Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id

closes #16329
This commit is contained in:
Konstantinos Georgilakis 2023-01-09 17:29:45 +02:00 committed by Marek Posolda
parent 9ed5e56fd5
commit fd28cd2d4b
5 changed files with 19 additions and 1 deletions

View file

@ -29,7 +29,9 @@ public interface ServiceAccountConstants {
String CLIENT_ID_PROTOCOL_MAPPER = "Client ID"; String CLIENT_ID_PROTOCOL_MAPPER = "Client ID";
String CLIENT_HOST_PROTOCOL_MAPPER = "Client Host"; String CLIENT_HOST_PROTOCOL_MAPPER = "Client Host";
String CLIENT_ADDRESS_PROTOCOL_MAPPER = "Client IP Address"; String CLIENT_ADDRESS_PROTOCOL_MAPPER = "Client IP Address";
String CLIENT_ID = "clientId";
String CLIENT_ID_SESSION_NOTE = "clientId";
String CLIENT_ID = "client_id";
String CLIENT_HOST = "clientHost"; String CLIENT_HOST = "clientHost";
String CLIENT_ADDRESS = "clientAddress"; String CLIENT_ADDRESS = "clientAddress";

View file

@ -57,6 +57,7 @@ Impersonated user sessions provide the following details:
Service account sessions provide the following details: Service account sessions provide the following details:
* *clientId*: The client ID of the service account. * *clientId*: The client ID of the service account.
* *client_id*: The client ID of the service account.
* *clientAddress*: The remote host IP of the service account's authenticated device. * *clientAddress*: The remote host IP of the service account's authenticated device.
* *clientHost*: The remote host name of the service account's authenticated device. * *clientHost*: The remote host name of the service account's authenticated device.

View file

@ -0,0 +1,10 @@
= Change of the default Client ID mapper of Service Account Client
Default `Client ID` mapper of `Service Account Client` has been changed. `Token Claim Name` field value has been changed from `clientId` to `client_id`.
`client_id` claim is compliant with OAuth2 specifications:
- https://datatracker.ietf.org/doc/html/rfc9068#section-2.2[JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]
- https://www.rfc-editor.org/rfc/rfc7662#section-2.2[OAuth 2.0 Token Introspection]
- https://datatracker.ietf.org/doc/html/rfc8693#section-4.3[OAuth 2.0 Token Exchange]
`clientId` userSession note still exists.

View file

@ -1,5 +1,9 @@
== Migration Changes == Migration Changes
=== Migrating to 22.0.0
include::changes-22_0_0.adoc[leveloffset=3]
=== Migrating to 21.0.0 === Migrating to 21.0.0
include::changes-21_0_0.adoc[leveloffset=3] include::changes-21_0_0.adoc[leveloffset=3]

View file

@ -748,6 +748,7 @@ public class TokenEndpoint {
ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(session, userSession, authSession); ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(session, userSession, authSession);
// Notes about client details // Notes about client details
userSession.setNote(ServiceAccountConstants.CLIENT_ID_SESSION_NOTE, client.getClientId()); // This is for backwards compatibility
userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId()); userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId());
userSession.setNote(ServiceAccountConstants.CLIENT_HOST, clientConnection.getRemoteHost()); userSession.setNote(ServiceAccountConstants.CLIENT_HOST, clientConnection.getRemoteHost());
userSession.setNote(ServiceAccountConstants.CLIENT_ADDRESS, clientConnection.getRemoteAddr()); userSession.setNote(ServiceAccountConstants.CLIENT_ADDRESS, clientConnection.getRemoteAddr());