Always allow to setup JWKS URL in oidc idp

Closes #44217 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-12-21 06:20:05 -06:00 · 2025-11-21 16:39:44 +01:00
parent d5a507e90d
commit b323fea8bc
4 changed files with 17 additions and 1 deletions
--- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
+++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties
@@ -2456,7 +2456,7 @@ targetContextAttributes=Target Context Attributes
 targetContextAttributesHelp=Defines the evaluation of context attributes (claims) instead of identity attributes
 filteredByClaim=Verify essential claim
 rowCancelBtnAriaLabel=Cancel edits for {{messageBundle}}
-validateSignatureHelp=Enable/disable signature validation of external IDP signatures.
+validateSignatureHelp=Enable/disable signature validation of external IDP signatures. For Federated Client Authentication and JWT Authorization Grant the signature validation must be enabled.
 searchForFlow=Search for flow
 verifyEmail=Verify email
 addressClaim.locality.label=User Attribute Name for Locality
--- a/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx
+++ b/js/apps/admin-ui/src/identity-providers/add/DiscoverySettings.tsx
@@ -89,6 +89,7 @@ const Fields = ({ readOnly, isOIDC }: DiscoverySettingsProps) => {
          <DefaultSwitchControl
            name="config.validateSignature"
            label={t("validateSignature")}
+            labelIcon={t("validateSignatureHelp")}
            isDisabled={readOnly}
            stringify
          />
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -1077,6 +1077,10 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
            throw new IdentityBrokerException("JWT Authorization Granted is not enabled for the identity provider");
        }

+        if (!getConfig().isValidateSignature()) {
+            throw new IdentityBrokerException("Signature validation not enabled for issuer");
+        }
+
        // verify signature
        if (!verify(context.getJws())) {
            throw new IdentityBrokerException("Invalid signature");
--- a/tests/base/src/test/java/org/keycloak/tests/oauth/OIDCIdentityProviderJWTAuthorizationGrantTest.java
+++ b/tests/base/src/test/java/org/keycloak/tests/oauth/OIDCIdentityProviderJWTAuthorizationGrantTest.java
@@ -32,6 +32,17 @@ public class OIDCIdentityProviderJWTAuthorizationGrantTest extends AbstractJWTAu
        assertFailure("JWT Authorization Granted is not enabled for the identity provider", response, events.poll());
    }

+    @Test
+    public void testValidateSignatureDisabled() {
+        realm.updateIdentityProviderWithCleanup(IDP_ALIAS, rep -> {
+            rep.getConfig().put(OIDCIdentityProviderConfig.VALIDATE_SIGNATURE, "false");
+        });
+
+        String jwt = getIdentityProvider().encodeToken(createAuthorizationGrantToken("basic-user-id", oAuthClient.getEndpoints().getIssuer(), IDP_ISSUER));
+        AccessTokenResponse response = oAuthClient.jwtAuthorizationGrantRequest(jwt).send();
+        assertFailure("Signature validation not enabled for issuer", response, events.poll());
+    }
+
    public static class JWTAuthorizationGrantRealmConfig extends AbstractJWTAuthorizationGrantTest.JWTAuthorizationGrantRealmConfig {

        @Override