keycloak / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

External token (not issued by Keycloak) cannot be validated in token exchange flow in case user info check is disabled #33332

Open cvetkovv opened 3 weeks ago

cvetkovv commented 3 weeks ago


Area

token-exchange

Describe the bug

When exchanging an access token issued by an external provider (e.g. Microsoft configured as OpenID Connect v1.0) with the user info check disabled, Keycloak returns the error invalid_token because the token doesn't contain the typ claim. The typ claim is optional and some providers (e.g. Microsoft) do not set it. The regression was introduced with https://github.com/keycloak/keycloak/pull/28866

The suggested change is to validate the typ claim only if it is available, and to make it required only in KeycloakOIDCIdentityProvider.

In OIDCIdentityProvider:

protected boolean isTokenTypeSupported(JsonWebToken parsedToken) {
    String type = parsedToken.getType();
    // A missing typ claim is accepted; a present one must be a supported type.
    return Objects.isNull(type) || SUPPORTED_TOKEN_TYPES.contains(type);
}

and in KeycloakOIDCIdentityProvider:

@Override
protected boolean isTokenTypeSupported(JsonWebToken parsedToken) {
    String type = parsedToken.getType();
    // Tokens issued by Keycloak always carry typ, so its absence is a hard failure here.
    if (Objects.isNull(type)) {
        return false;
    }
    return super.isTokenTypeSupported(parsedToken);
}

Version

25.0.6

Regression

Expected behavior

The access token can be validated even if it doesn't contain the typ claim.

Actual behavior

External tokens that do not contain the typ claim cannot be exchanged for internal tokens when the user info check is disabled, because of the error invalid_token.

How to Reproduce?

Configure an OpenID Connect v1.0 identity provider that doesn't set the typ claim (e.g. Microsoft), disable the user info check, and try to exchange an external token for an internal one with grant_type = urn:ietf:params:oauth:grant-type:token-exchange and subject_token_type=urn:ietf:params:oauth:token-type:jwt.

Anything else?

No response
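The three variants of the type check described in the report, side by side on constructed tokens. This is an added, self-contained example and not Keycloak's code: ParsedToken is a stand-in for JsonWebToken that only reads the payload's typ claim, the class names StrictOidcTypeCheck, LenientOidcTypeCheck and KeycloakOidcTypeCheck are hypothetical, and the contents of SUPPORTED_TOKEN_TYPES are assumed rather than taken from OIDCIdentityProvider. Signature, issuer and expiry validation are deliberately out of scope; the proposal only relaxes the typ comparison and leaves those checks untouched.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Stand-in for Keycloak's JsonWebToken: only the payload's "typ" claim is extracted. */
final class ParsedToken {
    private final String type; // null when the payload carries no "typ" claim

    ParsedToken(String type) {
        this.type = type;
    }

    String getType() {
        return type;
    }

    /** Decode the payload of a compact JWS and read "typ". The signature is not verified here;
     *  in Keycloak that happens separately and is unaffected by the proposed change. */
    static ParsedToken fromCompact(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected header.payload.signature)");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        // Narrow regex instead of a JSON library so the file compiles with the JDK alone.
        Matcher m = Pattern.compile("\"typ\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return new ParsedToken(m.find() ? m.group(1) : null);
    }
}

/** Behaviour the report describes after PR #28866: a token without "typ" is rejected. */
class StrictOidcTypeCheck {
    // Assumed values; the real SUPPORTED_TOKEN_TYPES constant lives in OIDCIdentityProvider.
    static final Set<String> SUPPORTED_TOKEN_TYPES = new HashSet<>(Arrays.asList("Bearer", "JWT"));

    boolean isTokenTypeSupported(ParsedToken parsedToken) {
        String type = parsedToken.getType();
        return type != null && SUPPORTED_TOKEN_TYPES.contains(type);
    }
}

/** The proposed OIDCIdentityProvider check: "typ" is validated only when present. */
class LenientOidcTypeCheck extends StrictOidcTypeCheck {
    @Override
    boolean isTokenTypeSupported(ParsedToken parsedToken) {
        String type = parsedToken.getType();
        return Objects.isNull(type) || SUPPORTED_TOKEN_TYPES.contains(type);
    }
}

/** The proposed KeycloakOIDCIdentityProvider check: Keycloak-issued tokens must still carry "typ". */
class KeycloakOidcTypeCheck extends LenientOidcTypeCheck {
    @Override
    boolean isTokenTypeSupported(ParsedToken parsedToken) {
        if (Objects.isNull(parsedToken.getType())) {
            return false;
        }
        return super.isTokenTypeSupported(parsedToken);
    }
}

public class TokenTypeCheckDemo {
    /** Build an unsigned compact JWS from a payload; the "sig" segment is a placeholder. */
    static String unsignedJwt(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".sig";
    }

    public static void main(String[] args) {
        // Constructed samples: an external token without "typ" (as the report describes for
        // Microsoft) and a Keycloak-style token that carries "typ": "Bearer".
        ParsedToken external = ParsedToken.fromCompact(
                unsignedJwt("{\"iss\":\"https://login.example.test/v2.0\",\"sub\":\"user-1\"}"));
        ParsedToken internal = ParsedToken.fromCompact(
                unsignedJwt("{\"iss\":\"https://kc.example.test/realms/demo\",\"sub\":\"user-1\",\"typ\":\"Bearer\"}"));

        StrictOidcTypeCheck strict = new StrictOidcTypeCheck();
        LenientOidcTypeCheck lenient = new LenientOidcTypeCheck();
        KeycloakOidcTypeCheck keycloak = new KeycloakOidcTypeCheck();

        System.out.println("external token, strict check (regression): " + strict.isTokenTypeSupported(external));
        System.out.println("external token, proposed OIDC check:       " + lenient.isTokenTypeSupported(external));
        System.out.println("external token, Keycloak-only check:       " + keycloak.isTokenTypeSupported(external));
        System.out.println("internal token, Keycloak-only check:       " + keycloak.isTokenTypeSupported(internal));
    }
}
```

Compile and run with `javac TokenTypeCheckDemo.java && java TokenTypeCheckDemo`. The external token is rejected by the strict check and by the Keycloak-specific subclass but accepted by the lenient base check, which is exactly the split the report proposes: providers that omit typ pass, while a token claiming to come from Keycloak without typ is still treated as malformed.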

keycloak-github-bot[bot] commented 3 weeks ago

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a :thumbsup: to the description. We would also welcome a contribution to fix the issue.

infl00p commented 2 days ago

I recently upgraded to KC25.0.6 and I am affected by this issue. I left a comment in the PR #33344 to backport to KC25 since it's a regression and there are no workarounds.