libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Allow empty key use in JWKS from identity provider

Browse source 
Closes #31823

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
This commit is contained in:
Justin Tay 2024-08-02 16:30:27 +08:00 committed by Marek Posolda
parent 773e309f75
commit f537343545
3 changed files with 42 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
services/src/main/java/org/keycloak/keys/loader/OIDCIdentityProviderPublicKeyLoader.java
View file

@ -56,7 +56,7 @@ public class OIDCIdentityProviderPublicKeyLoader implements PublicKeyLoader {
if (config.isUseJwksUrl()) { if (config.isUseJwksUrl()) {
String jwksUrl = config.getJwksUrl(); String jwksUrl = config.getJwksUrl();
JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl); JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
return JWKSUtils.getKeyWrappersForUse(jwks, JWK.Use.SIG); return JWKSUtils.getKeyWrappersForUse(jwks, JWK.Use.SIG, true);
} else { } else {
try { try {
KeyWrapper publicKey = getSavedPublicKey(); KeyWrapper publicKey = getSavedPublicKey();

4
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/broker/oidc/MissingUseJwksRestResource.java
View file

@ -57,7 +57,9 @@ public class MissingUseJwksRestResource {
.filter(certs -> !certs.isEmpty()) .filter(certs -> !certs.isEmpty())
.orElseGet(() -> Collections.singletonList(k.getCertificate())); .orElseGet(() -> Collections.singletonList(k.getCertificate()));
if (k.getType().equals(KeyType.RSA)) { if (k.getType().equals(KeyType.RSA)) {
return b.rsa(k.getPublicKey(), certificates, k.getUse()); JWK rsaKey = b.rsa(k.getPublicKey(), certificates, k.getUse());
rsaKey.setPublicKeyUse(null);
return rsaKey;
} else if (k.getType().equals(KeyType.EC)) { } else if (k.getType().equals(KeyType.EC)) {
JWK ecKey = b.ec(k.getPublicKey(), k.getUse()); JWK ecKey = b.ec(k.getPublicKey(), k.getUse());
ecKey.setPublicKeyUse(null); ecKey.setPublicKeyUse(null);

38
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerIdpPublicKeyMissingUseTest.java Normal file
View file

@ -0,0 +1,38 @@
package org.keycloak.testsuite.broker;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import java.util.Map;
import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_ALIAS;
import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_PROVIDER_ID;
import static org.keycloak.testsuite.broker.BrokerTestConstants.REALM_PROV_NAME;
import static org.keycloak.testsuite.broker.BrokerTestTools.createIdentityProvider;
import static org.keycloak.testsuite.broker.BrokerTestTools.getProviderRoot;
public class KcOidcBrokerIdpPublicKeyMissingUseTest extends AbstractBrokerTest {
@Override
protected BrokerConfiguration getBrokerConfiguration() {
return new KcOidcBrokerConfigurationWithIdpPublicKeyMissingUse();
}
private class KcOidcBrokerConfigurationWithIdpPublicKeyMissingUse extends KcOidcBrokerConfiguration {
@Override
public IdentityProviderRepresentation setUpIdentityProvider(IdentityProviderSyncMode syncMode) {
IdentityProviderRepresentation idp = createIdentityProvider(IDP_OIDC_ALIAS, IDP_OIDC_PROVIDER_ID);
Map<String, String> config = idp.getConfig();
applyDefaultConfiguration(config, syncMode);
config.put("clientAuthMethod", OIDCLoginProtocol.CLIENT_SECRET_BASIC);
config.put(OIDCIdentityProviderConfig.JWKS_URL,
getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/missing-use-jwks/jwks");
return idp;
}
}
}