libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Use the target client when processing scopes for internal exchanges

Browse source 
Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-02-07 09:22:21 -03:00 committed by Marek Posolda
parent 773bebbc2b
commit 788d146bf2
2 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
services/src/main/java/org/keycloak/protocol/oidc/DefaultTokenExchangeProvider.java
View file

@ -365,12 +365,17 @@ public class DefaultTokenExchangeProvider implements TokenExchangeProvider {
scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" ")); scope = Arrays.stream(scope.split(" ")).filter(s -> "openid".equals(s) || (targetClientScopes.contains(Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES) ? s.split(":")[0] : s))).collect(Collectors.joining(" "));
} }
switch (requestedTokenType) { try {
case OAuth2Constants.ACCESS_TOKEN_TYPE: session.getContext().setClient(targetClient);
case OAuth2Constants.REFRESH_TOKEN_TYPE: switch (requestedTokenType) {
return exchangeClientToOIDCClient(targetUser, targetUserSession, requestedTokenType, targetClient, audience, scope); case OAuth2Constants.ACCESS_TOKEN_TYPE:
case OAuth2Constants.SAML2_TOKEN_TYPE: case OAuth2Constants.REFRESH_TOKEN_TYPE:
return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient); return exchangeClientToOIDCClient(targetUser, targetUserSession, requestedTokenType, targetClient, audience, scope);
case OAuth2Constants.SAML2_TOKEN_TYPE:
return exchangeClientToSAML2Client(targetUser, targetUserSession, requestedTokenType, targetClient);
}
} finally {
session.getContext().setClient(client);
} }
throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST); throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "requested_token_type unsupported", Response.Status.BAD_REQUEST);

7
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
View file

@ -1010,6 +1010,13 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest {
assertEquals("Client is not within the token audience", response.getErrorDescription()); assertEquals("Client is not within the token audience", response.getErrorDescription());
} }
@Test
@EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
@UncaughtServerErrorExpected
public void testExchangeWithDynamicScopesEnabled() throws Exception {
testExchange();
}
private static void addDirectExchanger(KeycloakSession session) { private static void addDirectExchanger(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST); RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel exampleRole = realm.addRole("example"); RoleModel exampleRole = realm.addRole("example");