Thanks to visit codestin.com
Credit goes to Github.com

Skip to content

Added RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST - Fixes policy enforcement gap for direct access grant flows #46283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
msdaly200 wants to merge 2 commits into
base: main
Choose a base branch
from
+39 −0
Open

Added RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST - Fixes policy enforcement gap for direct access grant flows #46283

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
aa3b62a
Added RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST - Fixes policy enfo…
msdaly200 Feb 12, 2026
01fca96
Updates to test
msdaly200 Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ...src/main/java/org/keycloak/services/clientpolicy/condition/ClientAccessTypeCondition.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ public String getProviderId() {
public ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
switch (context.getEvent()) {
case AUTHORIZATION_REQUEST:
case RESOURCE_OWNER_PASSWORD_CREDENTIALS_REQUEST:
case TOKEN_REQUEST:
case TOKEN_RESPONSE:
case SERVICE_ACCOUNT_TOKEN_REQUEST:
Expand Down
38 changes: 38 additions & 0 deletions ...lian/tests/base/src/test/java/org/keycloak/testsuite/oidc/LightWeightAccessTokenTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.clientpolicy.condition.AnyClientConditionFactory;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.services.clientpolicy.executor.UseLightweightAccessTokenExecutorFactory;
import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
Expand Down Expand Up @@ -608,6 +609,43 @@ public void testAdminApiWithLightweightAccessAndSubClaim() {
setScopeProtocolMapper("master", OIDCLoginProtocolFactory.BASIC_SCOPE, "sub", true, false, false);
}

@Test
public void testPublicClientWithLightweightAccessTokenViaDirectGrant() throws Exception {
// Setup client policy with client-access-type=public + lightweight token executor
String json = (new ClientPoliciesUtil.ClientProfilesBuilder()).addProfile(
(new ClientPoliciesUtil.ClientProfileBuilder()).createProfile(PROFILE_NAME, "Lightweight Token for Public Clients")
.addExecutor(UseLightweightAccessTokenExecutorFactory.PROVIDER_ID, null)
.toRepresentation()
).toString();
updateProfiles(json);

json = (new ClientPoliciesUtil.ClientPoliciesBuilder()).addPolicy(
(new ClientPoliciesUtil.ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Public Client Policy", Boolean.TRUE)
.addCondition(ClientAccessTypeConditionFactory.PROVIDER_ID,
ClientPoliciesUtil.createClientAccessTypeConditionConfig(List.of(ClientAccessTypeConditionFactory.TYPE_PUBLIC)))
.addProfile(PROFILE_NAME)
.toRepresentation()
).toString();
updatePolicies(json);

// Create public client with direct access grants
String publicClientId = generateSuffixedName("public-direct-grant-client");
createClientByAdmin(publicClientId, (ClientRepresentation clientRep) -> {
clientRep.setPublicClient(Boolean.TRUE);
clientRep.setDirectAccessGrantsEnabled(Boolean.TRUE);
});

// Perform direct access grant (POST with username/password)
oauth.client(publicClientId);
AccessTokenResponse response = oauth.doPasswordGrantRequest(TEST_USER_NAME, TEST_USER_PASSWORD);

// Verify lightweight token
AccessToken token = oauth.verifyToken(response.getAccessToken());
AccessTokenContext ctx = testingClient.testing(REALM_NAME).getTokenContext(token.getId());
Assert.assertEquals(AccessTokenContext.TokenType.LIGHTWEIGHT, ctx.getTokenType());
Assert.assertEquals(TEST_USER_PASSWORD, ctx.getGrantType());
}

private void removeSession(final String sessionId) {
testingClient.testing().removeExpired(REALM_NAME);
try {
Expand Down
Loading