keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

`Registration Access Token`'s issuer claim prevents smooth migration of the realm's issuer #28045

Open reda-alaoui opened 8 months ago

reda-alaoui commented 8 months ago

Description

Authenticating to Keycloak via internet domain A using a Registration Access Token generated on internet domain B will fail.

Discussion

No response

Motivation

We have a Keycloak instance deployed on internet domain A that we want to move to domain B. Many Keycloak clients have persisted registration access tokens associated with domain A. Those tokens are rejected when trying to use them on domain B because of their issuer values.

Details

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java#L97-L97

The registration access token authentication, in addition to the usual JWT validations, compares the registrationToken stored in the Client entity with the JWT jti claim (https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java#L189-L189). Therefore, isn't it overkill to also verify the issuer claim for this kind of token?
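The two checks the report describes, as an added example that is not Keycloak's code: a standard JWT validation that includes the issuer claim, followed by a comparison of the token's `jti` with the registration token persisted on the client entity. The example uses HS256 with a constructed shared key for brevity (Keycloak's real signing setup differs), the two issuer URLs are constructed, and the function names `issue_registration_access_token` and `verify_registration_access_token` are hypothetical. It walks through a realm moving from domain A to domain B with a token minted before the move, and shows what each check rejects when the issuer check is kept and when it is relaxed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values (assumptions for this example, not Keycloak's real configuration).
SECRET_KEY = b"constructed-demo-hmac-key-not-for-production"
OLD_ISSUER = "https://domain-a.example/realms/demo"  # realm issuer before the migration
NEW_ISSUER = "https://domain-b.example/realms/demo"  # realm issuer after the migration


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (simplified stand-in for the server's signer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def issue_registration_access_token(issuer: str, client_id: str, key: bytes):
    """Mint a registration access token; return (token, jti).

    The jti is the value the server persists on the client entity as its
    registration token, so a later presentation can be bound to that client.
    """
    jti = secrets.token_urlsafe(16)
    claims = {
        "iss": issuer,
        "jti": jti,
        "typ": "RegistrationAccessToken",
        "iat": int(time.time()),
        "client_id": client_id,
    }
    return sign_jwt(claims, key), jti


def verify_registration_access_token(token: str, key: bytes, expected_issuer: str,
                                     stored_registration_token, check_issuer: bool = True):
    """Return (ok, reason).

    Order mirrors the report: signature and issuer first (the usual JWT
    validation), then the jti must equal the registration token stored on the client.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("typ") != "RegistrationAccessToken":
        return False, "wrong token type"
    if check_issuer and claims.get("iss") != expected_issuer:
        return False, f"issuer mismatch: {claims.get('iss')} != {expected_issuer}"
    presented_jti = str(claims.get("jti", ""))
    if stored_registration_token is None or not hmac.compare_digest(presented_jti, stored_registration_token):
        return False, "jti does not match the registration token stored on the client"
    return True, "ok"


def migration_scenario() -> dict:
    """Token minted under OLD_ISSUER, then presented after the realm moved to NEW_ISSUER."""
    token, stored = issue_registration_access_token(OLD_ISSUER, "my-client", SECRET_KEY)
    before = verify_registration_access_token(token, SECRET_KEY, OLD_ISSUER, stored)
    # Strict issuer check: rejected purely because the issuer changed (the report's failure).
    after_strict = verify_registration_access_token(token, SECRET_KEY, NEW_ISSUER, stored)
    # Issuer check relaxed for this token type: accepted, still bound to the client via jti.
    after_relaxed = verify_registration_access_token(token, SECRET_KEY, NEW_ISSUER, stored, check_issuer=False)
    # Even with the issuer check relaxed, a token whose jti no longer matches the stored value is rejected.
    stale = verify_registration_access_token(token, SECRET_KEY, NEW_ISSUER, "some-other-jti", check_issuer=False)
    return {
        "before_migration": before[0],
        "after_migration_strict_issuer": after_strict[0],
        "after_migration_relaxed_issuer": after_relaxed[0],
        "stale_jti_relaxed_issuer": stale[0],
    }


if __name__ == "__main__":
    for name, ok in migration_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last case is the point of the reporter's question: with the issuer check dropped for this token type, the signature check and the `jti` comparison against the persisted registration token are what still reject a token that does not belong to the client record, so whether the issuer check adds anything depends on what threat it is meant to cover beyond that binding.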

mposolda commented 7 months ago

It would be nice if this were handled by default client policies ( https://github.com/keycloak/keycloak/issues/27188 ) once they are supported. See this comment for the details: https://github.com/keycloak/keycloak/pull/28054#pullrequestreview-1958085623 .