Use the target client when processing scopes for internal exchanges
Closes #19183 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
parent
773bebbc2b
commit
788d146bf2
2 changed files with 18 additions and 6 deletions
|
@ -365,6 +365,8 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
|
||||||
scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" "));
|
scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" "));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
session.getContext().setClient(targetClient);
|
||||||
switch (requestedTokenType) {
|
switch (requestedTokenType) {
|
||||||
case OAuth2Constants.ACCESS_TOKEN_TYPE:
|
case OAuth2Constants.ACCESS_TOKEN_TYPE:
|
||||||
case OAuth2Constants.REFRESH_TOKEN_TYPE:
|
case OAuth2Constants.REFRESH_TOKEN_TYPE:
|
||||||
|
@ -372,6 +374,9 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
|
||||||
case OAuth2Constants.SAML2_TOKEN_TYPE:
|
case OAuth2Constants.SAML2_TOKEN_TYPE:
|
||||||
return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient);
|
return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient);
|
||||||
}
|
}
|
||||||
|
} finally {
|
||||||
|
session.getContext().setClient(client);
|
||||||
|
}
|
||||||
|
|
||||||
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
|
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
|
@ -1010,6 +1010,13 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest {
|
||||||
assertEquals("Client is not within the token audience", response.getErrorDescription());
|
assertEquals("Client is not within the token audience", response.getErrorDescription());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
|
||||||
|
@UncaughtServerErrorExpected
|
||||||
|
public void testExchangeWithDynamicScopesEnabled() throws Exception {
|
||||||
|
testExchange();
|
||||||
|
}
|
||||||
|
|
||||||
private static void addDirectExchanger(KeycloakSession session) {
|
private static void addDirectExchanger(KeycloakSession session) {
|
||||||
RealmModel realm = session.realms().getRealmByName(TEST);
|
RealmModel realm = session.realms().getRealmByName(TEST);
|
||||||
RoleModel exampleRole = realm.addRole("example");
|
RoleModel exampleRole = realm.addRole("example");
|
||||||
|
|
Loading…
Reference in a new issue