client-jwt authentication fails on Token Introspection Endpoint

closes #30599

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>

services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java

@@ -199,8 +199,9 @@ public class JWTClientAuthenticator extends AbstractClientAuthenticator {
     private List<String> getExpectedAudiences(ClientAuthenticationFlowContext context, RealmModel realm) {
         String issuerUrl = Urls.realmIssuer(context.getUriInfo().getBaseUri(), realm.getName());
         String tokenUrl = OIDCLoginProtocolService.tokenUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
+        String tokenIntrospectUrl = OIDCLoginProtocolService.tokenIntrospectionUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         String parEndpointUrl = ParEndpoint.parUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
-        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, parEndpointUrl));
+        List<String> expectedAudiences = new ArrayList<>(Arrays.asList(issuerUrl, tokenUrl, tokenIntrospectUrl, parEndpointUrl));
         String backchannelAuthenticationUrl = CibaGrantType.authorizationUrl(context.getUriInfo().getBaseUriBuilder()).build(realm.getName()).toString();
         expectedAudiences.add(backchannelAuthenticationUrl);
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java

@@ -573,6 +573,10 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
         testEndpointAsAudience(oauth.getBackchannelAuthenticationUrl());
     }
 
+    @Test
+    public void testTokenIntrospectionEndpointAsAudience() throws Exception {
+        testEndpointAsAudience(oauth.getTokenIntrospectionUrl());
+    }
     @Test
     public void testInvalidAudience() throws Exception {
         ClientRepresentation clientRepresentation = app2;