requestHeaders;
@@ -506,6 +508,9 @@ public AccessTokenResponse doAccessTokenRequest(String code, String password, Cl
if (codeVerifier != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.CODE_VERIFIER, codeVerifier));
}
+ if (resource != null) {
+ parameters.add(new BasicNameValuePair(OAuth2Constants.RESOURCE, resource));
+ }
UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, Charsets.UTF_8);
post.setEntity(formEntity);
@@ -1000,6 +1005,9 @@ public AccessTokenResponse doRefreshTokenRequest(String refreshToken, String pas
if (clientSessionHost != null) {
parameters.add(new BasicNameValuePair(AdapterConstants.CLIENT_SESSION_HOST, clientSessionHost));
}
+ if (resource != null) {
+ parameters.add(new BasicNameValuePair(OAuth2Constants.RESOURCE, resource));
+ }
UrlEncodedFormEntity formEntity;
try {
@@ -1044,6 +1052,9 @@ public DeviceAuthorizationResponse doDeviceAuthorizationRequest(String clientId,
if (codeChallengeMethod != null) {
parameters.add(new BasicNameValuePair(OAuth2Constants.CODE_CHALLENGE_METHOD, codeChallengeMethod));
}
+ if (resource != null) {
+ parameters.add(new BasicNameValuePair(OAuth2Constants.RESOURCE, resource));
+ }
UrlEncodedFormEntity formEntity;
try {
@@ -1619,6 +1630,11 @@ public OAuthClient redirectUri(String redirectUri) {
return this;
}
+ public OAuthClient resource(String resource) {
+ this.resource = resource;
+ return this;
+ }
+
public OAuthClient postLogoutRedirectUri(String postLogoutRedirectUri) {
this.postLogoutRedirectUri = postLogoutRedirectUri;
return this;
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
index 2343081f0c5e..941444605962 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
@@ -246,6 +246,9 @@ public void accessTokenRequest() throws Exception {
assertEquals(oauth.parseRefreshToken(response.getRefreshToken()).getId(), event.getDetails().get(Details.REFRESH_TOKEN_ID));
assertEquals(sessionId, token.getSessionState());
+ //by default audience without resource parameter, defaultAudValueForAccessToken be set and scope with audience audience must be null
+ Assert.assertNull(token.getAudience());
+
}
@Test
@@ -1423,4 +1426,46 @@ public void tokenRequestParamsMoreThanOnce() throws Exception {
}
}
+ @Test
+ public void tokenRequestWithResource() throws IOException {
+ oauth.resource("https://www.keycloak.org/documentation");
+
+ try {
+ oauth.doLogin("test-user@localhost", "password");
+
+ EventRepresentation loginEvent = events.expectLogin().assertEvent();
+
+ String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+ OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
+ Assert.assertEquals(200, response.getStatusCode());
+ Assert.assertNotNull(response.getAccessToken());
+ AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
+ Assert.assertTrue(accessToken.hasAudience("https://www.keycloak.org/documentation"));
+
+ } finally {
+ oauth.resource(null);
+ }
+ }
+
+ @Test
+ public void tokenRequestWithDefaultAudienceValue() throws IOException {
+ RealmManager.realm(adminClient.realm("test")).defaultAudValueForAccessToken("https://www.keycloak.org/");
+
+ try {
+ oauth.doLogin("test-user@localhost", "password");
+
+ EventRepresentation loginEvent = events.expectLogin().assertEvent();
+
+ String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+ OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password");
+ Assert.assertEquals(200, response.getStatusCode());
+ Assert.assertNotNull(response.getAccessToken());
+ AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
+ Assert.assertTrue(accessToken.hasAudience("https://www.keycloak.org/"));
+
+ } finally {
+ RealmManager.realm(adminClient.realm("test")).defaultAudValueForAccessToken(null);
+ }
+ }
+
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
index 03c44553b961..5837ead9327f 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AuthorizationCodeTest.java
@@ -27,6 +27,7 @@
import org.keycloak.events.Errors;
import org.keycloak.models.Constants;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
+import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
@@ -38,6 +39,7 @@
import javax.ws.rs.core.UriBuilder;
import java.io.IOException;
+import java.net.MalformedURLException;
import java.net.URI;
import java.util.HashMap;
import java.util.List;
@@ -131,6 +133,21 @@ public void testInvalidRedirectUri() {
assertEquals("Invalid parameter: redirect_uri", errorPage.getError());
}
+// @Test
+// public void testInvalidResourceParameter() throws MalformedURLException {
+// oauth.resource("data://www.keycloak.org/guides");
+//
+// UriBuilder b = UriBuilder.fromUri(oauth.getLoginFormUrl());
+// driver.navigate().to(b.build().toURL());
+//
+// String error = driver.findElement(By.id("error")).getText();
+// String errorDescription = driver.findElement(By.id("error_description")).getText();
+// assertEquals(OAuthErrorException.INVALID_TARGET, error);
+// assertEquals("The requested resource is invalid or malformed.", errorDescription);
+//
+// oauth.resource(null);
+// }
+
@Test
public void authorizationRequestNoState() throws IOException {
oauth.stateParamHardcoded(null);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2DeviceAuthorizationGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2DeviceAuthorizationGrantTest.java
index 2fb110d443c4..dae9c3f42394 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2DeviceAuthorizationGrantTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2DeviceAuthorizationGrantTest.java
@@ -217,6 +217,41 @@ public void testPublicClient() throws Exception {
assertNotNull(token);
}
+ @Test
+ public void testPublicClientWithResource() throws Exception {
+ // Device Authorization Request from device
+ oauth.realm(REALM_NAME);
+ oauth.clientId(DEVICE_APP_PUBLIC);
+ OAuthClient.DeviceAuthorizationResponse response = oauth.doDeviceAuthorizationRequest(DEVICE_APP_PUBLIC, null);
+
+ Assert.assertEquals(200, response.getStatusCode());
+ assertNotNull(response.getDeviceCode());
+ assertNotNull(response.getUserCode());
+ assertNotNull(response.getVerificationUri());
+ assertNotNull(response.getVerificationUriComplete());
+ Assert.assertEquals(60, response.getExpiresIn());
+ Assert.assertEquals(5, response.getInterval());
+
+ openVerificationPage(response.getVerificationUriComplete());
+
+ // Do Login
+ oauth.fillLoginForm("device-login", "password");
+
+ // Consent
+ grantPage.accept();
+
+ // Token request from device
+ OAuthClient.AccessTokenResponse tokenResponse = oauth.doDeviceTokenRequest(DEVICE_APP_PUBLIC, null, response.getDeviceCode());
+
+ Assert.assertEquals(200, tokenResponse.getStatusCode());
+
+ String tokenString = tokenResponse.getAccessToken();
+ assertNotNull(tokenString);
+ AccessToken token = oauth.verifyToken(tokenString);
+
+ assertNotNull(token);
+ }
+
@Test
public void testPublicClientOptionalScope() throws Exception {
// Device Authorization Request from device - check giving optional scope phone
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
index 2e13634c4767..4b8ca92a27e8 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuthGrantTest.java
@@ -22,6 +22,7 @@
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.OAuth2Constants;
+import org.keycloak.OAuthErrorException;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientScopeResource;
import org.keycloak.admin.client.resource.RealmResource;
@@ -59,6 +60,7 @@
import javax.ws.rs.core.Response;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId;
@@ -146,6 +148,43 @@ public void oauthGrantAcceptTest() {
assertEquals(0, driver.findElements(By.id("revoke-third-party")).size());
}
+ @Test
+ public void oauthGrantTestWithResourceParameter() {
+ try {
+ oauth.resource("https://www.keycloak.org/documentation");
+ oauth.clientId(THIRD_PARTY_APP);
+ oauth.doLoginGrant("test-user@localhost", "password");
+
+ grantPage.assertCurrent();
+ grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
+
+ grantPage.accept();
+
+ Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE));
+
+ EventRepresentation loginEvent = events.expectLogin()
+ .client(THIRD_PARTY_APP)
+ .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
+ .assertEvent();
+ String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+ String sessionId = loginEvent.getSessionId();
+
+ OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), "password");
+
+ Assert.assertNotNull(accessTokenResponse.getAccessToken());
+ AccessToken accessToken = oauth.verifyToken(accessTokenResponse.getAccessToken());
+ Assert.assertTrue(accessToken.hasAudience("https://www.keycloak.org/documentation"));
+
+ accountAppsPage.open();
+
+ assertEquals(1, driver.findElements(By.id("revoke-third-party")).size());
+
+ accountAppsPage.revokeGrant(THIRD_PARTY_APP);
+ } finally {
+ oauth.resource(null);
+ }
+ }
+
@Test
public void oauthGrantCancelTest() {
oauth.clientId(THIRD_PARTY_APP);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
index 82f6942b9962..8790a6608ae3 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
@@ -198,6 +198,40 @@ public void refreshTokenStructure() {
assertTrue("ResourceAccess should be null for RefreshTokens", refreshToken.getResourceAccess().isEmpty());
}
+ @Test
+ public void refreshTokenFlowWithResourceParameter() {
+
+ try {
+ oauth.doLogin("test-user@localhost", "password");
+
+ EventRepresentation loginEvent = events.expectLogin().assertEvent();
+
+ String sessionId = loginEvent.getSessionId();
+ String codeId = loginEvent.getDetails().get(Details.CODE_ID);
+
+ String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+ OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
+ AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
+ Assert.assertFalse(token.hasAudience("https://www.keycloak.org/documentation"));
+
+ String refreshTokenString = tokenResponse.getRefreshToken();
+ events.expectCodeToToken(codeId, sessionId).assertEvent();
+
+ assertNotNull(refreshTokenString);
+
+ oauth.resource("https://www.keycloak.org/documentation");
+ OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(refreshTokenString, "password");
+ assertEquals(200, response.getStatusCode());
+ assertNotNull(response.getRefreshToken());
+ AccessToken refreshedAccessToken = oauth.verifyToken(response.getAccessToken());
+ Assert.assertTrue(refreshedAccessToken.hasAudience("https://www.keycloak.org/documentation"));
+
+ } finally {
+ oauth.resource(null);
+ }
+ }
+
@Test
public void refreshTokenRequest() throws Exception {
oauth.nonce("123456");
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/RealmManager.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/RealmManager.java
index 9d70b075a646..433f0f0139b3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/RealmManager.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/RealmManager.java
@@ -172,4 +172,12 @@ public RealmManager ssoSessionIdleTimeout(int ssoSessionIdleTimeout) {
realm.update(rep);
return this;
}
+
+ public RealmManager defaultAudValueForAccessToken(String defaultAudValueForAccessToken) {
+ RealmRepresentation realmRepresentation = realm.toRepresentation();
+ realmRepresentation.setDefaultAudValueForAccessToken(defaultAudValueForAccessToken);
+ realm.update(realmRepresentation);
+ return this;
+ }
+
}
\ No newline at end of file
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index ba9ca09757e2..0d06098e8979 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -178,6 +178,8 @@ login-timeout=Login timeout
login-timeout.tooltip=Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.
login-action-timeout=Login action timeout
login-action-timeout.tooltip=Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.
+default-aud-value-access-token=Default aud value for access token
+default-aud-value-access-token.tooltip=Default optional aud value for access token. If resource parameter is not present, aud claim is set equal to this value. Extra aud claim values can be added with Audience and AudienceResolver protocol mappers.
oauth2-device-code-lifespan=OAuth 2.0 Device Code Lifespan
oauth2-device-code-lifespan.tooltip=Max time before the device code and user code are expired. This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html b/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
index 65232d2de568..dceed791a203 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
@@ -286,6 +286,16 @@
+
+