     private List<String> getExpectedAudiences(ClientAuthenticationFlowContext context, RealmModel realm) {
         String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
         String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
+        String tokenIntrospectUrl = OIDCLoginProtocolService.tokenIntrospectionUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         String parEndpointUrl = ParEndpoint.parUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
-        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, parEndpointUrl));
+        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, tokenIntrospectUrl, parEndpointUrl));
         String backchannelAuthenticationUrl = CibaGrantType.authorizationUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         expectedAudiences.add(backchannelAuthenticationUrl);
 
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
index 8d96b68247..3f9ee91bd7 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java
@@ -573,6 +573,10 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
         testEndpointAsAudience(oauth.getBackchannelAuthenticationUrl());
     }
 
+    @Test
+    public void testTokenIntrospectionEndpointAsAudience() throws Exception {
+        testEndpointAsAudience(oauth.getTokenIntrospectionUrl());
+    }
     @Test
     public void testInvalidAudience() throws Exception {
         ClientRepresentation clientRepresentation = app2;
@@ -649,8 +653,8 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
         setTimeOffset(0);
 
         assertError(response, "client1", OAuthErrorException.INVALID_CLIENT, Errors.INVALID_CLIENT_CREDENTIALS);
-        
-        
+
+
     }
 
     @Test