Using DPoP token type in the access-token and as token_type in introspection response #22244
Conversation
| @@ -85,6 +85,13 @@ public Response introspect(String token) { | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| if (accessToken.getConfirmation() != null && accessToken.getConfirmation().getKeyThumbprint() != null) { | |||
There was a problem hiding this comment.
In the description of the issue, I suggested also to add DPoP instead of Bearer as the token type during authentication - in case of Bearer tokens. Does this look ok to you?
Maybe the easiest would be:
tokenMetadata.put(OAuth2Constants.TOKEN_TYPE, accessToken.getType());
WDYT?
There was a problem hiding this comment.
I see, only tokenMetadata.put(OAuth2Constants.TOKEN_TYPE, accessToken.getType()); is enough.
There was a problem hiding this comment.
I guess that when token type is updated to DPoP for the DPoP tokens, some small updates might be needed also in other places. I think that TokenVerifier.withDefaultChecks() may need to be updated to allow both Bearer and DPoP as token types.
There was a problem hiding this comment.
But maybe not... We can see if there are any failing tests :-)
| @@ -85,6 +85,13 @@ public Response introspect(String token) { | |||
| } | |||
| } | |||
| } | |||
|
|
|||
| if (accessToken.getConfirmation() != null && accessToken.getConfirmation().getKeyThumbprint() != null) { | |||
| tokenMetadata.put("token_type", "DPoP"); | |||
There was a problem hiding this comment.
Is it possible to use some constant for token_type like we're doing for other things? Maybe OAuth2Constants is good class to use it or something similar?
There was a problem hiding this comment.
Yes, the same above.
c8a8e04 to
a76f666
Compare
There was a problem hiding this comment.
@tnorimat Thanks for the updates.
I think that DPoPTest is failing because you don't yet set DPoP token type in the AccessToken. The token type is set to Bearer. We set DPoP as token_type claim only in the whole response, but not yet in the token. I've proposed to add DPoP also as token type, which would makes the test passing (See my description in Issue #21919).
| @@ -193,6 +193,7 @@ public void testDPoPProofByConfidentialClient() throws Exception { | |||
| TokenMetadataRepresentation tokenMetadataRepresentation = JsonSerialization.readValue(tokenResponse, TokenMetadataRepresentation.class); | |||
| Assert.assertTrue(tokenMetadataRepresentation.isActive()); | |||
| assertEquals(jkt, tokenMetadataRepresentation.getConfirmation().getKeyThumbprint()); | |||
| assertEquals("DPoP", tokenMetadataRepresentation.getOtherClaims().get("token_type")); | |||
There was a problem hiding this comment.
| assertEquals("DPoP", tokenMetadataRepresentation.getOtherClaims().get("token_type")); | |
| assertEquals("DPoP", tokenMetadataRepresentation.getOtherClaims().get(OAuth2Constants.TOKEN_TYPE)); |
NOTE: Maybe class OAuth2Constants would need to be imported in DPoPTest
| @@ -352,6 +352,7 @@ private void testIntrospectAccessToken(String jwaAlgorithm) throws Exception { | |||
| assertEquals("test-user@localhost", rep.getUserName()); | |||
| assertEquals("test-app", rep.getClientId()); | |||
| assertEquals(loginEvent.getUserId(), rep.getSubject()); | |||
| assertEquals("Bearer", rep.getOtherClaims().get("token_type")); | |||
There was a problem hiding this comment.
| assertEquals("Bearer", rep.getOtherClaims().get("token_type")); | |
| assertEquals("Bearer", rep.getOtherClaims().get(OAuth2Constants.TOKEN_TYPE)); |
NOTE: Maybe class OAuth2Constants would need to be imported in TokenIntrospectionTest
659dae4 to
aaedc60
Compare
…pection response closes keycloak#21919
aaedc60 to
cfa6da7
Compare
|
@mposolda I resolved the errors of the CI tests. Could you check the revised PR? |
closes #21919