From fd28cd2d4b475324c6b88c9912e49c0f8535dcd9 Mon Sep 17 00:00:00 2001
From: Konstantinos Georgilakis
Date: Mon, 9 Jan 2023 17:29:45 +0200
Subject: [PATCH] Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id

closes #16329
---
 .../common/constants/ServiceAccountConstants.java | 4 +++-
 .../topics/clients/con-protocol-mappers.adoc | 1 +
 .../upgrading/topics/keycloak/changes-22_0_0.adoc | 10 ++++++++++
 .../upgrading/topics/keycloak/changes.adoc | 4 ++++
 .../protocol/oidc/endpoints/TokenEndpoint.java | 1 +
 5 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc

diff --git a/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java b/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java
index 7789aea4ed..4dc0dd1cf7 100644
--- a/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java
+++ b/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java
@@ -29,7 +29,9 @@ public interface ServiceAccountConstants {
     String CLIENT_ID_PROTOCOL_MAPPER = "Client ID";
     String CLIENT_HOST_PROTOCOL_MAPPER = "Client Host";
     String CLIENT_ADDRESS_PROTOCOL_MAPPER = "Client IP Address";
-    String CLIENT_ID = "clientId";
+
+    String CLIENT_ID_SESSION_NOTE = "clientId";
+    String CLIENT_ID = "client_id";
     String CLIENT_HOST = "clientHost";
     String CLIENT_ADDRESS = "clientAddress";
diff --git a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
index 30ebb2ee63..a5ae151f07 100644
--- a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
+++ b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
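Review bot: `CLIENT_ID` keeps its name but changes its value from `clientId` to `client_id`, while the old value moves to the new `CLIENT_ID_SESSION_NOTE`; nothing in the hunk records which constant is the token claim name and which is the legacy user-session note key, so a reader of this interface cannot tell which one to use. Add Javadoc to both: `/** Claim name carrying the service account's client id in issued tokens (client_id, per RFC 9068 section 2.2). */` above `CLIENT_ID`, and `/** Legacy user-session note key ("clientId"), retained for backwards compatibility. */` above `CLIENT_ID_SESSION_NOTE`. Any other code that still reads the session note through `CLIENT_ID` will now look up `client_id`, which sessions established before the upgrade presumably do not carry, so those call sites are worth checking. The enclosing interface starts and ends outside the hunk.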
@@ -57,6 +57,7 @@ Impersonated user sessions provide the following details:
 Service account sessions provide the following details:
 
 * *clientId*: The client ID of the service account.
+* *client_id*: The client ID of the service account.
 * *clientAddress*: The remote host IP of the service account's authenticated device.
 * *clientHost*: The remote host name of the service account's authenticated device.
diff --git a/docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc b/docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc
new file mode 100644
index 0000000000..4f0c9cce7f
--- /dev/null
+++ b/docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc
@@ -0,0 +1,10 @@
+= Change of the default Client ID mapper of Service Account Client
+
+Default `Client ID` mapper of `Service Account Client` has been changed. `Token Claim Name` field value has been changed from `clientId` to `client_id`.
+`client_id` claim is compliant with OAuth2 specifications:
+
+- https://datatracker.ietf.org/doc/html/rfc9068#section-2.2[JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]
+- https://www.rfc-editor.org/rfc/rfc7662#section-2.2[OAuth 2.0 Token Introspection]
+- https://datatracker.ietf.org/doc/html/rfc8693#section-4.3[OAuth 2.0 Token Exchange]
+
+`clientId` userSession note still exists.
\ No newline at end of file
diff --git a/docs/documentation/upgrading/topics/keycloak/changes.adoc b/docs/documentation/upgrading/topics/keycloak/changes.adoc
index 83e2d06dd1..ad24931991 100644
--- a/docs/documentation/upgrading/topics/keycloak/changes.adoc
+++ b/docs/documentation/upgrading/topics/keycloak/changes.adoc
@@ -1,5 +1,9 @@
 == Migration Changes
 
+=== Migrating to 22.0.0
+
+include::changes-22_0_0.adoc[leveloffset=3]
+
 === Migrating to 21.0.0
 
 include::changes-21_0_0.adoc[leveloffset=3]
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
index e1f4011922..4eef558787 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@@ -748,6 +748,7 @@ public class TokenEndpoint {
         ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(session, userSession, authSession);
 
         // Notes about client details
+        userSession.setNote(ServiceAccountConstants.CLIENT_ID_SESSION_NOTE, client.getClientId()); // This is for backwards compatibility
         userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId());
         userSession.setNote(ServiceAccountConstants.CLIENT_HOST, clientConnection.getRemoteHost());
         userSession.setNote(ServiceAccountConstants.CLIENT_ADDRESS, clientConnection.getRemoteAddr());
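Review bot: The trailing comment `// This is for backwards compatibility` on the added `setNote` line does not say what it is compatible with, and since both notes are written with the same value a maintainer could later drop one of them as redundant. Put the rationale on its own line above the call, e.g. `// Legacy "clientId" note, kept for mappers and consumers configured with the old note name; "client_id" below is the spec-compliant claim name`, and keep the two `setNote` calls adjacent as they are here. User sessions established before this change carry only the `clientId` note, so any code that reads the note via `ServiceAccountConstants.CLIENT_ID` (now `client_id`) would see null for those sessions until they are re-created — worth confirming nothing depends on that. The enclosing method starts before and ends after the hunk.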