helidon-io / helidon

Java libraries for writing microservices
https://helidon.io
Apache License 2.0

Support aud claim check with array of values in OIDC provider #5861

Open m1h43l opened 1 year ago

m1h43l commented 1 year ago

Some identity providers don't specify a single client/application in the audience ("aud") claim but all clients the user has access to. This results in an array of values in the aud claim. This makes sense in some cases, but Helidon doesn't support this as Helidon expects a single value.

In the case of an array of values in the "aud" claim it would be great if Helidon would check if one of the values in the aud claim equals the configured audience in the Helidon configuration.

This feature request is not specific to any Helidon version or platform.
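The check the request describes, as an added stand-alone example (not Helidon's code): the `aud` claim may be a single string or an array of strings (RFC 7519 §4.1.3), and the token should be accepted only if the audience configured for this service is one of those values. The payload below is constructed to mirror the Keycloak token quoted later in this issue, the token builder produces an unsigned sample, and signature verification is assumed to have happened before this claim check.

```python
import base64
import json

# Constructed sample payload modelled on the Keycloak token quoted in this
# issue: "aud" is an array, not a single string.
SAMPLE_PAYLOAD = {
    "iss": "http://keycloak.example/realms/my-realm",
    "sub": "1234",
    "aud": ["my-realm", "master-realm", "account", "http://localhost:8181/"],
}


def audience_values(payload: dict) -> list:
    """Normalise the aud claim to a list of strings. RFC 7519 allows either
    a single string or an array of strings; anything else is malformed."""
    aud = payload.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or an array of strings")


def audience_matches(payload: dict, expected: str) -> bool:
    """True only if the configured audience is one of the token's audiences.
    Comparison is exact and case-sensitive: 'http://localhost:8181' and
    'http://localhost:8181/' are different audiences, so a token issued
    for one is rejected by a service configured with the other."""
    return expected in audience_values(payload)


def make_sample_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED demo token (header.payload.signature).
    Real tokens must be signature-verified before their claims are trusted."""
    def b64url(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.constructed-signature"


def decode_payload(token: str) -> dict:
    """Decode the payload segment of an already-verified JWT."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment).decode("utf-8"))
```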

arjav-desai commented 1 year ago

Just adding @m1h43l's queries from the public Slack channel, which led to this issue:

  1. https://helidon.slack.com/archives/CCS216A5A/p1673347506184249

     Helidon 2.5.5 and Keycloak 20: I am trying to develop a microservice with Helidon which is secured with Keycloak 20. I am using the helidon-microprofile-oidc library and annotated the resource with Authenticated. So far so good. Now I am getting:

     ```
     2023.01.10 11:29:46 SEVERE io.helidon.security.providers.oidc.TenantAuthenticationHandler Thread[helidon-client-0,5,security-thread-pool]: Fatal issues found:
     FATAL: Audience must contain [http://localhost:8181/], yet it is: Optional[[my-realm, master-realm, account]] at io.helidon.security.jwt.Jwt@218aec4b
     ```

     The aud claim in the JWT is really

     ```json
     "aud": [
       "my-realm",
       "master-realm",
       "account"
     ],
     ```

     How do I set the audience either in Helidon (oidc configuration) or in Keycloak correctly?
     Thanks in advance.
     Mihael

     Daniel Kec:
     Custom audience should help:

     ```sh
     ./kcadm.sh create -x "client-scopes" -r ${REALM_NAME} -s name=my-jwt-scope -s protocol=openid-connect
     CUSTOM_JWT_AUDIENCE_SCOPE_ID=$(./kcadm.sh get client-scopes --fields id,name -r ${REALM_NAME} \
       | jq -r '.[] | select(.name=="my-jwt-scope").id')
     ./kcadm.sh create client-scopes/$CUSTOM_JWT_AUDIENCE_SCOPE_ID/protocol-mappers/models -r ${REALM_NAME} -f - << 'EOF'
     {
       "protocol": "openid-connect",
       "name": "my-custom-audience",
       "protocolMapper": "oidc-audience-mapper",
       "config": {
         "access.token.claim": "true",
         "id.token.claim": "true",
         "included.client.audience": "",
         "included.custom.audience": "http://localhost:8181/"
       }
     }
     EOF
     ```

  2. https://helidon.slack.com/archives/CCS216A5A/p1673616500942069