From b52256facc81e90ac2e2aa2f1c4067592d1a2f62 Mon Sep 17 00:00:00 2001
From: rmartinc
Date: Mon, 28 Oct 2024 12:37:15 +0100
Subject: [PATCH] Set client in context for dynamic scopes calculation

Closes #33684

Signed-off-by: rmartinc
---
 .../keycloak/protocol/oidc/TokenManager.java | 1 +
 .../oidc/LightWeightAccessTokenTest.java | 28 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 3f8d95dfaf..02b8e9d5d4 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -621,6 +621,7 @@ public class TokenManager {
 Set clientScopes;
 if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
+ session.getContext().setClient(client);
 clientScopes = AuthorizationContextUtil.getClientScopesStreamFromAuthorizationRequestContextWithClient(session, scopeParam)
 .collect(Collectors.toSet());
 } else {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
index 69ba7af2bb..04a39bc293 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
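Review bot: The added `session.getContext().setClient(client);` overwrites whatever client the KeycloakContext already held for this request and never puts it back, so everything that runs after this scope computation sees the client passed to this method rather than the one the request arrived with. Whether the two can differ on the paths that reach this code is not visible from the hunk, but the context client presumably feeds later per-client decisions in the same request, so the overwrite deserves either a comment stating that the two are always the same here or a save-and-restore limited to the dynamic-scope lookup. The enclosing method starts and ends outside the hunk. If restoring is the choice, the branch would take this shape:
```java
if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
    // The dynamic-scope helper is expected to read the client from the session
    // context (the reason this line exists); set it for the lookup only and put the
    // previous value back so later code in this request is not affected.
    ClientModel previousClient = session.getContext().getClient();
    session.getContext().setClient(client);
    try {
        clientScopes = AuthorizationContextUtil.getClientScopesStreamFromAuthorizationRequestContextWithClient(session, scopeParam)
                .collect(Collectors.toSet());
    } finally {
        session.getContext().setClient(previousClient);
    }
} else {
    // … unchanged: static client-scope resolution …
```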
@@ -19,8 +19,12 @@ package org.keycloak.testsuite.oidc;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Response;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.ContentType;
+import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.jboss.logging.Logger;
@@ -102,6 +106,7 @@ import static org.keycloak.protocol.oidc.mappers.RoleNameMapper.NEW_ROLE_NAME;
 import static org.keycloak.protocol.oidc.mappers.RoleNameMapper.ROLE_CONFIG;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import static org.keycloak.testsuite.util.ClientPoliciesUtil.createAnyClientConditionConfig;
 @EnableFeature(value = Profile.Feature.TOKEN_EXCHANGE, skipRestart = true)
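Review bot: The new `import org.keycloak.testsuite.updaters.ClientAttributeUpdater;` in the second hunk is a regular import dropped into the block of static imports, between `AuthRealm.TEST` and `ClientPoliciesUtil.createAnyClientConditionConfig`. It belongs with the other non-static `org.keycloak.testsuite` imports earlier in the file so the static block stays contiguous and an IDE import-organise pass does not produce an unrelated diff later. The additions in the first hunk are placed correctly.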
@@ -523,6 +528,29 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
 }
 }
+ @Test
+ @EnableFeature(value = Profile.Feature.DYNAMIC_SCOPES, skipRestart = true)
+ public void testAdminConsoleClientWithLightweightAccessTokenTransientSessionDynamicScopes() throws Exception {
+ try (ClientAttributeUpdater clientUpdater = ClientAttributeUpdater.forClient(adminClient, oauth.getRealm(), TEST_CLIENT)
+ .setAttribute(Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED, Boolean.TRUE.toString())
+ .update()) {
+ oauth.clientId(TEST_CLIENT);
+ OAuthClient.AccessTokenResponse response = oauth.doClientCredentialsGrantAccessTokenRequest(TEST_CLIENT_SECRET);
+ String accessToken = response.getAccessToken();
+ logger.debug("access token:" + accessToken);
+ assertBasicClaims(oauth.verifyToken(accessToken), false, false);
+
+ try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
+ HttpPost post = new HttpPost(OAuthClient.SERVER_ROOT + "/auth/admin/realms");
+ post.setHeader("Authorization", "Bearer " + accessToken);
+ post.setEntity(new StringEntity("{\"realm\":\"invalid\",\"enabled\":true}", ContentType.APPLICATION_JSON));
+ try (CloseableHttpResponse resp = client.execute(post)) {
+ Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), resp.getStatusLine().getStatusCode());
+ }
+ }
+ }
+ }
+
 @Test
 public void testAdminApiWithLightweightAccessTokenAndTransientSession() {
 RealmResource masterRealm = realmsResouce().realm("master");
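Review bot: The new test reads `response.getAccessToken()` without first checking that the client-credentials grant succeeded, so if the dynamic-scope path regresses the failure shows up as an exception from `oauth.verifyToken(null)` instead of a clear assertion; add `Assert.assertEquals(200, response.getStatusCode());` and `Assert.assertNotNull(accessToken);` before the `logger.debug` line. The test also enables DYNAMIC_SCOPES but sends no scope parameter, so what it presumably pins is that the feature flag alone no longer breaks a lightweight-token client-credentials grant (the `setClient` change in TokenManager); a one-line comment above the grant request stating that intent would keep a later maintainer from adding a dynamic scope and silently changing what is covered. The final `FORBIDDEN` assertion exercises the admin endpoint with the issued token; it would read more clearly with a short comment saying the lightweight token is expected to be accepted as a bearer token yet carry no admin role.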