Adjustments to the behaviour of the dpop_bound_access_tokens switch

closes #21920
Takashi Norimatsu
2023-07-27 11:00:32 +09:00
committed by Marek Posolda
parent 74200f2779
commit 9a921441cc
4 changed files with 30 additions and 30 deletions
@@ -498,8 +498,8 @@ public class TokenManager {
}
if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
if (OIDCAdvancedConfigWrapper.fromClientModel(client).isUseDPoP() && client.isPublicClient()) {
DPoP dPoP = (DPoP) session.getAttribute(DPoPUtil.DPOP_SESSION_ATTRIBUTE);
DPoP dPoP = (DPoP) session.getAttribute(DPoPUtil.DPOP_SESSION_ATTRIBUTE);
if (client.isPublicClient() && (OIDCAdvancedConfigWrapper.fromClientModel(client).isUseDPoP() || dPoP != null )) {
try {
DPoPUtil.validateBinding(refreshToken, dPoP);
} catch (VerificationException ex) {
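Review bot: The new condition on the `if` decides from what arrived with this request (`dPoP != null`) rather than from whether the refresh token was issued DPoP-bound, so a public client that omits the DPoP header while `isUseDPoP()` is off skips `validateBinding` for a token that carries a `cnf` claim, unless `validateBinding` itself rejects a null proof for a bound token, which is not visible here. Keying the decision off the token as well, e.g. `|| refreshToken.getConfirmation() != null` next to `dPoP != null` (assuming that accessor exposes the `cnf` claim on the refresh token model), would stop a bound token from being accepted as a plain bearer token once the switch is turned off. A short comment above the `if` stating the rule, `// validate the binding when the client mandates DPoP, a proof was presented, or the token is bound`, would make the intent reviewable. The enclosing method starts and ends outside the hunk.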
@@ -334,7 +334,7 @@ public class TokenEndpoint {
private void checkAndRetrieveDPoPProof(boolean isDPoPSupported) {
if (!isDPoPSupported) return;
if (clientConfig.isUseDPoP()) {
if (clientConfig.isUseDPoP() || request.getHttpHeaders().getHeaderString(DPoPUtil.DPOP_HTTP_HEADER) != null) {
try {
dPoP = new DPoPUtil.Validator(session).request(request).uriInfo(session.getContext().getUri()).validate();
session.setAttribute(DPoPUtil.DPOP_SESSION_ATTRIBUTE, dPoP);
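Review bot: With the header-presence alternative at `if (clientConfig.isUseDPoP() || request.getHttpHeaders().getHeaderString(DPoPUtil.DPOP_HTTP_HEADER) != null)`, a client that is not configured for DPoP but sends a DPoP header now has its proof validated, and the `catch` that follows (outside the hunk) decides whether a malformed proof fails the whole token request; that is a behaviour change for such clients and is not documented on the method. Suggested comment above the `if`: `// validate the proof when the client mandates DPoP, or when the request opts in by sending a DPoP header`. The check only tests presence, so handling of repeated DPoP headers is left to `DPoPUtil.Validator`, which is not visible here. The method body continues past the hunk.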
@@ -547,7 +547,7 @@ public class TokenEndpoint {
private void checkAndBindDPoPToken(TokenManager.AccessTokenResponseBuilder responseBuilder, boolean useRefreshToken, boolean isDPoPSupported) {
if (!isDPoPSupported) return;
if (clientConfig.isUseDPoP()) {
if (clientConfig.isUseDPoP() || dPoP != null) {
DPoPUtil.bindToken(responseBuilder.getAccessToken(), dPoP);
// TODO Probably uncomment as the accessToken type "DPoP" will have more sense than "Bearer". It will require some changes in the introspection endpoint too...
// responseBuilder.getAccessToken().type(DPoPUtil.DPOP_TOKEN_TYPE);
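Review bot: The left disjunct at `if (clientConfig.isUseDPoP() || dPoP != null)` still lets `bindToken` run with a null `dPoP` when DPoP is mandated but `checkAndRetrieveDPoPProof` left the field unset, which depends on whether its catch block (not in view) aborts the request. If that is not guaranteed, the mandated-but-missing case should be rejected explicitly before `bindToken` rather than producing either an unbound token or a null dereference; a one-line comment such as `// dPoP is non-null here only if checkAndRetrieveDPoPProof validated a proof for this request` would record the assumption either way. The same condition shape appears in the two preceding hunks, so a single helper deciding whether DPoP applies to this request would keep the three sites from drifting. The enclosing method continues past the hunk and `useRefreshToken` is not used in the visible lines.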
@@ -69,7 +69,7 @@ public class DPoPUtil {
DISABLED
}
private static final String DPOP_HTTP_HEADER = "DPoP";
public static final String DPOP_HTTP_HEADER = "DPoP";
private static final String DPOP_JWT_HEADER_TYPE = "dpop+jwt";
private static final String DPOP_ATH_ALG = "RS256";