Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Filter scopes in token exchange v2 based on requested audience #37353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mposolda merged 1 commit into from
Feb 14, 2025
Merged

Filter scopes in token exchange v2 based on requested audience #37353

mposolda merged 1 commit into from
Feb 14, 2025

Conversation

@graziang
Copy link
Contributor

@graziang graziang commented Feb 14, 2025
edited
Loading

Closes #37147

In the case where valid audiences are requested in the standard token exchange v2 request, only the realm roles and client roles belonging to the clients present in the audience parameter are considered during the scope evaluation.

Also token exchange requests with client scopes that do not exist or are not configured as default or optional for the requester client are rejected.

In all other cases, the behavior remains the same. You can find an example in this comment #37147 (comment).

NOTE: At the time of this PR, audiences are never blocked. The task to block audiences is: #37104

@graziang graziang requested review from a team as code owners February 14, 2025 11:38
@mposolda mposolda self-assigned this Feb 14, 2025
mposolda
mposolda approved these changes Feb 14, 2025
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@graziang LGTM, Thanks!

rmartinc
rmartinc approved these changes Feb 14, 2025
View reviewed changes
Copy link
Contributor

@rmartinc rmartinc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@mposolda mposolda merged commit b4f14b2 into keycloak:main Feb 14, 2025
78 checks passed
@mposolda mposolda mentioned this pull request Feb 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mposolda mposolda mposolda approved these changes

+1 more reviewer

@rmartinc rmartinc rmartinc approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mposolda mposolda

Labels

team/cloud-native team/core-clients team/core-iam

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Filter scopes for token-exchange based on audience and client roles

3 participants

@graziang @mposolda @rmartinc