Token exchange V2 - support for more audiences, using "requester" client for token-exchange instead of "target" client #36848
Closed
mposolda wants to merge 3 commits into keycloak:main from
Unreported flaky test detected. If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR. org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithSpnegoEnabled (Keycloak CI - Forms IT (chrome))
Signed-off-by: mposolda <[email protected]>
…thout changes) Signed-off-by: mposolda <[email protected]>
closes keycloak#35505 Signed-off-by: mposolda <[email protected]>
Force-pushed 3e08553 to 3d3ba56
Closing as this would be addressed in a different way (see the other PR linked with #35505).
closes #35505

The summary of the most important changes:

- When creating the token, it is using the clientSession of the "requester" client for the token-exchange instead of the "target" client. This means also expiration and other token settings are taken from the "requester". (The target client won't work because with multiple audiences there may not be a single target client. Using "requester" is in general more clean IMO and there are more reasons for it; those are specified in the google doc mentioned below.)
- The client-scopes applied are based on the available scopes of all requested target clients of all audiences (aligned with the specs, which talk about a "cartesian product". This is not a cartesian product, but rather a union of scopes).
- I've added the 3 commits, but the first 2 commits are just refactoring without any real changes in the behaviour (dealing with abstract methods to make it easier to update V2 without too much code duplication etc). The "real changes" are just in the last commit 3d3ba56. I did the separate commits so the "real changes" can be easily reviewed.

Motivation

Added basic motivation for this here: #35505. And more detailed motivation in the document https://docs.google.com/document/d/1T_4hjf0tapLAC5Hpac8wNiEHcrAmYZDQGpj3JRJ2MBI/edit?tab=t.0. Especially see the section "Audiences and scopes - details".

Added the test ClientTokenExchangeAudienceAndScopesTest, which tests the same scenario outlined in the "Example" inside that google document. The token-exchange V1 should have the same behaviour as before. The only update is to the standard token-exchange V2.
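As an added illustration that is not part of this PR or of Keycloak's code, the following Python sketch models the two rules the description states for token-exchange V2: the scopes a token may carry are the union of the scopes available on the target clients of every requested audience (not a cartesian product), and token settings such as expiration come from the requester client rather than from any single target. The realm data, the request form, the error strings, and the choice to narrow a requested `scope` to that union and reject anything outside it are assumptions of this model, not Keycloak behaviour.

```python
"""Added model (not Keycloak code) of the audience/scope rule described in the
PR: for token-exchange V2 the scopes a token may carry are the union of the
scopes available on the target clients of every requested audience, and the
token's lifespan comes from the requester client's settings rather than from
any single target client.  Realm data, the request form and the error strings
are constructed for this illustration."""

import time
from dataclasses import dataclass

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693


@dataclass(frozen=True)
class Client:
    client_id: str
    available_scopes: frozenset      # client scopes assigned to this client
    access_token_lifespan: int       # seconds; a per-client token setting


# Constructed realm: one requester and three possible target clients.
CLIENTS = {c.client_id: c for c in (
    Client("requester", frozenset({"openid", "profile"}), 300),
    Client("target-a", frozenset({"openid", "orders:read"}), 60),
    Client("target-b", frozenset({"openid", "orders:read", "orders:write"}), 3600),
    Client("target-c", frozenset({"openid", "billing:read"}), 120),
)}


class ExchangeError(ValueError):
    """Models an OAuth error response; the message starts with the error code."""


def available_scopes_for(audiences):
    """Union (not cartesian product) of the scopes of all requested audiences."""
    scopes = set()
    for aud in audiences:
        target = CLIENTS.get(aud)
        if target is None:
            raise ExchangeError(f"invalid_target: unknown audience {aud!r}")
        scopes |= target.available_scopes
    return frozenset(scopes)


def resolve_scopes(audiences, requested_scope=None):
    """Scopes granted for the exchange.  Assumption for this model: with no
    'scope' parameter the whole union is granted; with one, the request is
    narrowed to it and any scope no requested audience offers is rejected."""
    available = available_scopes_for(audiences)
    if not requested_scope:
        return available
    requested = frozenset(requested_scope.split())
    missing = requested - available
    if missing:
        raise ExchangeError(
            f"invalid_scope: {sorted(missing)} not available on any requested audience")
    return requested


def exchange(form, now=None):
    """Handle a token-exchange request (form fields as a dict; 'audience' may
    repeat, so it is a list).  Returns the claims of the minted token."""
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ExchangeError("unsupported_grant_type")
    requester = CLIENTS.get(form.get("client_id"))
    if requester is None:
        raise ExchangeError("invalid_client")
    if not form.get("subject_token"):
        raise ExchangeError("invalid_request: subject_token is required")
    audiences = form.get("audience") or []
    if not audiences:
        raise ExchangeError("invalid_request: at least one audience is required")
    scopes = resolve_scopes(audiences, form.get("scope"))
    iat = int(now if now is not None else time.time())
    return {
        "aud": list(audiences),
        "azp": requester.client_id,
        "scope": " ".join(sorted(scopes)),
        "iat": iat,
        # Lifespan taken from the requester's client session, not a target's.
        "exp": iat + requester.access_token_lifespan,
    }


if __name__ == "__main__":
    req = {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": "requester",
           "subject_token": "<subject-token>",
           "audience": ["target-a", "target-c"], "scope": "orders:read billing:read"}
    print(exchange(req, now=1_700_000_000))
```

The point the model makes explicit is the one the description argues for: with two audiences whose clients have lifespans of 60 and 120 seconds, the minted token still carries the requester's 300-second lifespan, and a scope offered only by a client that was not listed as an audience (here `orders:write` on `target-b`) is not granted just because some client in the realm has it.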