External-Mirrors/keycloak
2
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-01-10 15:32:05 -03:30
Code Issues Packages Projects Releases Wiki Activity

Cleanup changes made to JWTClientValidator after refactoring

Browse Source 
Closes #43429

Signed-off-by: stianst <stianst@gmail.com>
This commit is contained in:
Stian Thorgersen 2025-10-14 16:12:40 +02:00 committed by GitHub
parent 700b86fad8
commit 567a8ab93f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
services/src/main/java/org/keycloak/authentication/authenticators/client/AbstractJWTClientValidator.java
View File

@ -93,8 +93,23 @@ public abstract class AbstractJWTClientValidator {
}
private boolean validateClientAssertionParameters() {
return expectedClientAssertionType.equals(clientAssertionState.getClientAssertionType()) &&
clientAssertionState.getClientAssertion() != null;
String clientAssertionType = clientAssertionState.getClientAssertionType();
String clientAssertion = clientAssertionState.getClientAssertion();
if (clientAssertionType == null) {
return failure("Parameter client_assertion_type is missing");
}
if (!expectedClientAssertionType.equals(clientAssertionType)) {
return failure("Parameter client_assertion_type has value '"
+ clientAssertionType + "' but expected is '" + expectedClientAssertionType + "'");
}
if (clientAssertion == null) {
return failure("client_assertion parameter missing");
}
return true;
}
private boolean validateClient() {

50
services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientValidator.java
View File

@ -1,11 +1,6 @@
package org.keycloak.authentication.authenticators.client;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.http.HttpRequest;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
@ -43,11 +38,6 @@ public class JWTClientValidator extends AbstractJWTClientValidator {
return expectedAudiences;
}
@Override
public boolean validate() {
return clientAssertionParametersValidation() && super.validate();
}
@Override
protected boolean isMultipleAudienceAllowed() {
OIDCLoginProtocol loginProtocol = (OIDCLoginProtocol) context.getSession().getProvider(LoginProtocol.class, OIDCLoginProtocol.LOGIN_PROTOCOL);
@ -74,44 +64,4 @@ public class JWTClientValidator extends AbstractJWTClientValidator {
return OIDCAdvancedConfigWrapper.fromClientModel(client).getTokenEndpointAuthSigningAlg();
}
public boolean clientAssertionParametersValidation() {
//KEYCLOAK-19461: Needed for quarkus resteasy implementation throws exception when called with mediaType authentication/json in OpenShiftTokenReviewEndpoint
if(!isFormDataRequest(context.getHttpRequest())) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing");
context.challenge(challengeResponse);
return false;
}
var params = context.getHttpRequest().getDecodedFormParameters();
String clientAssertionType = params.getFirst(OAuth2Constants.CLIENT_ASSERTION_TYPE);
var clientAssertion = params.getFirst(OAuth2Constants.CLIENT_ASSERTION);
if (clientAssertionType == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing");
context.challenge(challengeResponse);
return false;
}
if (!clientAssertionType.equals(OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT)) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type has value '"
+ clientAssertionType + "' but expected is '" + OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT + "'");
context.challenge(challengeResponse);
return false;
}
if (clientAssertion == null) {
Response challengeResponse = ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "client_assertion parameter missing");
context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, challengeResponse);
return false;
}
return true;
}
private boolean isFormDataRequest(HttpRequest request) {
MediaType mediaType = request.getHttpHeaders().getMediaType();
return mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
}
}