Add details about client assertion to event

Fixes #41405

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
This commit is contained in:
Thomas Darimont
2025-07-30 20:50:27 +02:00
committed by GitHub
parent 2b019d711e
commit 97dfbd2c84
3 changed files with 14 additions and 0 deletions


@@ -57,6 +57,9 @@ public interface Details {
String REFRESH_TOKEN_ID = "refresh_token_id";
String REFRESH_TOKEN_TYPE = "refresh_token_type";
String REFRESH_TOKEN_SUB = "refresh_token_sub";
String CLIENT_ASSERTION_ID = "client_assertion_id";
String CLIENT_ASSERTION_SUB = "client_assertion_sub";
String CLIENT_ASSERTION_ISSUER = "client_assertion_issuer";
String VALIDATE_ACCESS_TOKEN = "validate_access_token";
String UPDATED_REFRESH_TOKEN_ID = "updated_refresh_token_id";
String NODE_HOST = "node_host";
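Review bot: The three new `CLIENT_ASSERTION_*` constants say nothing about where their values come from, and a consumer reading event details could easily take `client_assertion_sub` for a verified identity. Since the validator fills them straight from the parsed assertion's `jti`, `iss` and `sub` claims, a one-line comment above `CLIENT_ASSERTION_ID` would remove the guesswork: `// jti / sub / iss claims of the client_assertion JWT presented for client authentication, as sent by the client`.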


@@ -31,6 +31,7 @@ import org.keycloak.OAuth2Constants;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details;
import org.keycloak.http.HttpRequest;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
@@ -116,6 +117,11 @@ public class JWTClientValidator {
jws = new JWSInput(clientAssertion);
token = jws.readJsonContent(JsonWebToken.class);
var event = context.getEvent();
event.detail(Details.CLIENT_ASSERTION_ID, token.getId());
event.detail(Details.CLIENT_ASSERTION_ISSUER, token.getIssuer());
event.detail(Details.CLIENT_ASSERTION_SUB, token.getSubject());
}
public boolean validateClient() {
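Review bot: The three details set after `var event = context.getEvent();` are read from the assertion payload immediately after `readJsonContent`, before any signature or expiry check has run (presumably that is what `validateClient()`, declared just below, does), so `jti`, `iss` and `sub` reach the event store as unauthenticated client input. That is useful forensic context, but it should be stated so nobody treats `client_assertion_sub` as a proven identity, e.g. `// NOTE: read from the not-yet-verified assertion — client-controlled until validateClient() succeeds`. It is also worth confirming that `event.detail(...)` tolerates a null `jti` (the id claim is optional in a JWT) and that the event store bounds the length of these strings, since a client can send arbitrarily long values in them. The enclosing method starts before this hunk.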


@@ -35,6 +35,7 @@ import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.representations.AccessToken;
@@ -71,6 +72,7 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
@Test
public void testServiceAccountAndLogoutSuccess() throws Exception {
String client1Jwt = getClient1SignedJWT();
JsonWebToken client1JsonWebToken = new JWSInput(client1Jwt).readJsonContent(JsonWebToken.class);
AccessTokenResponse response = doClientCredentialsGrantRequest(client1Jwt);
assertEquals(200, response.getStatusCode());
@@ -85,6 +87,9 @@ public class ClientAuthSignedJWTTest extends AbstractClientAuthSignedJWTTest {
.detail(Details.REFRESH_TOKEN_ID, refreshToken.getId())
.detail(Details.USERNAME, ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + "client1")
.detail(Details.CLIENT_AUTH_METHOD, JWTClientAuthenticator.PROVIDER_ID)
.detail(Details.CLIENT_ASSERTION_ID, client1JsonWebToken.getId())
.detail(Details.CLIENT_ASSERTION_ISSUER, "client1")
.detail(Details.CLIENT_ASSERTION_SUB, "client1")
.assertEvent();
assertEquals(accessToken.getSessionState(), refreshToken.getSessionState());
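Review bot: The new assertions in `testServiceAccountAndLogoutSuccess` only cover the success path, so nothing pins whether the `client_assertion_*` details are present on a rejected assertion (wrong key, expired), which is the case where these details matter most for incident analysis. A negative test that sends an assertion signed with a different key and then checks the error event for `CLIENT_ASSERTION_ISSUER` and `CLIENT_ASSERTION_SUB` would document the intended behaviour either way; any existing failure tests in this class (not visible in this hunk) would be the natural place. The test method continues past the hunk.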