TNG / keycloak-mock

A Java library to test REST endpoints secured by Keycloak via OpenID connect.
Apache License 2.0
122 stars, 27 forks

Typ attribute should be in header #148

Closed mb-techno closed 1 year ago

mb-techno commented 1 year ago

Hi, when testing I found that access tokens generated through this library were being rejected by Nimbus. After some digging I found that this is the case because the "typ" attribute should be in the header, not in the claims.

This line should be moved upwards to be the same as the "kid" header: https://github.com/TNG/keycloak-mock/blob/9a11e42c8cd484f7a0ebebdf3f31720aacdf71bb/mock/src/main/java/com/tngtech/keycloakmock/impl/TokenGenerator.java#L56

The tests with a Keycloak source token have the typ attribute correctly in the header: https://github.com/TNG/keycloak-mock/blob/9a11e42c8cd484f7a0ebebdf3f31720aacdf71bb/mock/src/test/java/com/tngtech/keycloakmock/api/TokenConfigTest.java#L22

Additionally, the current "typ" is set to "Bearer". That should be set to "JWT".

ostrya commented 1 year ago

Right. Wow, should have noticed that earlier. But thanks for the heads-up!

ostrya commented 1 year ago

Actually, the "typ" parameter in the body is correct, see https://github.com/keycloak/keycloak/blob/e2cf45f65fe0ef7c65870292fd95e7526325f94d/core/src/main/java/org/keycloak/representations/JsonWebToken.java#L58. But you are also correct that I currently don't set the "typ" value in the JWT header.

mb-techno commented 1 year ago

Interesting. Odd to have it in both places. But I see you've already made a PR. Great work!
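The thread above turns on the two different places a JWT can carry "typ": the JOSE header parameter, which says what kind of object the token is and is what a consumer inspecting the header (as the reporter describes Nimbus doing) looks at, and a "typ" claim inside the payload, which Keycloak sets to "Bearer" as one of its own claims. The following is an added, self-contained example that is not code from the issue, from keycloak-mock or from Nimbus. It builds tokens with a constructed HS256 secret (the mock itself signs with RSA and a "kid" header; the HMAC key, the "demo-kid" value and the sample claims are assumptions for the demo) and shows a verifier that, in the spirit of the explicit-typing advice in RFC 8725 section 3.11, accepts the token only when the header "typ" is on an allow-list, so a token whose only "typ" is the "Bearer" claim in the body is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real Keycloak-style token is RSA-signed under a "kid".
DEMO_SECRET = b"demo-hmac-secret-not-for-production"
DEMO_KID = "demo-kid"  # assumed key id, stands in for the mock's RSA key id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, header_typ="JWT", kid=DEMO_KID, secret=DEMO_SECRET) -> str:
    """Build an HS256 JWT. header_typ=None reproduces the reported bug: the only
    "typ" is then the Keycloak-style claim inside the payload."""
    header = {"alg": "HS256", "kid": kid}
    if header_typ is not None:
        header["typ"] = header_typ
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_header(token: str) -> dict:
    """Return the JOSE header without verifying anything (inspection only)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_token(token: str, secret=DEMO_SECRET, allowed_typ=("JWT",)) -> dict:
    """Verify signature and header "typ"; return the claims or raise ValueError.
    allowed_typ could also list "at+jwt" (RFC 9068) for access tokens."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm before touching the signature; never trust "alg" blindly.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Explicit typing check: the header parameter, not a payload claim, decides.
    if header.get("typ") not in allowed_typ:
        raise ValueError(f"unexpected header typ {header.get('typ')!r}")
    return json.loads(b64url_decode(payload_b64))


# Constructed claims in the shape Keycloak emits: "typ": "Bearer" lives in the body.
SAMPLE_CLAIMS = {"typ": "Bearer", "iss": "http://localhost:8000/auth/realms/master",
                 "sub": "alice", "azp": "client"}

if __name__ == "__main__":
    good = make_token(SAMPLE_CLAIMS)
    print("header:", decode_header(good))
    print("claims:", verify_token(good))
    bug = make_token(SAMPLE_CLAIMS, header_typ=None)  # typ only in the claims
    try:
        verify_token(bug)
    except ValueError as err:
        print("rejected as reported in the issue:", err)
```

Running the script prints the accepted token's header (with "kid" and "typ": "JWT") and its claims (still carrying "typ": "Bearer"), then shows the header-less-typ variant being rejected. The two "typ" values are therefore not in conflict: the header one types the JOSE object, the claim is Keycloak's own, and a fix for the issue needs both.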