Fix DCR endpoint to honor requested token_endpoint_auth_method #45055
+62
−4
## Description

The Dynamic Client Registration (DCR) endpoint was ignoring the client's requested `token_endpoint_auth_method` parameter and consistently returning `client_secret_basic`, even when clients explicitly requested `client_secret_post` or other supported methods.

## Root Cause
The issue occurred because:

- The `client-secret` authenticator in Keycloak supports both `client_secret_basic` and `client_secret_post` methods.
- The DCR endpoint calls `getProtocolAuthenticatorMethods()`, which returns a `Set<String>` containing both methods.
- The code used `iterator().next()` to get the first element, which always returned `client_secret_basic` due to `LinkedHashSet` ordering.

## Changes Made
### Core Fix

- Store the requested `token_endpoint_auth_method` in client attributes during registration.
- `TOKEN_ENDPOINT_AUTH_METHOD` constant.

### Backward Compatibility
### Tests Added

- `testClientSecretPostAuthMethod()`: Verifies `client_secret_post` is stored and returned correctly.
- `testClientSecretBasicAuthMethod()`: Verifies `client_secret_basic` is stored and returned correctly.

## Testing
### Manual Testing

You can verify the fix with this curl command:

```shell
curl -X POST http://localhost:8080/realms/{realm}/clients-registrations/openid-connect \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "Test Client",
    "redirect_uris": ["http://localhost:8000/callback"],
    "token_endpoint_auth_method": "client_secret_post"
  }'
```

Before fix: Response contains `"token_endpoint_auth_method": "client_secret_basic"`

After fix: Response contains `"token_endpoint_auth_method": "client_secret_post"` ✅

### Automated Tests
Two new test cases added to verify both `client_secret_post` and `client_secret_basic` are properly preserved.

## Impact
This fix ensures RFC 7591 compliance and restores compatibility with:

## Compliance Checklist

Closes #44403
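The following is an added example, not code from this PR or from Keycloak. It is a standalone Python model of the root cause and the fix described above: the pre-fix selection takes the first element of the authenticator's ordered method set (the `iterator().next()` on a `LinkedHashSet` pattern), so a client asking for `client_secret_post` is silently downgraded; the post-fix selection honors the request, falls back to the RFC 7591 default when the parameter is omitted, and rejects unsupported values with the RFC 7591 `invalid_client_metadata` error. The function and constant names, the supported-method list and the sample registration request are all constructed for the illustration.

```python
"""Model of DCR token_endpoint_auth_method handling (added example, not
Keycloak code): buggy first-element selection versus request-honoring
selection, plus the echo check a tester applies to the registration response."""

# Constructed: the methods the "client-secret" authenticator supports, in the
# insertion order a Java LinkedHashSet would preserve (basic first).
SUPPORTED_SECRET_METHODS = ["client_secret_basic", "client_secret_post"]

# RFC 7591 section 2: when token_endpoint_auth_method is omitted the default
# is client_secret_basic.
DEFAULT_METHOD = "client_secret_basic"

# Constructed request body, mirroring the curl body in the PR description.
SAMPLE_REQUEST = {
    "client_name": "Test Client",
    "redirect_uris": ["http://localhost:8000/callback"],
    "token_endpoint_auth_method": "client_secret_post",
}


class InvalidClientMetadata(ValueError):
    """RFC 7591 section 3.2.2 error returned for rejected registration metadata."""

    def __init__(self, detail):
        super().__init__(detail)
        self.error = "invalid_client_metadata"


def select_auth_method_before_fix(requested, supported=SUPPORTED_SECRET_METHODS):
    """Pre-fix behaviour: the requested value is ignored and the first element
    of the ordered supported set wins, whatever the client asked for."""
    return next(iter(supported))


def select_auth_method_after_fix(requested, supported=SUPPORTED_SECRET_METHODS):
    """Post-fix behaviour: honor the request, default when omitted, reject
    anything the authenticator does not support."""
    if requested is None:
        return DEFAULT_METHOD
    if requested not in supported:
        raise InvalidClientMetadata(
            f"unsupported token_endpoint_auth_method: {requested}"
        )
    return requested


def validate_requested_method(requested):
    """Return the RFC 7591 error code for a rejected value, or None if accepted."""
    try:
        select_auth_method_after_fix(requested)
    except InvalidClientMetadata as exc:
        return exc.error
    return None


def register_client(metadata, select=select_auth_method_after_fix):
    """Minimal registration handler: resolve the method, persist it as a client
    attribute, and echo it in the response (RFC 7591 section 3.2.1 requires the
    response to carry the registered metadata). Returns (stored_client, response)."""
    method = select(metadata.get("token_endpoint_auth_method"))
    client = {
        "client_name": metadata.get("client_name"),
        "redirect_uris": list(metadata.get("redirect_uris", [])),
        # The value the fix stores so later token requests are checked against it.
        "attributes": {"token_endpoint_auth_method": method},
    }
    response = {
        "client_name": client["client_name"],
        "redirect_uris": client["redirect_uris"],
        "token_endpoint_auth_method": client["attributes"]["token_endpoint_auth_method"],
    }
    return client, response


def registration_honors_request(metadata, select):
    """True when the response echoes the method the client requested; this is
    the comparison to make on the curl output shown in the manual test."""
    _, response = register_client(metadata, select)
    return response["token_endpoint_auth_method"] == metadata["token_endpoint_auth_method"]


if __name__ == "__main__":
    print("before fix honors request:",
          registration_honors_request(SAMPLE_REQUEST, select_auth_method_before_fix))
    print("after fix honors request:",
          registration_honors_request(SAMPLE_REQUEST, select_auth_method_after_fix))
    print("unsupported value ->", validate_requested_method("not_a_method"))
```

The `registration_honors_request` comparison is the same check as the manual test above: the stored attribute must be what the response echoes, and both must equal what was requested, otherwise a client configured for `client_secret_post` will be registered as a `client_secret_basic` client and fail at the token endpoint.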