keycloak / kc-sig-fapi

Apache License 2.0

Keycloak does not check whether the Request Object includes a "scope" claim and return an appropriate error #14

Closed tnorimat closed 3 years ago

tnorimat commented 5 years ago

According to FAPI-RW-5.2.3-8(https://openid.net/specs/openid-financial-api-part-2-ID2.html#public-client), FAPI-R-5.2.3-7(https://openid.net/specs/openid-financial-api-part-1-ID2.html#public-client) and OIDCC-3.3.2.6 (https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthError) because FAPI RW uses hybrid flow :

tnorimat commented 5 years ago

FAPI-RW-5.2.3-8 states that all query parameters in an authorization code request should be included in the signed Request Object in order to protect those query parameters (substitution, tampering, or insertion by a malicious one).

FAPI-R-5.2.3-7 states that the "scope" query parameter should be added to an authorization code request.

Both are requirements for the Client, but they imply that the Authorization Server should also check them and return an error if the Client does not obey them.
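As an added illustration of the server-side check described above (example code, not Keycloak's or this repository's implementation), the function below takes an authorization request's query parameters and the already signature-verified, decoded Request Object claims, and rejects the request when a query parameter is absent from or differs from the Request Object (FAPI-RW-5.2.3-8) or when the "scope" claim is missing (FAPI-R-5.2.3-7). The sample request, client id, URIs and the `invalid_request_object` error shape are constructed assumptions for the example.

```python
from typing import Optional

# Constructed sample FAPI-RW hybrid-flow authorization request (not real data).
SAMPLE_QUERY = {
    "client_id": "example-client",
    "response_type": "code id_token",
    "request": "<signed-request-object-jwt-placeholder>",
}
# Claims of the (assumed already signature-verified) Request Object.
SAMPLE_REQUEST_OBJECT = {
    "iss": "example-client",
    "aud": "https://as.example.test",
    "client_id": "example-client",
    "response_type": "code id_token",
    "redirect_uri": "https://client.example.test/cb",
    "scope": "openid accounts",
    "state": "af0ifjsldkj",
    "nonce": "n-0S6_WzA2Mj",
}

# Query parameters that carry the Request Object itself and so cannot be
# protected by it; every other query parameter must be mirrored inside it.
CARRIER_PARAMS = ("request", "request_uri")


def validate_fapi_request_object(query_params: dict, request_object: dict) -> Optional[dict]:
    """Return None if the request passes, otherwise an error body for the
    authorization error response (OIDC Core uses invalid_request_object)."""
    def err(description: str) -> dict:
        return {"error": "invalid_request_object", "error_description": description}

    # FAPI-RW-5.2.3-8: a parameter that exists only on the query string, or
    # whose value differs from the signed claim, is outside the signature and
    # could have been inserted or substituted in transit.
    for name, value in query_params.items():
        if name in CARRIER_PARAMS:
            continue
        if name not in request_object:
            return err(f"query parameter '{name}' is missing from the request object")
        if str(request_object[name]) != str(value):
            return err(f"query parameter '{name}' differs from the request object")

    # FAPI-R-5.2.3-7: scope must be present; since all parameters are mirrored
    # into the Request Object, the authoritative copy is the signed claim.
    scope = request_object.get("scope")
    if not scope or not str(scope).strip():
        return err("scope claim is required in the request object")
    return None
```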

tnorimat commented 5 years ago

Related Keycloak JIRA ticket created: https://issues.jboss.org/browse/KEYCLOAK-11256

pritish-nitb commented 4 years ago

@tnorimat I was able to fix this defect in Keycloak and test it through the FAPI conformance suite. I looked at the JIRA ticket and other relevant tickets and docs and found that there is a proposed plan to have Client conformance profiles (https://issues.redhat.com/browse/KEYCLOAK-11612), which, as you rightly mentioned, is an epic task.

So, shall we not go ahead and try fixing these outstanding FAPI compliance defects? Let me know your thoughts.

tnorimat commented 4 years ago

@pritish-nitb Hello. As you mentioned, I have a plan to resolve this issue by KEYCLOAK-14204. To do so, I need to establish the basics of Client Policies mentioned in KEYCLOAK-14189, and its pull request is under review by the Keycloak development team. Therefore, could you please wait for my work on it?

I hope that Client Policies will make it easy for us to support not only the FAPI Security Profile (RO, RW) but also other OAuth2/OIDC-based security profiles like the FAPI CIBA security profile, the OpenBanking Security Profile (UK), Consumer Data Right (Australia), a security profile for Native Apps, a security profile for SPAs, etc.

VinodAnandan commented 4 years ago

@tnorimat and @pritish-nitb thank you for your contribution to Keycloak FAPI. I think if we continue the discussion of this thread further on the keycloak-dev mailing list (https://groups.google.com/g/keycloak-dev), it may help to get visibility from others who are interested in it. What do you think about it?

tnorimat commented 4 years ago

@VinodAnandan Yes, I agree with you.

tnorimat commented 3 years ago

Closed. https://issues.redhat.com/browse/KEYCLOAK-14204