Feature flag DPoP metadata in OIDC Well Known endpoint

Closes keycloak/keycloak#24547 Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-03 22:31:08 -04:00 · 2023-11-03 22:31:08 -04:00 · 7ca00975d4
commit 7ca00975d4
parent 4ec85707f4
2 changed files with 23 additions and 4 deletions
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
@ -196,7 +196,9 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
        // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
        config.setTlsClientCertificateBoundAccessTokens(true);
-        config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
+        if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
            config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
        }
        URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke")
            .build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
@ -69,6 +69,7 @@ import java.util.Map;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertNull;
 /**
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@ -218,9 +219,9 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
            assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported());
            assertTrue(oidcConfig.getFrontChannelLogoutSupported());
-            // DPoP
+            // DPoP - negative test for preview profile - see testDpopSigningAlgValuesSupportedWithDpop for actual test
-            Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
+            assertNull("dpop_signing_alg_values_supported should not be present unless DPoP feature is enabled",
-                    Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
+                    oidcConfig.getDpopSigningAlgValuesSupported());
        } finally {
            client.close();
        }
@ -401,6 +402,22 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
        }
    }
    @Test
    @EnableFeature(value = Profile.Feature.DPOP, skipRestart = true)
    public void testDpopSigningAlgValuesSupportedWithDpop() throws IOException {
        Client client = AdminClientUtil.createResteasyClient();
        try {
            OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
            // DPoP
            Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
                    Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
        } finally {
            client.close();
        }
    }
    private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oidcConfig) {
        Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS,
                OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_EMAIL, OAuth2Constants.SCOPE_PHONE, OAuth2Constants.SCOPE_ADDRESS, OIDCLoginProtocolFactory.ACR_SCOPE,