From b323fea8bcc945fbe170ef0e7158a9182f08fce2 Mon Sep 17 00:00:00 2001
From: Giuseppe Graziano
Date: Fri, 21 Nov 2025 16:39:44 +0100
Subject: [PATCH] Always allow to setup JWKS URL in oidc idp

Closes #44217

Signed-off-by: Giuseppe Graziano
---
 .../keycloak.v2/admin/messages/messages_en.properties | 2 +-
 .../src/identity-providers/add/DiscoverySettings.tsx | 1 +
 .../keycloak/broker/oidc/OIDCIdentityProvider.java | 4 ++++
 ...OIDCIdentityProviderJWTAuthorizationGrantTest.java | 11 +++++++++++
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
index 3e0d2ed433e..8d31ebcf8fb 100644
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -2456,7 +2456,7 @@ targetContextAttributes=Target Context Attributes
 targetContextAttributesHelp=Defines the evaluation of context attributes (claims) instead of identity attributes
 filteredByClaim=Verify essential claim
 rowCancelBtnAriaLabel=Cancel edits for {{messageBundle}}
-validateSignatureHelp=Enable/disable signature validation of external IDP signatures.
+validateSignatureHelp=Enable/disable signature validation of external IDP signatures. For Federated Client Authentication and JWT Authorization Grant the signature validation must be enabled.
 searchForFlow=Search for flow
 verifyEmail=Verify email
 addressClaim.locality.label=User Attribute Name for Locality
diff --git a/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx b/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx
index 037d3afa770..720bf100051 100644
--- a/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx
+++ b/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx
@@ -89,6 +89,7 @@ const Fields = ({ readOnly, isOIDC }: DiscoverySettingsProps) => { diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java index 57f611bddb3..d11352c3836 100755 --- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java @@ -1077,6 +1077,10 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider { + rep.getConfig().put(OIDCIdentityProviderConfig.VALIDATE_SIGNATURE, "false"); + }); + + String jwt = getIdentityProvider().encodeToken(createAuthorizationGrantToken("basic-user-id", oAuthClient.getEndpoints().getIssuer(), IDP_ISSUER)); + AccessTokenResponse response = oAuthClient.jwtAuthorizationGrantRequest(jwt).send(); + assertFailure("Signature validation not enabled for issuer", response, events.poll()); + } + public static class JWTAuthorizationGrantRealmConfig extends AbstractJWTAuthorizationGrantTest.JWTAuthorizationGrantRealmConfig { @Override