Open cvetkovv opened 3 weeks ago
Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.
If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.
I recently upgraded to KC25.0.6 and I am affected by this issue. I left a comment in the PR #33344 to backport to KC25 since it's a regression and there are no workarounds.
Before reporting an issue
Area
token-exchange
Describe the bug
When exchanging an access token issued by an external provider (e.g. Microsoft configured as OpenID Connect v1.0) and user info check disabled, Keycloak is returning error `invalid_token` because the token doesn't contain claim `typ`. The `typ` claim is optional and some providers (e.g. Microsoft) are not setting it. The regression was introduced with https://github.com/keycloak/keycloak/pull/28866

Suggested change is to validate the `typ` claim only if it is available in `OIDCIdentityProvider` and make it required only in `KeycloakOIDCIdentityProvider`.
Version
25.0.6
Regression
Expected behavior
Access token can be validated in case it doesn't contain `typ` claim.
Actual behavior
External tokens that do not contain `typ` claim and user info check disabled cannot be exchanged to internal because of error `invalid_token`.
How to Reproduce?
Configure as `OpenID Connect v1.0` identity provider that doesn't set `typ` claim (e.g. Microsoft), disable user info check, and try to exchange external to internal token with `grant_type=urn:ietf:params:oauth:grant-type:token-exchange` and `subject_token_type=urn:ietf:params:oauth:token-type:jwt`.
Anything else?
No response
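The two `typ` policies discussed in this issue, side by side, as an added illustration that is not Keycloak's own code: the current behaviour, which rejects any subject token without a `typ` claim, and the suggested behaviour, which checks `typ` only when present and requires it only for Keycloak-issued tokens. The expected value `Bearer` and the sample tokens are assumptions constructed for the demo; signature verification is assumed to happen elsewhere.

```python
import base64
import json


# Constructed sample tokens: JWT segments are base64url JSON; the signature
# segment is a placeholder because signature checking is out of scope here.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_token(header: dict, payload: dict) -> str:
    return f"{_b64url(header)}.{_b64url(payload)}.placeholder-signature"


def _decode(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


class InvalidToken(Exception):
    """Stands in for the invalid_token error the exchange endpoint returns."""


def check_typ_claim(token: str, require_typ: bool, expected_typ: str = "Bearer") -> dict:
    """Return the payload if the payload 'typ' claim check passes.

    require_typ=False: what the issue asks for in OIDCIdentityProvider, a missing
      'typ' is accepted, a present 'typ' must still equal expected_typ.
    require_typ=True: what is proposed for KeycloakOIDCIdentityProvider, and what
      every provider does today, which is the regression.
    expected_typ="Bearer" is an assumed value for this demo.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("invalid_token: not a compact JWT")
    payload = _decode(parts[1])
    typ = payload.get("typ")
    if typ is None:
        if require_typ:
            raise InvalidToken("invalid_token: missing typ claim")
        return payload
    if typ != expected_typ:
        raise InvalidToken(f"invalid_token: unexpected typ {typ!r}")
    return payload


def exchange_outcome(token: str, require_typ: bool) -> str:
    """Summarise what the exchange would do for a token under a given policy."""
    try:
        check_typ_claim(token, require_typ)
        return "accepted"
    except InvalidToken as exc:
        return str(exc)


# Constructed: a Microsoft-style token with no payload 'typ', and a Keycloak-style one.
EXTERNAL_NO_TYP = make_token({"alg": "RS256", "typ": "JWT"},
                             {"iss": "https://login.example/v2.0", "sub": "u1"})
KEYCLOAK_STYLE = make_token({"alg": "RS256", "typ": "JWT"},
                            {"iss": "https://kc.example/realms/r", "sub": "u1", "typ": "Bearer"})

if __name__ == "__main__":
    print("current  (typ required):", exchange_outcome(EXTERNAL_NO_TYP, True))
    print("proposed (typ optional):", exchange_outcome(EXTERNAL_NO_TYP, False))
```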