wadahiro
commented
4 years ago On fix-resource-server branch, I implemented the introspection and MTLS verification on the resource server temporarily by keycloak-gatekeeper customization in the following commit:
- Add token introspection: https://github.com/openstandia/keycloak-gatekeeper/commit/7f65d355f709b421f3cb2596c310aa3fcd359da5
- Add MTLS verification with token introspection: https://github.com/openstandia/keycloak-gatekeeper/commit/878b020f41057cf327fc7accd10950e66f018dd8
Then I tested fapi-rw-id2-ensure-request-object-with-multiple-aud-succeeds-with-private-key-and-mtls-holder-of-key again.
I confirmed CallAccountsEndpointWithBearerTokenExpectingError (OB-6.2.1-2) didn't passed in the test-case trying Client1 Crypto Keys with Client2 token:
But the other CallAccountsEndpointWithBearerTokenExpectingError (RFC6749-4.1.2) wasn't passed correctly due to WARN. The test-case attempts reuse of client2's authorization code & test if access token is revoked:
I checked RFC6749-4.1.2. It says:
if an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code.Should we support the revocation in keycloak? Or it's implemented on the latest keycloak?
tnorimat
CallAccountsEndpointWithBearerTokenExpectingError checks whether a resource server returns an error when a client 1 send an access token issued to a client 2. It checks a requirement of OpenBanking Security Profile section 6.2.1-2.
To pass these tests, the resource server defined as "resourceUrl" in the config file needs to be configured to satisfy a requirement of OpenBanking Security Profile section 6.2.1-2.
This requirement tells that the resource server with the FAPI endpoints shall verify that the client identifier bound to the underlying mutually authenticated TLS transport session matches the client that the access token was issued to. That means we shall use [MTLS] as client authentication, not private_key_jwt. Therefore, this check should be omitted for private_key_jwt testplan.
These test should be omitted because the test plan is for the authorization server (keycloak), not the resource server. And, this test is for OpenBanking Security Profile, not FAPI.