Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
token-exchange
Describe the bug
When exchanging an access token issued by an external provider (e.g. Microsoft configured as OpenID Connect v1.0) with the user info check disabled, Keycloak returns the error `invalid_token` because the token doesn't contain the `typ` claim. The `typ` claim is optional and some providers (e.g. Microsoft) do not set it. The regression was introduced with #28866.
The suggested change is to validate the `typ` claim only if it is present, and to make it required only in `KeycloakOIDCIdentityProvider`.

In `OIDCIdentityProvider`:

```java
import java.util.Objects;

// OIDCIdentityProvider: tolerate a missing `typ` claim, since it is optional
// and providers such as Microsoft do not set it; still reject unsupported values.
protected boolean isTokenTypeSupported(JsonWebToken parsedToken) {
    String type = parsedToken.getType();
    return Objects.isNull(type) || SUPPORTED_TOKEN_TYPES.contains(type);
}
```

and in `KeycloakOIDCIdentityProvider`:

```java
// KeycloakOIDCIdentityProvider: tokens issued by Keycloak always carry `typ`,
// so keep it mandatory here and defer the value check to the parent class.
@Override
protected boolean isTokenTypeSupported(JsonWebToken parsedToken) {
    String type = parsedToken.getType();
    if (Objects.isNull(type)) {
        return false;
    }
    return super.isTokenTypeSupported(parsedToken);
}
```
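To make the proposed semantics concrete, the following added example (not code from this issue or from Keycloak) decodes the payload of a compact JWT and applies the two rules above: the lenient external-provider rule, which accepts a missing `typ`, and the strict Keycloak-issuer rule, which requires it. The sample tokens are constructed with an empty signature segment purely to exercise the claim check, which in Keycloak runs only after signature validation; the `SUPPORTED_TOKEN_TYPES` set is an assumption and may differ from the real constant. Note that the `typ` checked here is the payload claim (what `JsonWebToken.getType()` reads), not the `typ` header parameter that most providers set to `JWT`.

```python
import base64
import json

# Assumed set of accepted payload `typ` values; Keycloak's real
# SUPPORTED_TOKEN_TYPES constant may differ.
SUPPORTED_TOKEN_TYPES = {"Bearer", "JWT", "at+jwt"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build constructed test data: a compact JWS with an empty signature.
    No signing or verification is done; this only feeds the claim check."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), ""])


def parse_jwt(token: str):
    """Split a compact JWT into its decoded header and payload dicts."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def token_type_supported_external(payload: dict) -> bool:
    """Proposed OIDCIdentityProvider rule: a missing payload `typ` is fine,
    a present one must be a supported value."""
    typ = payload.get("typ")
    return typ is None or typ in SUPPORTED_TOKEN_TYPES


def token_type_supported_keycloak(payload: dict) -> bool:
    """Proposed KeycloakOIDCIdentityProvider rule: `typ` is mandatory, and
    its value is checked by the parent rule."""
    if payload.get("typ") is None:
        return False
    return token_type_supported_external(payload)


def check_subject_token(token: str, keycloak_issuer: bool) -> str:
    """Return 'ok' or the OAuth error a token-exchange caller would receive."""
    _header, payload = parse_jwt(token)
    rule = token_type_supported_keycloak if keycloak_issuer else token_type_supported_external
    return "ok" if rule(payload) else "invalid_token"


# Constructed sample tokens (not real provider output).
# Microsoft-style: `typ` only in the header, no `typ` claim in the payload.
MS_LIKE = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://login.microsoftonline.com/example-tenant/v2.0", "sub": "user1"},
)
# Keycloak-style: payload carries "typ": "Bearer".
KC_LIKE = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://kc.example/realms/demo", "sub": "user1", "typ": "Bearer"},
)
# Unsupported payload `typ` value, which both rules must reject.
WRONG_TYPE = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://other.example", "sub": "user1", "typ": "Refresh"},
)

if __name__ == "__main__":
    for name, tok in [("microsoft-like", MS_LIKE), ("keycloak-like", KC_LIKE), ("wrong-type", WRONG_TYPE)]:
        print(f"{name:15} external rule: {check_subject_token(tok, False):13} "
              f"keycloak rule: {check_subject_token(tok, True)}")
```

Running it shows the Microsoft-like token passing the external rule and failing only the Keycloak-issuer rule, while a token with an unsupported `typ` value is rejected by both, which is the behaviour the suggested change is after.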
Version
25.0.6
Regression
- The issue is a regression
Expected behavior
The access token can be validated even if it doesn't contain the `typ` claim.
Actual behavior
External tokens that do not contain the `typ` claim, with the user info check disabled, cannot be exchanged for internal tokens because of the error `invalid_token`.
How to Reproduce?
Configure as OpenID Connect v1.0 an identity provider that doesn't set the `typ` claim (e.g. Microsoft), disable the user info check, and try to exchange an external token for an internal one with `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` and `subject_token_type=urn:ietf:params:oauth:token-type:jwt`.
Anything else?
No response