Use the target client when processing scopes for internal exchanges

Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-02-07 09:22:21 -03:00 committed by Marek Posolda
parent 773bebbc2b
commit 788d146bf2
2 changed files with 18 additions and 6 deletions

View file

@ -365,6 +365,8 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" ")); scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" "));
} }
try {
session.getContext().setClient(targetClient);
switch (requestedTokenType) { switch (requestedTokenType) {
case OAuth2Constants.ACCESS_TOKEN_TYPE: case OAuth2Constants.ACCESS_TOKEN_TYPE:
case OAuth2Constants.REFRESH_TOKEN_TYPE: case OAuth2Constants.REFRESH_TOKEN_TYPE:
@ -372,6 +374,9 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
case OAuth2Constants.SAML2_TOKEN_TYPE: case OAuth2Constants.SAML2_TOKEN_TYPE:
return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient); return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient);
} }
} finally {
session.getContext().setClient(client);
}
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST); throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);
} }

View file

@ -1010,6 +1010,13 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest {
assertEquals("Client is not within the token audience", response.getErrorDescription()); assertEquals("Client is not within the token audience", response.getErrorDescription());
} }
@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
@UncaughtServerErrorExpected
public void testExchangeWithDynamicScopesEnabled() throws Exception {
testExchange();
}
private static void addDirectExchanger(KeycloakSession session) { private static void addDirectExchanger(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST); RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel exampleRole = realm.addRole("example"); RoleModel exampleRole = realm.addRole("example");