Check "Always use lightweight access token" is enabled on the client for Admin REST APIs

Closes #34944

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit 5d600be6f2b34c5bcb4093af37005903db26cef0)

services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java

@@ -112,7 +112,8 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
         AccessToken accessToken = auth.getToken();
         ClientModel client = adminsRealm.getClientByClientId(issuedFor);
         //support for lightweight access token and transient session
-        if (accessToken.getSubject() == null || (accessToken.getSessionId() == null && accessToken.getResourceAccess().isEmpty() && accessToken.getRealmAccess() == null)) {
+        boolean isAlwaysUseLightweightAccessToken = Boolean.parseBoolean(client.getAttribute(Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED));
+        if (isAlwaysUseLightweightAccessToken || accessToken.getSubject() == null || (accessToken.getSessionId() == null && accessToken.getResourceAccess().isEmpty() && accessToken.getRealmAccess() == null)) {
             //get user session
             EventBuilder event = new EventBuilder(adminsRealm, session);
             event.event(EventType.INTROSPECT_TOKEN);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java

@@ -496,6 +496,7 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
     @Test
     public void testAdminConsoleClientWithLightweightAccessToken() {
 
+        oauth.getDriver().manage().deleteAllCookies();
         oauth.realm("master");
         oauth.clientId(Constants.ADMIN_CONSOLE_CLIENT_ID);
         oauth.redirectUri(OAuthClient.SERVER_ROOT + "/auth/admin/master/console");
@@ -558,6 +559,40 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
         }
     }
 
+    @Test
+    public void testAdminApiWithLightweightAccessAndSubClaim() {
+        setScopeProtocolMapper("master", OIDCLoginProtocolFactory.BASIC_SCOPE, "sub", true, false, true);
+
+        oauth.getDriver().manage().deleteAllCookies();
+        oauth.realm("master");
+        oauth.clientId(Constants.ADMIN_CONSOLE_CLIENT_ID);
+        oauth.redirectUri(OAuthClient.SERVER_ROOT + "/auth/admin/master/console");
+        PkceGenerator pkce = new PkceGenerator();
+        oauth.codeChallenge(pkce.getCodeChallenge());
+        oauth.codeChallengeMethod(OAuth2Constants.PKCE_METHOD_S256);
+        oauth.codeVerifier(pkce.getCodeVerifier());
+
+        OAuthClient.AuthorizationEndpointResponse authsEndpointResponse = oauth.doLogin("admin", "admin");
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(authsEndpointResponse.getCode(), TEST_CLIENT_SECRET);
+        String accessToken = tokenResponse.getAccessToken();
+        logger.debug("access token:" + accessToken);
+        assertBasicClaims(oauth.verifyToken(accessToken), false, false);
+
+        try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
+            HttpGet get = new HttpGet(OAuthClient.SERVER_ROOT + "/auth/admin/realms/master");
+            get.setHeader("Authorization", "Bearer " + accessToken);
+            try (CloseableHttpResponse response = client.execute(get)) {
+                Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+                RealmRepresentation realmRepresentation = JsonSerialization.readValue(response.getEntity().getContent(), RealmRepresentation.class);
+                Assert.assertEquals("master", realmRepresentation.getRealm());
+            }
+        } catch (Exception e) {
+            Assert.fail(e.getMessage());
+        }
+
+        setScopeProtocolMapper("master", OIDCLoginProtocolFactory.BASIC_SCOPE, "sub", true, false, false);
+    }
+
     private void removeSession(final String sessionId) {
         testingClient.testing().removeExpired(REALM_NAME);
         try {
@@ -697,8 +732,8 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
         setScopeProtocolMapper(ADDRESS, ADDRESS, isIncludeAccessToken, isIncludeIntrospection, isIncludeLightweightAccessToken);
     }
 
-    private void setScopeProtocolMapper(String scopeName, String mapperName, boolean isIncludeAccessToken, boolean isIncludeIntrospection, boolean isIncludeLightweightAccessToken) {
-        ClientScopeResource scope = ApiUtil.findClientScopeByName(testRealm(), scopeName);
+    private void setScopeProtocolMapper(String realmName, String scopeName, String mapperName, boolean isIncludeAccessToken, boolean isIncludeIntrospection, boolean isIncludeLightweightAccessToken) {
+        ClientScopeResource scope = ApiUtil.findClientScopeByName(realmsResouce().realm(realmName), scopeName);
         ProtocolMapperRepresentation protocolMapper = ApiUtil.findProtocolMapperByName(scope, mapperName);
         Map<String, String> config = protocolMapper.getConfig();
         if (isIncludeAccessToken) {
@@ -719,6 +754,10 @@ public class LightWeightAccessTokenTest extends AbstractClientPoliciesTest {
         scope.getProtocolMappers().update(protocolMapper.getId(), protocolMapper);
     }
 
+    private void setScopeProtocolMapper(String scopeName, String mapperName, boolean isIncludeAccessToken, boolean isIncludeIntrospection, boolean isIncludeLightweightAccessToken) {
+        setScopeProtocolMapper(testRealm().toRepresentation().getRealm(), scopeName, mapperName, isIncludeAccessToken, isIncludeIntrospection, isIncludeLightweightAccessToken);
+    }
+
     private ProtocolMappersResource setProtocolMappers(boolean isIncludeAccessToken, boolean isIncludeIntrospection, boolean setPairWise) {
         setScopeProtocolMappers(isIncludeAccessToken, isIncludeIntrospection, false);
         List<ProtocolMapperRepresentation> protocolMapperList = new ArrayList<>();