Description
This is a follow-up on #21200
Currently an accessToken with a DPoP thumbprint still has type `Bearer` in the initial DPoP Keycloak PR. IMO it would make more sense if the token type were `DPoP`. This is not explicitly mentioned in the specification, however it is mentioned that:
- The whole AccessTokenResponse should have token-type `DPoP`, which we do.
- The requests to the resource-server also use `Authorization: DPoP ...` instead of `Authorization: Bearer ...`

In general, the DPoP specification prescribes using type `DPoP` in those places, so it would make sense to me to use the same type in the access-token itself.
There is also one related point in the specification regarding the introspection endpoint https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-11#section-6.2 :

> If the token_type member is included in the introspection response, it MUST contain the value DPoP

It seems that we're currently not doing it and not adding `token_type` to the response. Maybe with the change above, we can start adding `token_type` (maybe in `AccessTokenIntrospectionProvider`, which would be used for both `Bearer` and `DPoP` tokens) and add `token_type` to the response, which would be retrieved simply from `token.getType()` (and hence would be `DPoP` for the `DPoP`-based tokens).
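As an added illustration (not Keycloak code and not part of the issue text above), the following stand-alone Python model shows the consistency being argued for: the access token carries its own type in a `typ` claim, the introspection response reports that value as `token_type` (so it is `DPoP` for DPoP-bound tokens, as section 6.2 requires), and a resource server that sees a DPoP-bound token under the `Bearer` scheme refuses it rather than silently downgrading a sender-constrained token to a replayable one. It assumes a toy HS256 JWT in place of Keycloak's real signed tokens, a constructed DPoP public key, and that the DPoP proof JWT itself (signature, `htm`/`htu`, nonce, `ath`) has already been validated; only the `cnf.jkt` thumbprint comparison and the scheme check are modelled. The RFC 7638 thumbprint routine is real and can be reused as-is.

```python
"""Toy model of Bearer vs DPoP-bound access tokens: the token carries its own type,
introspection reports it as token_type, and a resource server refuses a DPoP-bound
token that is presented with the Bearer scheme. Constructed example, not Keycloak code."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a shared HMAC key stands in for the authorization server's signing key.
AS_SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed sample DPoP public key (JWK). The coordinates are placeholders,
# not a real key pair; only its RFC 7638 thumbprint is used here.
DPOP_JWK = {"kty": "EC", "crv": "P-256",
            "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
            "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint (the value that goes into cnf.jkt): SHA-256 over the
    required public members only, keys sorted lexicographically, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def _compact(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_access_token(claims: dict, dpop_jwk: Optional[dict] = None) -> str:
    """Mint a toy HS256 JWT. The model keeps the token type in a payload 'typ'
    claim (the value the issue refers to as token.getType()). A DPoP-bound token
    gets typ=DPoP plus cnf.jkt; a plain token gets typ=Bearer."""
    payload = dict(claims)
    if dpop_jwk is not None:
        payload["typ"] = "DPoP"
        payload["cnf"] = {"jkt": jwk_thumbprint(dpop_jwk)}
    else:
        payload["typ"] = "Bearer"
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(payload)
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_access_token(token: str) -> dict:
    """Verify the HMAC and return the payload; raises ValueError on a bad token."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(AS_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def introspect(token: str) -> dict:
    """RFC 7662-style introspection response. token_type is taken from the token's
    own typ claim, so a DPoP-bound token is reported as "DPoP" (draft-ietf-oauth-dpop
    section 6.2), and cnf is echoed so the resource server can check the binding."""
    try:
        claims = decode_access_token(token)
    except ValueError:
        return {"active": False}
    response = {"active": True, "token_type": claims["typ"]}
    for name in ("sub", "scope", "exp", "cnf"):
        if name in claims:
            response[name] = claims[name]
    return response


def check_resource_request(authorization: str, proof_jwk: Optional[dict] = None):
    """Resource-server check on an Authorization header. proof_jwk is the public key
    carried in the client's DPoP proof; validating the proof itself is assumed done.
    Returns (accepted, reason)."""
    scheme, _, token = authorization.partition(" ")
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive or invalid"
    if info["token_type"] == "DPoP":
        # Never accept a DPoP-bound token under Bearer: that would turn a
        # sender-constrained token back into a freely replayable one.
        if scheme != "DPoP":
            return False, "DPoP-bound token presented with scheme " + scheme
        if proof_jwk is None or jwk_thumbprint(proof_jwk) != info["cnf"]["jkt"]:
            return False, "DPoP proof key does not match cnf.jkt"
        return True, "accepted (DPoP)"
    if scheme != "Bearer":
        return False, "Bearer token presented with scheme " + scheme
    return True, "accepted (Bearer)"


if __name__ == "__main__":
    bound = issue_access_token({"sub": "alice", "scope": "openid"}, DPOP_JWK)
    plain = issue_access_token({"sub": "alice", "scope": "openid"})
    print(json.dumps(introspect(bound), indent=2))
    print(check_resource_request("Bearer " + bound))          # rejected: scheme downgrade
    print(check_resource_request("DPoP " + bound, DPOP_JWK))  # accepted
    print(check_resource_request("Bearer " + plain))          # accepted
```

The point of deriving `token_type` from the token's own `typ` rather than from a separate flag is the one the issue makes: one source of truth serves both the token and the introspection endpoint, and a resource server can act on `token_type` without re-parsing `cnf`.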