From 7ca00975d433435bfd84f46f9bbbef4f2ed679da Mon Sep 17 00:00:00 2001
From: Joshua Sorah
Date: Fri, 3 Nov 2023 22:31:08 -0400
Subject: [PATCH] Feature flag DPoP metadata in OIDC Well Known endpoint
Closes keycloak/keycloak#24547
Signed-off-by: Joshua Sorah
---
 .../protocol/oidc/OIDCWellKnownProvider.java | 4 +++-
 .../oidc/OIDCWellKnownProviderTest.java | 23 ++++++++++++++++---
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
index 49e4329d423..89d558c9cb9 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCWellKnownProvider.java
@@ -196,7 +196,9 @@ public class OIDCWellKnownProvider implements WellKnownProvider {
 // https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-6.2
 config.setTlsClientCertificateBoundAccessTokens(true);
- config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
+ if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
+ config.setDpopSigningAlgValuesSupported(new ArrayList<>(DPoPUtil.DPOP_SUPPORTED_ALGS));
+ }
 URI revocationEndpoint = frontendUriBuilder.clone().path(OIDCLoginProtocolService.class, "revoke")
 .build(realm.getName(), OIDCLoginProtocol.LOGIN_PROTOCOL);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
index d9b674bc6ac..60b11db79b4 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCWellKnownProviderTest.java
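Review bot: The new `if` block gates `dpop_signing_alg_values_supported` without any reference comment, while the neighbouring mTLS line cites its spec; a one-liner above the `if` such as `// RFC 9449 section 5.1: advertise DPoP proof algorithms only while the DPoP feature is enabled` would record why the metadata is conditional. On the disabled path the field is simply never set, so its absence from the discovery document relies on the representation's default and on null fields not being serialised, neither of which is visible here and both worth confirming rather than assuming. Whether the token endpoint's DPoP proof handling is gated by the same `Profile.Feature.DPOP` check is also outside this hunk; if it is not, the server would accept DPoP-bound requests it no longer advertises, and the two checks should agree. The enclosing method starts and ends outside the hunk.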
@@ -69,6 +69,7 @@ import java.util.Map;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertNull;
 /**
 * @author Marek Posolda
@@ -218,9 +219,9 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
 assertTrue(oidcConfig.getFrontChannelLogoutSessionSupported());
 assertTrue(oidcConfig.getFrontChannelLogoutSupported());
- // DPoP
- Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
- Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
+ // DPoP - negative test for preview profile - see testDpopSigningAlgValuesSupportedWithDpop for actual test
+ assertNull("dpop_signing_alg_values_supported should not be present unless DPoP feature is enabled",
+ oidcConfig.getDpopSigningAlgValuesSupported());
 } finally {
 client.close();
 }
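Review bot: The new `assertNull` only inspects the deserialised getter, so it cannot tell the key being absent from the key being present with a `null` value; if the intent stated in the assertion message is that the discovery document must not mention DPoP while the feature is disabled, the raw response should also be checked for the absence of `dpop_signing_alg_values_supported` (whether the harness exposes the raw JSON is not visible in this hunk). The replacement comment refers to `testDpopSigningAlgValuesSupportedWithDpop` by plain name in a `//` comment, where no `{@link}` is available, so it will silently go stale on rename; keeping the two names side by side in the same commit whenever either changes is the practical mitigation. The enclosing test method starts outside the hunk.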
@@ -401,6 +402,22 @@ public class OIDCWellKnownProviderTest extends AbstractKeycloakTest {
 }
 }
+ @Test
+ @EnableFeature(value = Profile.Feature.DPOP, skipRestart = true)
+ public void testDpopSigningAlgValuesSupportedWithDpop() throws IOException {
+ Client client = AdminClientUtil.createResteasyClient();
+
+ try {
+ OIDCConfigurationRepresentation oidcConfig = getOIDCDiscoveryRepresentation(client, OAuthClient.AUTH_SERVER_ROOT);
+
+ // DPoP
+ Assert.assertNames(oidcConfig.getDpopSigningAlgValuesSupported(), Algorithm.PS256, Algorithm.PS384, Algorithm.PS512,
+ Algorithm.RS256, Algorithm.RS384, Algorithm.RS512, Algorithm.ES256, Algorithm.ES384, Algorithm.ES512);
+ } finally {
+ client.close();
+ }
+ }
+
 private void assertScopesSupportedMatchesWithRealm(OIDCConfigurationRepresentation oidcConfig) {
 Assert.assertNames(oidcConfig.getScopesSupported(), OAuth2Constants.SCOPE_OPENID, OAuth2Constants.OFFLINE_ACCESS,
 OAuth2Constants.SCOPE_PROFILE, OAuth2Constants.SCOPE_EMAIL, OAuth2Constants.SCOPE_PHONE, OAuth2Constants.SCOPE_ADDRESS, OIDCLoginProtocolFactory.ACR_SCOPE,
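Review bot: `testDpopSigningAlgValuesSupportedWithDpop` has no Javadoc and its `// DPoP` comment adds nothing the method name does not already say; a short Javadoc stating that it is the feature-enabled counterpart of the `assertNull` check in the discovery test and that the expected set mirrors `DPoPUtil.DPOP_SUPPORTED_ALGS` would make the pairing explicit. Because `@EnableFeature` is used with `skipRestart = true`, this test only holds as long as the well-known provider evaluates `Profile.isFeatureEnabled` per request rather than caching it at startup — the provider hunk in this patch does read it inline, but that dependency deserves a sentence in the Javadoc so a future cache does not turn this into a flaky test. The hand-written algorithm list is a useful pin: any change to the advertised DPoP proof algorithms will fail here, which is exactly the review gate wanted for security-relevant metadata.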