
Token exchange V2 - support for more audiences, using "requester" client for token-exchange instead of "target" client #36848

Closed
mposolda wants to merge 3 commits into keycloak:main from mposolda:35505-token-exchange-more-audiences

Token exchange V2 - support for more audiences, using "requester" client for token-exchange instead of "target" client#36848
mposolda wants to merge 3 commits intokeycloak:mainfrom
mposolda:35505-token-exchange-more-audiences

Conversation

mposolda (Contributor) commented Jan 27, 2025

closes #35505

The summary of most important changes:

  • When creating the token, it uses the clientSession of the "requester" client for the token exchange instead of the "target" client. This means also that expiration and other token settings are taken from the "requester" (the target client won't work, because with multiple audiences there may not be a single target client. Using the "requester" is in general cleaner IMO and there are more reasons for it; those are specified in the Google doc mentioned below).

  • The client scopes applied are based on the available scopes of all requested target clients of all audiences (aligned with the spec, which talks about a "cartesian product". This is not a cartesian product, but rather a union of scopes).

I've added the 3 commits, but the first 2 commits are just refactoring with no real changes in the behaviour (dealing with abstract methods to make it easier to update V2 without too much code duplication etc.). The "real changes" are just in the last commit 3d3ba56. I did the separate commits so the "real changes" can be easily reviewed.

Motivation

Added basic motivation for this here: #35505. And more detailed motivation in the document https://docs.google.com/document/d/1T_4hjf0tapLAC5Hpac8wNiEHcrAmYZDQGpj3JRJ2MBI/edit?tab=t.0. Especially see the section "Audiences and scopes - details".

Added the test ClientTokenExchangeAudienceAndScopesTest, which tests the same scenario outlined in the "Example" inside that Google document.

The token-exchange V1 should have the same behaviour as before. The only update is to the standard token-exchange V2.
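The two rules in the PR description (token settings come from the requester client; granted scopes are the union of what every requested audience makes available) are small enough to model directly. The following is an added example written for this page, not Keycloak code from the PR: the realm, client IDs, scopes and lifespans are constructed, and the `Client` dataclass and `resolve_exchange` function are a simplified stand-in for the real token-exchange provider, used only to show what the exchanged token's `aud`, `scope` and `exp` look like under those rules and which requested scopes get dropped because no audience offers them.

```python
"""Simplified model of the token-exchange V2 rules from the PR description.

- Target clients come from the (possibly repeated) `audience` parameter.
- Granted scopes are the UNION of scopes available on all target clients,
  intersected with the scopes the requester asked for (not a cartesian product).
- Token lifetime (and other token settings) come from the REQUESTER client.

Everything below is constructed for illustration; it is not Keycloak's
real client model or API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    available_scopes: frozenset        # default + optional client scopes (constructed)
    access_token_lifespan: int         # seconds (constructed)


# Constructed realm: one requester client and two resource-server clients.
REALM: Dict[str, Client] = {
    "frontend-app": Client("frontend-app", frozenset({"openid", "profile"}), 300),
    "orders-api": Client("orders-api", frozenset({"orders:read", "orders:write"}), 900),
    "billing-api": Client("billing-api", frozenset({"billing:read"}), 60),
}


def resolve_exchange(realm: Dict[str, Client], requester_id: str,
                     audiences: List[str], scope_param: Optional[str], now: int) -> dict:
    """Return the claims an exchanged token would carry under the PR's rules."""
    requester = realm[requester_id]
    if not audiences:
        raise ValueError("at least one audience is required in this model")
    targets: List[Client] = []
    for aud in audiences:
        if aud not in realm:
            # Unknown audience: refuse rather than silently issue a narrower token.
            raise ValueError(f"unknown audience {aud!r}")
        targets.append(realm[aud])

    # Union of the scopes every requested target client makes available.
    available = frozenset().union(*(t.available_scopes for t in targets))

    # `scope` is a space-separated list (OAuth convention); absent means "all available".
    requested = set(scope_param.split()) if scope_param else None
    granted = available if requested is None else available & requested
    dropped = set() if requested is None else requested - available

    return {
        "azp": requester.client_id,                 # the requester, not a target
        "aud": [t.client_id for t in targets],      # every requested audience
        "scope": " ".join(sorted(granted)),
        "exp": now + requester.access_token_lifespan,  # lifespan from the requester
        "dropped_scopes": sorted(dropped),          # asked for, offered by no audience
    }


if __name__ == "__main__":
    token = resolve_exchange(REALM, "frontend-app", ["orders-api", "billing-api"],
                             "orders:read billing:read admin", now=1_000)
    print(token)
```

Note that `exp` is 1300 regardless of `billing-api` having a 60-second lifespan: that is the point of taking the clientSession from the requester, since with two audiences there is no single target whose settings could apply. The `dropped_scopes` field is not a real token claim; it is there so a reviewer can see which requested scopes fell outside the union.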

keycloak-github-bot (Bot) left a comment

Unreported flaky test detected, please review

keycloak-github-bot commented

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithSpnegoEnabled

Keycloak CI - Forms IT (chrome)

org.openqa.selenium.WebDriverException: 
aborted by navigation: loader has changed while resolving nodes
  (Session info: chrome=132.0.6834.83)
Build info: version: '4.25.0', revision: '8a8aea2337'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '6.8.0-1020-azure', java.version: '21.0.5'
...


mposolda force-pushed the 35505-token-exchange-more-audiences branch from 3e08553 to 3d3ba56 on January 27, 2025 19:15
mposolda changed the title from "35505 token exchange more audiences" to "Token exchange V2 - support for more audiences, using "requester" client for token-exchange instead of "target" client" on Jan 28, 2025
mposolda (Contributor, Author) commented Feb 6, 2025

Closing as this would be addressed in a different way (see the other PR linked with #35505).

mposolda closed this Feb 6, 2025


Development

Successfully merging this pull request may close these issues.

Support for multiple values of audience

1 participant