Feature flag DPoP metadata in OIDC Well Known endpoint

Closes keycloak/keycloak#24547

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
This commit is contained in:
Joshua Sorah 2023-11-03 22:31:08 -04:00 committed by Pedro Igor
parent 4ec85707f4
commit 7ca00975d4
2 changed files with 23 additions and 4 deletions

View file

@ -196,7 +196,9 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
// https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2 // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
config.setTlsClientCertificateBoundAccessTokens(true); config.setTlsClientCertificateBoundAccessTokens(true);
if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS)); config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
}
URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke") URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke")
.build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL); .build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);

View file

@ -69,6 +69,7 @@ import java.util.Map;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertNull;
/** /**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a> * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@ -218,9 +219,9 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported()); assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported());
assertTrue(oidcConfig.getFrontChannelLogoutSupported()); assertTrue(oidcConfig.getFrontChannelLogoutSupported());
// DPoP // DPoP - negative test for preview profile - see testDpopSigningAlgValuesSupportedWithDpop for actual test
Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512, assertNull("dpop_signing_alg_values_supported should not be present unless DPoP feature is enabled",
Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512); oidcConfig.getDpopSigningAlgValuesSupported());
} finally { } finally {
client.close(); client.close();
} }
@ -401,6 +402,22 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
} }
} }
@Test
@EnableFeature(value = Profile.Feature.DPOP, skipRestart = true)
public void testDpopSigningAlgValuesSupportedWithDpop() throws IOException {
Client client = AdminClientUtil.createResteasyClient();
try {
OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
// DPoP
Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
} finally {
client.close();
}
}
private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oidcConfig) { private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oidcConfig) {
Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS, Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS,
OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_EMAIL, OAuth2Constants.SCOPE_PHONE, OAuth2Constants.SCOPE_ADDRESS, OIDCLoginProtocolFactory.ACR_SCOPE, OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_EMAIL, OAuth2Constants.SCOPE_PHONE, OAuth2Constants.SCOPE_ADDRESS, OIDCLoginProtocolFactory.ACR_SCOPE,