Description
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest release
Area
token-exchange
Describe the bug
When you want to exchange an external token for an internal one, Keycloak sends the token to the userinfo endpoint of the external provider for validation and retrieval of the user info.
When the response is received, it is immediately mapped to a JSON structure without checking in which format the response data was returned.
If it is returned as a signed JWT (encoded), this fails, as the data structure contains unexpected characters.
Version
RHSSO 7.6.2 (keycloak 18.0.6)
Expected behavior
As is done when an OIDC provider is used in an authentication flow, the Content-Type header of the userinfo endpoint response should be checked before processing the data.
If the Content-Type is application/json, the data can be processed as JSON.
If the Content-Type is application/jwt, the data should be processed as a JWT.
See
- https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java#L457
- https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L612
Actual behavior
Instead of verifying the Content-Type and handling it properly, the data is treated as application/json in every case. That is not correct.
The specs say that the data can be JSON in the clear or a signed JWT.
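The two behaviours described above (expected and actual), as an added stand-alone example; this is not code from the report or from Keycloak. `parse_userinfo_naive` mirrors the reported bug (the body is always fed to the JSON parser), and `parse_userinfo` dispatches on the Content-Type, treating `application/jwt` as a compact JWS whose signature, `iss` and `aud` are verified before any claim is trusted. The issuer, client id, secret and claims are constructed fixtures, and HS256 with a shared secret is used only so the example runs offline; a real userinfo JWT is normally signed with the provider's published key (RS256 via its JWKS).

```python
import base64
import hashlib
import hmac
import json

# Constructed fixtures for the example only (not real endpoints or keys).
ISSUER = "https://op.example/realms/demo"
CLIENT_ID = "my-broker-client"
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) carrying userinfo claims. Test fixture only."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def parse_userinfo_naive(body: str) -> dict:
    """The reported behaviour: the body is always treated as JSON."""
    return json.loads(body)


def parse_userinfo(content_type: str, body: str, key: bytes,
                   issuer: str = ISSUER, client_id: str = CLIENT_ID) -> dict:
    """Dispatch on the userinfo response Content-Type (OIDC Core 5.3.2)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        return json.loads(body)
    if media_type == "application/jwt":
        parts = body.strip().split(".")
        if len(parts) != 3:
            raise ValueError("malformed compact JWS")
        header = json.loads(b64url_decode(parts[0]))
        # Pin the algorithm; this also rejects alg=none.
        if header.get("alg") != "HS256":
            raise ValueError(f"unsupported alg {header.get('alg')!r}")
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise ValueError("userinfo JWS signature verification failed")
        claims = json.loads(b64url_decode(parts[1]))
        # A signed userinfo response carries iss and aud; check both.
        if claims.get("iss") != issuer:
            raise ValueError("unexpected issuer in userinfo JWT")
        aud = claims.get("aud")
        if client_id not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("userinfo JWT not intended for this client")
        return claims
    raise ValueError(f"unexpected userinfo Content-Type {content_type!r}")


def demo() -> dict:
    """Run the cases side by side and report what each path produced."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "email": "alice@example.com"}
    jwt_body = make_hs256_jwt(claims, SHARED_SECRET)
    results = {}
    # Reported bug: a JWT body handed straight to the JSON parser fails.
    try:
        parse_userinfo_naive(jwt_body)
        results["naive_jwt"] = "parsed"
    except json.JSONDecodeError:
        results["naive_jwt"] = "JSONDecodeError"
    results["json"] = parse_userinfo("application/json; charset=utf-8",
                                     json.dumps(claims), SHARED_SECRET)["sub"]
    results["jwt"] = parse_userinfo("application/jwt", jwt_body, SHARED_SECRET)["sub"]
    # A tampered payload must be rejected, not merely decoded.
    h, _p, s = jwt_body.split(".")
    forged = b64url_encode(json.dumps({**claims, "sub": "admin"}).encode())
    try:
        parse_userinfo("application/jwt", f"{h}.{forged}.{s}", SHARED_SECRET)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The Content-Type check alone is not enough: the `application/jwt` branch has to verify the signature and the `iss`/`aud` claims, otherwise a broker that merely base64-decodes the payload would accept user info it has not authenticated.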
How to Reproduce?
Use token exchange with a provider which returns a signed jwt on its userinfo endpoint.
Anything else?
No response