Disable issuer verification of Initial Access Token and Registration …

…Access Token Signed-off-by: Réda Housni Alaoui <[email protected]>
Cosium · Mar 19, 2024 · 531d1fc · 531d1fc
1 parent b77e228
commit 531d1fc
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 18 deletions.
diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
@@ -17,6 +17,7 @@
 
 package org.keycloak.services.clientregistration;
 
+import java.util.function.Predicate;
 import org.jboss.resteasy.spi.Failure;
 import org.keycloak.Config;
 import org.keycloak.OAuthErrorException;
@@ -89,7 +90,12 @@ private void init() {
 
         token = split[1];
 
-        ClientRegistrationTokenUtils.TokenVerification tokenVerification = ClientRegistrationTokenUtils.verifyToken(session, realm, token);
+        ClientRegistrationTokenUtils.TokenVerification tokenVerification = ClientRegistrationTokenUtils.verifyToken(
+                session,
+                realm,
+                token,
+                Predicate.<JsonWebToken>not(ClientRegistrationAuth::isRegistrationAccessToken)
+                        .and(Predicate.not(ClientRegistrationAuth::isInitialAccessToken)));
         if (tokenVerification.getError() != null) {
             throw unauthorized(tokenVerification.getError().getMessage());
         }
@@ -121,10 +127,19 @@ private boolean isBearerToken() {
     }
 
     public boolean isInitialAccessToken() {
+        return isInitialAccessToken(jwt);
+    }
+
+    private static boolean isInitialAccessToken(JsonWebToken jwt) {
         return jwt != null && ClientRegistrationTokenUtils.TYPE_INITIAL_ACCESS_TOKEN.equals(jwt.getType());
     }
 
+
     public boolean isRegistrationAccessToken() {
+        return isRegistrationAccessToken(jwt);
+    }
+
+    private static boolean isRegistrationAccessToken(JsonWebToken jwt) {
         return jwt != null && ClientRegistrationTokenUtils.TYPE_REGISTRATION_ACCESS_TOKEN.equals(jwt.getType());
     }
 

diff --git a/.../src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java b/.../src/main/java/org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.java
@@ -17,6 +17,7 @@
 
 package org.keycloak.services.clientregistration;
 
+import java.util.function.Predicate;
 import org.keycloak.TokenCategory;
 import org.keycloak.TokenVerifier;
 import org.keycloak.common.VerificationException;
@@ -85,16 +86,17 @@ public static String createInitialAccessToken(KeycloakSession session, RealmMode
         return setupToken(initialToken, session, realm, model.getId(), TYPE_INITIAL_ACCESS_TOKEN, model.getExpiration() > 0 ? model.getTimestamp() + model.getExpiration() : 0);
     }
 
-    public static TokenVerification verifyToken(KeycloakSession session, RealmModel realm, String token) {
+    public static TokenVerification verifyToken(KeycloakSession session, RealmModel realm, String token, Predicate<JsonWebToken> mustVerifyIssuer) {
         if (token == null) {
             return TokenVerification.error(new RuntimeException("Missing token"));
         }
 
         String kid;
         JsonWebToken jwt;
         try {
+            TokenVerifier.Predicate<JsonWebToken> realmUrlCheck = jsonWebToken -> !mustVerifyIssuer.test(jsonWebToken) || new TokenVerifier.RealmUrlCheck(getIssuer(session, realm)).test(jsonWebToken);
             TokenVerifier<JsonWebToken> verifier = TokenVerifier.create(token, JsonWebToken.class)
-                    .withChecks(new TokenVerifier.RealmUrlCheck(getIssuer(session, realm)), TokenVerifier.IS_ACTIVE, new TokenRevocationCheck(session));
+                    .withChecks(realmUrlCheck, TokenVerifier.IS_ACTIVE, new TokenRevocationCheck(session));
 
             SignatureVerifierContext verifierContext = session.getProvider(SignatureProvider.class, verifier.getHeader().getAlgorithm().name()).verifier(verifier.getHeader().getKeyId());
             verifier.verifierContext(verifierContext);

diff --git a/...illian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java b/...illian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
@@ -753,4 +753,24 @@ public void registerClientWithWrongCharacters() throws IOException {
             }
         }
     }
+
+    @Test
+    public void registerClientInMasterRealmViaAlternativeDomain() throws Exception {
+        String alternativeContextRoot = "http://keycloak.127.0.0.1.nip.io:" + System.getProperty("auth.server.http.port");
+        ClientRegistration alternativeReg = ClientRegistration.create().url(alternativeContextRoot + "/auth", "master").build();
+
+        String token = oauth.doGrantAccessTokenRequest("master", "admin", "admin", null, Constants.ADMIN_CLI_CLIENT_ID, null).getAccessToken();
+        alternativeReg.auth(Auth.token(token));
+
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId(CLIENT_ID);
+        client.setSecret(CLIENT_SECRET);
+
+        try {
+            alternativeReg.create(client);
+            fail("Expected 401");
+        } catch (ClientRegistrationException e) {
+            assertEquals(401, ((HttpErrorException) e.getCause()).getStatusLine().getStatusCode());
+        }
+    }
 }
diff --git a/...illian/tests/base/src/test/java/org/keycloak/testsuite/client/InitialAccessTokenTest.java b/...illian/tests/base/src/test/java/org/keycloak/testsuite/client/InitialAccessTokenTest.java
@@ -22,6 +22,7 @@
 import org.junit.Test;
 import org.keycloak.admin.client.resource.ClientInitialAccessResource;
 import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
 import org.keycloak.client.registration.ClientRegistrationException;
 import org.keycloak.client.registration.HttpErrorException;
 import org.keycloak.crypto.Algorithm;
@@ -150,4 +151,20 @@ public void createDeleted() throws ClientRegistrationException, InterruptedExcep
         }
     }
 
+    @Test
+    public void createViaAlternativeDomain() throws ClientRegistrationException {
+        String alternativeContextRoot = "http://keycloak.127.0.0.1.nip.io:" + System.getProperty("auth.server.http.port");
+        ClientRegistration alternativeReg = ClientRegistration.create().url(alternativeContextRoot + "/auth", "test").build();
+
+        ClientInitialAccessPresentation response = resource.create(new ClientInitialAccessCreatePresentation());
+        alternativeReg.auth(Auth.token(response));
+
+        ClientRepresentation rep = new ClientRepresentation();
+
+        setTimeOffset(10);
+
+        ClientRepresentation created = alternativeReg.create(rep);
+        Assert.assertNotNull(created);
+    }
+
 }
diff --git a/...n/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java b/...n/tests/base/src/test/java/org/keycloak/testsuite/client/RegistrationAccessTokenTest.java
@@ -20,6 +20,7 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
 import org.keycloak.client.registration.ClientRegistrationException;
 import org.keycloak.client.registration.HttpErrorException;
 import org.keycloak.representations.idm.ClientRepresentation;
@@ -62,22 +63,26 @@ public void before() throws Exception {
         reg.auth(Auth.token(client.getRegistrationAccessToken()));
     }
 
+	private ClientRepresentation assertRead(ClientRegistration reg, String id, String registrationAccess, boolean expectSuccess) throws ClientRegistrationException {
+		if (expectSuccess) {
+			reg.auth(Auth.token(registrationAccess));
+			ClientRepresentation rep = reg.get(id);
+			assertNotNull(rep);
+			return rep;
+		} else {
+			reg.auth(Auth.token(registrationAccess));
+			try {
+				reg.get(client.getClientId());
+				fail("Expected 403");
+			} catch (Exception e) {
+				assertEquals(401, ((HttpErrorException) e.getCause()).getStatusLine().getStatusCode());
+			}
+		}
+		return null;
+	}
+
     private ClientRepresentation assertRead(String id, String registrationAccess, boolean expectSuccess) throws ClientRegistrationException {
-        if (expectSuccess) {
-            reg.auth(Auth.token(registrationAccess));
-            ClientRepresentation rep = reg.get(id);
-            assertNotNull(rep);
-            return rep;
-        } else {
-            reg.auth(Auth.token(registrationAccess));
-            try {
-                reg.get(client.getClientId());
-                fail("Expected 403");
-            } catch (Exception e) {
-                assertEquals(401, ((HttpErrorException) e.getCause()).getStatusLine().getStatusCode());
-            }
-        }
-        return null;
+        return assertRead(reg, id, registrationAccess, expectSuccess);
     }
 
     @Test
@@ -174,4 +179,13 @@ public void deleteClientWithBadRegistrationToken() throws ClientRegistrationExce
         assertNotNull(getClient(client.getId()));
     }
 
+	@Test
+	public void getClientViaAlternativeDomain() throws ClientRegistrationException {
+		setTimeOffset(10);
+
+		String alternativeContextRoot = "http://keycloak.127.0.0.1.nip.io:" + System.getProperty("auth.server.http.port");
+		ClientRegistration alternativeReg = ClientRegistration.create().url(alternativeContextRoot + "/auth", "test").build();
+
+		assertRead(alternativeReg, client.getClientId(), client.getRegistrationAccessToken(), true);
+	}
 }