From c0c4067bdd67e9679ecc9c544e32bbe7b5023fc2 Mon Sep 17 00:00:00 2001
From: Giuseppe Graziano
Date: Wed, 10 Dec 2025 11:59:59 +0100
Subject: [PATCH] JWT Authorization Grant feature to preview
Closes #44492
Signed-off-by: Giuseppe Graziano
---
 common/src/main/java/org/keycloak/common/Profile.java | 2 +-
 docs/documentation/release_notes/topics/26_5_0.adoc | 9 +++++++++
 .../documentation/tests/src/test/resources/ignored-links | 3 ++-
 docs/guides/securing-apps/jwt-authorization-grant.adoc | 5 ++---
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java
index 50858f8137d..403fd679a1b 100755
--- a/common/src/main/java/org/keycloak/common/Profile.java
+++ b/common/src/main/java/org/keycloak/common/Profile.java
@@ -80,7 +80,7 @@ public class Profile {
     TOKEN_EXCHANGE_STANDARD_V2("Standard Token Exchange version 2", Type.DEFAULT, 2),
     TOKEN_EXCHANGE_EXTERNAL_INTERNAL_V2("External to Internal Token Exchange version 2", Type.EXPERIMENTAL, 2),
-    JWT_AUTHORIZATION_GRANT("JWT Profile for Oauth 2.0 Authorization Grant", Type.EXPERIMENTAL),
+    JWT_AUTHORIZATION_GRANT("JWT Profile for Oauth 2.0 Authorization Grant", Type.PREVIEW),
     WEB_AUTHN("W3C Web Authentication (WebAuthn)", Type.DEFAULT),
diff --git a/docs/documentation/release_notes/topics/26_5_0.adoc b/docs/documentation/release_notes/topics/26_5_0.adoc
index 347c5fa1e9c..75b6dac72a2 100644
--- a/docs/documentation/release_notes/topics/26_5_0.adoc
+++ b/docs/documentation/release_notes/topics/26_5_0.adoc
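Review bot: Changing `JWT_AUTHORIZATION_GRANT` from `Type.EXPERIMENTAL` to `Type.PREVIEW` widens who gets this grant switched on: if, as with other Keycloak features, a deployment enables the preview tier as a whole rather than this feature by name, the RFC 7523 assertion grant becomes active without an explicit per-feature opt-in. The release-notes hunk in this patch states that assertions are only accepted once an identity-provider trust relationship is configured, which limits the practical exposure, but that gating is what makes the promotion safe and deserves a sentence in the release note alongside the change in default enablement. The label on the same line spells `Oauth`; since the line is already touched, `JWT_AUTHORIZATION_GRANT("JWT Profile for OAuth 2.0 Authorization Grant", Type.PREVIEW),` would correct it, provided no test or admin-console string matches the exact text. The enclosing enum declaration inside `Profile` starts and ends outside the hunk.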
@@ -36,6 +36,15 @@ In some situation you might want to avoid it, as the calling client, for example
 You can now prevent this by disabling *Include in OpenID Provider Metadata*.
+== JWT Authorization Grant new feature
+
+{project_name} 26.5 introduces a new feature called JWT Authorization Grant, which adds support for https://datatracker.ietf.org/doc/html/rfc7523[RFC 7523] to use external signed JWT assertions to request OAuth 2.0 access tokens.
+
+To accept signed JWT assertions, a trust relationship must be established between the external provider and {project_name}. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.
+
+JWT Authorization Grant is recommended as an alternative to link:{securing_apps_base_link}/token-exchange#_external-token-to-internal-token-exchange[External to internal token exchange V1].
+This feature is in preview, and additional details are available in the link:{securing_apps_base_link}/jwt-authorization-grant[dedicated documentation].
+
 = Administration
 ////
diff --git a/docs/documentation/tests/src/test/resources/ignored-links b/docs/documentation/tests/src/test/resources/ignored-links
index 846846770eb..b99d67ab3cf 100644
--- a/docs/documentation/tests/src/test/resources/ignored-links
+++ b/docs/documentation/tests/src/test/resources/ignored-links
@@ -47,4 +47,5 @@ https://www.keycloak.org/server/logging#http-access-logging
 https://www.keycloak.org/server/logging#mdc
 # To be removed once KC 26.5.0 is release
-https://www.keycloak.org/observability/telemetry
\ No newline at end of file
+https://www.keycloak.org/observability/telemetry
+https://www.keycloak.org/securing-apps/jwt-authorization-grant
\ No newline at end of file
diff --git a/docs/guides/securing-apps/jwt-authorization-grant.adoc b/docs/guides/securing-apps/jwt-authorization-grant.adoc
index 47c248bdc15..6242e20c261 100644
--- a/docs/guides/securing-apps/jwt-authorization-grant.adoc
+++ b/docs/guides/securing-apps/jwt-authorization-grant.adoc
@@ -7,8 +7,7 @@ title="JWT Authorization Grant"
 priority=130
 summary="Guide for the JWT Authorization Grant specification RFC 7521 / 7523.">
-// TODO: add tech preview when moved out experimental
-//< @ features.techpreview feature="jwt-authorization-grant"/>
+<@features.techpreview feature="jwt-authorization-grant"/>
 This guide defines how a JWT Bearer Token can be used in {project_name} as an authorization grant. This feature allows clients to send a JWT assertion to request an access token when the client wants to use an existing trust relationship without a direct user-approval step at the authorization server. The assertion is validated solely through the semantics of the JWT (its claims and signature). The trust relationship usually refers to another Identity Provider server (another OIDC server), and allows to obtain a cross-domain or cross-realm access token. In this sense, it is similar to the external to internal request in token exchange V1 (see <@links.securingapps id="token-exchange" anchor="_external-token-to-internal-token-exchange" /> for more information).
@@ -212,4 +211,4 @@ The enforcer can be used for any request that uses an assertion parameter. Curre
 +
 As the previous executor, for the moment this enforcer can be used for JWT Authorization Grant and the Standard Token exchange.
-
\ No newline at end of file
+