client-jwt authentication fails on Token Introspection Endpoint

closes #30599

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
This commit is contained in:
Takashi Norimatsu 2024-06-20 13:02:56 +09:00 committed by Marek Posolda
parent 0ce778061c
commit 6b135ff6e7
2 changed files with 8 additions and 3 deletions


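--- a/<path>/JWTClientAuthenticator.java
+++ b/<path>/JWTClientAuthenticator.java
@@ -199,8 +199,9 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
     private List<String> getExpectedAudiences(ClientAuthenticationFlowContext context, RealmModel realm) {
         String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
         String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
+        String tokenIntrospectUrl = OIDCLoginProtocolService.tokenIntrospectionUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         String parEndpointUrl = ParEndpoint.parUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
-        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, parEndpointUrl));
+        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, tokenIntrospectUrl, parEndpointUrl));
         String backchannelAuthenticationUrl = CibaGrantType.authorizationUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         expectedAudiences.add(backchannelAuthenticationUrl);
 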
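Review bot: The new `tokenIntrospectUrl` entry widens the set of `aud` values accepted for a client_assertion, and nothing in getExpectedAudiences says why the list holds several endpoint URLs rather than only the realm issuer and token endpoint, so a later cleanup could silently drop one and break an endpoint again. A comment above the list such as `// A client_assertion is presented at several endpoints (token, introspection, PAR, CIBA backchannel), so each endpoint URL is a valid audience besides the realm issuer.` would record the intent. Building the list as `new ArrayList<>(Arrays.asList(...))` and then appending `backchannelAuthenticationUrl` on a separate line mixes two styles; if nothing else is added later, a single `List.of(issuerUrl, tokenUrl, tokenIntrospectUrl, parEndpointUrl, backchannelAuthenticationUrl)` would be simpler, but the rest of the method lies outside the hunk so I cannot confirm that. Every audience here, including the new one, is derived from the request's base URI via `getBaseUri()`/`getBaseUriBuilder()`, so the audience check is only as strict as the hostname configuration that fixes that URI; worth keeping in mind when reviewing changes to this list.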

@ -573,6 +573,10 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
testEndpointAsAudience(oauth.getBackchannelAuthenticationUrl()); testEndpointAsAudience(oauth.getBackchannelAuthenticationUrl());
} }
@Test
public void testTokenIntrospectionEndpointAsAudience() throws Exception {
testEndpointAsAudience(oauth.getTokenIntrospectionUrl());
}
@Test @Test
public void testInvalidAudience() throws Exception { public void testInvalidAudience() throws Exception {
ClientRepresentation clientRepresentation = app2; ClientRepresentation clientRepresentation = app2;
@ -649,8 +653,8 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
setTimeOffset(0); setTimeOffset(0);
assertError(response, "client1", OAuthErrorException.INVALID_CLIENT, Errors.INVALID_CLIENT_CREDENTIALS); assertError(response, "client1", OAuthErrorException.INVALID_CLIENT, Errors.INVALID_CLIENT_CREDENTIALS);
} }
@Test @Test