Introduce ExternalToInternalTokenExchangeProvider. Make it working wi… #40134
+222
−15
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…th Google IDP using token-info endpoint instead of user-info endpoint closes keycloak#40146 closes keycloak#40133 Signed-off-by: mposolda <mposolda@gmail.com>
432eff8 to
45e6917
Compare
|
@graziang Thanks for the review |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…th Google IDP using token-info endpoint instead of user-info endpoint
closes #40146
closes #40133
PR introduces provider
ExternalToInternalTokenExchangeProviderand the featureTOKEN_EXCHANGE_EXTERNAL_INTERNAL_V2. See Introduce external-internal token exchange provider #40146 for some reasoning for using "external internal" only for now and make it separated from "internal external" .Similarly like we did for "standard token exchange", we may want to develop supported "external internal" and at the same time make the token-exchange:v1 works the same as before. This means also that Identity providers may need to behave differently for V1 and V2. Due to this, I've added the method
getVersionon theTokenExchangeProviderand methods likeexchangeExternalTokenV1ImplandexchangeExternalTokenV2Implon the Identity provider.The
exchangeExternalTokenV1Implworks the same as before for V1 token exchange.The
exchangeExternalTokenV2Implis implemented only for Google provider now. So Google is the only provider, which works withExternalToInternalTokenExchangeProviderright now. Instead of using only user-info endpoint for the verification (like V1 is doing), The V2 uses token-verification, which works with Google token-info endpoint and checks that token has expected audience. See some details in the GH issue Verification of external google token by Google token-info endpoint #40133 and in the google doc regarding this.Other providers (OIDC, other social providers) can hopefully be done in a follow-up PRs. 8000 Created some subtasks of #40132 for this.