Set logout token type to logout+jwt

Closes #28939

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
Justin Tay 2024-05-03 09:44:59 +08:00 committed by Marek Posolda
parent 9db1443367
commit 7bd48e9f9f
3 changed files with 20 additions and 2 deletions


@ -46,6 +46,9 @@ public class TokenUtil {
public static final String TOKEN_TYPE_JWT_ACCESS_TOKEN = "at+jwt"; public static final String TOKEN_TYPE_JWT_ACCESS_TOKEN = "at+jwt";
public static final String TOKEN_TYPE_JWT_ACCESS_TOKEN_PREFIXED = "application/" + TOKEN_TYPE_JWT_ACCESS_TOKEN; public static final String TOKEN_TYPE_JWT_ACCESS_TOKEN_PREFIXED = "application/" + TOKEN_TYPE_JWT_ACCESS_TOKEN;
// https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
public static final String TOKEN_TYPE_JWT_LOGOUT_TOKEN = "logout+jwt";
public static final String TOKEN_TYPE_KEYCLOAK_ID = "Serialized-ID"; public static final String TOKEN_TYPE_KEYCLOAK_ID = "Serialized-ID";
public static final String TOKEN_TYPE_ID = "ID"; public static final String TOKEN_TYPE_ID = "ID";
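Review bot: The new constant `TOKEN_TYPE_JWT_LOGOUT_TOKEN` is documented only by a bare URL, while the neighbouring `TOKEN_TYPE_JWT_ACCESS_TOKEN` has a `_PREFIXED` form and this one does not; a reader will wonder whether the omission is deliberate. A short comment would settle it, e.g. `// OIDC Back-Channel Logout 1.0, section 2.4: "typ" header value for Logout Tokens. Unprefixed per RFC 7515 section 4.1.9 (no "application/" form is needed here).` Whether any consumer in this code base must also accept the prefixed `application/logout+jwt` spelling cannot be judged from this hunk and should be confirmed.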


@ -78,7 +78,8 @@ public class DefaultTokenManager implements TokenManager {
SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, signatureAlgorithm); SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, signatureAlgorithm);
SignatureSignerContext signer = signatureProvider.signer(); SignatureSignerContext signer = signatureProvider.signer();
String encodedToken = new JWSBuilder().type("JWT").jsonContent(token).sign(signer); String type = type(token.getCategory());
String encodedToken = new JWSBuilder().type(type).jsonContent(token).sign(signer);
return encodedToken; return encodedToken;
} }
@ -235,6 +236,15 @@ public class DefaultTokenManager implements TokenManager {
return encodedToken; return encodedToken;
} }
private String type(TokenCategory category) {
switch (category) {
case LOGOUT:
return TokenUtil.TOKEN_TYPE_JWT_LOGOUT_TOKEN;
default:
return "JWT";
}
}
private boolean isTokenEncryptRequired(TokenCategory category) { private boolean isTokenEncryptRequired(TokenCategory category) {
if (cekManagementAlgorithm(category) == null) return false; if (cekManagementAlgorithm(category) == null) return false;
if (encryptAlgorithm(category) == null) return false; if (encryptAlgorithm(category) == null) return false;
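Review bot: In the new `type(TokenCategory)` helper the `default` branch covers unknown categories, but a `null` category throws a `NullPointerException` at the `switch` itself, so `encode` now fails on tokens whose `getCategory()` returns null where it previously always emitted `typ: JWT`; if null is a possible value, guard it, `if (category == null) return "JWT";`, or document the non-null precondition. The helper also has no Javadoc and the `"JWT"` literal is now the fallback for every non-logout category, including access tokens, which this file elsewhere associates with `TokenUtil.TOKEN_TYPE_JWT_ACCESS_TOKEN`; if keeping `JWT` for those is a deliberate compatibility choice, say so in a comment such as `// Only logout tokens get a specific "typ"; other categories keep "JWT" for compatibility with existing consumers.` The encrypted (JWE) encoding path whose `return encodedToken` closes just above the new method is outside this hunk, so whether it sets a matching `typ` header cannot be checked here.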


@ -336,7 +336,12 @@ public class LogoutTest extends AbstractKeycloakTest {
MatcherAssert.assertThat(response.getFirstHeader(HttpHeaders.LOCATION).getValue(), is(oauth.APP_AUTH_ROOT)); MatcherAssert.assertThat(response.getFirstHeader(HttpHeaders.LOCATION).getValue(), is(oauth.APP_AUTH_ROOT));
} }
validateLogoutToken(testingClient.testApp().getBackChannelLogoutToken()); String rawLogoutToken = testingClient.testApp().getBackChannelRawLogoutToken();
JWSInput jwsInput = new JWSInput(rawLogoutToken);
LogoutToken logoutToken = jwsInput.readJsonContent(LogoutToken.class);
validateLogoutToken(logoutToken);
JWSHeader logoutTokenHeader = jwsInput.getHeader();
assertEquals("logout+jwt", logoutTokenHeader.getType());
} finally { } finally {
rep.getAttributes().put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, ""); rep.getAttributes().put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "");
clientResource.update(rep); clientResource.update(rep);
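Review bot: The assertion `assertEquals("logout+jwt", logoutTokenHeader.getType())` checks the header on a `JWSInput` that has only been parsed, not verified, and the payload passed to `validateLogoutToken` now comes from `readJsonContent` on that same unverified input rather than from the previous `getBackChannelLogoutToken()` accessor; if that accessor verified the signature, this test has lost that coverage and should verify the raw token before reading its content. Pinning the literal `"logout+jwt"` rather than `TokenUtil.TOKEN_TYPE_JWT_LOGOUT_TOKEN` is reasonable here because it asserts the spec value rather than the constant, but a one-line comment stating that intent, e.g. `// Literal on purpose: asserts the spec-mandated typ, not the constant.`, would stop a later cleanup from replacing it. The enclosing test method begins outside this hunk.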