Patch for Keycloak bug: [OIDC] Access Token claims not imported using Identity Provider Attribute Importer Mappers. See https://github.com/keycloak/keycloak/discussions/8462
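--- a/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
@@ -63,13 +63,6 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
 return new KeycloakEndpoint(callback, realm, event);
 }
-@Override
-protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
-// Don't verify audience on accessToken as it may not be there. It was verified on IDToken already
-JsonWebToken access = validateToken(response.getToken(), true);
-context.getContextData().put(VALIDATED_ACCESS_TOKEN, access);
-}
-
 protected class KeycloakEndpoint extends OIDCEndpoint {
 public KeycloakEndpoint(AuthenticationCallback callback, RealmModel realm, EventBuilder event) {
 super(callback, realm, event);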
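--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -250,8 +250,9 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
 }
 protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
-
-
+// Don't verify audience on accessToken as it may not be there. It was verified on IDToken already
+JsonWebToken access = validateToken(response.getToken(), true);
+context.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, access);
 }
 protected SimpleHttp getRefreshTokenRequest(KeycloakSession session, String refreshToken, String clientId, String clientSecret) {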
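Review bot: Moving `validateToken(response.getToken(), true)` into the base class makes every OIDC identity provider, not only the Keycloak-to-Keycloak broker, parse and verify its access token as a JWT, so a provider whose access token is opaque, or whose keys cannot be resolved for it, will presumably fail at this line and break the whole login unless it overrides the method the way the GitLab and Google hunks do. The copied comment justifies skipping audience verification for the Keycloak case only; for a generic provider the access token's `aud` may name a resource server rather than this broker, and its claims are nevertheless placed in the context where attribute importer mappers consume them. Consider making the base behaviour tolerant, leaving `VALIDATED_ACCESS_TOKEN` unset when the token cannot be validated and logging at debug, and expand the comment to say that the stored token is signature- and issuer-checked but not audience-bound; the exception type below assumes `validateToken` reports failure via `IdentityBrokerException` as the rest of the broker package does, which should be confirmed.
```java
protected void processAccessTokenResponse(BrokeredIdentityContext context, AccessTokenResponse response) {
    // Audience is intentionally not verified: it was checked on the ID token, and an access
    // token's aud may name a resource server rather than this broker. Signature and issuer
    // are still checked by validateToken. Tokens that are not JWTs (opaque provider tokens)
    // are simply not exposed to attribute mappers instead of failing the login.
    try {
        JsonWebToken access = validateToken(response.getToken(), true);
        context.getContextData().put(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN, access);
    } catch (IdentityBrokerException e) {
        logger.debug("Access token could not be validated as a JWT; not importing its claims", e);
    }
}
```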
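--- a/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java
@@ -63,6 +63,10 @@ public class GitLabIdentityProvider extends OIDCIdentityProvider implements Soc
 }
 }
+@Override
+protected void processAccessTokenResponse(BrokeredIdentityContext context,
+AccessTokenResponse response) {}
+
 protected String getUsernameFromUserInfo(JsonNode userInfo) {
 return getJsonProperty(userInfo, "username");
 }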
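Review bot: The empty override of `processAccessTokenResponse` silently turns off access-token claim import for GitLab without saying why, and the same applies to the identical override in the GoogleIdentityProvider.java hunk. Presumably these providers issue access tokens that are not JWTs, so the base-class `validateToken` call would fail, but a reader of the subclass cannot tell that from an empty body and may later "fix" it by removing the override. Suggest a one-line comment in each, along the lines of `// The provider's access token is not a JWT: skip validation, so no VALIDATED_ACCESS_TOKEN is exposed to attribute mappers.`, adjusted if the opaque-token assumption does not hold.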
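--- a/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
@@ -27,6 +27,7 @@ import org.keycloak.common.ClientConnection;
 import org.keycloak.common.util.KeycloakUriBuilder;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.JsonWebToken;
 import javax.ws.rs.core.MultivaluedMap;
@@ -72,6 +73,10 @@ public class GoogleIdentityProvider extends OIDCIdentityProvider implements Soci
 return uri;
 }
+@Override
+protected void processAccessTokenResponse(BrokeredIdentityContext context,
+AccessTokenResponse response) {}
+
 @Override
 protected boolean supportsExternalExchange() {
 return true;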