Add config param disableTypeClaimCheck in order to validate external … #35075
+75
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
c2bfc05 to
2e82d9e
Compare
Contributor
Author
|
Based on the discussion 33344 |
2e82d9e to
cec58c1
Compare
| searchGroups=Search groups | ||
| trusted-hosts.tooltip=List of Hosts, which are trusted and are allowed to invoke Client Registration Service and/or be used as values of Client URIs. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted. | ||
| disableNonceHelp=Do not send the nonce parameter in the authentication request. The nonce parameter is sent and verified by default. | ||
| disableTypeClaimCheckHelp=Do not validate the type claim. The type claim is validated by default. |
Contributor
There was a problem hiding this comment.
I think it would be helpful to enhance this message a bit for clarity, e.g.:
Disables the validation of the `typ` claim of tokens received from the Identity Provider. If this is `off` the type claim is validated (default).
cec58c1 to
83f3c13
Compare
2 tasks
|
Added a thumbs up for visibility. |
|
Hello, any ETA for this to be closed ? :) |
51 tasks
2 tasks
|
We have a similar issue with Okta tokens, they don't contain the typ claim. This PR would solve our problem. |
83f3c13 to
f510250
Compare
f510250 to
83f3c13
Compare
Contributor
|
@cvetkovv - can you please rebase your PR? The test case unfortunately picked up conflict. Thanks! |
…tokens without typ claim Closes keycloak#33332 Signed-off-by: Venelin Cvetkov <[email protected]>
83f3c13 to
eddaca8
Compare
ahus1
approved these changes
Mar 20, 2025
Contributor
ahus1
left a comment
There was a problem hiding this comment.
Approving based on previous reviews. Thank you for fixing this often-requested issue!
ybasket
added a commit
to ybasket/terraform-provider-keycloak
that referenced
this pull request
Apr 11, 2025
Keycloak 26.2.0 adds a new option for the OIDC identity provider to disable checking the "typ" claim in incoming tokens. See keycloak/keycloak#35075. This adds support for this option to the Terraform provider.
ybasket
added a commit
to ybasket/terraform-provider-keycloak
that referenced
this pull request
Apr 11, 2025
Keycloak 26.2.0 adds a new option for the OIDC identity provider to disable checking the "typ" claim in incoming tokens. See keycloak/keycloak#35075. This adds support for this option to the Terraform provider. Signed-off-by: Yannick Heiber <[email protected]>
sschu
added a commit
to keycloak/terraform-provider-keycloak
that referenced
this pull request
Jun 20, 2025
Keycloak 26.2.0 adds a new option for the OIDC identity provider to disable checking the "typ" claim in incoming tokens. See keycloak/keycloak#35075. This adds support for this option to the Terraform provider. Signed-off-by: Yannick Heiber <[email protected]> Co-authored-by: Sebastian Schuster <[email protected]>
viniciusd
pushed a commit
to viniciusd/terraform-provider-keycloak
that referenced
this pull request
Jun 27, 2025
Keycloak 26.2.0 adds a new option for the OIDC identity provider to disable checking the "typ" claim in incoming tokens. See keycloak/keycloak#35075. This adds support for this option to the Terraform provider. Signed-off-by: Yannick Heiber <[email protected]> Co-authored-by: Sebastian Schuster <[email protected]> Signed-off-by: Vinicius Dantas <[email protected]>
horus
pushed a commit
to horus/terraform-provider-keycloak
that referenced
this pull request
Jul 6, 2025
Keycloak 26.2.0 adds a new option for the OIDC identity provider to disable checking the "typ" claim in incoming tokens. See keycloak/keycloak#35075. This adds support for this option to the Terraform provider. Signed-off-by: Yannick Heiber <[email protected]> Co-authored-by: Sebastian Schuster <[email protected]> Signed-off-by: horus <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…tokens without typ claim
Closes #33332