Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id

closes #16329
2023-01-09 17:29:45 +02:00 · 2023-01-09 17:29:45 +02:00 · fd28cd2d4b
commit fd28cd2d4b
parent 9ed5e56fd5
5 changed files with 19 additions and 1 deletions
--- a/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java
+++ b/common/src/main/java/org/keycloak/common/constants/ServiceAccountConstants.java
@ -29,7 +29,9 @@ public interface ServiceAccountConstants {
    String CLIENT_ID_PROTOCOL_MAPPER = "Client ID";
    String CLIENT_HOST_PROTOCOL_MAPPER = "Client Host";
    String CLIENT_ADDRESS_PROTOCOL_MAPPER = "Client IP Address";
-    String CLIENT_ID = "clientId";
+
+    String CLIENT_ID_SESSION_NOTE = "clientId";
+    String CLIENT_ID = "client_id";
    String CLIENT_HOST = "clientHost";
    String CLIENT_ADDRESS = "clientAddress";

--- a/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
+++ b/docs/documentation/server_admin/topics/clients/con-protocol-mappers.adoc
@ -57,6 +57,7 @@ Impersonated user sessions provide the following details:
 Service account sessions provide the following details:

 * *clientId*: The client ID of the service account.
+* *client_id*: The client ID of the service account.
 * *clientAddress*: The remote host IP of the service account's authenticated device.
 * *clientHost*: The remote host name of the service account's authenticated device.

--- a/docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc
+++ b/docs/documentation/upgrading/topics/keycloak/changes-22_0_0.adoc
@ -0,0 +1,10 @@
+= Change of the default Client ID mapper of Service Account Client
+
+Default `Client ID` mapper of `Service Account Client` has been changed. `Token Claim Name` field value has been changed from `clientId` to `client_id`.
+`client_id` claim is compliant with OAuth2 specifications:
+
+- https://datatracker.ietf.org/doc/html/rfc9068#section-2.2[JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens]
+- https://www.rfc-editor.org/rfc/rfc7662#section-2.2[OAuth 2.0 Token Introspection]
+- https://datatracker.ietf.org/doc/html/rfc8693#section-4.3[OAuth 2.0 Token Exchange]
+
+`clientId` userSession note still exists.
--- a/docs/documentation/upgrading/topics/keycloak/changes.adoc
+++ b/docs/documentation/upgrading/topics/keycloak/changes.adoc
@ -1,5 +1,9 @@
 == Migration Changes

+=== Migrating to 22.0.0
+
+include::changes-22_0_0.adoc[leveloffset=3]
+
 === Migrating to 21.0.0

 include::changes-21_0_0.adoc[leveloffset=3]
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@ -748,6 +748,7 @@ public class TokenEndpoint {
        ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(session, userSession, authSession);

        // Notes about client details
+        userSession.setNote(ServiceAccountConstants.CLIENT_ID_SESSION_NOTE, client.getClientId()); // This is for backwards compatibility
        userSession.setNote(ServiceAccountConstants.CLIENT_ID, client.getClientId());
        userSession.setNote(ServiceAccountConstants.CLIENT_HOST, clientConnection.getRemoteHost());
        userSession.setNote(ServiceAccountConstants.CLIENT_ADDRESS, clientConnection.getRemoteAddr());